RSS, Spam and Spyware

As I mentioned in my previous post, I’m a firm believer in using blogs and RSS for distributed conversation. So, I’d like to start a conversation about the threat that spam and spyware pose to our little syndicated world. I brought this topic up with several companies who were at the Syndicate Conference, and I was disturbed to discover how few of them are even thinking about this pending problem.

Most of them replied, “Spam problem? But there isn’t one – if someone’s feed contains spam, everyone will just unsubscribe!” Well, yeah – but only if we subscribe to individual feeds, which I believe will take a backseat to aggregated feeds. I’ll use my own experience with the NewsGator acquisition as an example: hundreds of blogs contained news of the acquisition, but I was subscribed to very few of their feeds. Instead, I subscribed to dynamic search feeds – that is, keyword-based feeds powered by RSS search engines – which enabled me to listen in on the conversation. Very powerful indeed – but unfortunately, very spammable.

There are already fake spam blogs, many of which have RSS feeds. Most of the ones I’ve seen were created to influence search engine rankings, but it’s only a matter of time before they use their feeds for delivering spam (I’ll wager that some of them already do). These fake blogs are easy to set up, so as soon as one is taken down, it will re-appear somewhere else (much like their spyware-filled brethren, the warez sites), making it tricky to simply filter them out by their subdomain name. My guess is that the main reason we don’t see more RSS spam is simply because spammers are waiting for it to be profitable. Now that conferences such as Syndicate are attended not just by geeks and developers but also by investors, they’ve got to be thinking that the time is almost here. Create a bunch of fake blogs littered with popular keywords, and let their feeds be picked up by the RSS search engines (to their credit, some of the RSS search engine companies I talked with are already tackling this problem).

Even if I’m way off base about how spam will come to RSS, we all know that spammers will find a way to jump on the RSS bandwagon. Given past history, every new social technology needs to think about spam right from the start, or else risk being crippled by it (side note: many implementations of tagging also strike me as being spammable).

Related to this is the fact that RSS enclosures (a.k.a. “podcasts”) must look attractive to spyware creators. Before I added podcast features to FeedDemon, I took a look at how a few of the existing tools were handling them. To my surprise, security didn’t seem to be a big concern – they’d even download EXE enclosures, perhaps assuming that the user’s anti-virus software would stop them from being executed if they were malware. Couple automatic enclosure downloading with dynamic search feeds which contain enclosures, and you’ve got a great spyware delivery system. This is why I made sure that FeedDemon used a safe list for downloading enclosures.
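One way to implement the kind of enclosure safe list described above, as an added example rather than FeedDemon's actual code; the extension and MIME list, the function names and the sample feed are assumptions constructed for illustration.

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, unquote

# Assumed safe list (illustrative, not FeedDemon's): extension -> acceptable declared MIME types.
SAFE_ENCLOSURES = {
    ".mp3": {"audio/mpeg", "audio/mp3"},
    ".m4a": {"audio/mp4", "audio/x-m4a"},
    ".ogg": {"audio/ogg", "application/ogg"},
    ".mp4": {"video/mp4"},
}

def classify_enclosure(url, mime_type):
    """Return (allowed, reason); anything not on the safe list is refused."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not http(s)"
    # Judge only the decoded path, so query strings, ';' parameters and percent-encoding
    # cannot disguise the real extension.
    path = unquote(parts.path).split(";")[0]
    ext = posixpath.splitext(path)[1].lower()
    allowed_types = SAFE_ENCLOSURES.get(ext)
    if allowed_types is None:
        return False, f"extension {ext or '(none)'} not on safe list"
    if mime_type.split(";")[0].strip().lower() not in allowed_types:
        return False, f"declared type {mime_type!r} does not match {ext}"
    return True, "ok"

def review_feed(feed_xml):
    """Return [(url, allowed, reason)] for every enclosure in an RSS 2.0 document."""
    if "<!DOCTYPE" in feed_xml or "<!ENTITY" in feed_xml:
        raise ValueError("feed declares a DTD; refusing to parse untrusted entities")
    results = []
    for enc in ET.fromstring(feed_xml).iter("enclosure"):
        url = enc.get("url", "")
        results.append((url, *classify_enclosure(url, enc.get("type", ""))))
    return results

# Constructed sample: a keyword search feed mixing one real podcast with three bad enclosures.
SAMPLE_FEED = """<rss version="2.0"><channel><title>search: newsgator</title>
<item><enclosure url="http://podcast.example/ep12.mp3" type="audio/mpeg"/></item>
<item><enclosure url="http://files.example/player.exe" type="audio/mpeg"/></item>
<item><enclosure url="http://files.example/setup.exe?name=ep.mp3" type="audio/mpeg"/></item>
<item><enclosure url="http://files.example/ep13.mp3" type="application/octet-stream"/></item>
</channel></rss>"""

if __name__ == "__main__":
    for url, allowed, reason in review_feed(SAMPLE_FEED):
        print("DOWNLOAD" if allowed else "SKIP    ", url, "-", reason)
```

The URL and declared type are only the feed's claims; the same check should be repeated on the response's Content-Type and on the name the file is saved under before anything is written to disk.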

If you make a living from RSS, I hope you’ll join in this conversation – either here or in your own blog – and let everyone know whether you’re thinking about this problem (or, just let me know I’m full of it if you disagree that it’s a threat).

21 thoughts on “RSS, Spam and Spyware”

  1. Nick Bradbury: RSS, Spam and Spyware

    Nick Bradbury wrote an interesting post about spam on rss. Interesting take he has and is worth reading. Link: Nick Bradbury: RSS, Spam and Spyware.

  2. Nick,
    First off, it was a pleasure meeting you this week. Congrats again.
    We’ve been somewhat hindered by the onslaught of spam feeds; while they pose little to no threat to the individual subscriber, to the aggregation services, they represent a problem. We’ve had to move to a more closely monitored system for adding feeds to our index, in an attempt to identify and squash valueless feeds before they get into our index. We’ve been fairly successful, but need to come up with more automated ways of addressing the issue. In addition to spam, there is the issue of content that is copied, quoted or plagiarized from other sites; most, if not all, services at this point just do raw date sorting, which often causes duplicate content results. It’s not really spam, but it should be handled better by the engines.
    There might be some collaborative ways of fighting spam; one idea is that communities like Syndic8 might be able to utilize their extensive active user base to flag feeds.
    There is a lot more to talk about, but you are correct: this is a major issue and has yet to be addressed sufficiently.

  3. Well, it’s a big issue but it’s not RSS specific. Spam won’t be solved soon IMO. It’s an arms race… a war of attrition.
    All you really can do is make it asymmetric for attackers so it’s hard to spam.
    Though… actually… I’ve solved the spam problem. I’ll sell it to you for $19.95… just click on this link!
    :)

  4. Thanks very much for the NewsGator vs. GAIN/Gator clarification. The possibility totally freaked me out.

  5. RSS, Spam and Spyware

    So, in a sense it is possible to have a little bit of a spam leak in a topic that is being threaded via RSS. Hey, nothing is perfect. But to hear this from the man himself… it is disturbing…

  6. Surprisingly this is what I received today from BlogWare (owned by Tucows)
    ‘Recently, Blogware has been abused by a new type of application that
    is installed on users’ machines and takes advantage of Service
    Provider’s free trials, and creates hundreds of moblogging posts on
    an account in order to promote another site’s search engine ranking.’
    SPAM has arrived :(

  7. Technorati takes antispam seriously as a quality of service issue. As you mentioned, if someone subscribes to a feed and it is all garbage they will turn off the feed and stop using the service.
    At $75 a keyword for a single click in some cases the war against spam is a difficult one, but we will keep fighting the good fight.

  8. The only way I can see spam being stopped is through a third party provider much like email spam is dealt with from antivirus firms (pc-cillin etc), on feed retrieval a call to their online db for a certain feed url as known spam?
    The feed reader creator could pay for this extra security which in favor is passed to the user much like windows protection.
    However you check and deal with the situation short term, spam writers will be able to modify their feeds to get through in the long term.

  9. Weren’t there some ‘Gator’ products a couple of years ago associated with some of the worst spyware?
    Anything to do with NewsGator?

  10. Social Software Considerations for XML Clients

    Nick Bradbury, creator of FeedDemon (which was just acquired by NewsGator last week) has just put up a terrific analysis of the considerations all developers of RSS and Atom aggregators and syndication clients should be keeping in mind with regard…

  11. RSS Spam

    Comment spam and TrackBack spam have been a problem for bloggers for quite some time now. Nick Bradbury has outlined why RSS spam will be next. I don’t subscribe to many search feeds but I do subscribe to several planet aggregations.
    Nick seems to thi

  12. Publishers protest Google, how to fake a fingerprint

    Publishers Protest Google Library Project A group of academic publishers is challenging Google Inc.’s plan to scan millions of library books into its Internet search engine index, highlighting fears that the ambitious project will violate copyrights an…

  13. Links from all over: Publishers protest Google, how to fake a fingerprint, etc.

    Publishers Protest Google Library Project A group of academic publishers is challenging Google Inc.’s plan to scan millions of library books into its Internet search engine index, highlighting fears that the ambitious project will violate copyrights an…

  14. Links from all over: Publishers protest Google, how to fake a fingerprint, etc.

    Publishers Protest Google Library Project A group of academic publishers is challenging Google Inc.’s plan to scan millions of library books into its Internet search engine index, highlighting fears that the ambitious project will violate copyrights an…

  15. Spam and spyware soon via RSS too?

    Nick Bradbury, author of the RSS reader “FeedDemon”, which was recently acquired by Newsgator, fears that spam and spyware (via enclosures) will soon infiltrate RSS feeds as well, which is especially annoying for users who aggregated …
