Michael Jensen shows that it is quite easy to spam MyBlogLog (recently acquired by Yahoo), and he used TechCrunch as the guinea pig for his experiment. We, like many other blogs, display the MyBlogLog widget (right bottom sidebar), which shows recent visitors, along with their photo, to the site.
All he did was create a new account with the advertising he wanted included as the image. He then opened TechCrunch in the Opera browser and set it to autorefresh every minute or so. The result was that the “user” kept coming back to TechCrunch and popping to the top of the widget. Some of the traffic that clicked through to the user page on MyBlogLog made its way back to the destination site.
Given how easy this is to do, it’s certainly worth the effort. Jensen quickly expanded his test to include twenty other blogs. I hadn’t noticed this, but MyBlogLog founder Scott Rafer did, and pinged me about it. He says they’ll be blocking this kind of behavior in the near future.
There’s lots of other spam on MyBlogLog, although most of it is in the messages users can leave for other users on their pages. Not much harm there beyond a messy MyBlogLog site, and I’m sure they’ll be taking measures to limit that over time, too.
By the way, Jensen says he did all this just to point out the flaw in MyBlogLog, not to actually spam sites.
Update: I hadn’t seen this before, but in the comments below Richard MacManus points out that Emre Sokullu made a script to do this as well.
A little advice to Scott Rafer: never say you’re going to implement a spam solution “momentarily.” If spammers really want to use your service to spam, they are ten times smarter than you and much more motivated.
Don’t go down the Bill Gates path (he claimed that spam would be eradicated by now and instead it’s gone up dramatically).
Drama – actually, that was an incorrect quote and I removed it. Scott said they’d be getting it sorted out this week or next, and we were having a very informal conversation about it. It’s annoying but it certainly isn’t something that has to be addressed immediately. I never even noticed the spam.
Thanks for the mention, it will be interesting to see what is implemented to prevent this. I would guess that they could check simultaneous and repetitive refreshes, but they’ll have to do more than checking for consistent time periods because a script could be easily written to randomize the periodicity.
Emre Sokullu actually wrote a test script that automates the process. I mentioned it in my post about mybloglog, that spam is a potential issue. Anyway here is Emre’s post about it:
http://grou.ps/...llu.blog/?p=178
This tactic was very obvious from the beginning – but because MyBlogLog was new, it was not newsworthy.
Of course, one idea would be to make a minimum time interval between so called visitor refreshes.
Or if it gets EXTREME, a once an hour – or once a day option – with an archived visits link page, where the ultra curious could click to see the visitors for the entire day – or for hours (however one wants to customize it)
It is so sad that this budding technology has to now face the harsh realities of life.
But….
Interesting…
These days I do a lot of surfing and do go back to many sites in an hour looking for news or just more things to read cause I’m bored and not Spamming.
If TV wasn’t so Boring I might watch more of it.. hehe
What’s to keep someone from posting nudie pics as their avatar (which I’ve seen on occasion), and then running this script on a bunch of Christian or Kids sites?
I’ve always felt that spam would eventually be the biggest problem with MyBlogLog. It’s so easy to contact people that it’s inevitable. As a small community of bloggers, it’s not a big deal, but what if 100,000+ blogs and spammers start using it?
Anita
This possibility — and inevitability of this new form of comment-spamming was what delayed me putting it on my blog in the first place. However, I (and I’m sure many others) suggested early on that there be some means of blocking someone I thought was appearing on my blog for spamming purposes — or other negative reasons. Several weeks ago, they implemented a blocking feature — a little “x” on the photo of a “recent reader” — just click on the x and you’ll ban the person from your site. It’s not a complete solution to what you’re describing — but it is a recognition by the mybloglog team that a small set of scum will look for ways to misuse the service.
@Drama — You are right; there is no spam solution, nor did we promise one. Nor did Mike say we did. We expect that keeping spam to a reasonable level will require a consistent effort forever. We simply know how to address this particular sort of attack and will do so.
When one is fortunate enough to have partners like TechCrunch, it’s important to let them know that we’re seeking out the problems, doing our best to notice them first, and starting the process of addressing them immediately.
Say No to Crack: you’ve just glimpsed the future. If MyBlogLog ever becomes more mainstream, these types of things will occur more and more frequently. And you don’t need to run the script on religious sites. Spam is primarily profit motivated. So post photos of beautiful women (scantily-clad), and you can be sure that guys will click. Now you have free advertising. When you consider that many blogs using MyBlogLog are selling advertising, MyBlogLog actually becomes an advertising medium. You don’t have to pay for ads, just create fake MyBlogLog profiles and run an automated script. Since everything is automated and your cost of running this is zero, it doesn’t take much to make this worthwhile (assuming MyBlogLog ever gets out from the techie niche).
MySpace, which is filled with this type of spam, is a good example of what any popular “Web 2.0” site is going to have to face. Victims of their own success.
My Golly Gosh.. Who at Yahoo did the tech eval when acquiring this? The flaw smacks of a first-year web programmer’s knowledge.
One could say on a service like this, spamming like this is *impossible* to stop; you can only slow it down.
Sure, you have checks for the same IP address, referrers, calls out to 3rd parties (ie: Akismet), blocked words, deny frequencies, cookie checks, etc… But unfortunately the inherent technical nature of the internet is random and anonymous, so someone can always hack or fake the information sent.
Being an architect of some of Australia’s major sites, over the years I’m well aware of this problem, it’s going to take quite an effort for them to stop it and they will have to do it quickly otherwise…
Dare I say an expensive flop 2.0??
Simon – well, $10M isn’t that expensive for yahoo, and I’m sure they’ll come up with some solution. My guess is that they’ll do one of the following:
1. Eventually disable avatars in the widget
2. Only show avatars of non-paying members
3. (most likely) Track how many blogs you’ve been to in the past X hours and temporarily/permanently disable accounts for those who click on too many
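As an added illustration of the mitigation ideas floated in this thread (a minimum interval between widget refreshes, a cap on how many blogs one account can appear on in the past hour, and a check for clock-regular refreshes that a script can evade by randomizing its timing), here is example code that is not from MyBlogLog or anyone commenting here. The `Visit` record, the site names, the thresholds and every timestamp are constructed for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


# Hypothetical server-side visit record for a "recent readers" widget.
# All field values used below are constructed for the example.
@dataclass(frozen=True)
class Visit:
    ts: int     # seconds since epoch
    user: str   # account name of the logged-in reader
    site: str   # blog whose widget recorded the visit


MIN_INTERVAL = 300          # one account reappears on a given site at most every 5 minutes
MAX_SITES_PER_WINDOW = 10   # more distinct sites than this per window gets flagged
WINDOW = 3600               # seconds; the "past X hours" from the comment, with X = 1
REGULARITY_CV = 0.15        # gaps this uniform look like a browser auto-refresh timer


def widget_appearances(visits):
    """Minimum-interval rule: return only the visits the widget would actually display.

    A (user, site) pair is shown again only once MIN_INTERVAL seconds have passed,
    so a page refreshed every minute still yields only a handful of rows per hour.
    """
    shown, last_seen = [], {}
    for v in sorted(visits, key=lambda v: v.ts):
        key = (v.user, v.site)
        if key not in last_seen or v.ts - last_seen[key] >= MIN_INTERVAL:
            shown.append(v)
            last_seen[key] = v.ts
    return shown


def sites_in_window(visits, user, now, window=WINDOW):
    """Distinct sites an account has appeared on during the last `window` seconds."""
    return {v.site for v in visits if v.user == user and now - window < v.ts <= now}


def interval_cv(timestamps):
    """Coefficient of variation of the gaps between consecutive hits.

    Close to 0 means a fixed timer; None when there are too few gaps to judge.
    """
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m else None


def classify(visits, user, now):
    """Reasons an account looks scripted; an empty list means nothing was flagged."""
    reasons = []
    sites = sites_in_window(visits, user, now)
    if len(sites) > MAX_SITES_PER_WINDOW:
        reasons.append(f"{len(sites)} distinct sites in the last hour")
    by_site = defaultdict(list)
    for v in visits:
        if v.user == user:
            by_site[v.site].append(v.ts)
    for site, ts in by_site.items():
        cv = interval_cv(ts)
        if cv is not None and len(ts) >= 5 and cv < REGULARITY_CV:
            reasons.append(f"clock-regular refreshes on {site} (cv={cv:.2f})")
    return reasons


def _hits(user, site, timestamps):
    return [Visit(t, user, site) for t in timestamps]


# Constructed sample: a human reader, a fixed-timer bot spread over 16 sites,
# and a bot that randomizes its refresh period on a single site.
SAMPLE = (
    _hits("alice", "techcrunch", [0, 50, 130, 200, 290, 400])
    + _hits("adbot", "techcrunch", [60 * i for i in range(10)])
    + [Visit(10 + i, "adbot", f"blog{i}") for i in range(15)]
    + _hits("jitterbot", "techcrunch", [0, 40, 130, 185, 260, 370, 400])
)

if __name__ == "__main__":
    for user in ("alice", "adbot", "jitterbot"):
        print(user, classify(SAMPLE, user, now=600) or "no flags")
    shown = widget_appearances(SAMPLE)
    print("widget rows after the minimum-interval rule:", len(shown), "of", len(SAMPLE))
```

Running it shows the trade-off the thread is circling: the fixed-timer account is flagged twice (too many sites, metronomic gaps), the human reader is not, and the jittered account slips past the regularity check exactly as predicted above. What still contains that account is the per-site minimum interval, which cuts its seven refreshes to two widget rows no matter how the timing is randomized; the distinct-sites cap then limits how far one fake profile can spread in an hour.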
Since the news broke, I am no longer so hot on MyBlogLog so I tried to unregister but I found no such option at MyBlogLog. From now on, I am not going to signup for any web service that doesn’t offer an obvious exit door. I like the MyBlogLog guys and I am happy that they found a lucrative exit, but they are taking advantage of me if they don’t offer an easy exit for me.
Michael, I got an answer to this post from a friend working at Yahoo, you may want to check it out; http://www.emre...ullu.com/?p=179 – he first says they’ll take care of it as in the case of del.icio.us but then admits how hard it is.. My solution is to set a daily appearance limit for everyone. But this system is inevitably open to gaming.
And also see this for instance: http://www.mybl...rs/ilkeryoldas/ – he’s making traffic by spamming people with irrelevant messages. Yet another technique of abusing MyBlogLog.
PLEASE PLEASE PLEASE take some of that money to re-design that site. I can’t look at it anymore! (Nor do I want to, as I believe the service is *totally* useless and only contributes to the growing attention-deficit disorders among Web 2.0 users.)
Well, the problem will get fixed or it won’t. Worst case, we get a lot more advertising real estate if we pull it down.
kidding, kidding.
I have been using the MyBlogLog service for 3 weeks and I hope that this service will stay spam-free in the future. I like the functions of MyBlogLog.
Mike – great timing on your post. I just noticed some suspect spam in the TechCrunch Community comments on MyBlogLog earlier tonight. I’m also seeing some disturbing trends on many of the socially driven sites and just wrote about the danger that spammers bring to the socially-driven sites like MyBlogLog, Digg, Del.icio.us, and just about every other popular site out there right now. I get the sense of impending doom unless the social software dev gurus can figure out how to add the evolutionary checks and balances to combat the spammers. What do you think?
Well, this was obviously going to happen, and has probably been happening for a while now. In the last month I’ve spotted some names come up *vastly* more often in the Techcrunch faceroll than was likely from a random sampling of the techcrunch mybloglog community. One called “Clickfire”, and one or two others, all of whom turned out to be offering SEM/SEO services, surprise, surprise….
Some people say you should always assume that your new service will be used for spam one way or another, and plan accordingly, but if in this day and age you can manage a $10m Yahoo buyout *before* it becomes a real problem, then maybe that’s something you shouldn’t bother to worry about from day one after all.
We made some advertising for our new widgets, appearing with four users at the same time on mybloglog so they (the 4 fake profiles) write a phrase for readers.
The project code was http://www.logbuzz.net
See a marketing article about it: http://www.lavi...loite-mybloglog
Spamming (gently) mybloglog was fun. And when I told Scott a month ago he did not seem very upset with it. After all it’s PV and traffic.
Seth: That’s nothing to be particularly surprised about (even in your sarcastic way). SEM/SEO firms are often on top of the promising Web 2.0 communities. But prominent SEO bloggers (those who use MyBlogLog) are generally not “offering SEM/SEO services” as you claim; they just maintain SEM/SEO blogs. It is important to make that distinction.
I think that pretty much any new site that gets users fast and allows interactivity goes thru these growing pains. Human nature is to seize advantage of anything possible for benefit, so these types of exploits should have been expected. Deal with them as they pop up and move on.
I agree with William, these are just growing pains at MBL.
Honestly, it would be a good problem to have…
@WilliamC and @Josh. Thank you. We’re doing our best to prove you guys right.
I don’t see how they can protect against this spam without affecting users and the functionality of the “readers” widget.
If I browse techcrunch for an hour, reading on average one page a minute, would my activity be flagged as spam?
@kbox — I love techcrunch too, but are you really going to read sixty articles at a sitting?
Really? I didn’t even notice the advertisement because it was mixed in with all the other obnoxious advertisements on your site. I pretty much ignore anything past the right edge of the text column.
I find MyBlogLog to be pretty poor in the few days that I have been on it and added my own site. I am not here to bash MyBlogLog, I just find the layout to be so-so, as well as the color scheme pretty gross.
The UI seems a bit weird, so does the layout and the overall “work” flow of the site.
This spamming only adds to my already low first impression of this site in the short time I have been using it.
There also seems to be a small bug with the myblog avatar creator. It is sometimes possible to sneak animated gifs through – you can see my test showing on my account if you go Gareth_Davies.
I am not out to Spam – it was just a test and I will remove it shortly. Even though it doesn’t always work every time, it is prob wise for them to look into stopping animated gifs running, don’t you think?
One site is showing it works. 20 is spamming. He was spamming.
I only just noticed that my picture shows up at the bottom of the screenshot! Horror, now hnsbro and me look like spammers too. For the record, Mike, I did *not* land on that screenshot using the technique described by Michael Jensen.
I guess I must have been reading too much Techcrunch lately.
I just want to confirm that I actually visited the site…
This is the first web 2.0 whatever site I’ve felt compelled to join and it seems like a decent experiment (if a bit overweighted with early adopter SEO types…). It has potential to take bloggers past the Technorati “how are my stats” stage to actually building communities of like mind. IF it doesn’t get hammered by the bots…
Sure that will be exploited more soon. Wonder how MyBlogLog will handle this? How can one tell if a user is genuinely visiting pages or having a bot visit them?
I must say that my evil mind thought about doing this myself before this article was even posted. I noticed that when I was logged into mybloglog, my little avatar for it was appearing on the front page of TechCrunch. Then, I noticed I had some people adding me as contacts on mybloglog. I put two and two together and realized that they must have been coming from that. Then I thought about the auto refresh, and so on.
I wouldn’t do it, because I think it’s the wrong way to go about things, but I do hope you keep the mybloglog script up on the front page because it’s pretty nifty. I promise not to abuse it
Spamming TechCrunch works!:
http://www.tony...nch-experiment/
The entire MyBlogLog community is *not* secure…it is open to all kinds of scripted attacks…you can even steal someone’s identity quite easily!
http://www.cooq...ation-security/
No one has mentioned the obvious here – while this may be an insecurity of sorts, this type of “spam attack” wouldn’t be very effective in the traditional sense. Sure, I can get the widget to point back to my MyBlogLog profile, but that doesn’t directly help *my* site; it helps the MyBlogLog site.
Understand, by using the term “help”, I’m referring to the main reasons automated blog spam exists:
1. To siphon off of a popular site’s PageRank
2. To drive spam emails via automated comment notification systems
3. To display a *direct*, clickable link to another site
We’d *all* like the positive benefits these three mechanisms provide, but the main difference between spam and normal commenting is that the spam comments are entirely irrelevant and unwanted by anybody but the spammer.
If there’s a genuine interest in clicking through to my site from the MBL dashboard, I think it’s probably legitimate (i.e. the reader actually had some interest in the content).
In Philippine Wire, I used a half-size picture with no username. With the size of the picture, any text is not readable.
Hi Michael, I don’t agree about this. My opinion is MyBlogLog is a great tool and every blogger should use it. The rest I think is as below:
1. Spam actually exists everywhere, even in email, other social networks and in comment sections as well.
2. As humans we are better than machines, so we know how to determine which user is fake and control it manually.
3. Cheating 1-2 attempts can work, but in the end it will be ignored by others.
4. Personally, when I see my picture on recent readers at a blog where the code is embedded, I feel the author appreciates me as a visitor. I love this one!!
5. We have the option to accept the contact. (That power we have.) First I accept those who add me; if they have another agenda, simply punish them.
6. Finally, only visit and read those who are real contacts, that’s all, Michael.
7. This is not spam and I am here around 30 minutes..:D
I don’t know how to spam my site… I want tools for spamming my site