Feeds

Interview with a link spammer

It's nothing personal...

  • alert
  • submit to reddit

SANS - Survey on application security programs

Exclusive Sam - let's call our interviewee Sam, it's suitably anonymous - lives in a three-bedroom semi-detached house in London, drives a vintage Jaguar and runs his own company. But "it's not not all rock and roll and big money", says Sam. What isn't? Spamming websites and blogs with text to pump up the search engine rankings of sites pushing PPC (pills, porn and casinos), that's what.

For that's what Sam does, pretty much all day long. He - we'll use the male notation, it's easier - would do this anyway for fun, but it's more than fun; he says he can earn seven-figure sums doing this. Sam is a link spammer. He's unapologetic about it. Skilled in Perl, LWP and PHP, Sam's first professional programming was done aged 13, when he sold some code to a gaming company. He's 32 now, and spoke to The Register on condition of anonymity.

So how and why do "link spammers" - as they generically call themselves - do it? Are they the same as the email spammers? What do they think of what they do, ethically? And what can stop them? If you're affected by this spam, say because you run a blog, or a website, or like the other 99.9 per cent of Net users just come across the stuff, Sam explain the important thing to remember is it's nothing personal. They're not targeting you personally. They're just exploiting a weakness in a system which blossomed just at the time that Google cracked down on the previous method that spammers used, where huge "link farms" of their own web sites pointed circularly to each other to boost each others' ranking.

"It was around December 2003: Google did what was called the 'Florida update'. It changed the algorithm that measured how high a site should be ranked to spot 'nepotistic' links and devalue them. So if you had a link farm of sites with different names which linked heavily to each other, they were pushed down," explains Sam.

So the link spammers - who prefer to call themselves "search engine optimisers", but get upset when search engines do optimise themselves - turned to other free outlets which Google already regarded highly, because their content changes so often: blogs. And especially blogs' comments, where trusting bloggers expected people to put nice agreeable remarks about what they'd written, rather than links to PPC sites. Ah well. Nothing personal.

"Comment spamming to blogs was going on before the Florida update, but it rose after that," says Sam. "All we need is a website that allows some interaction." Photo galleries based around PHPGallery - which allows votes and comments - are easy targets too. So many of them allow anyone to leave a comment.

For even a semi-competent programmer, writing programs that will link-spam vulnerable websites and blogs is pretty easy. All you need is a list of blogs - which again, even a semi-competent programmer will be able to pull together (by searching for sites with keywords such as "Wordpress", "Movable Type" and "Blogger") a huge list of blogs to hit.

More than competent

And people like Sam are much more than competent. "You could be aiming at 20,000 or 100,000 blogs. Any sensible spammer will be looking to spam not for quality [of site] but quantity of links." When a new blog format appears, it can take less than ten minutes to work out how to comment spam it. Write a couple of hundred lines of terminal script, and the spam can begin. But you can't just set your PC to start doing that. It'll get spotted by your ISP, and shut down; or the IP address of your machine will be blocked forver by the targeted blogs.

So Sam, like other link spammers, uses the thousands of 'open proxies' on the net. These are machines which, by accident (read: clueless sysadmins) or design (read: clueless managers) are set up so that anyone, anywhere, can access another website through them. Usually intended for internal use, so a company only needs one machine facing the net, they're actually hard to lock down completely.

Sam's code gets hundreds of open proxies to obediently spam blogs and other sites with the messages he wants posted. They usually target comments to old posts, so they won't show up to people reading the latest ones, though search engine spiders will spot them and index them. And here's the surprising thing: link spamming is not outsourced. These people do it on their own behalf. (Does this mean it's an immature business? Reg readers please advise.)

Here's why. When Sam spams tons of blogs and sites with links to his sites - which are affiliates of bigger PPC sites - people see the links and, seeking some porn, pills or casino action, click through to his site, and from there to the parent site, which pays Sam for each person landing there. The PPC sites can see revenues of £100,000 to £200,000 per month, says Sam. He gets a slice of that - and he wants it to stay that way.

Perhaps the affiliate system could be seen as a form of outsourcing: the top-level site gets lots of people competing to find the best way to get visitors to the site. Darwin would understand. Link spamming, with its abuse of common resources, turns out the most efficient, just as cutting down virgin Indonesian and Amazonian rain forest is the most efficient way for loggers there to get wood. If it raises the global temperature of the blogging community, well, that's life on planet internet, isn't it?

Why not just buy a Google ad, Sam? "You don't get anything like the same click-through ratio. Jakob Nielsen's studies and my own show you get six or seven times more click-throughs from 'organic' search results. And pay-per-click on search engines costs money! It can be £20 per click! We pay nothing to get an organic result." But what about the moral question, that you're using other peoples' bandwidth and blog space and abusing it by putting your commercial message there? "The question of morals is one for the individual. While it's legal, it will continue. It could be argued that a website owner is actually inviting content to their site when they allow comments."

When Sam begins a spam run, he has one target, though he'll accept any of six. Principal one: come top of the search engines for his chosen site's phrase. "But you'll accept coming in at 1,2 or 3, or if you come at 8,9 or 10. Actually, 8, 9 and 10 have better conversion rates. I don't know why. Maybe the eyes fix on it when you scroll down the page." And the cost of doing it? Once the code is written, pretty much zero. "Bandwidth is cheap," he says. "You set it going in the evening and come back in the morning to see how it's gone."

High performance access to file storage

Next page: The legal question

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.