Feeds

Interview with a link spammer

It's nothing personal...

  • alert
  • submit to reddit

Seven Steps to Software Security

Exclusive Sam - let's call our interviewee Sam, it's suitably anonymous - lives in a three-bedroom semi-detached house in London, drives a vintage Jaguar and runs his own company. But "it's not not all rock and roll and big money", says Sam. What isn't? Spamming websites and blogs with text to pump up the search engine rankings of sites pushing PPC (pills, porn and casinos), that's what.

For that's what Sam does, pretty much all day long. He - we'll use the male notation, it's easier - would do this anyway for fun, but it's more than fun; he says he can earn seven-figure sums doing this. Sam is a link spammer. He's unapologetic about it. Skilled in Perl, LWP and PHP, Sam's first professional programming was done aged 13, when he sold some code to a gaming company. He's 32 now, and spoke to The Register on condition of anonymity.

So how and why do "link spammers" - as they generically call themselves - do it? Are they the same as the email spammers? What do they think of what they do, ethically? And what can stop them? If you're affected by this spam, say because you run a blog, or a website, or like the other 99.9 per cent of Net users just come across the stuff, Sam explain the important thing to remember is it's nothing personal. They're not targeting you personally. They're just exploiting a weakness in a system which blossomed just at the time that Google cracked down on the previous method that spammers used, where huge "link farms" of their own web sites pointed circularly to each other to boost each others' ranking.

"It was around December 2003: Google did what was called the 'Florida update'. It changed the algorithm that measured how high a site should be ranked to spot 'nepotistic' links and devalue them. So if you had a link farm of sites with different names which linked heavily to each other, they were pushed down," explains Sam.

So the link spammers - who prefer to call themselves "search engine optimisers", but get upset when search engines do optimise themselves - turned to other free outlets which Google already regarded highly, because their content changes so often: blogs. And especially blogs' comments, where trusting bloggers expected people to put nice agreeable remarks about what they'd written, rather than links to PPC sites. Ah well. Nothing personal.

"Comment spamming to blogs was going on before the Florida update, but it rose after that," says Sam. "All we need is a website that allows some interaction." Photo galleries based around PHPGallery - which allows votes and comments - are easy targets too. So many of them allow anyone to leave a comment.

For even a semi-competent programmer, writing programs that will link-spam vulnerable websites and blogs is pretty easy. All you need is a list of blogs - which again, even a semi-competent programmer will be able to pull together (by searching for sites with keywords such as "Wordpress", "Movable Type" and "Blogger") a huge list of blogs to hit.

More than competent

And people like Sam are much more than competent. "You could be aiming at 20,000 or 100,000 blogs. Any sensible spammer will be looking to spam not for quality [of site] but quantity of links." When a new blog format appears, it can take less than ten minutes to work out how to comment spam it. Write a couple of hundred lines of terminal script, and the spam can begin. But you can't just set your PC to start doing that. It'll get spotted by your ISP, and shut down; or the IP address of your machine will be blocked forver by the targeted blogs.

So Sam, like other link spammers, uses the thousands of 'open proxies' on the net. These are machines which, by accident (read: clueless sysadmins) or design (read: clueless managers) are set up so that anyone, anywhere, can access another website through them. Usually intended for internal use, so a company only needs one machine facing the net, they're actually hard to lock down completely.

Sam's code gets hundreds of open proxies to obediently spam blogs and other sites with the messages he wants posted. They usually target comments to old posts, so they won't show up to people reading the latest ones, though search engine spiders will spot them and index them. And here's the surprising thing: link spamming is not outsourced. These people do it on their own behalf. (Does this mean it's an immature business? Reg readers please advise.)

Here's why. When Sam spams tons of blogs and sites with links to his sites - which are affiliates of bigger PPC sites - people see the links and, seeking some porn, pills or casino action, click through to his site, and from there to the parent site, which pays Sam for each person landing there. The PPC sites can see revenues of £100,000 to £200,000 per month, says Sam. He gets a slice of that - and he wants it to stay that way.

Perhaps the affiliate system could be seen as a form of outsourcing: the top-level site gets lots of people competing to find the best way to get visitors to the site. Darwin would understand. Link spamming, with its abuse of common resources, turns out the most efficient, just as cutting down virgin Indonesian and Amazonian rain forest is the most efficient way for loggers there to get wood. If it raises the global temperature of the blogging community, well, that's life on planet internet, isn't it?

Why not just buy a Google ad, Sam? "You don't get anything like the same click-through ratio. Jakob Nielsen's studies and my own show you get six or seven times more click-throughs from 'organic' search results. And pay-per-click on search engines costs money! It can be £20 per click! We pay nothing to get an organic result." But what about the moral question, that you're using other peoples' bandwidth and blog space and abusing it by putting your commercial message there? "The question of morals is one for the individual. While it's legal, it will continue. It could be argued that a website owner is actually inviting content to their site when they allow comments."

When Sam begins a spam run, he has one target, though he'll accept any of six. Principal one: come top of the search engines for his chosen site's phrase. "But you'll accept coming in at 1,2 or 3, or if you come at 8,9 or 10. Actually, 8, 9 and 10 have better conversion rates. I don't know why. Maybe the eyes fix on it when you scroll down the page." And the cost of doing it? Once the code is written, pretty much zero. "Bandwidth is cheap," he says. "You set it going in the evening and come back in the morning to see how it's gone."

Mobile application security vulnerability report

Next page: The legal question

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.