Interview with a link spammer
It's nothing personal...
Exclusive Sam - let's call our interviewee Sam, it's suitably anonymous - lives in a three-bedroom semi-detached house in London, drives a vintage Jaguar and runs his own company. But "it's not not all rock and roll and big money", says Sam. What isn't? Spamming websites and blogs with text to pump up the search engine rankings of sites pushing PPC (pills, porn and casinos), that's what.
For that's what Sam does, pretty much all day long. He - we'll use the male notation, it's easier - would do this anyway for fun, but it's more than fun; he says he can earn seven-figure sums doing this. Sam is a link spammer. He's unapologetic about it. Skilled in Perl, LWP and PHP, Sam's first professional programming was done aged 13, when he sold some code to a gaming company. He's 32 now, and spoke to The Register on condition of anonymity.
So how and why do "link spammers" - as they generically call themselves - do it? Are they the same as the email spammers? What do they think of what they do, ethically? And what can stop them? If you're affected by this spam, say because you run a blog, or a website, or like the other 99.9 per cent of Net users just come across the stuff, Sam explain the important thing to remember is it's nothing personal. They're not targeting you personally. They're just exploiting a weakness in a system which blossomed just at the time that Google cracked down on the previous method that spammers used, where huge "link farms" of their own web sites pointed circularly to each other to boost each others' ranking.
"It was around December 2003: Google did what was called the 'Florida update'. It changed the algorithm that measured how high a site should be ranked to spot 'nepotistic' links and devalue them. So if you had a link farm of sites with different names which linked heavily to each other, they were pushed down," explains Sam.
So the link spammers - who prefer to call themselves "search engine optimisers", but get upset when search engines do optimise themselves - turned to other free outlets which Google already regarded highly, because their content changes so often: blogs. And especially blogs' comments, where trusting bloggers expected people to put nice agreeable remarks about what they'd written, rather than links to PPC sites. Ah well. Nothing personal.
"Comment spamming to blogs was going on before the Florida update, but it rose after that," says Sam. "All we need is a website that allows some interaction." Photo galleries based around PHPGallery - which allows votes and comments - are easy targets too. So many of them allow anyone to leave a comment.
For even a semi-competent programmer, writing programs that will link-spam vulnerable websites and blogs is pretty easy. All you need is a list of blogs - which again, even a semi-competent programmer will be able to pull together (by searching for sites with keywords such as "Wordpress", "Movable Type" and "Blogger") a huge list of blogs to hit.
More than competent
And people like Sam are much more than competent. "You could be aiming at 20,000 or 100,000 blogs. Any sensible spammer will be looking to spam not for quality [of site] but quantity of links." When a new blog format appears, it can take less than ten minutes to work out how to comment spam it. Write a couple of hundred lines of terminal script, and the spam can begin. But you can't just set your PC to start doing that. It'll get spotted by your ISP, and shut down; or the IP address of your machine will be blocked forver by the targeted blogs.
So Sam, like other link spammers, uses the thousands of 'open proxies' on the net. These are machines which, by accident (read: clueless sysadmins) or design (read: clueless managers) are set up so that anyone, anywhere, can access another website through them. Usually intended for internal use, so a company only needs one machine facing the net, they're actually hard to lock down completely.
Sam's code gets hundreds of open proxies to obediently spam blogs and other sites with the messages he wants posted. They usually target comments to old posts, so they won't show up to people reading the latest ones, though search engine spiders will spot them and index them. And here's the surprising thing: link spamming is not outsourced. These people do it on their own behalf. (Does this mean it's an immature business? Reg readers please advise.)
Here's why. When Sam spams tons of blogs and sites with links to his sites - which are affiliates of bigger PPC sites - people see the links and, seeking some porn, pills or casino action, click through to his site, and from there to the parent site, which pays Sam for each person landing there. The PPC sites can see revenues of £100,000 to £200,000 per month, says Sam. He gets a slice of that - and he wants it to stay that way.
Perhaps the affiliate system could be seen as a form of outsourcing: the top-level site gets lots of people competing to find the best way to get visitors to the site. Darwin would understand. Link spamming, with its abuse of common resources, turns out the most efficient, just as cutting down virgin Indonesian and Amazonian rain forest is the most efficient way for loggers there to get wood. If it raises the global temperature of the blogging community, well, that's life on planet internet, isn't it?
Why not just buy a Google ad, Sam? "You don't get anything like the same click-through ratio. Jakob Nielsen's studies and my own show you get six or seven times more click-throughs from 'organic' search results. And pay-per-click on search engines costs money! It can be £20 per click! We pay nothing to get an organic result." But what about the moral question, that you're using other peoples' bandwidth and blog space and abusing it by putting your commercial message there? "The question of morals is one for the individual. While it's legal, it will continue. It could be argued that a website owner is actually inviting content to their site when they allow comments."
When Sam begins a spam run, he has one target, though he'll accept any of six. Principal one: come top of the search engines for his chosen site's phrase. "But you'll accept coming in at 1,2 or 3, or if you come at 8,9 or 10. Actually, 8, 9 and 10 have better conversion rates. I don't know why. Maybe the eyes fix on it when you scroll down the page." And the cost of doing it? Once the code is written, pretty much zero. "Bandwidth is cheap," he says. "You set it going in the evening and come back in the morning to see how it's gone."
The legal question
But what about the legal question? Here's where Sam distances himself, very definitely, from email spammers - particularly those who use tailored viruses to turn broadband-linked PCs into spam generators. "I'm using badly-configured proxy servers. I believe that's different from those which are hacked. But I speak to the top seven or eight link spammers, and they don't use bot PCs. People who do blog spamming won't be doing email spamming."
Using proxy servers, Sam argues, is legal. (There seems to be some confirmation of this: you're not altering the machine's configuration, which would be illegal under the Computer Misuse Act, you're just using it to do something.) Sending viruses and using bots is not. "As well as being illegal, how much email spam gets through? The big link spammers, and me, we don't want to end up sharing a cell with a 300-pound guy called 'Bubba'. The moral argument, of whether this is the 'right' thing to do, is for the individual," says Sam. "The legal question is another matter."
In fact, the law would probably favour Sam. It's hard to argue the difference between a person using a computer to post a comment, and a person using a computer to use a computer to post a comment. Will the initiative by Google, Yahoo and MSN, to honour "don't follow" links defeat Sam and his ilk? "I don't think it'll have much effect in the short, medium or long term. The search engines caused the problem" - we didn't quite follow this bit of logic, but Sam continued - "and they're doing this to placate the community. It won't work because most blogs and forms are set up with the best intentions, but when people find hard graft has to go into it they're left to rot. To use this, they'll all have to be updated. The majority won't be. And there'll just be trackback spamming."
By this Sam means spammers setting up their own blogs, and referencing posts on zillions of blogs, which will then incestuously point back to the spammer, whose profile is thus raised. So what does put a link spammer off? It's those trusty friends, captchas - test humans are meant to be able to do but computers can't, like reading distorted images of letters. "Even user authentication can be automated." (Unix's curl command is so wonderfully flexible.)
"The hardest form to spam is that which requires manual authentication such as captchas. Or those where you have to reply to an email, click on a link in it; though that can be automated too. Those where you have to register and click on links, they're hard as well. And if you change the folder names where things usually reside, that's a challenge, because you just gather lists of installations' folder names."
For Sam, every day brings more challenges. Not just from the angry bloggers; nor only from the search engines coming up with new algorithms and HTTP tags. There's all the other link spammers too. "It's like a 1500-metre race. You get a little bit ahead but then the others catch up," says Sam. But he's confident he'll stay in what is primly called the "search engine optimisation" business for a while yet.
Why? Because the demand exists. "The reality is that people purchase Viagra, they require porn, they gamble online. When people do that, there's money being made." And if this sounds suspiciously like an "ends justify means" argument to you - it does to us too. But Sam doesn't mind. He's just adding a few thousand more blogs to his list and readying the next spam run. Nothing personal. ®