Tag Archives: spam

abuse Blog blogging comment spam compliment spam Google how-to PageRank plugin scam security SEO social software spyware trust Twitter web-development webspam WordPress

How spam and malware botnets work – two papers

Blog, , , , , ,

I read two reports today about large-scale botnets that really pointed out that security is still an open problem on the web. Recently, researchers got access to a nasty botnet, Torpig (original paper: Your Botnet is My Botnet: Analysis of a Botnet Takeover). A few months earlier researchers hijacked the Storm Worm and looked at its profitability (original paper: Spamalytics: An Empirical Analysis of Spam Marketing Conversion). Both papers are fascinating, but terrifying reads.

Some findings:

  • In 10 days, a botnet running on 160,000 machines stole credentials for over 8,000 bank accounts.
  • About 1 in 10 people who open a spam email click through to get infected by the malware.
  • 350 million spam emails resulted in only 28 sales, but the average purchase was $100.

How do these botnets get control of machines? How do they make money? Whether it’s a spammer who needs to get someone to make a purchase on a website or a scammer stealing credit card numbers, passwords, and other information, ultimately you need to get someone to a bad website. Think about all the paths you might take to different sites during the day:

  • Via a web search
  • Clicking on a link in an email
  • Going directly to a favorite site
  • Clicking through an ad

Spammers and scammers try to take advantage of all of those methods, and given the huge volumes of machines at their disposal, it’s a wonder search engines, spam filters, and advertising systems protect users as well as they do now. Between the first and third bullet point above, there’s a huge motivation to hack otherwise good sites to inject drive-by download malware – it can happen to anyone.

So what can we do about it? I think it ultimately comes down to a combination of smarter automated methods, better ways to establish trustworthiness, and removing the economic incentives for spamming, identity theft, and hacking. I have a few posts in mind about some current tools that help with the trust issue and how we might be able to build a social web of trust.

This isn’t a new discussion, Tim Berners-Lee has been writing about the web of trust since the 1990s. But all the work done since then has yet to really solve these problems. And really, so long as a few people are willing to click on a malware link or buy drugs via a spam email, it will never stop.

Thoughts on Blog Usability

Blog, Usability, , , , , , , , , ,

DSC_0723 I’ve been kicking around the idea of redesigning my homepage and blog, though I’m not sure I really have the free time to do it. To start, I thought I would to put down a few thoughts about applying usability principles when designing blogs.

When you starting thinking about usability it’s temping to jump right into lists of principles and rules of thumb. It’s a little silly applying Fitt’s Law when you haven’t even established what you want your site to accomplish in the first place. So what, generally, do you want your blog to do?

Personal Goals

  • Share thoughts and work with others
  • Collect a body of work to represent myself (like a portfolio)
  • Collect information for later discovery (by myself and others)
  • Provide an outlet to continue practice writing
  • Allow others to communicate with me and comment

If you’re creating or redesigning a blog for a company, the goal set may be very different. Below are some examples that don’t actually apply in my case.

Business goals

  • Communicate with customers
  • Build long term relationships with customers
  • Produce quality content to drive search traffic
  • Generate revenue through advertising
  • Etc.

Many projects don’t even get this far before the graphic designers and web developers are already making mock-ups, but we still have one more important step to do. We know why you’re building a blog, but why are users coming to it?

Continue reading

Twitter user directories – Wefollow vs. Justtweetit vs. Twellow

Blog, , , , ,

I happened to notice Brian’s tweet that he is officially the sole authority on burritos in Twitter, at least according to Wefollow, a Twitter user directory.

Twitter is the only major service I can think of where sites have popped up to provide a function so basic as user directories. This is due in part to their great API, but also because they don’t provide any real functionality on their site. You can search for users individually and import your contacts, but the suggested user page seems uselessly weighted toward the most popular people on the entire site.

Who should I follow if I’m interested in usability or cartography or legume horticulture? I took a look at a few directories, which follow slightly different models:

justtweetit.com
– Has a list of predefined categories
– Each user can only be in one category
– Users are self submitted

wefollow.com
– Users can be tagged by any word or phrase, though the most popular show up as main categories on the home page
– Each user can use up to three tags
– Users are self submitted

twellow.com
– Has predefined categories, a large list that looks similar to Open Directory.
– Each user can be in up to 10 categories
– Seems to pick up users automatically, but users can add themselves to additional categories

My guess is the more specific the categories, the more useful the organization system will be. Wefollow gets points here for allowing open tagging but the front page, with such broad categories, isn’t as useful as the search or drill down pages. Twellow actually works pretty well, since the built-in category list is so extensive.

All three seem like they might be a bit open to abuse, since users can add themselves to the directory – with Twellow and Wefollow, at least they have to be logged in to their account to do so. But if I were a spammer and had found some way to use Twitter for spam, I could quickly add my spam accounts to these sites as well.

It would be really interesting to see a measure of quality other than just the number of followers. For example, if I say I’m in the haberdashery business, the system could check to see how often haberdashery shows up in my tweets – that could be a quality score for the classification, used in concert with number of followers, which is a proxy measure for the quality of my account.

Has anyone else used these directories, or others? Would you follow someone just because they’re the most popular person listed in your area of interest? Let me know in the comments below.