Latest on twitter:

July 29 2009

How to Spam Twitter in 3 Easy Steps (or, The Death of Twitter)

Despite the fleeting “spammers perish” event a few days ago, my Twitter profile is still overrun by spammy followers. This is really bugging me. I’ve been forced to switch notifications off, and my stop_jackin_it.php script isn’t working because the /blocks/create API method is broken. This will be the downfall of Twitter if it isn’t contained.

So you want to be a spammer too?

I’m going to explain how I would replicate this attack in an attempt to move this conversation forward. I’ve spent way too much time thinking about this and writing this article, considering I don’t get a dime from Twitter. It’s my user loyalty that has me putting this time in, but that won’t last too much longer.

Anyway, here’s how I would reproduce what’s going on:

  1. Create a bunch of fake accounts and have them follow each other so they look credible. About 200-300 followers should do the trick. Twitter has a captcha in place, so the signup process will require human eyes, but you should be able to handle this by having just a handful of people create 10-20 accounts a day. If you’re a gung-ho spammer, you could also come up with a crowd-sourcing scheme to get the job done.
  2. Scrape tweets from the public timeline into a database. Keep track of when each tweet was created though — you’ll want to wait at least 3 weeks before replaying so the source tweet is expunged from Twitter’s search index.
  3. Once you’ve held onto a tweet for 3 weeks, have about half-a-dozen of your spam soldiers replay this tweet. Have one or two of them include a link to your porn site, minified by, say, xurl [dot] jp. Here are some examples.

That’s it!

What is Twitter doing about this?

Twitter doesn’t seem to be doing much about this. I lost some followers to “spammers perish,” but they were quickly replaced by many more. If Twitter wants to beat this, I suggest they do one of the following:

  1. Fix the API! Goodness gracious, why doesn’t /blocks/create work yet? An ambitious developer could get a really nice spam blocking SaaS up and running pretty easily if this method actually worked.
  2. Delete these accounts for us. This ongoing attack is using xurl [dot] jp exclusively, for some reason, so this should be pretty easy. You could even take advantage of shortening service’s API to confirm abuse.
  3. Hire me to do it.

I hope this can be resolved soon. I’m losing interest in Twitter by the day.