Kris Wallsmith

Symfony Guru at opensky.com.
Discussing web development, Symfony and fatherhood.

Posts tagged twitter

Jul 29

How to Spam Twitter in 3 Easy Steps (or, The Death of Twitter)

Despite the fleeting “spammers perish” event a few days ago, my Twitter profile is still overrun by spammy followers. This is really bugging me. I’ve been forced to switch notifications off, and my stop_jackin_it.php script isn’t working because the /blocks/create API method is broken. This will be the downfall of Twitter if it isn’t contained.

So you want to be a spammer too?

I’m going to explain how I would replicate this attack in an attempt to move this conversation forward. I’ve spent way too much time thinking about this and writing this article, considering I don’t get a dime from Twitter. It’s my user loyalty that has me putting this time in, but that won’t last too much longer.

Anyway, here’s how I would reproduce what’s going on:

  1. Create a bunch of fake accounts and have them follow each other so they look credible. About 200-300 followers should do the trick. Twitter has a captcha in place, so the signup process will require human eyes, but you should be able to handle this by having just a handful of people create 10-20 accounts a day. If you’re a gung-ho spammer, you could also come up with a crowd-sourcing scheme to get the job done.
  2. Scrape tweets from the public timeline into a database. Keep track of when each tweet was created though — you’ll want to wait at least 3 weeks before replaying so the source tweet is expunged from Twitter’s search index.
  3. Once you’ve held onto a tweet for 3 weeks, have about half-a-dozen of your spam soldiers replay this tweet. Have one or two of them include a link to your porn site, minified by, say, xurl [dot] jp. Here are some examples.

That’s it!

What is Twitter doing about this?

Twitter doesn’t seem to be doing much about this. I lost some followers to “spammers perish,” but they were quickly replaced by many more. If Twitter wants to beat this, I suggest they do one of the following:

  1. Fix the API! Goodness gracious, why doesn’t /blocks/create work yet? An ambitious developer could get a really nice spam blocking SaaS up and running pretty easily if this method actually worked.
  2. Delete these accounts for us. This ongoing attack is using xurl [dot] jp exclusively, for some reason, so this should be pretty easy. You could even take advantage of the shortening service’s API to confirm abuse.
  3. Hire me to do it.

I hope this can be resolved soon. I’m losing interest in Twitter by the day.


Jul 20

stop_jackin_it.php

I’ve been getting inundated by followers who appear to be normal people with a healthy number of followers, but have links to xurl.jp spiced throughout their timeline which resolve to… wait for it… porn.

I’m sick of it. So I did something about it. I cronned this script on my computer and you should too. It will run a search for the string xurl.jp and block anyone posting links to this site. It will only deal with this particular spammer, but it’s better than doing this manually.

The best part about it is the blocks.create method isn’t rate-limited. Thanks Twitter!

Hopefully you won’t lose too many followers! I think I lost about 10…
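As an added illustration (my own code, not the stop_jackin_it.php script from this post), here is the detection side of both posts in Python: it flags accounts that replay somebody else’s tweet three or more weeks later, the pattern described in the earlier post, and picks out only those that attach an xurl.jp link, which is what the script above blocks. The tweets, user names and timestamps are constructed sample data; the Twitter search and blocks/create calls themselves are left out.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

SHORTENER = "xurl.jp"              # the shortener domain the posts single out
REPLAY_DELAY = timedelta(weeks=3)  # replays wait until the source drops out of search

# Constructed sample timeline (user, text, created_at); not real tweets.
SAMPLE_TWEETS = [
    ("alice",  "Just deployed the new release, fingers crossed!", "2009-06-25T10:00:00"),
    ("bob",    "Coffee first, then code.",                        "2009-06-26T08:30:00"),
    ("carol",  "Coffee first, then code.",                        "2009-06-26T09:00:00"),
    ("spam_a", "Just deployed the new release, fingers crossed!", "2009-07-18T10:05:00"),
    ("spam_b", "Just deployed the new release, fingers crossed! http://xurl.jp/abc", "2009-07-18T10:07:00"),
    ("spam_c", "Coffee first, then code. http://xurl.jp/xyz",     "2009-07-20T09:00:00"),
]

def link_domains(text):
    """Host names of every http(s) link in a tweet."""
    return [d.lower() for d in re.findall(r"https?://([^/\s]+)", text)]

def normalize(text):
    """Strip links, case and extra whitespace so a replayed tweet matches its source."""
    stripped = re.sub(r"https?://\S+", "", text)
    return " ".join(stripped.lower().split())

def find_replays(tweets, min_age=REPLAY_DELAY):
    """Tweets whose normalised text repeats an earlier tweet by a different user
    at least min_age later. Returns (replayer, source_user, replayed_text)."""
    by_text = defaultdict(list)
    for user, text, created in tweets:
        by_text[normalize(text)].append((datetime.fromisoformat(created), user, text))
    replays = []
    for group in by_text.values():
        group.sort()  # earliest occurrence is treated as the genuine source
        first_at, first_user, _ = group[0]
        for created, user, text in group[1:]:
            if user != first_user and created - first_at >= min_age:
                replays.append((user, first_user, text))
    return replays

def accounts_to_block(tweets, shortener=SHORTENER):
    """Replayers that also attached a link on the flagged shortener domain."""
    return sorted({user for user, _, text in find_replays(tweets)
                   if shortener in link_domains(text)})

if __name__ == "__main__":
    print(find_replays(SAMPLE_TWEETS))
    print("block:", accounts_to_block(SAMPLE_TWEETS))
```

Note that carol, who echoed bob’s tweet half an hour later, is not flagged: the three-week gap is what separates a replay from an ordinary repeat.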

Important!

Please don’t include the text xurl.jp in any tweets about this post, or my script will block you too!