Monday, July 27, 2009

Spam is getting stranger and stranger

I received the following message via IM spam: 

"The world of Mexican midget wrestling is in mourning after two of its most famous stars were apparently poisoned by fake prostitutes." 

This sounds like a randomly chosen headline, but I wonder what reason the spammer has to send a message without any link or other ad type content. 

The headline is an actual story.

Saturday, July 25, 2009

Making the case for shared authorization in twitter

Currently there are a few methods available to authenticate users on 3rd party sites via twitter. I'd like to make a strong case for two of these.

  • The simplest solution is for a 3rd party site to ask for your twitter username and password so that they can access the account via the twitter API and do whatever is necessary, e.g. post messages on your behalf. This will work until you change your password.
  • The second solution is to ask for the username only, have you follow them and send you a DM with a secret token that you can enter on their web page. This is a rather smart solution if the site has to check that you are actually who you claim to be, but the site doesn't get access to the account via the twitter API and cannot post messages or change settings. For sites that gather statistics this may be sufficient nonetheless.
  • The third solution is to redirect the page to a twitter API URL that then asks you to log in and gives the site feedback that the account has logged in. This means that the site cannot keep your credentials and e.g. post messages, but it can access data from your account after the login. Due to the way a browser caches login/passwords, you cannot log out unless you close your browser. However, it may be possible to log out by redirecting to a logout URL (I haven't checked if that works with twitter).
  • The fourth solution is to use OAuth. This basically means that the 3rd party site sends a challenge to which returns with an authentication reply after it has asked you, once you have logged in, whether you want to allow the 3rd party site to access your account. This means that the site can access your account and even post messages without knowing the password, since the site can keep the authentication token even after you have logged out. When you no longer want a service to access your account, you can block the application in the twitter settings. However, most sites drop the authentication when their session expires, so you will be asked for confirmation again the next time.

Depending on what services a site offers, the choice of each of the methods makes sense. I would prefer sites that do not require the user to disclose the account password; however, some very prominent sites currently do (e.g.

When using a 3rd party site that asks you for your password, you have one important issue: if you are using a tool for phishing protection like pwdhash, the password will not be the same on the alternate site, so you have to calculate the pw hash in advance and enter it manually. pwdhash works as usual with OAuth, since the password is only entered on the actual site.
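As an added illustration (not code from the post), here is how the second method, a one-time token delivered by direct message, can be implemented on the 3rd party site's side so that the site never handles the account password. The send_dm callback, the token lifetime and the attempt limit are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # constructed: how long a DM'd token stays valid
MAX_ATTEMPTS = 5              # constructed: wrong guesses before the token is discarded


class DmTokenVerifier:
    """Proves that a visitor controls a twitter account without the site ever
    seeing the password: the site asks for the username only, has the user
    follow it so it can DM them, sends a one-time token by direct message, and
    later checks the token the visitor types into its web page."""

    def __init__(self, send_dm, now=time.time):
        self._send_dm = send_dm   # hypothetical callable(username, text); not a twitter API
        self._now = now           # injectable clock, so tests can expire tokens
        self._pending = {}        # username -> [sha256(token), expiry, failed attempts]

    def start(self, username):
        token = secrets.token_urlsafe(16)
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Only the hash is kept, so a leaked database does not expose live tokens.
        self._pending[username] = [digest, self._now() + TOKEN_TTL_SECONDS, 0]
        self._send_dm(username, f"Your verification code is {token}")
        return token  # returned only so the caller can simulate the DM in tests

    def verify(self, username, token):
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expiry, attempts = entry
        if self._now() > expiry:
            del self._pending[username]          # expired: force a fresh DM
            return False
        candidate = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(candidate, digest):
            entry[2] = attempts + 1              # constant-time compare, count the miss
            if entry[2] >= MAX_ATTEMPTS:
                del self._pending[username]      # stop online guessing
            return False
        del self._pending[username]              # single use: consumed on success
        return True
```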

Spam accounts are getting more difficult to spot

It seems that spam accounts have adopted a new way to appear valid (or I just noticed it; maybe it's not that new): they copy valid tweets from different users before sending the usual "here are my naked pictures".

Take a look at one example:


Click to view my naked profile
less than 20 seconds ago from web

@onlymehdi He is not alone, God is there, keeping him strong, his heart is full and our love/prayers sent to nourish him. #iranelection
half a minute ago from web

Follow Friday! @DavidArchie, @ddlovato, @Shontelle_Layne, @ muckytown @TheRealJordin, @TheDannyNoriega! :D
less than a minute ago from web

RT @TheTorchTheatre: Sunday! @bookmans sponsors The Improvised Bookclub! This month: Harry Potter & The 1/2 Blood Prince! @Space55, 7pm!
1 minute ago from web 

The most recent tweet contains a spam link; the other ones are copies of tweets posted a few hours earlier. Since the user starts mass following before the spam tweet is posted, you will not recognize this immediately.
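An added example, not from the original post, of the detection logic a defender could run over a suspicious account's timeline: it flags an account whose newest tweet carries a link while its earlier tweets are verbatim copies of older tweets by other users. The accounts and tweet texts below are constructed sample data, not the ones quoted above.

```python
import re
from collections import namedtuple

# Constructed sample type; ts is a timestamp in seconds, larger means newer.
Tweet = namedtuple("Tweet", "author text ts")

URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.I)

def normalize(text):
    """Lower-case and collapse whitespace so trivial edits do not defeat the match."""
    return " ".join(text.lower().split())

def copied_tweets(candidate, corpus):
    """Return the candidate's tweets whose text some other account posted earlier."""
    earliest = {}
    for t in corpus:
        key = normalize(t.text)
        if key not in earliest or t.ts < earliest[key].ts:
            earliest[key] = t
    copies = []
    for t in corpus:
        if t.author != candidate:
            continue
        original = earliest[normalize(t.text)]
        if original.author != candidate and original.ts < t.ts:
            copies.append(t)
    return copies

def looks_like_copycat_spammer(candidate, corpus, min_copy_ratio=0.5):
    """Newest tweet carries a link and most earlier tweets are copies: flag it."""
    mine = sorted((t for t in corpus if t.author == candidate), key=lambda t: t.ts)
    if len(mine) < 2:
        return False
    newest, older = mine[-1], mine[:-1]
    copies = set(copied_tweets(candidate, corpus))
    ratio = sum(1 for t in older if t in copies) / len(older)
    return bool(URL_RE.search(newest.text)) and ratio >= min_copy_ratio

SAMPLE = [  # constructed accounts and texts
    Tweet("theatre_fan", "RT @sometheatre: Sunday! The Improvised Bookclub, 7pm!", 100),
    Tweet("friend_of_m", "He is not alone, our prayers are with him. #iranelection", 200),
    Tweet("ff_regular", "Follow Friday! @alice, @bob, @carol :D", 300),
    Tweet("pics4u", "RT @sometheatre: Sunday! The Improvised Bookclub, 7pm!", 5000),
    Tweet("pics4u", "he is not alone, our prayers are with him.  #iranelection", 5060),
    Tweet("pics4u", "Follow Friday! @alice, @bob, @carol :D", 5100),
    Tweet("pics4u", "Click to view my naked profile http://pics.example/me", 5130),
    Tweet("theatre_fan", "See you all at the show tonight!", 5200),
]
```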

Thursday, July 23, 2009

Follow services may be even worse than they appear

As you may have noticed from a previous post, I am not a fan of follow services; however, it turns out that the services may be even worse than they claim to be.

The current approach of the services requires each user to enter their username and password, so that the service can use each user's account to post adverts (thinly disguised as praise; just use twitter search to find the identical copies of the posts). This raises some questions about the security of the sites, since nobody knows what the account will be used for.

As a test run, I have created a new account and registered it with the different follow services to check if this actually yields results and how much spam is posted (I will write a more elaborate summary of how it actually worked, until now it is not looking good).

One very odd thing happened during my tests: the account password was changed twice and the email address received a series of password reset mails, so either an automation script is calling the wrong page or somebody is trying to compromise the account when the password is no longer working.

I will try to investigate which site is abusing the account and changing the password. At any rate, this means that the services cannot be trusted.

Saturday, July 18, 2009

"Follower services" to stay clear of

You will occasionally see tweets recommending services that promise a lot of followers by joining and then following the users that are listed on that site. This may seem like a good idea at first, but please consider the following caveats.
  • First of all, you are giving the service your twitter username and password and are giving them permission to send advertisement tweets as long as you are member of the service
  • To comply with the rules of the respective site, you have to follow everybody, which will leave you with a lot of "marketing" accounts that probably want to spam you even further
  • You will probably follow considerably more users than you receive followers, regardless of what the site claims
  • The followers you get are not topically interested in you; they are just following you because they joined the same site
  • If you want to buy the "VIP" membership of such a site, keep in mind that the services may be rather short-lived and you will probably not get any refund when the site goes down (see sample list below)
All in all, I would suggest not joining any of the sites. If you have already joined, cancel your membership and change your password (if you cannot cancel your membership, just change the password and complain to about the abuse).
Sites operating with the same concept include the following (some of these sites are exact copies of each other with exchanged service names):
Feel free to visit any of the sites, I just wouldn't suggest them.

There are also quite a few more domains that forward to one of the services via an affiliate link, so if you end up at a domain from the list above with an added referral id, the same caveat applies, obviously.
The reason behind this is obvious: the services want to avoid becoming blacklisted.
(Updated 07/25/09)

Friday, July 10, 2009

New statistics

statistics from let's see how this works out.

Also I have set up a account.

Saturday, July 4, 2009

Getting your invite Link on

It seems that currently your own invite link isn't shown on the site, here is my short solution to figure out your own link:

Send an invite to one of your followers from the page "Recruit", then go to, click on "Direct Messages" and on "Sent". You should see a message to your follower containing a URL, this is your invite link.

Friday, July 3, 2009

kill file feature similar to newsreaders for twitter

There are usually a few tweets by given users that I want to ignore without unfollowing the user. It would be very useful to be able to ignore tweets based on substring patterns or regexps, either for a given user or for all users.

The same could be useful for highlighting certain tweets.

This could be implemented either on the service itself (webpage and API) or in 3rd party applications, e.g. Tweetdeck.
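As an added example (not part of the proposal, and not a twitter or Tweetdeck feature), a small kill file implementation for the filtering described above: rules match a substring or regexp, for one user or for all, and can either ignore or highlight a tweet. The rule syntax is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed rule format:  ignore /regex/   |   ignore @user "substring"
#                           highlight /regex/ (same optional @user prefix)
# Blank lines and lines starting with # are skipped.
RULE_RE = re.compile(r'^(ignore|highlight)\s+(?:@(\S+)\s+)?(?:/(.+)/|"([^"]*)")$')

@dataclass
class Rule:
    action: str            # "ignore" or "highlight"
    pattern: re.Pattern    # matched against the tweet text, case-insensitively
    user: Optional[str]    # lower-cased username, or None for all users

def parse_killfile(text):
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"killfile line {lineno}: cannot parse {line!r}")
        action, user, regex, literal = m.groups()
        # A quoted substring is escaped so it is matched literally, not as a regex.
        pattern = re.compile(regex if regex is not None else re.escape(literal), re.I)
        rules.append(Rule(action, pattern, user.lower() if user else None))
    return rules

def classify(rules, author, text):
    """First matching rule wins; returns "ignore", "highlight" or "show"."""
    for rule in rules:
        if rule.user is not None and rule.user != author.lower():
            continue
        if rule.pattern.search(text):
            return rule.action
    return "show"

def filter_timeline(rules, tweets):
    """Drop ignored tweets and tag the rest; tweets are (author, text) pairs."""
    tagged = [(classify(rules, a, t), a, t) for a, t in tweets]
    return [entry for entry in tagged if entry[0] != "ignore"]

SAMPLE_KILLFILE = """
# constructed sample rules
ignore @dailydeals "sale"
ignore /followers? for free/
highlight /#iranelection/
"""
```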

I have proposed this on getsatisfaction/twitter and on

Let's see how this turns out.