Inside Craigslist's Increasingly Complicated Battle Against Spammers
from the spam-fight dept
John Nagle writes in with a fascinating dissection of the ongoing battle between Craigslist and spammers. The back-and-forth nature of this battle is fascinating — and somewhat disturbing when you realize the lengths to which spammers will go to get spam onto Craigslist, and the extent to which an entire ecosystem of scammers and software providers seems to have been built up around this effort:
“Spam on Craigslist has been a minor nuisance for years. Not any more. This year, the spammers started winning and are taking over Craigslist. Here’s how they did it. Craigslist tries to stop spamming by checking for duplicate submissions. They check for excessive posts from a single IP address. They require users to register with a valid E-mail address. They added a CAPTCHA to stop automated posting tools. And users can flag postings they recognize as spam.
Several commercial products are now available to overcome those little obstacles to bulk posting. A tool called CL Auto Posting Tool is one such product. It not only posts to Craigslist automatically, it has built-in strategies to overcome each Craigslist anti-spam mechanism.
Random text is added to each spam message to fool Craigslist’s duplicate message detector. IP proxy sites are used to post from a wide range of IP addresses. E-mail addresses for reply are Gmail accounts conveniently created by Jiffy Gmail Creator (“Who Else Wants to Create Unlimited Gmail Accounts in Seconds Flat Without Breaking a Sweat?”). An OCR system reads the obscured text in the CAPTCHA. Automatic monitoring detects when a posting has been flagged as spam and reposts it.
CL Auto Poster isn’t the only such tool. Other desktop software products are AdBomber and Ad Master. For spammers preferring a service-oriented approach, there’s ItsYourPost.
With these power tools, the defenses of Craigslist have been overrun. Some categories on Craigslist have become over 90% spam. The personals sections were the first to go, then the services categories, and more recently, the job postings.
Craigslist is fighting back. Its latest gimmick is phone verification. Posting in some categories now requires a callback phone call, with a password sent to the user either by voice or as an SMS message. Only one account is allowed per phone number. Spammers reacted by using VoIP numbers. Craigslist blocked those. Spammers tried using number-portability services like Grand Central and Tossable Digits. Craigslist blocked those. Spammers tried using their own free ringtone sites to get many users to accept the Craigslist verification call, then type in the password from the voice message. Craigslist hasn’t countered that trick yet.
It’s not clear yet who will win. Craigslist may find something that works. If it doesn’t, however, it could be toast for the success story of Craigslist.”
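The duplicate check and the random-text padding described in the quoted write-up, seen from the defender's side, as an added example that is not from the post or from Craigslist: an exact hash of the body misses postings padded with random filler, while k-word shingle containment still pairs them. The function names, the 0.7 threshold and the sample postings are assumptions constructed for illustration.

```python
import hashlib
import re

def exact_fingerprint(text):
    """Exact-duplicate check: SHA-256 of the lowercased, whitespace-normalized body."""
    norm = " ".join(text.lower().split())
    return hashlib.sha256(norm.encode("utf-8")).hexdigest()

def shingles(text, k=3):
    """Set of overlapping k-word shingles from the lowercased word sequence."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    if len(words) < k:
        return {tuple(words)} if words else set()
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}

def containment(a, b, k=3):
    """Share of the smaller posting's shingles that also occur in the other.

    Dividing by the smaller set keeps the score high when one copy carries
    extra filler, which would dilute a plain Jaccard ratio.
    """
    sa, sb = shingles(a, k), shingles(b, k)
    if not sa or not sb:
        return 0.0
    small, large = (sa, sb) if len(sa) <= len(sb) else (sb, sa)
    return len(small & large) / len(small)

def find_near_duplicates(postings, threshold=0.7, k=3):
    """Return (id_a, id_b, score) for each pair scoring at or above threshold."""
    ids = sorted(postings)
    hits = []
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            score = containment(postings[a], postings[b], k)
            if score >= threshold:
                hits.append((a, b, round(score, 2)))
    return hits

# Constructed sample postings (not real Craigslist data). p1 and p2 share a
# body and differ only in trailing random filler; p3 is an unrelated listing.
SAMPLE = {
    "p1": "Work from home and earn money fast. Call today for a free starter kit. xkqz 7731",
    "p2": "Work from home and earn money fast. Call today for a free starter kit. mwvb 0042 jrrt",
    "p3": "Selling a used mountain bike, good condition, new tires, pickup only in the evening.",
}

if __name__ == "__main__":
    print(exact_fingerprint(SAMPLE["p1"]) == exact_fingerprint(SAMPLE["p2"]))
    print(find_near_duplicates(SAMPLE))
```

The pairwise loop is quadratic in the number of postings; at site scale the same shingle sets would normally feed a sketch such as MinHash so that candidates can be looked up rather than compared one by one.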