Sunday, March 18. 2007
I logged in to MySpace today to see the list of spambots that sent me friend requests and came across a particularly interesting one: Jake.
Apparently, Jake is from "A Small Town, Illinois, United States," he's gay, single, and someday looking for children. Nothing too surprising. His profile pictures are of "him" playing football. Anyway, a quick skim of his profile drew my eye to a PayPal "Make a Donation" button, so I read the profile just out of curiosity. It's quite a smart scam: you bot through a bunch of gay people with the profile of a gay, young, teenage, cute kid with a sob story. Some of the highlights:
- Mom and dad are divorced.
- Mom's on disability
- He works part time.
- Deadbeat dad.
- Can't afford college loans/grants (ya right)
- Has a younger brother, and mom needs to support him too.
- Would switch states to go to college so he can send money back to mom
- In special education
- Volunteers at a hospital (wow, plus going to school and working to support your mom?)
- Only has five pairs of underwear
- Some dress pants
- Some jeans
- Some dress shirts
- Has faith
- Wants to be a teacher
Wow, he's poor, goes to high school, is in special education, works a part time job, plays football, and volunteers at a hospital. Wonder when he finds time to log in to MySpace or pay for his internet connection. It takes a lot of courage to want to completely leave your entire family behind (all of whom you're supporting, excepting your father) to go to school in a state a thousand miles away. Guess I should make a donation, right? Heh :P
+2 points for creativity, though. Not that bad for a scammer... he should have toned it down a bit, but as Hitler said, people are more likely to believe the really big lies than the modest ones.
By the way, for those who want to spot spam/scam profiles in the future:
- Look for high user IDs. A high user ID means the user has recently registered, since MySpace's IDs are sequential. Check the address bar and you'll find a string like "friendid=169553349" in the URL. That means that his account is the 169,553,349th INSERT to MySpace's database. This is relatively high, and if you stick it into a growth formula, it means he probably registered within the last month or so. My profile ID is 4,168,972, and I registered a few years ago. High IDs generally mean spammers, whereas if a low ID has been able to survive for this long, it's probably someone real.
- Content of comments. If their friends comment with non-personal comments, then be wary. Lots of "thanks for the add"s are suspicious, whereas a lot of "dude, you were so drunk last night"s probably mean real people.
- Friend locus. Usually, people's top friends/most active friends tend to be from one or two primary locations. That is, most of the time, friends will come from only one or two cities or states, as friends lists tend to mimic real-life relationships. The exceptions to this are the internet diva-types, who only select top friends/friends in general from the hottest/smartest/sexiest/whatever-est people they find. Of course, their profiles tend to be more wild anyway. Also check for friend reciprocation. If the people on the top list don't reciprocate the top friendship, it's another yellow flag.
- Heterogeny of pictures. If the pictures of a person could have all been taken at one time (ex, "Jake" playing football), be wary. It's a little harder for fakers to locate widely varying pictures of the exact same person (much less alone) and upload them accordingly.
- Picture nature. Blurry pictures, or thumbnail-sized full versions are big red flags. The former is used to fix the heterogeny problem, whereas the latter is sloppiness from right click saving pictures on other profiles.
- Friend content. Most people don't add 50 year olds to their friends list alongside 19 year olds. There are exceptions (ie, if someone's a family member/co-worker), but it's less likely.
- Comment frequency. Spambots tend to get a bunch of "thanks for the add" comments in a short period of time, while not giving any back.
- Incomplete profiles. Misbalanced profiles, for example weighting everything to the about me/like to meet blocks, is pretty suspicious. Most legitimate people also include stuff in their interests block (eg, movies, books, heroes, etc).
- No blogs. A lot of people simply don't use the blog feature, but those that do are generally legit.
- Donation button. Definitely a recent addition :P Though, normally, I've seen from legitimate users offers for exchanges of tangible goods, normally worn by them to advertise it. The most frequent that real people use is a t-shirt from a shake-n-bake t-shirt site. It's a red flag, however, if they have less than a thousand friends, as most people who think they can make money off their profiles have thousands of friends who religiously visit their profile.
- Headline/name trends. People who have off-the-wall names (such as "Yer Dumb" and "!*!HOTBOI!*!") are more likely to be real than people with really common names like "Jake," "Britney," and "Jessica." Granted, I hate the off-the-wall names, but whatever. :P
- Seductive primary pictures. Think about how you'd make a face at the camera if you were a porn star selling the cover of a porno. That's the type of picture I'm talking about. Most of the time, these are spammers, and they recycle the same photo across their spam bot legs.
- Lots of links to only one place. Normally these are promos for a porn site of sorts or simply an account phishing site. Most real people only have a small handful of links in their profiles, and normally if they have more, they're to Alexa-ranked sites that have medium to high traffic (such as YouTube).
- Image hotlink source. Image hotlinks (that is, adding img html tags that reference a site elsewhere) normally come from well-known image hosting sites, such as imageshack.us or photobucket if the user is legit. Spam bots normally do not use these services, as the influx of requests to the images they upload throw red flags and get the image yanked.
- Image fingerprints. This is more of an automated check against pictures, but you can load up a particular image, decompress it, and check areas for certain traits. For example, large, high quality pictures are more likely to be legit, as they suggest the user uploaded it directly from his camera. Airbrush signatures within a textured field (ie, minutely detextured areas) also suggest legit users who have altered their picture to make themselves look hotter/more fashionable. Black/white pictures that match a living-subject portrait fingerprint (ie, someone who's taking a black/white picture of themselves) are also more legit, as spambots tend to use full-color pictures. Black/white with ranged highlights (e.g., black and white except for a red hat) also tend to be more legit, but mainly in the context of larger friend bases. Reposted images match fingerprints of other users' uploaded images, and are highly suspicious. After all, if one person uploads a picture of himself, then 3 months down the road another profile uploads that same picture, the second, newer profile is most likely fake.
This list is far from complete, and there are a lot more technical factors, but they're less easy to explain unless you know what things like cyclic hashes, jpeg compression, and regexes mean. Also, no one factor can predict whether a profile is spam/fake; instead, they should be viewed as a whole using a heuristic, weighted system. That is, someone who, say, uploads an image that's already been uploaded could just as easily be another person in the picture who said, "oh, lol, that was a great pic of us, I should put it on my profile as well." However, if someone uploads pictures already uploaded, then also copies over paragraph blocks from other profiles, makes tons of off-site links and has a high user id, the factors taken together would suggest a greater chance of it being a spam/fake profile.
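The weighted approach described above, sketched as an added example (this is not the author's scripts): the signal names, weights, thresholds, ID cut-off and sample profiles are all constructed assumptions, and an exact digest match stands in for real image fingerprinting.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Weights and thresholds are illustrative assumptions, not values from the post.
WEIGHTS = {"high_user_id": 2.0, "generic_comments": 1.5, "single_link_target": 2.0,
           "donation_small_network": 1.5, "reposted_image": 2.5, "empty_interests": 1.0}
GENERIC = re.compile(r"thanks?\s+for\s+the\s+add|thx\s+4\s+the\s+add", re.I)

def signals(p, recent_id_floor, known_digests):
    """Evaluate each heuristic from the list as an independent boolean."""
    comments, links = p["comments"], p["links"]
    generic = sum(bool(GENERIC.search(c)) for c in comments)
    top_host = Counter(urlparse(u).hostname for u in links).most_common(1)
    return {
        # Sequential IDs: anything above the floor registered recently.
        "high_user_id": p["friend_id"] >= recent_id_floor,
        "generic_comments": len(comments) >= 3 and generic / len(comments) > 0.6,
        # "Lots of links to only one place": one host dominates the off-site links.
        "single_link_target": len(links) >= 4 and top_host[0][1] / len(links) > 0.75,
        "donation_small_network": p["donation_button"] and p["friend_count"] < 1000,
        # Exact digest match stands in for real image fingerprinting.
        "reposted_image": any(d in known_digests for d in p["image_digests"]),
        "empty_interests": not p["interests"],
    }

def score(p, recent_id_floor, known_digests):
    """Return (score in [0, 1], names of the signals that fired)."""
    fired = [k for k, v in signals(p, recent_id_floor, known_digests).items() if v]
    return sum(WEIGHTS[k] for k in fired) / sum(WEIGHTS.values()), fired

# Constructed sample data (not real profiles, apart from the two IDs quoted in the post).
KNOWN = {"digest-of-earlier-upload"}
FLOOR = 165_000_000  # assumed cut-off for "registered recently"
suspect = {"friend_id": 169553349, "friend_count": 212, "donation_button": True,
           "interests": {}, "image_digests": ["digest-of-earlier-upload"],
           "comments": ["Thanks for the add!", "thx 4 the add", "thanks for the add :)"],
           "links": ["http://donate.example/a", "http://donate.example/b",
                     "http://donate.example/c", "http://donate.example/d"]}
regular = {"friend_id": 4168972, "friend_count": 180, "donation_button": False,
           "interests": {"movies": "lots"}, "image_digests": ["digest-of-earlier-upload"],
           "comments": ["dude, you were so drunk last night", "thanks for the add",
                        "see you saturday"],
           "links": ["http://www.youtube.com/watch?v=example"]}

if __name__ == "__main__":
    for name, prof in (("suspect", suspect), ("regular", regular)):
        print(name, score(prof, FLOOR, KNOWN))
```

The second profile reposts the same image as the first but trips no other signal, so it stays well below any sensible review threshold, which is the point of weighing the factors together.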
If you're interested, I'm working on a collection of scripts for analyzing given profiles to determine certain things about them (including the chance of them being spam/dangerous/pedo/psycho). If you're interested in helping out, drop me a line.
Cheers.