Anticipating RSS Spam

by Marc Hedlund

We've seen Usenet spam, email spam, search engine spam, IM spam, and Weblog comment spam -- how long will it take before we see RSS spam?

My RSS aggregator looks for new items and lets me know when a new item appears on a feed I read. It's easy to imagine a very malicious feed that would simply make its entries appear "new" every time: change them subtly, report that they were just written, or whatever, so that its items always show up in my aggregator. Against that, I'd just unsubscribe. This "Fake New Item" approach could be used more subtly, though, so that I'd be less likely to unsubscribe. Say a news site wants to include an advertising entry amongst its news entries; they could set it up so that the ad shows up as new four times a day.

The Fake New Item approach could be used more easily with superaggregators, sites that bring together many RSS feeds and republish them as an aggregate. Centralized distribution means centralized response, but if a simple feeder wants to show its articles as new (slightly changed) twice a day, that might be hard to detect.

My aggregator currently displays HTML and follows redirects. An RSS Web Bug is already completely feasible -- want to know how many people are really reading your feed? I haven't seen a pop-up ad out of a feed, yet, but that doesn't seem far off -- if the pop-up goes to the background, which feed produced it? (There are other types of attacks possible, too, if RSS readers become more like full browsers.)
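One aggregator-side check for the "Fake New Item" trick described above, as an added example that is not part of the original post: items are fingerprinted on their normalized text (markup, digits and whitespace stripped) rather than on their pubDate or GUID, so an entry that keeps resurfacing with a fresh date and a cosmetic edit is flagged. The feed items and the `FeedState`/`process_feed` names are constructed for this illustration.

```python
import hashlib
import html
import re
from datetime import datetime

TAG_RE = re.compile(r"<[^>]+>")


def canonical_fingerprint(title, description):
    """Hash the item text after removing markup, digits (timestamps, prices),
    punctuation and case, so small cosmetic edits map to the same value."""
    text = html.unescape(TAG_RE.sub(" ", f"{title} {description}"))
    text = re.sub(r"\d", "", text)
    text = re.sub(r"\W+", " ", text).strip().lower()
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class FeedState:
    """Per-feed memory of fingerprints seen and how often each 'came back new'."""

    def __init__(self):
        self.seen = {}  # fingerprint -> {"first": pubDate, "resurfaced": count}

    def classify(self, item):
        fp = canonical_fingerprint(item["title"], item["description"])
        pub = item["pubDate"]
        if fp not in self.seen:
            self.seen[fp] = {"first": pub, "resurfaced": 0}
            return "new"
        rec = self.seen[fp]
        if pub > rec["first"]:        # same content, newer claimed date
            rec["resurfaced"] += 1
            return "resurfaced"
        return "unchanged"            # ordinary re-delivery on a later poll


def process_feed(items, state=None):
    """Classify items in poll order; returns (verdicts, state)."""
    if state is None:
        state = FeedState()
    return [state.classify(it) for it in items], state


def resurfacing_fingerprints(state, min_times=2):
    """Fingerprints that have been re-dated 'new' at least min_times times."""
    return {fp for fp, rec in state.seen.items() if rec["resurfaced"] >= min_times}


# Constructed sample: one news item, and one ad that is re-dated three times
# with only the markup and an embedded clock changing between copies.
SAMPLE_POLLS = [
    {"title": "Widget Co releases v2", "description": "<p>Widget Co today released v2.</p>",
     "pubDate": datetime(2004, 3, 24, 8, 0)},
    {"title": "Sponsored: Widget Sale!", "description": "<p>Buy widgets now, 20% off. Posted 08:00</p>",
     "pubDate": datetime(2004, 3, 24, 8, 0)},
    {"title": "Sponsored: Widget Sale!", "description": "<p>Buy widgets now, 20% off. Posted 14:00</p>",
     "pubDate": datetime(2004, 3, 24, 14, 0)},
    {"title": "Sponsored: Widget Sale!", "description": "<b>Buy widgets now,</b> 20% off. Posted 20:00",
     "pubDate": datetime(2004, 3, 24, 20, 0)},
    {"title": "Widget Co releases v2", "description": "<p>Widget Co today released v2.</p>",
     "pubDate": datetime(2004, 3, 24, 8, 0)},
]

if __name__ == "__main__":
    verdicts, state = process_feed(SAMPLE_POLLS)
    print(verdicts, resurfacing_fingerprints(state))
```

A superaggregator can apply the same state per source feed and downrank or drop feeds whose resurfacing count climbs.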

Those are a few I thought of. Anyone have other ideas? More importantly, since this is still a young format, is there anything that should change now to stem whatever ideas we think will occur to the spammers a month or a year from now?


2004-03-24 02:37:31
only one thing will stop spammers
and that's a negative business incentive.
In other words, as long as it's less costly to spam than the probable income (however low, remember email spam is profitable from as few as one in a hundred thousand responses!) they'll continue to spam.

The only way I see to stem the flow is to incur a cost to sending traffic.
In the case of email it may be too late, and maybe for RSS also by now however young it is.
Some sort of mechanism would have to be found by which the sender pays the receiver for each sent item. When the receiver is also a sender himself it could be set up so that the balance is automatically calculated in order to prevent a huge number of microtransactions (this seems the most likely thing that could possibly work for email if enough ISPs cooperate).
Non-paid feeds would still be available, but use at your own risk.
If the sender pays that does several things:
1) it makes him more likely to vigorously check his systems for exploits that spammers could use to spam through him
2) it makes him think twice about spamming himself
3) it makes him think twice about posting trivialities.

All would reduce the amount of garbage sent.

2004-03-24 03:36:27
Report abuse
For aggregator services, you can report abuse to them. They can blacklist those feeds that exhibit this kind of spam behaviour.
2004-03-24 11:21:48
Safeguards against Blog Spam
For my blog aggregator display, I use RegEx to strip HTML tags out of the text from blogs before they are displayed to avoid scripting.

I also have a http referer display where I show which pages linked to my blog. I find that very often the referer was a link to a p0rn site or some other mass marketing site. I maintain a list of these unwanted referers (which actually have no link or other association to my blog), and then filter the referers through the list before displaying them.

Steven Erat

2004-03-24 16:05:25
Branded XML Readers
I have found that a lot of marketers are getting fed up with declining open and click rates with their opt-in email newsletters, and are now turning to RSS or Atom feeds for a solution.

I recently have developed a branded XML reader which allows publishers to preload feeds and even brand my reader as their own. I have had lots of interest already...

I think that quality B2B websites appreciate the need to guarantee that their content gets through to viewers who want to receive it, and XML is one of the only ways left to guarantee content delivery, assuming a live Net connection.

2004-03-25 07:06:45
Different than ads on mailing lists?
How is this significantly different from ads on a one-to-many mailing list?

I am on a bunch of mailing lists where all the posts come from one person distributing links, articles of interest, etc.

If that person injected enough ads into the message stream to be annoying, I would unsubscribe from the list.

Same thing with an ad-infested RSS feed. If it becomes annoying, you don't read the feed anymore.

2004-03-25 21:55:03
I don't get it
With RSS feeds, content doesn't come to me unless I explicitly have it fetched by subscribing to a feed. But unlike Usenet, I don't subscribe to a public forum; content comes from a single author, or a fixed group of them.

I don't really see why webbugs would be much of a concern, either. Webbugged mail comes to its recipient unrequested; webbugged feeds are explicitly polled by the reader. There isn't much to gain from webbugs beyond the information you already have.

Sure, the content might come with ads. That's about as far as things can go.

2004-03-26 13:03:03
glad to see someone else thinking about this.
The threat model here is pretty trivial to figure out. I expect spammers are already working on tools. I've been thinking about the problem for a little while as well:

Unfortunately, it doesn't look like anyone is listening.

2004-03-26 13:07:02
glad to see someone else thinking about this.
Great references, thanks for posting them. You've got better examples than the ones I imagined.