Why do Spammers do this?

This isn’t a metaphysical question about good and evil. I’m really trying to understand what the motivation or payoff is.

Over the last week or so I have been experimenting with BuddyPress as a way of adding social networking features to SMUG. I’ve been impressed with the functionality. Now that I’ve learned some of what I was seeking to discover through the experiment, I have reverted back to the previous theme and disabled BuddyPress.

One of the settings I enabled in BuddyPress allowed visitors to sign up for an account here. They just had to fill out a form, like this (click any of the images to enlarge):

And then they would see a message which said they would be getting an email message with a link to confirm their registration:

When they clicked the link in the email, they would return to the site and see this confirmation:

Today I got a message from a helpful SMUGgle, Michelle Murray, who said she had gotten an “internal server error” message when trying to visit a curriculum post…and that the problem had happened a few times. So I decided to investigate. To cut to the chase, here’s what I discovered:

A whole bunch of new “users” whose names were eerily similar. The extent of the problem is shown in this closeup of the user totals, which you don’t need to click to see clearly:

After I had deleted 50 of them, here is the closeup of the user type breakdown:

In other words, my blog had essentially been the target of a Denial of Service attack by a spam bot creating nearly 6,400 accounts.

As I examined one of the profiles, it seemed odd that the person behind the spam would try this, because it wasn’t immediately apparent what benefit they would derive. Here’s an example of what they had entered for each fake user:

And when you look at the tail end of the Website field, it is just the link to the member profile on SMUG, not some other Web page they wanted to give Google juice.

It seems that the goal is to somehow help a site devoted to offering six-pack abs to its customers (clearly something I could use), but it isn’t (or wasn’t) clear to me how this spamming strategy would drive traffic to that site. Other spam email domains pointed to searsuckersuit, realestatequicksolutions and comfortersonsalenow, all with .coms appended.

On further reflection, it seems perhaps one way this scheme could work would be if the spammer accounts could be used to bypass the Akismet comment filtering. In that way they could include links back to their sites within comments.

Or maybe if my default for new users was to make them Authors instead of Subscribers, it would give the spammers a chance to create new posts with lots of links to their sites:

What do you think? Based on what you see above, what would be the benefit to spammers in creating 6,000+ accounts on a site, without any links back other than in the user email domain, which isn’t published?

Was this just a first step in a plan to eventually unleash a torrent of new posts or comments?

By the way, for the time being I have turned comment moderation on, so I’m not just relying on Akismet. So when you share your thoughts, it may take a little bit for me to moderate and approve the comment.

Meanwhile, does anyone have a recommendation for mass deleting 6,300 spam subscribers in WordPress?

Otherwise, it looks like I’ll be selecting 50 at a click and deleting about 126 times. Should be an hour or so of mindless fun.

Be Sociable, Share!

Author: Lee Aase

Married father of six and grandfather of nine, and the Chancellor of SMUG - Social Media University, Global. By day I'm the Director of the Mayo Clinic Social Media Network. Whatever I say here is my personal opinion, and doesn't reflect the positions of my employer.

5 thoughts on “Why do Spammers do this?”

  1. I just use captcha for my most of my WordPress sites. But I have noticed the same problem on my Drupal sites where captcha has not been installed yet.

  2. This was most likely not a spammer… but an automated bot working on behalf of a spammer looking for a server to hack (to relay mail through). Possibly, it was even relaying email each time this bot completed your form depending on the known vulnerabilities for BuddyPress. This happens all the time, and is the reason you’ll want to implement CAPTCHA or some other method (we have several) to stop automated bots from filling out your forms.

    Lyle can probably give you a hint on how to remove all the users from the database or can write a query to do so.

  3. In trying to work out how to best use Buddy Press as a forum and leave most of our site public without leaving the forum public I turned to SMUG University. Glad I read this post. I think I will delete Buddy Press and try Simple Press instead and add the CAPTCA feature.

    Also glad that I wasn’t the only one to get frustrated with Buddy Press. The alternate setup is not easy to configure.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.