In the face of unrelenting spam-and-scam attacks on the computer/electronic classifieds in super metro areas like New York and San Francisco, what does Craigslist have up its sleeve to combat these virulent onslaughts?
We here at Cyberaxis first broached this story after we noticed an unrelenting campaign of spam flooding the New York and San Francisco classifieds from China. The spammers were posting with impunity bordering on contempt. (We first noticed this around February of 2009, but it is highly probable that they started much earlier. Craigslist has not responded to our queries.) The spammers’ prodigious output was swamping the computers and electronics classifieds and affecting Craigslist users’ ability to find local items for sale. If nothing happens in the next couple of months the San Francisco computers and electronics classifieds section might just go down like the New York one – the micro-equivalent of the parasite killing the host. (See the “Update” appendix at the end of this post.)
The big question: Now if spam-and-scam artists can hit Craigslist at will like this, what is there to stop Craigslist haters (or their operatives) from hitting it across the board with nonsense postings just to undermine its free ads platform as a means of promoting their own schemes? Think of the Craigslist user in San Francisco, Los Angeles, New York, Chicago and Atlanta. Where do they go right now if they want to browse or post in the computers and/or electronics section? Get the point?
Updated list of other U.S. Craigslist Sites that are increasingly being hit: (As of 05/12/09)
Major Warning to Craigslist Users: Now it turns out that this spam is most probably linked to an unsophisticated but effective wire scam, if a post out of the Miami Dade ads computers & tech section is anything to go by.
Please see a copy of the post and vital anti-scam information here:
Do people who send money to unknown businesses when the conspicuous warning on Craigslist is clearly against that deserve to be scammed? The answer is yes with a qualified no. With very minimal exceptions, people should not be sending their hard-earned money to strangers, even on a website as well known as eBay.
The Chinese spammers on Craigslist have been using location blurbs like “Come on baby ….. Shengcunyishangshenghuoyixia” or “Beijing, Beijing” (a sardonic play on New York, N.Y.) in an apparent attempt to taunt Craigslist flaggers and moderators. Spam is nothing new to Craigslist, but this recent onslaught seems to be unrelenting in a way that raises a lot of questions.
Could these barrages be probes by tech-emboldened bandits to test the integrity of Craigslist’s anti-spam system? Could they be trying to see how the automated and human-assisted controls (flagging and moderation) can withstand unrelenting attacks? Could Los Angeles, Dallas, and Washington D.C. be next? The current attacks seem to go beyond simple attempts to con people out of their money. The brazenness seems to speak to a certain desire to prove something to Craigslist.
Craigslist’s flagging system often seems overwhelmed, and while the IT department has quite a few tools in its toolbox, like lowering the flagging threshold, these don’t seem to be commensurately effective against the spam in question. The ace up the attackers’ sleeve seems to be the newer software designed to game or bypass Craigslist controls. Craigslist’s ultimate threat of blocking the IP addresses of spammers and/or hackers doesn’t seem to even come close to fazing these guys.
Charging for posts in computers, as some have suggested, would have the salutary effect it has had in real estate, employment and more recently the erotic section, but as a more global strategy, it would threaten the very attribute that has distinguished Craigslist from its competitors, namely, free advertising.
The influx of spam from offshore operatives also threatens the local focus of Craigslist websites, which are really independent location-based sites linked by a sub-domain. The mantra to “deal locally with folks you can meet in person” has, for the most part, served Craigslist well and minimized the scams that have wracked eBay over the years.
The law of unintended consequences: Even before the closure of the much maligned Erotic Services, there had been a glaring irony in all of this. In November of 2008, Craigslist had caved in to pressure from law enforcement and associated groups by instituting a screening process which required credit card and telephone number verification, not to mention the then new $5 per post charge. The concession was meant to help police in their investigation of illegal activities like the exploitation of minors.
However, the unintended effect of this was that it immunized the Erotic Services section from egregious spam while the more up-and-up electronic and computer classifieds were left to fend for themselves. None of the religious-cum-law-and-order types had seen this coming.
Evolution of the Beast: The technology to defeat Craigslist’s controls has been evolving faster than Craigslist’s ability to deal with it. But the problem goes beyond Craigslist, which is a bit downstream when compared with web and e-mail giants like Yahoo, Google, MSN and Hotmail. The collapse of CAPTCHA sometime early in 2008 did not bode well even for downstream operations like Craigslist, which relies on CAPTCHA-derived controls to distinguish human posters from automated or bot posters. Be that as it may, conspiracy theorists have already started speculating about who may be behind the more recent onslaught against Craigslist, which certainly does not have a shortage of enemies, within and without, if you get my drift.
The Tech World article by Steven J. Nichols-Vaughn (Computerworld U.S.) zeroes in on this problem:
“It’s not just free email sites that can be made to suffer, though.
John Nagle, founder of SiteTruth, a site that tries to identify bogus businesses and their websites, wrote in late May on Techdirt that while spam on the popular online classified ad service Craigslist “has been a minor nuisance for years … this year, the spammers started winning and are taking over.”
Craigslist tried “to stop spamming by checking for duplicate submissions,” Nagle explained. “They check for excessive posts from a single IP address. They require users to register with a valid email address. They added a CAPTCHA to stop automated posting tools. And users can flag postings they recognise as spam.”
According to Nagle, waxing sarcastic, “Several commercial products are now available to overcome those little obstacles to bulk posting. A tool called CL Auto Posting Tool is one such product. It not only posts to Craigslist automatically, it has built-in strategies to overcome each Craigslist anti-spam mechanism.”
It’s not the only one. There are, he added, “other desktop software products [such as] AdBomber and Ad Master. For spammers preferring a service-oriented approach, there’s ItsYourPost.” The result? “The defenses of Craigslist have been overrun. Some categories on Craigslist have become over 90 percent spam. The personals sections were the first to go, then the services categories, and more recently, the job postings.”
Of course, you don’t have to pay anything. There are now free CAPTCHA crackers available online.
Craigslist is fighting back. The organisation is now using phone verification for some ads. Crackers, in return, are working on a way to break Craigslist’s phone defences. With combat costs mounting, it’s hard to see how Craigslist, which has always been a free service, can continue to survive with its no-visible-means-of-revenue model.
It’s not, as the Craigslist situation shows, that malicious email is the only problem coming from broken CAPTCHA security. Paul Wood, senior analyst at MessageLabs, a UK-based e-mail security company, says, “MessageLabs have already begun to see examples of spammers exploiting other techniques once they have bypassed the CAPTCHA of Google and Hotmail – for example, using Google Docs to create spam content and including the link in the spam email messages, evading traditional antispam techniques that rely on identifying known spam domains in URL.”
Steven J. Nichols-Vaughn, Tech World article (Computerworld U.S.)
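The controls Nagle lists in the quoted article (duplicate-submission checks, a per-IP posting limit, and user flagging with a threshold) can be sketched as one posting filter. This is an added example, not Craigslist's code or part of the original post; the class, function names and every limit are assumptions chosen for illustration.

```python
import hashlib
import re
from collections import defaultdict, deque

# All limits below are assumed values for illustration, not Craigslist's.
MAX_POSTS_PER_IP = 3      # posts allowed per IP inside the window
WINDOW_SECONDS = 3600
FLAG_THRESHOLD = 5        # distinct user flags that take a live post down


def fingerprint(text):
    """Hash of the body with case, digits and punctuation stripped, so
    trivially varied copies (changed price, added symbols) collide."""
    words = re.findall(r"[a-z]+", text.lower())
    return hashlib.sha256(" ".join(words).encode()).hexdigest()


class PostingFilter:
    def __init__(self, flag_threshold=FLAG_THRESHOLD):
        self.flag_threshold = flag_threshold   # the knob the post says can be lowered
        self.seen = {}                         # fingerprint -> post id
        self.by_ip = defaultdict(deque)        # ip -> recent post timestamps
        self.flags = defaultdict(set)          # post id -> accounts that flagged
        self.live = set()                      # ids of posts currently visible
        self.next_id = 1

    def submit(self, ip, body, now):
        """Return (post_id, 'accepted') or (None, reason)."""
        recent = self.by_ip[ip]
        while recent and now - recent[0] >= WINDOW_SECONDS:
            recent.popleft()                   # drop timestamps outside the window
        if len(recent) >= MAX_POSTS_PER_IP:
            return None, "rate_limited"
        fp = fingerprint(body)
        if fp in self.seen:
            return None, "duplicate"
        post_id, self.next_id = self.next_id, self.next_id + 1
        self.seen[fp] = post_id
        recent.append(now)
        self.live.add(post_id)
        return post_id, "accepted"

    def flag(self, post_id, account):
        """Count one flag per account; return whether the post is still live."""
        self.flags[post_id].add(account)
        if len(self.flags[post_id]) >= self.flag_threshold:
            self.live.discard(post_id)
        return post_id in self.live
```

Counting flags per distinct account rather than per click keeps a single user from removing a post alone, which is the trade-off a lowered threshold makes more sensitive.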
Update as of 4/25/09 (See spam-and-scam alert in main post):
The San Francisco “Computers and Tech” page seems to be much more aggressive at beating back the waves of spam that are swamping its New York counterpart, especially at night. And the probable explanation for this has more to do with hyperactive user flagging than in-built spam controls (which are for the most part the same across all Craigslist sites with the possible exception of flagging thresholds).
SF Bay Area Craigslist has been the local village market in the Bay Area ever since its inception in 1995. Its presence is as built into the cityscape as the Golden Gate Bridge and the waterways that flow into its meandering bay. The locals are as protective of Craigslist as yokels are of the local village market.
The SF Bay Area Craigslist also happens to be the busiest Craigslist website on the planet. Period. “Touching” this website (figuratively speaking of course) is like touching the edge of a fast-spinning mill wheel. This applies as much to legitimate users as to spammers who try to swamp its classifieds. It is interesting to marvel at this phenomenon, but Craigslist clearly needs to come up with a more solid solution to the problem of spam. Flagger-fatigue can easily set in and leave the San Francisco website looking like New Orleans after Hurricane Katrina.
copyright© 2009 cyberaxis.wordpress.com