

Other Examples of Craigslist Spam Tactics [NSFW] - chromano
http://ezliu.com/craigslist/

======
elliottcarlson
So I treaded on the dark side at one point, and was hired to write a
Craigslist spam application. It was pretty simple and would automatically post
to all the Erotic Services sections in all the U.S. localities with randomized
(a huge set of varying titles, descriptions and photos - that could all be
localized specifically to where it was posting) postings, randomized emails,
obfuscating the text further by using shades of black for each letter - then
solving the captcha and auto-responding to the email to publish the posting.
It would do this every 20 minutes, 24/7.

The results for spamming adult dating affiliate links was pretty interesting.
On average it would earn $1k a day, with most holidays jumping up to $2k a
day. One very religious holiday in particular (won't mention which one to
single any group out) brought in $3k. In one single day.

As long as spamming people with affiliate links will work, and makes them
money - someone will do it.

~~~
pcopley
Ever think about swapping out your own affiliate link for a small percentage
of the posts?

~~~
elliottcarlson
Well - part of the deal of me writing the app for the guy was that I would use
it too. So the numbers I am reporting were my personal profits off of it - and
I had a much lower posting frequency as not to compete directly with the guy
who hired me to write the app. He ended up abusing the system and changed the
configuration to go like every 5 minutes which caused Craigslist to make
various changes like removing the ability to add links in the postings, then
they changed the captcha system (which was still easy to bypass) and then
finally they moved to recaptcha (I believe). I don't know how much more the
other guy ended up making but I know he was easily pulling in more than me.

~~~
pcopley
It's fascinating how much money there is in things that are at best ethically
unsound and legally questionable, and at worst completely illegal (no real
shocker in the latter, though).

------
ilamont
My company is creating a mobile classifieds platform. On the company blog,
I've spent some time analyzing Craigslist scams ("Five Craigslist rental
scams" <http://invantory.com/2012/04/craigslist-rental-scam-crisis/> ) as well
as spam ("Craigslist 'by dealer' categories and dealer spam",
[http://invantory.com/2012/04/craigslist-by-dealer-
categories...](http://invantory.com/2012/04/craigslist-by-dealer-categories-
and-dealer-spam/) ).

Craigslist puts in a lot of effort to warn people about common scams, yet the
problem persists in the high-value categories. This is especially true of
rentals -- I get a Google Alert every week of Craigslist-related crime
appearing in news reports, and half or more are rental scams. How can people
miss the warnings and get conned? Part of the reason relates to smart social
engineering, as the OP suggested -- girls, convincing sob stories (active duty
military deploying overseas is a common hook), well-written emails, great
prices that are almost too good to be true. The scammers are constantly
running tests to see what works best and then applying them to multiple areas.
But the other thing is the nature of buyers, who may only come to Craigslist
once every few years and may assume that because their last experience turned
out good, their next one will, too.

On the spam front, "flagging" is one of the main weapons CL uses to fight
things like overposting, top-posting, miscategorized posts, etc. Unfortunately
the system has broken down in many markets. Check out some of the cities in
Western Canada, which are overrun by spam (see "Craigslist Canada: Ticket
spam, giant markets and dead areas" <http://invantory.com/2012/04/craigslist-
canada/> ). Dealers and spammers using manual or automated means simply
overwhelm the categories, and there aren't enough active flaggers to mark the
violators -- or people have simply given up.

Classified marketplaces really interested me, and if anyone wants to talk
about Craigslist or mobile classifieds, I can be reached via the websites
listed on my HN profile.

~~~
lnanek2
Flagging can be unrewarding to the flagger as well. If I'm hunting an
apartment deal, email 100 ads, determine 70 are fake, flagging the fakes to
remove the ads I already know are bad is just going to bring in more
competition for the places I want. A lot of fakes reuse something, like
pictures or contact information, etc. so you can identify their future posts
as well.

The real world rewards are huge. I know people who have sublet a place worth
$5k USD/month from someone for $2.5k USD/month because they hunted for a deal
and found someone who had to go move and take care of their parents ASAP and
that person didn't have any other immediate takers pop up so quick.

------
callmeed
I think it's very important to distinguish "spam" from "scam".

What AirBnB did was a little spammy (and probably violated CL's ToS). Same
goes for ODesk and other freelance boards (I got one from HireTheWorld just
the other day).

When someone wants all your personal information or help moving (i.e.
"laundering") money overseas, that's an entirely different animal.

~~~
dabent
If I understand correctly, AirBnB directly posted to Craigslist, where most of
the spam emails (such as the roommate or oDesk emails) look to be the work of
third-party affiliates. I'm not condoning AirBnB's methods, but there is a
subtlety here that makes affiliate spam even harder to battle.

Lots of companies use affiliates to do the dirty work for them, then ban
affiliates that get caught. New affiliates pop up, or the banned affiliates
create new accounts and start over. That leaves sites like Craigslist in the
unenviable position of playing whack-a-mole to try and ban spammers.

Other variations on these include fake profiles of women on (insert social
networking site her) who inexplicably "friend" men and entice them to sign up
for dating/adult sites where the target can see more photos, and gambling
instruction guides/beat the casino secrets uploaded to torrent sites for free.
Naturally affiliate links to lots of online gambling sites are embedded in the
guides.

I guess the takeaways are:

1\. Never trust user generated content.

2\. Whenever there's a way for people to produce content (effectively) for
free, the affiliates/scammers will be there. I built a rental-listing site a
few years back. Not long after I stared getting real listings, I started
getting rental scams. I had almost zero traffic, but the tiny blip on the
radar screen my site produced drew scammers like flies.

4\. It's often better to ask forgiveness than permission. What repercussions
did AirBnB suffer for their posts? What real repercussions do any of the
spammers face?

5\. Just writing about affiliate marketing, well, at least this side of it,
makes me feel icky.

~~~
lnanek2
> I had almost zero traffic, but the tiny blip on the radar screen my site
> produced drew scammers like flies.

It's worth pointing out, that if you used some sort of standard back end like
Wordpress or some other user content system, there are bots built to search
the web for those and post to them automatically. I wouldn't put it past
someone to throw in a check for if it is real estate related and handle
slightly more advanced back ends like Drupal.

~~~
dabent
The rental site was home-grown, but scammers still managed to find it. I
noticed an ocean-view apartment in Miami for about $300 a month, which seemed
odd. After some investigation I learned about scams and began checking for
ultra-low rents, etc.

I did have a Pligg site I put up as a quick project and that was a victim of
the automated searches for the "submit" page of a Pligg site. Even adding a
CAPTCHA didn't help, so I assume offshore workers were adding links manually.

------
prodigal_erik
Spam is absolutely not a grey area. "it is NOT FUCKING ACCEPTABLE for a
_single_ post that is from a _person_ talking to other _people_ to be deleted,
to be dropped on the uncaring floor to make room for machine generated spew."

—<http://www.eyrie.org/~eagle/writing/rant.html> (actually about Usenet, which
was wrecked by the same sort of predatory scum)

~~~
eli
That quote could equally be applied against whole categories of anti-spam
products.

~~~
jgmmo
and anti-viruses...

------
pbh
ezl does not seem to have gone all the way down the rabbit hole with the oDesk
tracking link. (I work at oDesk, but not on this, so I was really curious.)
After about 3 HTTP redirects, the www.dpbolvw.net link seems to turn into some
sort of affiliate link. So my guess is that a (possibly errant, but presumably
very data-driven) affiliate was the one sending him e-mail about oDesk, rather
than oDesk itself.

That seems to raise a broader question, which is: to what extent should
companies be blamed (and thus try to control) for the actions of the people in
their affiliate programs? Would you be unhappy about a blog purporting to be
by a cute ice cream eating girl filled with recommended books with Amazon
affiliate links? What are the standards in this area, exactly? (On reload, see
_dabent_ 's comment below as well.)

------
vaksel
craigslist could probably eliminate a ton of spam by simply editting out the
urls that go thru it's email system.

i.e. if someone includes <a href> inside the email body, simply unscramble it
and show the full link.

And on the bottom of the email spell out a warning about affiliates.

This will eliminate most of the spam that goes out to people who list stuff on
craigslist.

To fight spammers that list fake listings to gather email addresses...simply
implement a private message system for craigslist. Then you can analyze all
emails that get sent to users and do the same trick as #1.

You can also limit exposure by blocking messages based on user IPs. Chances
are someone from China listing in New York craigslist is a fake.

~~~
uxp
> You can also limit exposure by blocking messages based on user IPs.

Craigslist already does this to an extent in their high volume categories. For
example, one cannot post Job Listings in highly populated areas (like New York
or San Francisco) unless the posting IP address comes from a place near there,
and the account is verified via a phone call. Anyone not fitting this
description must pay a certain amount of money.

The other side of the coin is the blackmarket selling of Phone Verified
Craigslist accounts along with proxy lists in those same markets which can
effectively bypass any IP filtering put in place.

------
juanpdelat
Would appreciate a NSFW disclosure, thanks!

------
chromano
Modified the titled to reflect possible NSFW image

------
danso
The freecreditreport spam is amusingly clever.

Wish the final pic had a NSFW warning though.

------
ericd
I'd say the others usually constitute fraud, so I wouldn't really give them a
free pass... Also, the african missionary apartment scams are also looking for
wire transfers of prepayment of rent.

------
igorsyl
"Respond to ads where people are seeking roomates. If they respond back, game
on." I've seen most posts ask for not non-solicitation.

~~~
windsurfer
Yes, and that's great. To AirBnB, non-solicitation means less competition,
because they are going to solicit anyways.

------
gcb
Hehe, and didn't even tried the car section.

I now avoid any car with steering wheel covers in the picture as all the wreck
scams I've seen had them.

Safer to miss the few false positives.

~~~
sixQuarks
Can you elaborate on these "wreck scams"? How does that work?

~~~
gcb
Buy car at charity action. Most are <2000 with engine problems. $2000 in Cali.
Tops.

Clean it incredibly well.

Put a steering wheel cover.

Sell at Glendale for 6k to 10k as if it's a private sale.

~~~
sixQuarks
well, that's not really a scam. That's just arbitrage.

