A Pinterest spammer tells all (dailydot.com)
348 points by taylorbuley on Mar 27, 2012 | 115 comments

There are multiple angles to this story, and each has a compelling narrative.

Social sites are not just games or freebies. They exist based on the premise that they can use human nature against itself in order to create free content from users to be consumed by other users. At the end of this road we have Facebook, where they spend tens of millions of dollars to program users to create and consume like you'd program an alarm clock.

The spammers of course are in it for nobody but themselves, so it's tough to ding them any more than the rest of folks. At least most of them seem honest about it.

There's a third party here too, though: the honest internet citizen who likes creating and sharing content and making money while doing so. They don't run bots and they actually review the stuff they talk about.

The spammers make their money because they can "fake out" the system to think they're the honest money-making folks. The danger here is that we're going to only end up with two giant contenders, the addictive social sites and the spammers. That the little guys get crushed. To me it seems that the web, once wide open, is closing in bit by bit. (That probably sounds hyperbolic. Apologies.)

The problem is that that third party is complicit in allowing this ecosystem to exist. If they would just pony up a dollar or two a month, they could exist in a world without spammers. That's all it would take.

The spammer in the article makes two thousand dollars a day from his army of spambots. Even if he started running two thousand bots on Monday, he'd be pulling a profit by Tuesday.

Payment would be the unique identifier. Creating a ton of email addresses to uniquely identify each account is easy. It's a lot harder to find multiple unique payment methods so you won't show up as the same person.

You can buy foreign Paypal accounts for $100-200.

If the unique id didn't work out you could charge per post instead. Spammers would post more than other users. Extra accounts or not. Is there any way to make payments like this easy?

Does Paypal not allow multiple accounts tied to the same bank account?

I've received a notice that I couldn't add a credit card because the number was already on my wife's account. Not sure if the same is true for checking accounts, but I'd imagine so.

They don't allow that. My wife tried to add her checking account to a business-related paypal account, but it was already on her personal account so they didn't let her connect it.

What you should do is unconnect it. The very last thing you want to do is to give paypal unfettered access to your checking account.

Why would you tie your paypal account to a bank account?

To get money out. (I don't have mine tied, because I don't receive any money via paypal, and probably never will because of all of the horror stories.)

Anyway, you can easily exchange "bank account" with "credit card" - and it seems that they don't allow that sort of thing, based on the other comments in this thread.

Yes, but they are also quick to disable an account with suspicious activity. Some would say too quick.

You really only need the account for about five minutes, in order to register your spambot.

Sounds like I should take up Pinterest spamming.

> The spammers make their money because they can "fake out" the system to think they're the honest money-making folks.

None of this is any different than basic capitalism. Now this isn't an anti-capitalism rant, it's just an observation. Rite Aid and Walmart can buy entire city blocks and run their businesses at a loss for years to fake out and overcome honest citizens' businesses and we celebrate their success.

I suspect if people could invest in spammers there'd be a different public perception of them.

For your Walmart example, wouldn't that violate section 2 of the Sherman Act? In principle, it isn't a strategy the United States government allows.

> None of this is any different than basic capitalism.

Completely agree. I'm not sure I see anything wrong with what the spammer is doing. He may be polluting the Pinterest 'stream' with affiliate links, but it's not like the people on Pinterest aren't on there just to look at random stuff they may never see anyways. Obviously he must be showing people stuff they want if he's making money on it.

It shouldn't even be called spam since every link on Pinterest is technically solicited. Every user on there wants to see new stuff, that's the point of the site. It's nothing like email spam that I didn't ask for, or junk mail that was sent to my house just because they grabbed my info from somewhere.

Will Skimlinks (or someone similar) offer a reverse-affiliate service that strips affiliate IDs from links on your site instead of adding them? Does this already exist?

(It would be trivial for Pinterest to manually do this, say, for Amazon, which could instantly crush a spam model based only on Amazon, without any spam network detection/banning required)

Personally, though, I think affiliate links in social networks are pretty innocuous, if not slightly positive.

You'll always lose in an arms race that you didn't start.

If you start stripping affiliate IDs, I'll just write a redirector and link to that, or link to an existing redirector. Are you going to ban all of bit.ly? Or t.co? or letter.obscure_tld from your website?

We did ban URL shorteners on delicious.

It wasn't that hard to pick out URLs that were not user facing (that a bookmarklet would never see).

Isn't it possible to first check if the URL behind a bit.ly is an affiliate link?

There's a better way.

Make a crawler that follows your redirects. If it hits an affiliate page, you can presume (with some likelihood) that it's a spam link.

If you put in intermediate redirects that the crawler wouldn't pick up, there's a chance your targets won't either and you'll lose customers.

The crawler better be undetectable as such. For instance, it better send "expected" headers (User Agent, Accepts, etc.), and it better have cookies enabled, and also operate from many distinct and perpetually changing IP addresses.

Otherwise, the spammer will be able to run his/her own URL shortener service in a 5USD/month VPS and be able to show a spammy link to the users and a regular-looking link for the crawler.

BTW: a "crawler" implemented with Mechanical Turk workers would be a little bit harder to detect, but would also have its downsides.

"For instance, it better send "expected" headers (User Agent, Accepts, etc.), and it better have cookies enabled..."

How are these challenges exactly? Just set the user-agent and enable cookies. Done.

"...also operate from many distinct and perpetually changing IP addresses."

Okay. Change the IP it operates on every few days.

I'm building one of these at the moment.

It's to process URLs, and it's just a part of what I need, but knowing that others might like such a thing means I'll see if I can open it up afterwards.

I'm looking to achieve this by two methods:

1) If the link contains the ID of the end page (i.e. ASIN for Amazon), then reconstruct the URL of the end page.

2) For places in which #1 fails, follow the link and seek to determine whether a permalink or canonical URL exists at the end page.

Ironically I seek to strip affiliate codes in order to add my own in my given use case... but I'm using golang and am trying to structure it all in a flow based way in which stripping and adding codes are just separate steps.

So it doesn't seem to me to be too hard to then expose each side as a service by itself.

2) What if I build a redirect engine that doesn't redirect to an affiliate page at first and then turn on the redirect after your engine completes the permalink check? For example, if you do the permalink check when the story is published, I would have my engine wait 5 minutes or so before changing the destination of the URL to my affiliate page.

For my own work I plan to keep a store of ALL user submitted links.

I plan to iterate over it and do sane things with it:

* Is it an embedded image and is Chrome reporting the domain as malware? = Convert to link instead of image
* Is it a link that was only transiently available? = indicate that it is no longer available and suggest searching instead

My aim is to self-heal user submitted content that links elsewhere, as much as it is to monetise that content where it's possible to.

I plan to visit links on a schedule and react as necessary. I hadn't really figured in affiliate spammers, but that would just be part of the self-healing now... detect change in destination and re-run the bit that strips affiliate codes.

Stripping affiliate links is pretty easy, however it's pretty hard to know all the possible combinations from all the networks.

Skimlinks already ignores their redirect if the link is already affiliated so I'm guessing they could just reverse this logic & have a solution.

I'm not suggesting that this is trivial to implement, but in principle, wouldn't it be fairly simple for Pinterest to identify these guys based on their 'social networks'? If a group of accounts only 'pins' posts of other accounts in that same group, that suggests either a spambot farm, or a very inclusive group of friends. False-positive detection could be decreased by looking at account sign-up dates, or profile photos.
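The closed-group check described in the comment above, as an added example that is not part of the original thread: it finds groups whose members repin only each other and then applies the sign-up-date filter to cut false positives. The input shapes, thresholds and sample accounts are assumptions constructed for illustration.

```python
from collections import defaultdict


def closed_repin_groups(repins, signup_day, min_size=3, max_signup_spread=7):
    """Find groups of accounts that only ever repin each other.

    repins:      iterable of (repinner, original_poster) account pairs.
    signup_day:  {account: sign-up day number}; must cover every account.
    A group is reported when every member's repins stay inside the group
    (repins coming in from outsiders are allowed), it has at least
    min_size members, and all members signed up within max_signup_spread
    days of each other.
    """
    out = defaultdict(set)
    accounts = set()
    for repinner, poster in repins:
        out[repinner].add(poster)
        accounts.update((repinner, poster))

    def closure(start):
        # Every account reachable by following "repinned from" edges.
        seen, stack = {start}, [start]
        while stack:
            for nxt in out[stack.pop()]:
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        return frozenset(seen)

    # Quadratic in the number of accounts: fine for a sample, a production
    # system would use a strongly-connected-components algorithm instead.
    reach = {a: closure(a) for a in accounts}

    groups = []
    for group in set(reach.values()):
        if len(group) < min_size:
            continue
        # Closed and mutual: every member reaches exactly the same set.
        if any(reach[m] != group for m in group):
            continue
        days = [signup_day[m] for m in group]
        if max(days) - min(days) <= max_signup_spread:
            groups.append(sorted(group))
    return sorted(groups)


# Constructed sample data (not taken from Pinterest).
SAMPLE_REPINS = [
    ("bot1", "bot2"), ("bot2", "bot3"), ("bot3", "bot1"), ("bot1", "bot3"),
    ("alice", "bot2"),                    # a real user repinning a bot
    ("alice", "carol"), ("carol", "dave"), ("dave", "carol"),
    ("erin", "frank"), ("frank", "gina"), ("gina", "erin"),  # old friends
]
SAMPLE_SIGNUP_DAY = {
    "bot1": 100, "bot2": 100, "bot3": 101,
    "alice": 10, "carol": 40, "dave": 300,
    "erin": 5, "frank": 200, "gina": 400,
}

if __name__ == "__main__":
    print(closed_repin_groups(SAMPLE_REPINS, SAMPLE_SIGNUP_DAY))
```

The erin/frank/gina group is just as closed as the bot group; only the spread of sign-up dates separates the "very inclusive group of friends" from the farm.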

It sounds like he only has one Amazon Associates account. Identifying all his accounts would be trivial, then -- find all accounts that have posted an Amazon link with the same associate ID in the URL.

Most of the experienced spammers fake the referrer. They'll have a scrub site setup which will appear as any blog. The spammer will spam links to the blog page (often using a url shortener); however the link will contain a id. If you visit the page with the id it will selectively redirect traffic to their amazon affiliate link, without the id link it will appear as a normal blogpost.

Amazon will think the traffic comes from the blogpost. The person getting spammed won't get any protection if they filter amazon links.

All they'd have to do is add a captcha to the submit. Trivial to implement and it would reduce the spammers.

That might help for sites with a small userbase. However these are large platforms with large clusters of users that can be easily contacted. They'll just invest in a captcha cracking service which runs at about a 1000 solved captchas for $3. If you ban datacenter ips, use dnsbl and scan for proxies, they'll switch to rented dsl lines.

On the other end are the users. If you ban proxies, finger their ports and ask them to solve a captcha every time they hit the submit button; you'll create some serious animosity. Stopping spam means having to invest, come up with complicated algorithms and you still might accidentally ban innocent users who will blog about this or tell their friends [1].

The real question is... does it matter that affiliate links are being posted if it needs a guide to let the everyday users notice it [2]. My niece doesn't even know what an affiliate link is and neither do most users. I mean if there's a 100% method to stop it, implement it. However, should you invest money and dev time into problems that nobody has solved to this date...

[1] http://acme.com/updates/archive/173.html

[2] http://www.dailydot.com/news/how-spot-spammer-pinterest/

Manual captcha breaking services are available for as low as $10 for 1000 captcha breaks. Most of the bots use them: just pass the captcha image to the service and there is someone at the other end who would just enter the characters, and all of this happens within seconds. Search deathbycaptcha etc.

CAPTCHA is trivial to implement, but is terrible for usability.

And in many cases trivial to circumvent http://www.wausita.com/captcha/

Amazon Associates allows you to create unlimited, unique affiliate IDs, tied to one AA account.

Partly true, but they're not unlimited; there's a maximum of 100 per account, and once created they can't be deleted, so it's 100 lifetime.

How do you scale that? Sure, you found him - but how do you find the others?

It's fun to imagine large social networks of bots which are indistinguishable (from Pinterest's/Facebook's/Twitter's P.O.V.) from human social networks. Here, it could be a 1-man spamming operation, but you can imagine government-scale astroturfing.

If he is pinning relevant pictures to themed board and simply doing it at scale, is he really abusing the site?

e.g: pictures of cakes on a recipe board about desserts that link back to a cookbook and he gets 4 cents per click through...

> simply doing it at scale

That's the most abusive part. As a Pinterest user I want to see what other real users are pinning. I don't want to see what 4,000 bots are pinning.

Everyone talks about authenticity in social media (that somebody wants to see "real" content from "real" people) which really makes sense because it is the most human thing. But what if the bots pass a Turing test and deliver relevant content with said links? Does it not become spam anymore? That's the weird part. All of the spam I get in my email I don't want because it is completely irrelevant. Same goes for ads on nearly every site. That's why it's spam: I don't want it, it's being forced on me, and is completely irrelevant to my productivity. But if some bot dug up something cool, isn't that just what gets defined these days as "targeted advertising"?

The utilitarian argument here invalidates this premise of the pins needing to be human, which is what is interesting. If you are getting utility out of it and you didn't know it was a bot, you are actually still better off.

The ancient email phrasing is "Spam is about consent, not content."

Having said that, you do make a very good point.

If a bot could find things I like, and put it in a sensible pinboard, then I'd probably follow it.

I don't care about Pinboard skimlinking any affiliate links, even ones I'm using. (another post in this thread explained how bots would avoid that limitation with redirects.)

I do mind, a little bit, if a bot owner is making hundreds of dollars a day by manipulating flaws in Pinterest, because arms-racing could make Pinterest much less useful.

It's not going to be cool though is it? AI is nowhere near being able to know what cool is.

A Turing test for spam?

I had a real love affair with Pinterest for one semester. Spammers or not, it is simply too crowded now. Last week, I found Piccsy. I'll be using it now in place of Pinterest until spammers arrive.

What ruined the product for you? In what way is it too crowded?

(I am not affiliated with Pinterest. Just curious from a product perspective.)

That is it. I loved it, I still like it, but with scale comes inevitable problems. Another reason is that I like something niche. At 13M users, it's mainstream and not for me.

Don't you need an invite for that?

If you have any handy, can you send one my way?

You do. I do not have an account yet, but I am already visiting the site a few times daily for refreshment. I plan on emailing info@piccsy and see if I can convince them to give me a few invites. Will def. share then.

EDIT: Email daniel at piccsy dot com. He's the founder.

Try Wookmark. I see it kind of like this: Pinterest:YouTube::Wookmark:Vimeo. It's super clean and easy to use, and it has a paid version where you can save private images and start private groups. http://www.wookmark.com/

He certainly has no qualms about calling it spam.

The obvious answer is he is obfuscating other, more valuable links that legitimate users are suggesting.

I'm a Pinterest newbie, but do you have to be the owner of a board to pin to it? At least the boards I am following now it seems I cannot pin to them.

When you create a board you can decide whether only you or you and contributors can pin stuff on that board.

The contributors have to be manually added to the board though.

As Google is killing more and more content farms, it makes sense spammers are moving towards sites that have tons of authority, and spamming there. Can't get "buy car insurance" to rank for your spamblog? No problem, create a fake question in Yahoo Answers with the keywords in your title, and a fake answer with your affiliate link. Repeat in Pinterest, Amazon Askville, Quora, etc.

This is a good point - I've seen a bunch of Facebook Notes page spam, using the Amazon affiliate program, on the first page for product SKU queries. It seems these pages can be created faster than FB can remove them, and they cycle into the first page of SERPs due to the massive domain authority of FB even though they're just spun Amazon affiliate content.

Spammers were doing that 6+ years ago. It worked. It still does.

Content farm = spamming to make money off of adsense and display advertising. What you are referring to would be more accurately termed a gateway page, for which the sole purpose is to direct a user off to an affiliate link or another site.

Affiliate links are filtered out of Yahoo Answers, or at least they were 4 or 5 years ago when I posted one.

You could use a redirection service. If they actually follow the redirects to the final destination, you could simply inspect the User-Agent header and redirect their automatic checker to a different page. If they pretend to be a browser by faking the agent, you can create a page with a hidden form (method=get, target=your_affiliate_url) that is submitted using Javascript.

Yahoo Answers is so 2007 when it comes to spamming...

Aside from the (good) conversation here, I'm actually shocked the guy agreed to an interview. How many HN people just spent some time thinking about how you would do one of these? Not that nobody could have possibly thought about pinterest spamming before, but this interview has certainly increased knowledge of it

Probably because he knows the end is coming quicker than he said in the interview.

Wouldn't be surprised if 90% of their amazing growth is actually spammers creating accounts by the million daily.

The interesting thing is that Pinterest founders have an incentive to look away, while promoting their growth to the VCs, raising massive rounds whilst potentially cashing out big time. Tumblr seems to be going a similar route, maybe it's a Twitter-initiated trend of bot-generated companies?

Sounded very tempting at first, but since spammers are already releasing tools to do automated spamming, they might have realized that their methods won't work forever (otherwise they would be making an irrational decision, since they could make much more money by using them themselves).

there are actually plenty of bots out there already:



Pinblaster, you have got to be f* kidding me.

Please elaborate.

An easy way to find Pinterest spammers.


I think the spammer moved his affiliate tag to womansdesign-20.

It's also an easy way to generate a lot of false positives. To be a spammer does not mean to take advantage of affiliate revenue. I would say this method would be too sloppy to use by itself. It would need to be a small part of a larger set of signals.

Edit: DanielBMarkham's comment does a better job of conveying why this would be a bad approach.

I don't think it generates a lot of false positives. Obviously not every amazon link with an affiliate tag is spam.

Take a look at how many of the accounts there solely spam affiliate links from Amazon, are from a Twitter account, and repeatedly post the same items.

Right -- you just used three separate signals together to identify a possible spammer. I'm fairly sure we're on the same page.

We aren't on the same page. You think it generates a lot of false positives. I don't.

You don't, yet when you go to explain how it could be used you include two other signals (came from Twitter, posts many items more than once) in order to make it work. I had originally said "I would say this method would be too sloppy to use by itself. It would need to be a small part of a larger set of signals."

So alright, we aren't on the same page, but you're saying exactly what I just said.

No single heuristic is perfect. How about you tell us your 1 flawless method?

Just because I used 2 different signals to prove to you that the method doesn't generate a lot of false positives, doesn't mean that looking at amazon links is a bad method.

If I was at Pinterest, I would slap a captcha on all Amazon links with affiliates until I had time for a fancier solution, and it would probably get rid of 99% of the spam.

Breaking captcha is easier. Deathbycaptcha, decaptcher - two of the services that provide clean APIs for the bots and break the captchas for you. And on the other end there are even humans sitting and cracking the captchas. It doesn't cost much and for the $2k he earns per day, these captcha breaking services are just drops in the ocean.

http://pinterest.com/source/amzn.to/ has lots more, and they all have the default Twitter avatar which gives them away. Lots of them have terrible or inaccurate descriptions and are in the wrong category.

How are they not picking it up as spam? The same affiliate link from multiple accounts... The description also looks like a snippet of one of the product reviews on Amazon.

They aren't picking it up as spam because they aren't trying to stop spam. They will soon, and it will become very difficult to make much smaller amounts of money. Or, if they don't, they will end up in a place where pinterest is the Myspace of pinboards.

That's how the money is made, isn't it? Something gets re-pinned by others and the affiliate ID gets spread around. You'd need to determine which single affiliate IDs originate from multiple accounts.

So-called "skimming" of links does not strike me as being terribly wrong (or different from what Pinterest does itself), but the practice likely still undercuts their bizmodel because they don't skim links that already have affiliate ids attached to them.

It seems to me that it's pretty dumb to leave the affiliate ids attached. If anything, I think their initial idea of replacing affiliate links with their own affiliate was smart. People don't like it, they can use another site.

In life there are often short-term gains that can be made by someone either lacking in principle or who simply fails to exercise it. In simple terms, in this world there are always going to be temptations to travel down a road that in the end leads to death. In this case, it is eventual financial death for the marketer.

I know the temptation is for this road to be traveled because it's most often the easier road in the short-run for someone to take. There is no doubt in marketing a product or service that you are going to have to knock on many doors. Most often this will mean having to spend money in the process of running ads in order to get the word out. Bots such as those used by the Pinterest spammer automate the process but do so by taking advantage of loop-holes in the system and in so doing exploit whatever platform they are using (in this case Pinterest).

It is one thing to offer a product or service and to let people know about it and quite another to use technology to exploit a Platform for the purpose of sending unsolicited information to those who you do not know. There are better ways to market products and to profit from the sale of them through proven, sound marketing strategies.

The use of spam bots is not a reflection of anyone who has pursued an education of good marketing techniques. Such people only serve to give marketers in general a bad name. Those who pursue get rich quick strategies like this are not the type of people that endure for the long-run.

Frankly this sounds like what Pinterest should be doing for revenue. Isn't it basically what promoted tweets are for Twitter?

Promoted tweets are a fucking scourge, at least so far. I've seen two - both times for something totally irrelevant to me. (What the hell is the Shell Houston 2012 Open? I have zero idea, and less than zero interest.)

I agree I don't like them either. I thought Twitter was going to settle on having people with >XX,000 followers pay something, Freemium style. But I guess ads are a better moneymaker and they will convert better in the feed.

> I thought Twitter was going to settle on having people with >XX,000 followers pay something, Freemium style.

That seems weird, like punishing people for their success, or letting others decide how much they should pay. (Unless, I suppose, that once you hit XX,000 followers nobody could follow you until you paid up.)

The few promoted tweets I have seen were frighteningly targeted.

I'd be happy to learn that I'm hard to market to.

What exactly is outrageous about a community service like Pinterest or a forum using Skimlinks?

I don't get it either. The only thing that wouldn't be kosher would be replacing existing affiliate links with their own, but I don't think they were doing that

If they had just disclosed that they were doing it no one would have cared.

I disagree. The story of Pinterest using Skimlinks became controversial because bloggers made it so. It was fake, manufactured outrage. If they disclosed it beforehand the same thing would have happened anyway. It would've been in their TOS or something and we all know that when bloggers have nothing to write about they peruse a bunch of TOS agreements looking for some outrage to manufacture. They would have come across it, manufactured the outrage, and Pinterest probably still would've ended up ceasing use of Skimlinks.

I'm being speculative here, I know but I think you are too. I think there'd be controversy regardless of disclosure though not disclosing it sure helped make the outrage easier to sell.

Let's say you are a "regular" user. You "pin" x number of pins/frequency (hr/day/whatever). This establishes a normal activity baseline. Filter by "pins" that have links that have affiliate codes in them. Now, it has been shown that Skimlinks can identify these links and replace them. If that is the case, they can count the number of affiliate unique id's in their system across pinterest accounts, thereby linking seemingly disparate accounts by their affiliate links. Unless this guy is running game with multiple affiliate links or affiliate links are uniquely generated on a per item basis then I think Pinterest can put a stop to this.
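The account-linking idea raised here and in earlier comments (one associate ID posted from many accounts, the same items pinned repeatedly), combined with the ASIN-based URL reconstruction mentioned further up, as an added example that is not code from the thread or from Pinterest. The host list, thresholds, report fields and all sample data are assumptions constructed for illustration; `tag` is the query parameter Amazon uses for the associate ID.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Illustrative subset of Amazon storefront hosts (assumption, not exhaustive).
AMAZON_HOSTS = {"amazon.com", "www.amazon.com", "amazon.co.uk", "www.amazon.co.uk"}

# Product paths carry a 10-character ASIN after /dp/ or /gp/product/.
ASIN_RE = re.compile(r"/(?:dp|gp/product)/([A-Z0-9]{10})(?:/|$)")


def parse_amazon_link(url):
    """Return (asin, tag, canonical_url) for an Amazon product URL, else None.

    The canonical URL is rebuilt from the ASIN alone, which drops the
    affiliate tag and every other tracking parameter.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in AMAZON_HOSTS:
        return None
    match = ASIN_RE.search(parts.path)
    if not match:
        return None
    asin = match.group(1)
    tag = parse_qs(parts.query).get("tag", [None])[0]
    return asin, tag, f"https://{host}/dp/{asin}"


def flag_shared_tags(pins, min_accounts=3, min_repeat_ratio=0.5):
    """Flag affiliate tags that several accounts use to push the same items.

    pins: iterable of (account, url). A tag is flagged only when BOTH
    signals hold, so a lone blogger with their own tag is not reported:
      - the tag appears in pins from at least min_accounts accounts
      - at least min_repeat_ratio of those pins repeat an ASIN already seen
    """
    by_tag = defaultdict(lambda: defaultdict(list))  # tag -> account -> [asin]
    for account, url in pins:
        parsed = parse_amazon_link(url)
        if parsed and parsed[1]:
            asin, tag, _ = parsed
            by_tag[tag][account].append(asin)

    flagged = {}
    for tag, accounts in by_tag.items():
        asins = [a for per_account in accounts.values() for a in per_account]
        repeat_ratio = 1 - len(set(asins)) / len(asins)
        if len(accounts) >= min_accounts and repeat_ratio >= min_repeat_ratio:
            flagged[tag] = {
                "accounts": sorted(accounts),
                "pins": len(asins),
                "repeat_ratio": repeat_ratio,
            }
    return flagged


# Constructed sample pins; tags, ASINs and account names are made up.
SAMPLE_PINS = [
    ("bot01", "http://www.amazon.com/Some-Cake-Pan/dp/B000000001/?tag=exampletag-20"),
    ("bot02", "http://www.amazon.com/dp/B000000001?tag=exampletag-20&linkCode=xx"),
    ("bot03", "http://www.amazon.com/gp/product/B000000001/ref=abc?tag=exampletag-20"),
    ("bot03", "http://www.amazon.com/dp/B000000002?tag=exampletag-20"),
    ("blogger", "http://www.amazon.com/dp/B000000003?tag=honestblog-20"),
    ("blogger", "http://www.amazon.com/dp/B000000004?tag=honestblog-20"),
    ("reader", "http://www.amazon.com/dp/B000000001"),             # no tag
    ("other", "http://example.com/dp/B000000001?tag=exampletag-20"),  # not Amazon
]

if __name__ == "__main__":
    for tag, report in flag_shared_tags(SAMPLE_PINS).items():
        print(tag, report)
```

Links that reach Amazon only through a shortener or an intermediate blog page, as other comments in the thread point out, carry no tag in the pinned URL and have to be resolved before this grouping sees them.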

Sucky thing for pinterest to deal with and it's only going to get worse for them - the obvious spam is just the tip of the iceberg, the more insidious stuff can go undetected pretty much forever judging by HN, Reddit etc.

you can't say that without elaborating, lol.

First of all: They believe a screenshot to prove identity?

I could've faked that in 10 seconds with Firebug and then told them I make like $10,000 a day with my super hardcore h4ck0r bots and they would have believed it I guess.

> we found tons of bots that traced to your Amazon affiliate account

This suggests a trivial fix for the problem on Pinterest's side, doesn't it?

I think he is using URL shorteners or custom URLs that look like a blog but are a redirect to an affiliate URL. Now they'd have to start examining the URLs in detail, which is a lot harder. Especially if he cloaks for access that looks to be coming from Pinterest themselves.

If I were tasked with detecting these, nothing would run from a Pinterest IP address. Use throwaway VPS hosts on different blocks and replace them regularly.

For that matter if I were tasked with posting this spam, I'd do the same...

I own 10K bots, each one posts 10 pins daily, 1 random pic + 9 good pics. 9 over 1 makes the pin quality above average. Every day I choose 10K pics for every bot to pin as random pic. The 100 pics that get the most clicks become good pics the next day. I call my bots a collaborative content election system, but not a spamfarm.

Does anyone know if Steve's actions are legal under United States law?

I don't think it violates any specific law, but I'm guessing that a prosecutor could come up with some charges if the website hired good enough lawyers. Charges similar to the ones you see for denial of service or computer fraud.

There's also FTC disclosures to worry about, although I'm not sure if it covers posting affiliate links to another site.

"Trust me when I say Pinterest is NOT invite only."

How is that? Where is the hidden registration button? Or do you simply get an automated invite after you request one?

The latter. The delay (if there is one) isn't too long.

I had no idea it was that lucrative. I expected revenues maybe in the 100s per day.

This story is going to bring a lot of new "fresh blood" into spamming SNs.

That's what I was thinking... I assumed the click-through rate of Pins was terrible, it's quite difficult to even figure out that you can.

Where can I get one of these bots? This seems too good to be true!

Here's where you can find it > http://bit.ly/GZd7I1

Everywhere I go, I find a spammer has been there before me.

How do these scumbags get so many IPs? Botnets?

"And women will fall for it instantly"? WTF
