Slashdot Mirror
"Spim" is Latest Online Annoyance
Pcol writes "The Washington Post reports that 'Spim,' as people are beginning to call unsolicited instant messages, is the latest sign that online marketers will seek to take advantage of other communication tools, not limiting themselves to spam or pop-up ads. The good news is that it's not easy for spimmers to send unsolicited instant messages. Instant message providers like AOL, Microsoft and Yahoo have a lot of control over their instant message networks, and since they look at their IM offerings as gateway services that help draw customers in to their paid Internet offerings, these firms are already committing resources to making sure the spim problem never reaches the same scale as spam." Even without the providers assistance, many people who use IM systems are smart enough to limit incoming messages to those from their buddy lists. Still, there must be enough of a success rate to move spimmers to continue messaging users.
Remember those weblinks you used to get from strangers on ICQ? This is hardly a new and emerging trend.
This is the Window's messenger service, which shouldn't be confused with Window's or MSN Messenger.
I have AIM set to only allow people on my buddy list to contact me. If you're not on it, to you it looks like I'm offline. Not possible to get "spim" this way, unless it's one of my friends sending it.
The only problem comes when someone that's NOT on my buddy list wants to talk to me. Usually it's not a big deal, they can just e-mail me and I'll add them to the list later. It is somewhat inconvenient, but better than getting 10 IMs a day telling me to go to porn sites.
There's a middle ground, which is asking for your authorization before it shows the IM window, but I never found this to help - it was always too tempting just to click the "see message" button to see what they were sending me. So that didn't really help much.
.. which is why using the 'hide name' feature on AIM or whatever your using solves the problem rather neatly. Anyone who you want to IM with can still IM as long as they know your name, but casual browsers can't see you.
Where do they get your screen name?
I'm assuming with ICQ they just run through all numbers from about 5 digits to 9 digits (or whatever ICQ's up to these days). With MSN IM most people use their hotmail address as identifier (because you don't have to go through the process of registering another email with MSN, IIRC). Hotmail addresses are easily obtained, through a variety of methods (guessed, harvested, purchased...). I'm not sure how hard it is to obtain AIM or Yahoo screen names. I don't think it has to do with the protocol being open or not, though. I think the people at Trillian and Gaim have basically opened all the protocols. I think the "spim"ers aren't using protocol exploits (although I could be wrong), I think they're just obtaining screen names.
"Now gluttony and exploitation serves eight!" - TV's Frank
Is it obscure? I suppose it depends on which part of the world you live in? When we did Canterbury Tales at 'O' Level, this was always our favourite part.
Now, gentleman, this gallant Nicholas
One day began to romp and make a pass
At this young woman, in a mood of play,
Her husband being out down Osney way.
Students are sly, and giving way to whim,
He made a grab and caught her by the quim
And said, 'Unless I have my will of you
I'll die of secret love -- O, darling, do!'
Then held her haunches hard and gave a cry
'O love-me-all-at-once or I shall die!'
The Miller's Tale, Geoffrey Chaucer
digging deep into my 14-year-old-loser-in-his-parents-basement history, I remember the days when you could run a "phish"ing program in AOL. It would scrape the screen names from a couple dozen chat rooms, and mass-IM them a message saying "AOL billing has lost your password, just reply with it or your account will be disabled". I know we're talking about aol-ers here, but those retards would reply about 1 in 50. Eventually AOL added little red text to the bottom of every IM saying "we will never ask you for your password" but even then it was still very effective to just IM about 2000 people. The thing is, it only took three people "reporting" you for your account to get disabled.
So AIM now seems to have this mostly under control with the rate-limiting. Getting people's IM names will happen much the same way emails are harvested, forums, personal web pages, etc.
Here's an annoying little brain teaser. Imagine every ISP had standardized on something like Jabber and we didn't have this proprietary mess we do now with AIM/MSN/Yahoo. How would we provent spim then? Wouldn't it be just as subject to being raped as SMTP?
Yahoo has it's 'user directory' - which you can opt out of.
However, the biggest offense on Yahoo is the 'chat rooms'. I can't count know how many times that 'marketing bots' have wandered into one of the totally innocous chat rooms and spew 'porn-o-matic' messages into the room (complete with links) and vanished.
I also suspect that the 'spam bots' on yahoo chat rooms do 'profile lookups' of people in the rooms they see and do an email harvest.
It's not a hard fix to get rid of - but it has to be done by Yahoo. Messenger has an 'ignore feature, and if you had an option to 'auto ignore' anyone who spoke a URL aloud (ok, you MIGHT get real people too - but how often do YOU state URLs in casual convertaion. Maybe a bad question to ask
However, Yahoo provides a free service - so there is no real incentive to fix it. There a few 'third party' proxy programs that allow you SOME of this added functionality. Perhaps such anti-spim features will be in an 'upgraded' pay service
Any thoughts on blocking this? The fact that it continued to play makes me wonder what's going on.