"Spim" is Latest Online Annoyance

Pcol writes "The Washington Post reports that 'Spim,' as people are beginning to call unsolicited instant messages, is the latest sign that online marketers will seek to take advantage of other communication tools, not limiting themselves to spam or pop-up ads. The good news is that it's not easy for spimmers to send unsolicited instant messages. Instant message providers like AOL, Microsoft and Yahoo have a lot of control over their instant message networks, and since they look at their IM offerings as gateway services that help draw customers in to their paid Internet offerings, these firms are already committing resources to making sure the spim problem never reaches the same scale as spam." Even without the providers assistance, many people who use IM systems are smart enough to limit incoming messages to those from their buddy lists. Still, there must be enough of a success rate to move spimmers to continue messaging users.

Locating Spimmers

[cronot]

Wouldn't the nature of Spim (Spam via IM) make it easier for the Spammers to be located? Or could they just use a spoofed address anyway?

Unfortunate name choice

[yerricde]

I thought "SPIM" was a PC program that simulates a generic MIPS architecture processor, used in computer architecture courses in computer science and computer engineering curricula.

Light on details

[mr100percent]

This article is pretty light on details. Where do they get your screen name? (I guess handle is out of fashion) Chat rooms I imagine, but has every spimmed person been in a chat room at some point? Or does everyone fill in their name in their UBB forum profiles?

AOL/AIM seems to have it worst, lots and lots of porn spims. Never had a problem with Yahoo but I remember a /. story about spam on MSN.

Wouldn't it be harder to spam on MSN and Yahoo? Don't they crack down on unauthorized clients, while AIM has the open-source TOC protocol?

SPAM by any other name

is still Shit Packed Around Mucus(SPAM). Not news, just another thing that must be legislated out of existance. Outlaw companies that sell product advertised through these methods. The Spammers will die off. Simple, easy, they have brick and mortar assets that can be seized.

User reporting

[Aneurysm]

Last year I had a lot of spam from users on AIM, it stopped after a while, but I got a few a day for a few weeks, before it tailed off. I haven't had an unsolicited message now for over a year. The point was that the ignore lists didn't work, because although it was presumably the same spammer, or group of spammers, the screen name was never the same twice. I think what programs like AIM need is a one click button, that marks the person as a spimmer. If say 5 or 10 DIFFERENT people mark the same user they could be marked as a spimmer, and AIM could be set up to automatically ignore IM's from spimmers. Very similar to the warning level, but subtely different, because the warning level controls the spimmmers send rate, whereas this method puts the control in the hands of the people on the recieving end. You could also allow people to alter the spimmer level they accept messages from.

Obviously...

[scovetta]

You have how many users on AIM and Yahoo combined? 50 million? I don't know, but it has to be around that many. Even if 1% allow IMs from "anyone", that's a nice target base. Not to mention that, but the harvesting of IM-screen-names is starting to become serious-- how many times have you clicked on a link in someone's profile? That damned %n may be the death of us all. Of course, the answer is to just not allow IMs from people off of your list, but this just goes to show that we NEED some legislation that will take the "low-risk" out of sp[ai]mming. California has done a good start, but we need something to start with. Yes, I know that sp[ai]mmers are acting in many ways illegally, but there isn't much precedent for me tracking down a spammer by affiliate ID on a V1agra site and suing him. Maybe that's all we need...

counter-spamming

[Stephen+Samuel]

I currently still think that the best way to counter spam, right now, is to attack their business model. Right now, that consists of convincing poeple to actually start responding to spam by providing them with bogus infomation (random addresses and phone numbers, void (old or auto-generated) credit cards, etc/).

My idea is to drown them in bogus data so that they spend more time and money responding to bogus responses than they would with old-fashioned cold calling. It would also remove the advantage of increasing spamming volume because the spammer with the highest volume would also get the most garbage responses.

Thoughts?

Just Bill or Stall the Spimmers

[G4from128k]

Network providers could prevent Spim by letting IM recipients the power to bill or stall a Spimmer's account. For closed subscriber-only networks, the network provider could give IM users a "bonk-that-IMer" button. Each time a Spim appears and the recipient hits the "bonk" button, the Spimmer's account gets a $0.25 charge or is prevented from sending another IM for 30 secs or a minute.

Billing Spimmers would be a good way to raise revenues, but would be a nightmare for anyone whose account was highjacked. Stalling a spimmer's account might be a better way to make spim too labor-intensive to be useful (although maybe spimmers would just outsource to India or China and pay people $1/day to slowly send spims).

Even AOL Spims!!!

[mokolabs]

A few weeks ago, I got spimmed by someone promoting the new version of AOL 9.0.

Sadly, I deleted the chat log just a few days ago, but here's a rough recollection of my conversion with AOL's marketing gimp:

archer97: downloaded 9.0 yet?
mokolabs: nope
archer97: it's pretty sweet
archer97: check it out
mokolabs: no thanks
archer 97: it's a big upgrade
mokolabs: do i know you?
archer97: lol
archer97: no

Has anyone else run into this? I'd love to spin this story back at AOL (who apparently approves of spim as long it's the one spimming).

Re:This has been going on for years

[stilwebm]

ICQ made it slightly easier than other Instant Messaging clients. All you had to do was send a message to UIN's, starting at perhaps 1000 and working up to 10000000 and beyond. Spread it out over several IPs and several days and it's harder to notice. With AIM, Yahoo and MSN, you have to try alphanumerical combinations, increasing the number of possible combinations. I first noticed ICQ spam when installing an early version of LICQ (late 1997 or early 1998 I believe) and telling it to reject messages from users not on my contact list, then checking the logs for rejected messages. The log file grew several kilobytes per week. Windows versions at the time did not log rejected messages.

Of course they were almost 100% adult sites, mostly people saying "Hi I'm Lolita from Moscow U."

Re:Meh, relatively easy to get around.

[gvonk]

See, what I prefer is the Trillian plugin I've got that offers a challenge/response for anyone not on my buddy list, and it is completely customizable.

Mine just says "What is my first name?"
If they get it correct, they can send me a message. Wrong, and they can't... Pretty simple.

Now, if someone does a dictionary attack on me and brute-forces their way to my name, I'm in trouble...

Re:Where they probably get your screen name

[adzoox]

I'm sure they harvest from places like /. as well.

I've been getting "botted" lately. It's where you'll get this message that says something like:

"I liked what sent me"

You reply and it says:

"So what are you up to?"

Based on your reply - it will "sense a mood" but the reply won't make any sense

Then it sends a link saying you've been talking to a bot - download it (link)

I think a way to stop some IM spam or SPIM, as this article is calling it, is to prevent URLs from IMs. That way, if someone were getting around it, you'd know. They'd have to spell it, like they do in personals ads.

"Visit my website at double u double u double u dot horny dot c.u.m"

I send this message, eventhough it probably does little good, if I suspect SPIM:

"Just to let you know - if you are an IM spammer ... I have a new IM client called FIRE - it can send four viruses directly through IM if you respond. You are low life scum...otherwise hello.

Re:Strangers are just spimmers you haven't met yet

[dasmegabyte]

I use IM to do customer support with clients and prospective clients. I can't hide myself away without running the possibility of missing somebody. IM is, for me, mission critical and part of that is unfortunately keeping myself wide open.

Good news is, I don't maintain a profile. I hazard that's where spimmers are harvesting their addresses, because my IM screenname is ALL OVER the website yet none of my work IM accounts has ever gotten. My home account has gotten them...it has a profile, too. There's no real reason to have a profile unless you're looking to meet new people over the client...and it looks like some of those new people want me to check out their new porn websites.

And this is the heart of the problem

[shawn(at)fsu]

Still, there must be enough of a success rate to move spimmers to continue messaging users.

You could almost guarantee that if no one clicked those popup adds or if no one responded to Spam then the Spammers wouldn't send it.

I mean a few companies would use their advertising budget for spam, waste it all because no one that it reached bought anything and that would be the end of it. Other companies would learn form those failures.

But that isn't happening. Obviously allot of people respond to this advertising right?

Maybe Spam is just another example of our society attacking the symptoms and not the cause.

Not that I am defending Spammers I hate them and I hate the people who respond to the Spam just as much if not more so.