"Spim" is Latest Online Annoyance

Pcol writes "The Washington Post reports that 'Spim,' as people are beginning to call unsolicited instant messages, is the latest sign that online marketers will seek to take advantage of other communication tools, not limiting themselves to spam or pop-up ads. The good news is that it's not easy for spimmers to send unsolicited instant messages. Instant message providers like AOL, Microsoft and Yahoo have a lot of control over their instant message networks, and since they look at their IM offerings as gateway services that help draw customers in to their paid Internet offerings, these firms are already committing resources to making sure the spim problem never reaches the same scale as spam." Even without the providers assistance, many people who use IM systems are smart enough to limit incoming messages to those from their buddy lists. Still, there must be enough of a success rate to move spimmers to continue messaging users.

This has been going on for years

[Metasquares]

Remember those weblinks you used to get from strangers on ICQ? This is hardly a new and emerging trend.

Re:This has been going on for years

[garcia]

it also happens when you show your personal information to anyone on the service. Disable that option (on AIM) and they don't find you.

Better option yet... Don't let anyone contact you that isn't on your list. If they can't search for you in the first place it won't matter if they can't contact you if they happen across your AIM screen name.

Re:This has been going on for years

[stilwebm]

ICQ made it slightly easier than other Instant Messaging clients. All you had to do was send a message to UIN's, starting at perhaps 1000 and working up to 10000000 and beyond. Spread it out over several IPs and several days and it's harder to notice. With AIM, Yahoo and MSN, you have to try alphanumerical combinations, increasing the number of possible combinations. I first noticed ICQ spam when installing an early version of LICQ (late 1997 or early 1998 I believe) and telling it to reject messages from users not on my contact list, then checking the logs for rejected messages. The log file grew several kilobytes per week. Windows versions at the time did not log rejected messages.

Of course they were almost 100% adult sites, mostly people saying "Hi I'm Lolita from Moscow U."

SPIM

[kelceylehrich]

But there isn't a hated semi-meat food called spim. The cultural connotation won't be enough for people to hate it. We should call it pork-rhinds.

Re:SPIM

[DrEldarion]

I worked at a grocery store for 7 years, and I can tell you that neither spam nor pork-rinds were hated. You'd be VERY surprised at how often they both went through the line. These weren't people who could only afford spam, either, this was in upper-middle-class suburbia.

this is your chance

write a program that automatically configures im clients to only accept incoming messages from the buddy list and sell it for 100$!

problem is, i'll bet someone will actually do that...

Locating Spimmers

[cronot]

Wouldn't the nature of Spim (Spam via IM) make it easier for the Spammers to be located? Or could they just use a spoofed address anyway?

It'll never be a real problem because...

[Space+cowboy]

... it's obviously in someone's best financial interests to make sure it's not a problem, and they have the means to ensure it - if only it were the same with email...

Simon

Re:It'll never be a real problem because...

[chumpieboy]

I'd say there are many corporations that have a financial interest in stopping email spam.

In actuality, the big three IM companies have the luxury of developing their own protocols and applications, and to have the opportunity to make changes to their own code and specs to stop SPIM.

Nothing short of a massive rewrite of the RFCs *and* mass migration to new MTAs compliant with the new RFCs will accomplish the same for SMTP.

hrmm

[acehole]

So uhm, what's your icq/msn/aim/yahoo!/jabber numbers?

Unfortunate name choice

[yerricde]

I thought "SPIM" was a PC program that simulates a generic MIPS architecture processor, used in computer architecture courses in computer science and computer engineering curricula.

Light on details

[mr100percent]

This article is pretty light on details. Where do they get your screen name? (I guess handle is out of fashion) Chat rooms I imagine, but has every spimmed person been in a chat room at some point? Or does everyone fill in their name in their UBB forum profiles?

AOL/AIM seems to have it worst, lots and lots of porn spims. Never had a problem with Yahoo but I remember a /. story about spam on MSN.

Wouldn't it be harder to spam on MSN and Yahoo? Don't they crack down on unauthorized clients, while AIM has the open-source TOC protocol?

Re:Light on details

[peter_gzowski]

Where do they get your screen name?

I'm assuming with ICQ they just run through all numbers from about 5 digits to 9 digits (or whatever ICQ's up to these days). With MSN IM most people use their hotmail address as identifier (because you don't have to go through the process of registering another email with MSN, IIRC). Hotmail addresses are easily obtained, through a variety of methods (guessed, harvested, purchased...). I'm not sure how hard it is to obtain AIM or Yahoo screen names. I don't think it has to do with the protocol being open or not, though. I think the people at Trillian and Gaim have basically opened all the protocols. I think the "spim"ers aren't using protocol exploits (although I could be wrong), I think they're just obtaining screen names.

Re:Light on details

[Wintensis]

Yahoo has it's 'user directory' - which you can opt out of.

However, the biggest offense on Yahoo is the 'chat rooms'. I can't count know how many times that 'marketing bots' have wandered into one of the totally innocous chat rooms and spew 'porn-o-matic' messages into the room (complete with links) and vanished.

I also suspect that the 'spam bots' on yahoo chat rooms do 'profile lookups' of people in the rooms they see and do an email harvest.

It's not a hard fix to get rid of - but it has to be done by Yahoo. Messenger has an 'ignore feature, and if you had an option to 'auto ignore' anyone who spoke a URL aloud (ok, you MIGHT get real people too - but how often do YOU state URLs in casual convertaion. Maybe a bad question to ask /.'ers ;> ).

However, Yahoo provides a free service - so there is no real incentive to fix it. There a few 'third party' proxy programs that allow you SOME of this added functionality. Perhaps such anti-spim features will be in an 'upgraded' pay service :p

Spim? spim! where's the monty python refreence

[JamesD_UK]

Well, there's AOL messenger and Yahoo! messenger; AOL messenger MSN messenger and Yahoo! messenger; AOL messenger and spim; AOL messenger Yahoo! messenger and spim; AOL messenger Yahoo! messenger MSN messenger and spim; spim Yahoo! messenger MSN messenger and spim; spim AOL messenger spim spim Yahoo! messenger and spim; spim MSN messenger spim spim Yahoo! messenger spim tomato and spim; spim spim spim AOL messenger and spim; spim spim spim spim spim spim baked IRC spim spim spim......or Lobster Thermidor a Crevette with a mornay sauce served in a Provencale manner with shallots and aubergines garnished with truffle pate, brandy and with a fried AOL messenger on top and spim...... Well, there's spim AOL messenger MSN messenger and spim, that's not got much spim in it.

I don't want ANY spim! Seriously though, since when was this news? I remember receiving spam^H^Him years ago in ICQ.

Easy to block spim when I'm on the computer but...

[Pepp7]

... my aol IM get forwarded to my phone when I'm not online. That's when it gets really annoying... Anyone know a way to stop this?

ICQ?

[Dunarie]

Jeeze, anyone that has left ICQ running for more than an hour has gotten "spim", since the "spimmers" can do just like telemarketers do, and go through the numbers untill they get someone. I remember getting a really 'sexy' spim message one time while I was away, my dad nearlly grounded me thinking it was someone I knew that I cybered with. :(

Meh, relatively easy to get around.

[DrEldarion]

I have AIM set to only allow people on my buddy list to contact me. If you're not on it, to you it looks like I'm offline. Not possible to get "spim" this way, unless it's one of my friends sending it.

The only problem comes when someone that's NOT on my buddy list wants to talk to me. Usually it's not a big deal, they can just e-mail me and I'll add them to the list later. It is somewhat inconvenient, but better than getting 10 IMs a day telling me to go to porn sites.

There's a middle ground, which is asking for your authorization before it shows the IM window, but I never found this to help - it was always too tempting just to click the "see message" button to see what they were sending me. So that didn't really help much.

Re:Meh, relatively easy to get around.

[gvonk]

See, what I prefer is the Trillian plugin I've got that offers a challenge/response for anyone not on my buddy list, and it is completely customizable.

Mine just says "What is my first name?"
If they get it correct, they can send me a message. Wrong, and they can't... Pretty simple.

Now, if someone does a dictionary attack on me and brute-forces their way to my name, I'm in trouble...

Re:Meh, relatively easy to get around.

[AnyoneEB]

The problem with auto-replies is that someone that's trying to be annoying can make lots of screen names and warn you to 100% when are you at your computer.

User reporting

[Aneurysm]

Last year I had a lot of spam from users on AIM, it stopped after a while, but I got a few a day for a few weeks, before it tailed off. I haven't had an unsolicited message now for over a year. The point was that the ignore lists didn't work, because although it was presumably the same spammer, or group of spammers, the screen name was never the same twice. I think what programs like AIM need is a one click button, that marks the person as a spimmer. If say 5 or 10 DIFFERENT people mark the same user they could be marked as a spimmer, and AIM could be set up to automatically ignore IM's from spimmers. Very similar to the warning level, but subtely different, because the warning level controls the spimmmers send rate, whereas this method puts the control in the hands of the people on the recieving end. You could also allow people to alter the spimmer level they accept messages from.

Stopping sp(a || i)mmers...

[AVee]

Email spam is getting filtered and blocked more and more by email users and ISP's. Gives a lot of hassle. This makes email more and more a ineffective medium for spammer. The people that don't have their email filtered are switching to IM because the anount of spam they get with email.
It's sad, but just logical that spammers will switch to IM. We should stop trying to stop spammers by technological means, they will find ways around it or we will end op with a hardly usable messaging system. What we should do is find ways of taking the profit away from them. Either by educating people not to by spamvertized products, by sueing their ass off or just 'SlashDot' them in some dark alley. As long as it possible to make profit from spam ther will be spammers...

Re:Stopping sp(a || i)mmers...

[Dmtalon]

What we should do is find ways of taking the profit away from them. Either by educating people not to by spamvertized products, by sueing their ass off or just 'SlashDot' them in some dark alley. As long as it possible to make profit from spam ther will be spammers...


This is what I've been preaching for a while to anyone that will listen. Spamming is around for one reason, and one reason only. "It works" How do we stop it, simple... We break it.

Other unwanted forms of avertising

[dgenr8]

SHAM = Commercial messages delivered via amateur radio
SPANK = Commercial TV in the classroom
SPUD = Commercial crop circles, especially in potato fields
SPELUNK = Advertisements on cave walls

not smart vs dumb

[kisrael]

Even without the providers assistance, many people who use IM systems are smart enough to limit incoming messages to those from their buddy lists.

Yeah, but it's not a matter of smart vs. dumb; it's also concerned about SPIM enough to take that kind of step vs. wanting to be open to chatting to new people. Part of the promise of the Internet is making NEW interpersonal connections, and having to establish contact outside the communication form in question is a huge drag.

I suppose there might be some tag that lets you launch AIM or whatever via a browser, but luckily it's not used as much as mailto: , so it's less trivial to harvest these addresses. Also, since userids are generally small, and don't come bundled in some obviously reg-exable form like URLs and email addresses do, there is less harvesting going on.

I've been using AIM (hi, I'm kirkjerk) since the late 90s, and only every once in a while is there any SPIM. There was a time when I'd get one or two a day (suspiciously, generally right after I came back from idle) but now its one or two a month. When I tried ICQ in the late 90s, it was more of a steady flow.

Obviously...

[scovetta]

You have how many users on AIM and Yahoo combined? 50 million? I don't know, but it has to be around that many. Even if 1% allow IMs from "anyone", that's a nice target base. Not to mention that, but the harvesting of IM-screen-names is starting to become serious-- how many times have you clicked on a link in someone's profile? That damned %n may be the death of us all. Of course, the answer is to just not allow IMs from people off of your list, but this just goes to show that we NEED some legislation that will take the "low-risk" out of sp[ai]mming. California has done a good start, but we need something to start with. Yes, I know that sp[ai]mmers are acting in many ways illegally, but there isn't much precedent for me tracking down a spammer by affiliate ID on a V1agra site and suing him. Maybe that's all we need...

AIM has "Warn"

[harks]

Could this problem be solved with use of the "Warn" feature? Spimmers could change their screen name and keep spimming, but the warn feature could be changed to warn an IP? If it already does, just warn the spimmers and they won't be able to send out messages nearly as massively as email spammers.

Good old CompSci days ...

[mumblestheclown]

frankly, i never thought that the MIPS Simulator was that much of a headache. I mean, the instruction set was pleasantly simple.. a toy, really.

Strangers are just spimmers you haven't met yet..

[Channard]

.. which is why using the 'hide name' feature on AIM or whatever your using solves the problem rather neatly. Anyone who you want to IM with can still IM as long as they know your name, but casual browsers can't see you.

Re:Easy to block spim when I'm on the computer but

[diersing]

Turn your phone off. I'm curious though, why would you need IM's that bad?

Disconnect, take a shower, read a book, you don't have to be *connected* round the clock, if some friend needs you that bad, use your phone the way it was designed and have them call you.

You forgot . . . .

[Anonymous+Poodle]

SPUNK = Pr()n ads

Damn!, I thought she was realy interested in me

[thbigr]

I thought here invitation to check out here personal web site was a big come one. Sure the request for a Visa card seemed kind of strange, but then other girl friends I have had ask for my Visa card.

Hmmmm....

counter-spamming

[Stephen+Samuel]

I currently still think that the best way to counter spam, right now, is to attack their business model. Right now, that consists of convincing poeple to actually start responding to spam by providing them with bogus infomation (random addresses and phone numbers, void (old or auto-generated) credit cards, etc/).

My idea is to drown them in bogus data so that they spend more time and money responding to bogus responses than they would with old-fashioned cold calling. It would also remove the advantage of increasing spamming volume because the spammer with the highest volume would also get the most garbage responses.

Thoughts?

Perpetuating the myth - creating the market

[Claws+Of+Doom]

"Still, there must be enough of a success rate to move spimmers to continue messaging users." I disagree. There must only be enough perception of a success rate for the spammers to be able to charge advertisers a rate high enough for them to turn a profit. Such throwaway comments only add to what is a growing problem. Darnit! I've gone and done it now!

Re:SPAM by any other name

[shockwav1]

Yea, that's great until you start getting competitors DoS'ing each other... ie. Microsoft hires a spammer to send out spam advertising Sun's products. All of a sudden you've got innocent companies getting sued and/or shut down for the actions of a third party.

SCO says SPIM is a derivative work...

[Proudrooster]

Today SCO announced the SPIM is a derivative work using the login that they SPIM begins with the letter 'S' (just like SCO). Darl McBride CEO of SCO announce that they would not take this lightly and were planning on sending threatening letters to anyone who sends or receives SPIM and to anyone with a name that begins with 'S'.

Boycott SCO and SPIM!

Just Bill or Stall the Spimmers

[G4from128k]

Network providers could prevent Spim by letting IM recipients the power to bill or stall a Spimmer's account. For closed subscriber-only networks, the network provider could give IM users a "bonk-that-IMer" button. Each time a Spim appears and the recipient hits the "bonk" button, the Spimmer's account gets a $0.25 charge or is prevented from sending another IM for 30 secs or a minute.

Billing Spimmers would be a good way to raise revenues, but would be a nightmare for anyone whose account was highjacked. Stalling a spimmer's account might be a better way to make spim too labor-intensive to be useful (although maybe spimmers would just outsource to India or China and pay people $1/day to slowly send spims).

Re:Obscenity through Obscurity - Hoopla!

[dipipanone]

Is it obscure? I suppose it depends on which part of the world you live in? When we did Canterbury Tales at 'O' Level, this was always our favourite part.

Now, gentleman, this gallant Nicholas
One day began to romp and make a pass
At this young woman, in a mood of play,
Her husband being out down Osney way.
Students are sly, and giving way to whim,
He made a grab and caught her by the quim
And said, 'Unless I have my will of you
I'll die of secret love -- O, darling, do!'
Then held her haunches hard and gave a cry
'O love-me-all-at-once or I shall die!'

The Miller's Tale, Geoffrey Chaucer

Even AOL Spims!!!

[mokolabs]

A few weeks ago, I got spimmed by someone promoting the new version of AOL 9.0.

Sadly, I deleted the chat log just a few days ago, but here's a rough recollection of my conversion with AOL's marketing gimp:

archer97: downloaded 9.0 yet?
mokolabs: nope
archer97: it's pretty sweet
archer97: check it out
mokolabs: no thanks
archer 97: it's a big upgrade
mokolabs: do i know you?
archer97: lol
archer97: no

Has anyone else run into this? I'd love to spin this story back at AOL (who apparently approves of spim as long it's the one spimming).

SPIM?!

[ndogg]

I know that MIPS assembly can be tough to learn, but never thought CS students would ever get to the point of annoying people on the internet with it...

Oh, err, nevermind...

Re:Where they probably get your screen name

[adzoox]

I'm sure they harvest from places like /. as well.

I've been getting "botted" lately. It's where you'll get this message that says something like:

"I liked what sent me"

You reply and it says:

"So what are you up to?"

Based on your reply - it will "sense a mood" but the reply won't make any sense

Then it sends a link saying you've been talking to a bot - download it (link)

I think a way to stop some IM spam or SPIM, as this article is calling it, is to prevent URLs from IMs. That way, if someone were getting around it, you'd know. They'd have to spell it, like they do in personals ads.

"Visit my website at double u double u double u dot horny dot c.u.m"

I send this message, eventhough it probably does little good, if I suspect SPIM:

"Just to let you know - if you are an IM spammer ... I have a new IM client called FIRE - it can send four viruses directly through IM if you respond. You are low life scum...otherwise hello.

Flashback...

[buddha42]

One thing is for sure, if they could get the spim's out, they would work.

digging deep into my 14-year-old-loser-in-his-parents-basement history, I remember the days when you could run a "phish"ing program in AOL. It would scrape the screen names from a couple dozen chat rooms, and mass-IM them a message saying "AOL billing has lost your password, just reply with it or your account will be disabled". I know we're talking about aol-ers here, but those retards would reply about 1 in 50. Eventually AOL added little red text to the bottom of every IM saying "we will never ask you for your password" but even then it was still very effective to just IM about 2000 people. The thing is, it only took three people "reporting" you for your account to get disabled.

So AIM now seems to have this mostly under control with the rate-limiting. Getting people's IM names will happen much the same way emails are harvested, forums, personal web pages, etc.

Here's an annoying little brain teaser. Imagine every ISP had standardized on something like Jabber and we didn't have this proprietary mess we do now with AIM/MSN/Yahoo. How would we provent spim then? Wouldn't it be just as subject to being raped as SMTP?

Re:Strangers are just spimmers you haven't met yet

[dasmegabyte]

I use IM to do customer support with clients and prospective clients. I can't hide myself away without running the possibility of missing somebody. IM is, for me, mission critical and part of that is unfortunately keeping myself wide open.

Good news is, I don't maintain a profile. I hazard that's where spimmers are harvesting their addresses, because my IM screenname is ALL OVER the website yet none of my work IM accounts has ever gotten. My home account has gotten them...it has a profile, too. There's no real reason to have a profile unless you're looking to meet new people over the client...and it looks like some of those new people want me to check out their new porn websites.

Semi-offtopic ... but ... audio spam

[eggmit]

In the last few days, I've started receiving audio spam while browsing the web. Each time, it's been a 30-second ad for the movie Timeline that played in the background, and continued to play even after I closed all (Firebird) browser windows.

Any thoughts on blocking this? The fact that it continued to play makes me wonder what's going on.

And this is the heart of the problem

[shawn(at)fsu]

Still, there must be enough of a success rate to move spimmers to continue messaging users.

You could almost guarantee that if no one clicked those popup adds or if no one responded to Spam then the Spammers wouldn't send it.

I mean a few companies would use their advertising budget for spam, waste it all because no one that it reached bought anything and that would be the end of it. Other companies would learn form those failures.

But that isn't happening. Obviously allot of people respond to this advertising right?

Maybe Spam is just another example of our society attacking the symptoms and not the cause.

Not that I am defending Spammers I hate them and I hate the people who respond to the Spam just as much if not more so.