Anyone who is an active Twitter user has probably experienced the new frontier of Twitter spam: mysterious users suddenly ‘favoriting’ your old tweets. Sometimes, you see this behavior three weeks or more after you sent the original tweet.
You know it must be spam of some kind. And usually, a quick examination of the sender reveals a link in their bio that they want you to click. Or, sometimes they rely on users who will follow an account that favorites a tweet, hoping to send a dangerous URL by direct message later on.
First of all, why use the ‘Favorite’ action for spam? Because it’s a click-generating tactic for black hats that has few downsides. From a self-described “black hat” site:
We are making a bot right now that will allow you to load in accounts, set delay, rotate accounts after every said amount with proxy support etc…
The beautiful thing about this….after some testing I have done with just 2000 favorites (took 2 days on 1 account) the accounts get about 10 followers per thousand with tons of hits from your profile url…..and it doesn’t look spammy (having 2,000 followers and 25 following back like TA) and the account is still live.
Nobody knows how many times you have favorited something.
This is going to be sweet.
Unlike the older methods of “mention spam,” favoriting a tweet leaves no evidence in the spammer’s timeline for users to spot, and unless they overrun the limits that Twitter imposes (a very generous 1,000 favorites per account per day), they can stay under the radar long enough to achieve their goals: hits on links and follows from unsuspecting users. With even a few dozen accounts (too few probably to cause Twitter to notice), they can touch tens of thousands of Twitter users each day.
But there is something else to notice about the quote above: the “black hat” attitude. Though misguided marketers once used some of the bulk communications methods we now call “spam,” they have for the most part moved on to better ideas, leaving only the “black hats” to the field. This approach to bulk outreach is a Mark of Cain that not only impacts how “black hats” think, but also carries through to the techniques they use. And it leaves evidence.
Evidence like the gap between the time of the tweet and the time of the favorite. Normal users don’t favorite things they didn’t see live, or at least within a few days of original delivery. To favorite something that was sent weeks ago, you have to be running an automated keyword search (probably using a browser automation tool like iMacros, commonly misused for this among black hats). Because a normal user doesn’t have the patience to scroll backwards through weeks and weeks of old tweets looking for things to favorite. Only a machine can be given that job. That’s a dead giveaway.
Evidence like favoriting things from accounts that have no natural conversational history in them. Because building a natural looking conversation history would be time consuming and expensive, two things that are anathema to black hats looking for a quick score.
And that’s only for starters. The “black hat” attitude gives us many, many ways to differentiate the fakers from the real users, and all without examining the content of the messages.
At Meshfire, we study spammer behaviors so that we can help you focus on the most valuable, real people on Twitter and spend as little time as possible hassling with the fake accounts that sap your energy and reduce your influence.