Don Marti

Fri 09 Oct 2009 07:21:06 AM PDT

What's wrong with dead profile pages?

Why should a community site worry about spammers making accounts, if they're not commenting to create inbound links to their profile pages? Everything looks clean from up front, but you just happen to have a bunch of users who are in the pharmaceutical mail-order business. But after making their profiles they never post anything on your site, so they're pretty much invisible to you.

This is a pattern that's starting to pop up pretty frequently. The reason is that bloggers who accept comments are starting to block outgoing links to obviously hinky sites. But if example.com is a trusted site, and a spammer can make a page under example.com/community/, then comment spam linking to that will get through.

Spammers find these "community" sites long before the legit users do.

Best for the spammer is when example.com installs software for its "community" section that lets JavaScript or meta tags through. Then the spammer can have the profile page on example.com refresh itself and send the visitor straight to the spammer's real domain.

Now that this trick is out there, the authors of forum software are going to start including a feature that lets you make new or untrusted profiles available only to logged-in or trusted users. But by the time people get that working, there will be another trick. What we need more of is spam-aware software architecture.
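A site operator can audit stored profile bodies for the redirect vectors described above and apply the "untrusted profiles are not public" rule. The sketch below is an added example, not code from the original post or from any forum package. `SITE_HOST`, the finding labels, the `trusted` flag and the sample profiles are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "example.com"  # assumption: the community site's own host

class ProfileAudit(HTMLParser):
    """Collect redirect vectors and off-site links from stored profile HTML."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = set()

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values may be None.
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "script":
            self.findings.add("script")
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.add("meta-refresh")
        for name, value in a.items():
            if name.startswith("on"):            # onclick, onload, ...
                self.findings.add("event-handler")
            elif name in ("href", "src") and value.lower().startswith("javascript:"):
                self.findings.add("javascript-url")
            elif name == "href":
                host = urlparse(value).hostname
                if host and host != SITE_HOST and not host.endswith("." + SITE_HOST):
                    self.findings.add("offsite-link")

def audit_profile(html):
    """Return the sorted list of finding labels for one profile body."""
    parser = ProfileAudit()
    parser.feed(html)
    parser.close()
    return sorted(parser.findings)

def publicly_visible(findings, trusted):
    """Untrusted profiles, and any profile with a redirect vector, stay
    hidden from anonymous visitors (and so from inbound spam links)."""
    active = [f for f in findings if f != "offsite-link"]
    return trusted and not active

# Constructed sample profile bodies (not taken from any real site).
SAMPLES = {
    "clean": '<p>See <a href="/community/faq">the FAQ</a>.</p>',
    "refresh": '<META HTTP-EQUIV="Refresh" CONTENT="0; url=http://pills.invalid/">'
               '<a href="http://pills.invalid/">cheap</a>',
    "script": '<script>location="http://pills.invalid/"</script>',
}
```

This is an audit over what is already stored, not a sanitizer: rendering user-supplied HTML safely still needs an allow-list of tags and attributes at output time.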