In “When Social Spam Attacks Part 1” I covered the common mistakes that site owners make in their initial response.  Now, let’s talk about the days, weeks and months after the initial attack.  When the smoke clears, the web team gets together to decide how to prevent the next incident.  But time and again, we see the same mistakes being made on the planning front.  Here is what I’d consider the top three:

  • Build user authentication barriers: Implementing solutions like CAPTCHA, strict rate limits, or broad blacklisting can theoretically stop some of the bad guys from infiltrating your site. Unfortunately, they aren’t foolproof. Take CAPTCHA for example: sure, most bots can’t solve them, but spammers have figured out a way around this – outsourcing. By hiring people in India or China, scammers can bypass these CAPTCHAs, paying as little as 80 cents per 1000 deciphered boxes. Moreover, these barriers come at the risk of alienating your most valuable users. Our studies show a minimum of 10-15% decrease in engagement when CAPTCHA is enforced.
[Image: Sample CAPTCHA. Flickr image courtesy of Lars Ploughmann]

  • Design site features defensively: In addition to authentication barriers, attacks make web designers more conservative. Suddenly, everyone is thinking twice about adding social media engagement features for fear that they will be compromised. So they skip the features, turn off user-generated content (UGC) because of the risk, or worse, build to “guilty-until-proven-innocent” standards. Though these steps will reduce spam attacks, they’ll also decrease web visits and cripple user engagement. The more engaging your site is, the more valuable it becomes to visitors. So rather than designing features out of fear, start first with the user in mind, and then consider the best ways to prevent abuse around that.
  • Fail to design an abuse response plan: We estimate that less than 1% of web managers have plans for outages. And even if they do, we’ve seen numerous situations where, in the midst of an attack, they fail to implement it, instead responding ad hoc. I can’t stress enough the importance of planning and implementing preventative methods. Just think for a moment about what you’d do in the case of an attack. Do you have a plan? Do you have a list of your most trusted users, so you could ensure they receive uninterrupted service? Do you have filters in place that can be dialed up in the face of an attack? Do you keep some defenses in reserve, which can give you the necessary breathing room to plan your next move? These are some of the questions that we ask our clients and prospects.
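One way to turn those questions into something concrete, as an added example that is not Impermium’s or this post’s own code: a small Python policy that keeps a pre-built trusted-user list on an allow path, tightens posting limits as a threat level is dialed up, and holds one defense (reviewing link-bearing posts from brand-new accounts) in reserve for attack mode. The threat levels, account fields and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from enum import IntEnum


class ThreatLevel(IntEnum):
    """Assumed escalation ladder: NORMAL -> ELEVATED (dial filters up) -> ATTACK (reserve defenses)."""
    NORMAL = 0
    ELEVATED = 1
    ATTACK = 2


@dataclass
class Account:
    user_id: str
    age_days: int
    trusted: bool = False  # on the "most trusted users" list built before any incident


@dataclass
class Post:
    author: Account
    links: int  # number of URLs in the post body


class AbuseResponsePolicy:
    # Posts allowed per account per window at each level (constructed values).
    POST_LIMITS = {ThreatLevel.NORMAL: 20, ThreatLevel.ELEVATED: 10, ThreatLevel.ATTACK: 3}

    def __init__(self, level: ThreatLevel = ThreatLevel.NORMAL) -> None:
        self.level = level
        self.counts: dict[str, int] = defaultdict(int)  # posts seen per account this window

    def set_level(self, level: ThreatLevel) -> None:
        """Dial the filters up or down without redeploying anything."""
        self.level = level

    def decide(self, post: Post) -> str:
        """Return 'allow', 'review' (hold for a human) or 'block'."""
        author = post.author
        if author.trusted:
            return "allow"  # trusted users get uninterrupted service at every level
        self.counts[author.user_id] += 1
        if self.counts[author.user_id] > self.POST_LIMITS[self.level]:
            return "block"  # the same rate limit, just tighter as the level rises
        # Reserve defense: switched on only under ATTACK so it is fresh when needed.
        if self.level >= ThreatLevel.ATTACK and author.age_days < 7 and post.links > 0:
            return "review"
        if self.level >= ThreatLevel.ELEVATED and post.links >= 3:
            return "review"  # link-heavy posts get a second look once filters are dialed up
        return "allow"
```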

Defense against scammers and malicious users is an ongoing struggle. The best thing you can do to protect your website is to have prevention methods in place – the more thorough the better. Websites with a researched plan don’t need to go into crisis mode in the face of an attack.

Mark Risher

Mark Risher is CEO and Co-Founder of Impermium. As the former “Spam Czar” for Yahoo!, he has regularly presented worldwide to government, industry, and consumer groups about spam, abuse, and cyber security issues.
