frostsparks


cathoderaydude
@cathoderaydude

something bewildering happened to me the other day: i got an ad in my comments. someone wrote a spambot for cohost, which found a post i'd written that Mentioned a Videogame, and replied to it with a recommendation to go do online gambling. and i can't stop thinking about it.


because like, it's not the beginning of the end. cohost is just bad at propagating advertising; I'm the only person who saw that post, so it's astonishing that they even bothered. Writing a bot, let alone paying a human to scrub the site and manually post ads, is not worth it. Yes, we've all seen ads in incredibly silly places, but this is not like any other website in existence.

The entire scam economy of the internet, the background radiation we've all become completely accustomed to, is based on a set of design principles that have been common for decades. Websites want to surface user contributions, they want to highlight how Popular an article is, or highlight the comments below it, because it drives further engagement and increases search rankings and all this other bullshit that, eventually, makes them sell another sidebar ad.

Because every website is SEOed up the ass, and because billions of people are using google at all times and (apparently) just randomly clicking on everything that comes up, the minimum hitrate on any website is just phenomenal. If you write a bot that posts keno ads on any website, it is going to get seen by thousands of people. If four of them are clueless enough to fall for your shit, it paid for itself.

But the whole thing hinges on mass visibility. Most people are actually not stupid enough to click on anything in a banner ad! No matter how dumb we think the unwashed masses are, they really aren't; it's just that there are so, so, so many people, moving so fast, that if .05% of them are feckless enough to click on an obvious fucking lie, that still ends up being a couple dozen purchases. Enough to pay for the scam.

Spam works because they are emailing an unimaginable number of people. If you have to spend $30 to rent a VM to send all these emails, but you con just one person into sending you $200 - you won! But it only works if you have millions of hits, tens of millions of pairs of eyes.

You can't get millions of eyes here. It's impossible; the website doesn't have millions, and even if it did, there is simply no way for that comment to ever surface. You can't even rechost a comment! The only person who EVER would have seen it is me, and maybe someone who happens to find my post and manually click on comments and read every single one of them. I bet in ten years, that ad would have gotten 200 views, and it's statistically probable that all 200 of them would have rolled their eyes and reported it as spam.

It wouldn't have worked as a chost either. Even if they'd somehow dressed it up in a more convincing lozenge, nobody would have rechosted it, and even if they did, it never would have spread more than two or three degrees away from my account.

Cohost is simply structurally incapable of supporting spam. And that doesn't highlight how special Cohost is; it highlights how fucking pathological the rest of the web is. We're on year 15 or 20 of every single website being exploitable in this way, every site being a megaphone that someone can grab. Maybe they only get it for 3 seconds, but in that brief moment they manage to shout "COME TO KINGS DIAMOND CASINO 3RD AVE FREE PENNY SLOTS 2-3 PM TUESDAYS", and the reach of that megaphone is so vast that some unbelievable fucking dipshit in the audience goes "oh sounds good i should hit that place." And this is why everything's bad; this is why every website is unusable, because every single one makes itself a viable target for fucking arbitrage, the kind of fraud committed by stealing a thousandth of a penny ten million times.

Cohost effortlessly avoids being a megaphone through simply not including features that are largely unmissed except by people who want to exploit you en masse. Maybe, just maybe, there's a lesson here.



in reply to @cathoderaydude's post:

it was like 10 years ago when phpbb forums were putting "what's one plus one" questions in their sign up forms because spambots were crawling the internet and automatically signing up for accounts. that might be a less popular way to make spambots today because so much is centralized, but you still see spam comments on random small websites no one's made a bot for when they don't require sign in. completely possible there are bots that try to make accounts.

Yep. I get so many attempted spam comments on my site, which uses an extremely obscure comment system that also requires JavaScript execution to work, which tells me that it might even be humans being paid to manually do this shit from developing-nation sweatshops.

Every single one of my website's comments is moderated so it's not like anyone sees them except me, but it's still annoying that I have to see them.

Cohost is simply structurally incapable of supporting spam

unfortunately, asks could be a reasonable target. and also if cohost exists long enough and gets big enough to have account takeovers like discord, spammers could post from accounts with followings

we're safe for now, but if discord can have spam in servers that just have friends, cohost can have spam too. i don't think cohost is structurally incapable of having spam, it's just not a big enough target.

but how do you get the list of users to ask? Cohost doesn't offer any convenient way to get a list of many users, nor is it easy to start from one point and find people from there. There are no following or follower lists, so even if you try to automate it, all you're going to get is a handful of names per user scraped out of their comments and rechosts

The network effect here is so weak compared to a site like Twitter. You could maybe come up with thousands of names, but I don't think any of these scams work with thousands of participants, you need hundreds of thousands, millions, tens of millions. Otherwise you're just not likely to run into anybody who will fall for it.

Oh and of course they could do it anyway, but why spend the effort when the results are going to pale in comparison to virtually anywhere else? I think you could get more people hooked on gambling by spamming the Yahoo news comments for 3 hours than if you spammed cohost for 2 years. And it's not like it's totally free; staff is going to find the IP and ban it, and then somebody has to move the bot to a new IP, and after two or three repetitions they're just going to go, why are we bothering?

lists of users from going through tags and saving every username you come across, or fully scraping every link like google. or if you have hijacked accounts, taking their entire follower & following lists. but yeah if there aren't enough users it isn't worth it.

I don't want to be a downer here, but doesn't this kind of counter your thesis?

Because every website is SEOed up the ass, and because billions of people are using google at all times and (apparently) just randomly clicking on everything that comes up, the minimum hitrate on any website is just phenomenal. If you write a bot that posts keno ads on any website, it is going to get seen by thousands of people. If four of them are clueless enough to fall for your shit, it paid for itself.

The point for these bots is rarely to target the actual userbase of the website they're spamming. They just want to piggyback on someone else's good search rank so that their name comes up first when someone Googles "online poker." For that purpose, it doesn't really matter if Cohost is anti-viral internally, as long as Google indexes it.

In my experience moderating small-time forums, these kinds of spammers, once you're on their radar, become a persistent annoyance - possible for a small team of moderators to play whack-a-mole with, but always there.

I'm not saying the Google traffic is necessarily what gets the ads clicked on, it's just what drives the website design to be so dark-pattern-heavy.

  • Google ranks the site based on how active it looks
  • Thus the site operator puts comments on every single page and surfaces them as high as possible so that every page looks active
  • This pushes the site up the rankings and drives more visits
  • The visiting users see all these surfaced comments, and that makes them stay Engaged and continue exploring the website
  • Thus they see many other Popular posts
  • So the bots are designed to put ads under every Popular post
  • So if you go even slightly Viral on twitter, you get 50 bots posting ads for shitty ceiling planetariums under your post.

Ahhh, I see what you mean then. Website operators are encouraged to increase visibility of everything which boosts spam too.

So I guess my understanding of it is that at least from the spammers' point of view, all that isn't actually necessary, as long as the target site has a good search engine rank and their posts/comments are indexed. They don't need a single user there to see their comment as long as it shows up on Google to someone looking for that, or that the simple association boosts their own search rank.

Now, I'm not sure if that still works anymore. It's been a tactic for a very long time, so it's likely that search engines have at least tried to combat it. But as long as spammers think it does, they'll keep trying it.