What spammers want, how they do it, and how to prevent it

Spammers are a regular occurrence online and, sooner or later, you’re likely to have to deal with them. However, even though they are so prevalent, many people have little to no understanding of how spammers get to their website, let alone what they want from them.

In this brief guide, we’ll tell you exactly what methods spammers use to reach your website, what their true intentions generally are and, most importantly, how to prevent them from ever getting to you.

How do spammers find you?

There are many ways spammers can attack your website. Occasionally, it’s a directed attack specifically towards you. More often than not, though, they resort to using spambots that automatically gather an exhaustive list of targets.

Spambots generally reach their targets through the use of specific keywords. For instance, if they’re intended to strike at a site that uses Drupal, the spammer will include relevant, Drupal-related keywords, after which the spambot will crawl through the results and gather the first few thousand addresses to use as targets. It’s important to note that certain terms are specific to a certain type of website (e.g. WordPress blogs generally include the term “Proudly powered by WordPress”) or content (e.g. “Leave a reply” right before a comment section) and therefore, if left unaltered, serve as obvious indicators of the platform in use for spambots to locate. Such terms are called ‘footprints’ and range from text footprints to URL footprints.

Even when the platform itself is not immediately recognizable to a spambot, there are various ways it can detect comment systems and leave comments, such as a brute-force attack in which it tests various methods to see which one works on your comment system. Avoiding footprints is therefore not enough to deter spambots on its own, although it does help.

What do spammers want?

The main motivation for spam is profit. Spam tends to be very lucrative, even when spammers are just peddling questionable products. That said, spammers also pursue financial gain in more harmful ways.

One such way is phishing, that is, obtaining sensitive personal information, such as passwords or credit card information, from the user by pretending to be an important or official source, such as a bank or an IT manager, or by promoting a fake offer to grab the user’s attention. With the popularity of social media, there are even phishing techniques focused entirely on creating authentic-looking posts for this exact purpose.

Another possible motive for spam is to turn your computer into a zombie. In computer science, a zombie is a computer that has been infected by a virus or a hacker and is now controlled remotely by the attacker, without the user being aware. These infected computers are then used for malicious purposes, such as orchestrating distributed denial-of-service (DDoS) attacks or spreading more spam via e-mail, ultimately generating more profit in the process.

There are also spammers that seek to add links back to their own websites or to misleading offers, in a misguided attempt to raise those websites’ search engine rankings. These attempts at link building are non-recommended SEO tactics that are frowned upon by Google, as they try to trick both search engines and users through dishonest link building.

Whatever the case may be, spam ultimately boils down to malicious intent, either towards you, your site or your users.

What can I do to prevent spam?

Essentially, methods of preventing spam are divided into two categories: those that affect the user experience and those that don’t.

Methods that affect the user experience usually involve some sort of anti-spam step in registering or commenting. Arguably the best known examples are CAPTCHAs, which many websites rely on to stop spammers. However, CAPTCHAs are not foolproof, with more advanced spambots using OCR (optical character recognition) to turn CAPTCHAs into text. There are even dedicated ‘human farms’ where real people are paid to solve CAPTCHAs for spambots. Besides that, these methods also add a degree of annoyance for the user that damages the user experience on your website, although more modern solutions, such as reCAPTCHA, are simplifying this process and removing much of the hassle.

Methods that do not affect the user experience address the ways spambots reach and interpret websites in order to prevent spam. These preventive measures operate by reducing the aforementioned footprints in websites, for instance, by altering the titles used for comment fields (e.g. “Say something” instead of “Leave a reply”), outright removing the terms that spambots use to identify platforms and vulnerabilities, and even altering URLs that are associated with certain website types (e.g. “/users/” in Drupal, “/wp-admin/” in WordPress). There are also anti-spam websites that provide tools or even extensive databases of known spammers and their respective addresses in order to help you block them on entry. Overall, these methods generally have less of an impact on user experience because they’re essentially unnoticeable by users, but hamper automated spam methodologies.
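
To check how much of this your own pages still expose, the following added example (not from the original article) audits a page's HTML for the text and URL footprints mentioned above. The footprint lists contain only the strings named in this guide, and the two sample pages and the `/account/` path are constructed for illustration.

```python
from html.parser import HTMLParser

# Footprints named in the article; extend with your platform's own strings.
TEXT_FOOTPRINTS = ["proudly powered by wordpress", "leave a reply"]
URL_FOOTPRINTS = ["/wp-admin/", "/users/"]
URL_ATTRS = {"href", "src", "action"}

# Constructed sample pages (not taken from a real site).
SAMPLE_DEFAULT = """<h3>Leave a Reply</h3><a href="/wp-admin/">Log in</a>
<footer>Proudly powered by <a href="https://example.org/">WordPress</a></footer>"""
SAMPLE_HARDENED = '<h3>Say something</h3><a href="/account/">Log in</a>'


class PageCollector(HTMLParser):
    """Collects visible text and URL-bearing attributes from one page."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.text_parts, self.urls = [], []
        self._skip = 0  # depth inside <script>/<style>, whose text is not visible

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        self.urls += [v for k, v in attrs if k in URL_ATTRS and v]

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text_parts.append(data)


def audit(html):
    """Return the text and URL footprints still present in the page."""
    page = PageCollector()
    page.feed(html)
    page.close()
    # Normalise whitespace so a phrase split across tags or lines still matches.
    text = " ".join(" ".join(page.text_parts).split()).lower()
    urls = [u.lower() for u in page.urls]
    return {
        "text": [f for f in TEXT_FOOTPRINTS if f in text],
        "url": [f for f in URL_FOOTPRINTS if any(f in u for u in urls)],
    }

if __name__ == "__main__":
    print(audit(SAMPLE_DEFAULT), audit(SAMPLE_HARDENED))
```

Run it against the rendered HTML of each public template (home page, post page, login page) after changing labels or paths, since a footprint removed from one template often survives in another.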