Is TwitPic Becoming Twitter’s Newest Spam Source?

TwitPic is one of the most popular ways to share photos on Twitter, but is it giving spammers an easy way to send you unwanted messages?

Spam on Twitter is simpler (but arguably more sophisticated) than good-ol’ email spam; instead of getting an unsolicited email full of FREE V1AGRA links, you get a short, tantalizing message with a shortened URL attached. Shortened URLs are the perfect delivery vehicle for spam links – many users have grown so accustomed to blindly clicking them that they never consider where the link actually leads. [We previously wrote a guide about expanding shortened URLs.]

Even though Twitter has long suffered from spam problems – it’s quite easy for a malicious user to create dozens of fake accounts to send messages – they’ve always taken an aggressive stance against unsolicited messages with tools like their @spam account and the Block and Report Spam links on user profiles. But my recent experiences have made it clear that spammers are finding new ways into the popular social network through third-party connected sites like TwitPic.

When a picture is uploaded to TwitPic, other users have the ability to post comments on it. These comments are then sent directly to the person who uploaded the picture as an @ reply on Twitter, giving spammers a simple way to hit you with messages without ever using Twitter.com or the Twitter API directly.

Here’s an example of a spam message on one of my TwitPic pictures:

Which is immediately sent to my Twitter account:

As you can see, I’ve been getting spam on almost every picture I’ve posted to TwitPic recently. After expanding the bit.ly shortened URLs in the messages (this can be done by simply adding a plus sign (+) to the end of the URL), the source URL was revealed to be a spam URL offering free iPhones in return for all of my personal information. Gross.

Even though these accounts didn’t last long – Twitter blocked them almost immediately, as shown in the picture below – there were still dozens of accounts sending unique spam messages simultaneously. Even if they only send a few messages each, the scale of the operation suggests that many of these messages reached unsuspecting users who may have clicked the links, and studies have shown that even with terrible conversion rates, spam can still be mind-blowingly profitable.

So far no comment has been made by Twitter or TwitPic regarding this new type of spam. If you ever receive a suspicious message with a link on Twitter, follow these steps:

  1. Expand the shortened URL. If it’s a bit.ly URL, you can simply add a plus (+) sign to the end of the URL to reveal its source.
  2. If the URL doesn’t look familiar to you (tell-tale sign: ends with an uncommon domain name or has a lot of random characters), do not click it!
  3. Check out the profile of the user that sent you the message. If it looks like they’re sending the same type of spam messages to others, click the Gear icon on their profile and select Report for spam. This will automatically block them so you’ll never get a message from that account again.
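As an added example (not from the original article), here is how the first two steps can be automated for a whole message: every link is expanded to its final destination and then checked for the tell-tale signs above (an unfamiliar domain, an uncommon top-level domain, a lot of random-looking characters). The redirect table, the domain lists and the sample URLs are constructed stand-ins; in practice the expansion step would follow the shortener’s HTTP redirects or, for bit.ly, read the info page reached by appending a plus sign.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for following a shortener's HTTP redirects offline.
# A real expander would issue a HEAD request and read the Location header
# (or, for bit.ly, open the link with '+' appended to see its info page).
REDIRECTS = {
    "http://bit.ly/abc123": "http://free-iphone-now.xyz/claim?u=8f3k2j9d0a1z",
    "http://bit.ly/safe1": "https://example.com/blog/post",
}
# Constructed allowlists: domains the reader recognises and TLDs they see daily.
FAMILIAR_DOMAINS = {"example.com", "twitter.com", "twitpic.com"}
COMMON_TLDS = {"com", "org", "net", "edu", "gov"}
URL_RE = re.compile(r"https?://\S+")

def expand_short_url(url, redirects=REDIRECTS, max_hops=5):
    """Follow a redirect chain to its end; stop on loops or overly long chains."""
    seen = []
    while url in redirects and url not in seen and len(seen) < max_hops:
        seen.append(url)
        url = redirects[url]
    return url

def random_ratio(s):
    """Fraction of alphanumeric characters that are digits: a cheap
    'random-looking' signal for paths and query strings."""
    alnum = [c for c in s if c.isalnum()]
    return sum(c.isdigit() for c in alnum) / len(alnum) if alnum else 0.0

def assess_link(url):
    """Return (final_url, reasons); an empty reasons list means no flags raised."""
    final = expand_short_url(url)
    parts = urlsplit(final)
    host = parts.hostname or ""
    reasons = []
    if host not in FAMILIAR_DOMAINS:
        reasons.append("unfamiliar domain")
    if host.rsplit(".", 1)[-1] not in COMMON_TLDS:
        reasons.append("uncommon top-level domain")
    if random_ratio(parts.path + parts.query) > 0.3:
        reasons.append("random-looking characters")
    return final, reasons

def triage_message(text):
    """Expand every link in a tweet or TwitPic comment and flag the suspicious ones."""
    return {u: assess_link(u) for u in URL_RE.findall(text)}
```

Any link that comes back with a non-empty reasons list is one to leave unclicked and, following step 3, to report.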

A Bigger Problem

Spam on my personal TwitPic account isn’t a big deal overall; it’s just an irritation for me, and spammers aren’t making much money off the 50-200 views my pictures get. But my suspicion is that the annoying spam messages sent through Twitter aren’t the goal; the real goal is to get those links posted to the TwitPic photo page of a popular user.

Think of it this way: if spam like this is posted on a celebrity’s TwitPic photo, the resulting tweet sent to them is inconsequential and nobody will notice. The message posted on their TwitPic photo page will be noticed though, and if it gets posted early enough so that it is on the first page of comments, every person that checks out that photo could potentially click it.

A TwitPic photo from Britney Spears which was posted 6 days ago already has 2.5 million views at the time of this writing. If a spam link were posted on this page, it wouldn’t be removed when the spammer’s Twitter account is suspended – those messages are cached independently on TwitPic. TwitPic also has no restrictions besides requiring a valid Twitter account, so tools like captchas or post limits aren’t present to slow spammers down.

We may have a big problem here, and the engineers at TwitPic need to do something about it soon.

Update 1: Check out the comments for a response from a TwitPic engineer – it looks like they’re working on a solution.

Update 2: I received a response from TwitPic founder Noah Everett confirming that a fix is on the way:

We’ve been working on a better spam filter the past few months. Before we were monitoring and purging this manually and as we grew, the spam did as well, which is an unfortunate side-effect of growing.

Our new spam filter which we hope to have out this week (ironically before I saw your article we were talking about launching it today) will be much more intuitive. Spammers have been using URL shortening services like bit.ly to hide the true URL, but now we translate shortened URLs into their real counterpart so we can make a better automatic spam decision. The new spam filter will also look for spam patterns to use as a blocking mechanism.

Once we get this launched we’ll keep tweaking it to catch more and more.

Image courtesy: Matt Lavery on Flickr