timwhitlock.info » twitblock

TwitBlock introduces blacklisting

tim — Wed, 17 Nov 2010 17:18:04 +0000

TwitBlock is over a year old now. One thing we have tried to avoid is being an authority on what is and isn’t spam. We have deliberately avoided blacklisting accounts. The idea has always been to empower the community to collectively decide what is spam by bringing the most likely junk accounts to the surface. We provide some very simple analysis, and indicate how many other people also think an account is spam.

A blacklist is now in effect

For reasons that I’ll explain below, we have decided to implement a blacklist system as of today. Blacklisted Twitter accounts always show up with a 100% confidence score and will appear at the top of scan results. You can still see the standard spam score indicators, as the screen-grab below shows.

Who decides what accounts are blacklisted?

Currently myself, and selected other people that I deem trustworthy. We take this seriously and won’t just blacklist an account for being annoying, or noisy. We roughly follow Twitter’s own guidelines on spam, and only blacklist accounts we are certain are malicious, fraudulent, or extremely distasteful.

If you would like to be an administrator, let us know by way of a tweet.

If you think you’ve been blacklisted unfairly, let us know by way of a tweet also.

Why implement blacklisting?

The methods we’ve used to date have worked reasonably well, but a distinct problem has been that if you block spammers on other site, it can take us several days to catch up with that data. Spam accounts can collect thousands of followers in a very short space of time, and do a fair bit of damage before they start to show in TwitBlock scans.

Finally prompting the introduction of blacklists was my observation of the recent Facebook scams. One fake Twitter account was offering invites the new messaging system, another offering Facebook credits. I watched these go viral, racking up 2,000-3,000 followers each before they were finally suspended after about 36 hours.

Even if Twitter were investigating these accounts, no warning was issued via their spam and safety accounts. The fact that these accounts were imitating such a well known company should make them a high priority, as they were far more likely to fool people. In the case of Facebook credits, financial fraud may have been involved.

It is clear that Twitter cannot act fast enough in shutting spam accounts down. If they were to show up in TwitBlock scans sooner, they would be reported by more users. Then perhaps Twitter would notice them sooner, and shut them down faster.

Spam on Twitter doesn’t bother me

tim — Thu, 21 Oct 2010 13:29:59 +0000

One of the most common things people say to me when I tell them about TwitBlock is along the lines of “I’m not bothered by spam on Twitter” – “I just ignore it” – “Why should I care if a spam account is following me?“.

It’s a totally understandable point of view, but my response is usually that there are certain entities that have no place in our online communities. Whether this invades your personal space or not, every opportunity should be taken to render it ineffective for the benefit of everyone.

If these junk accounts didn’t experience some level of success they probably wouldn’t bother, so somebody somewhere is falling for it. If you’re smart enough to know how to deal with spam and avoid the pitfalls, then perhaps you should use that knowledge for the benefit of others.

If you see a bikini clad model looking for ‘friends’ and it turns out she is trying to sell you counterfeit watches, ask yourself whether this ‘person’ has a place in your online community. You could ignore them, or you could report them with a single click.

Of course there are boundaries as to what we should consider harmful. A small business employing questionable tactics out of naivete or misguidedness is on the other end of the spectrum from a phishing attack designed to separate you from your credit card number. If you’re in any doubt as to what kind of things to look out for, Twitter’s own definition of spam is good start.

Below are the results of my twtpoll on the subject

Twitter changes break TwitBlock [again]

tim — Sat, 19 Sep 2009 19:43:58 +0000

Last week a another change to Twitter caused me problems with my personal project TwitBlock. For the impatient, see my Google groups post about it. (It didn’t go down very well).

If you’re a Twitter user, you’re probably familiar with this image:

It is/was the default profile image for users that have not uploaded a custom avatar. You may also have noticed last week that Twitter has introduced a new version. Actually they they made seven of them in different colours:

At least I think they made seven; I can’t find any more, but I can’t find any official document stating how many are out there either.

So what?

So … TwitBlock crawls Twitter for duplicate profile pics to help identify spam accounts. The app needs to know what images are the default ones, because otherwise it will penalize people heavily for having what appears to be the same image as thousands of other people.

This relies rather delicately on factors that are liable to change and that aren’t strictly a part of the developer API, so I have to keep a close eye on things. I concede this is not a very robust solution, and I certainly wouldn’t base a commercial product around such weak “technology”. In fact I’m not sure I’d base a commercial product around Twitter at all.

I get a lot of emails and DMs from people telling me that they’ve received errors using TwitBlock. Almost always this is due to the Twitter API failing to respond – either timing out or sending back some HTTP error. It’s quite embarrassing, and I can only imagine how much worse this would be if people were paying for a Twitter-based service.

A Twitter app doesn’t just rely on the API, it relies on everything that makes up the Twitter service. This includes its full feature set and its hardware infrastructure. I am of the opinion that the above-described profile image change was significant enough that Twitter should have documented the change in advance. Facebook do a good job of addressing the community far in advance of changes, and I think this is yet another indicator that Twitter is out of its depth.

Diluting Block Counts

tim — Mon, 24 Aug 2009 21:42:02 +0000

I made a major change to TwitBlock the other night. The change was made to protect people who are heavily blocked, but are not “spam”. Of course that depends on your definition. (A topic for another day)

Originally each block on account would yield 10 points. Then I became aware of just how murky this issue is. Barack Obama is blocked by many accounts (Republicans no doubt) plus some people with extreme right wing views were being blocked heavily. Then the complaints started. People whose businesses survive on a huge Twitter following accused me of destroying their reputations, and generating further blocks on their account by showing the number of existing blocks.

So now two things have changed for the time being:
1. Clicks on “not spam” are deducted from blocks;
2. Blocks are diluted by the size of a user’s following. 10 points are added for every 1%. So, if you’re blocked by 40 people, but are followed by 8,000 this will only yield 5 points.

Although this has stemmed the complaints, the scanner is less aggressive and lots of real spam accounts are not showing up with high enough scores. I am struggling to find the balance in the face of all of this and may have to tweak it again.

Open letter #1

tim — Sun, 23 Aug 2009 21:58:30 +0000

I just received an email that I thought would be of interest to everyone. I have removed people’s names for reasons of privacy, but I have left the spelling mistakes in for a sense of realism. My open reply to the author follows at the bottom.

Hello Tim,

I’m glad to see you have changed the Twitblock site as it appears it may do the job that you initialy wanted it do & the bleeding seems to have stopped with me at 93 blocks. However – have you thought of ways of how you can reverse the damage your site did to other legitimate accounts like mine, @ (71 blocks) & other larger accounts who were majorly affected by your site with account blocks due to being mislabled as spammers/nuisances? All of those blocks damage reputations.

There is no question that a “lot of damage” was done. As I had said – on Friday night I did not sleep a single second as I had watched that evening my account blocks starting to increase & increase. I have no idea of exactly how many acount blocks I had before your site came into existence but I am pretty sure my numbers were similar to @ and “snowball effect” blocking due to your site rapidly increased the #s.

Personally I feel that your system should reverse all account blocks that you were responsible for and have people start over again fresh with your current site status. I also think you should apoligize to the many people that Twitblock affected negatively. (@) is one of the sweetest ladies & you saw how she was affected which is similar to my feelings – I felt awful & it got worse as I saw the #s increase. Most accounts probably have no idea how they were affected by being mislabeled.

Anyway – I ask you to find a way to correct things. I do not want those account blocks on my Twitter account which damages my reputation & potentially my account with Twitter. I look forward to your response.

My reply

The reason the blocks appeared to increase is that every time a Twitter user authenticates with TwitBlock we get access to more blocks. i.e. most of the blocks on these people’s accounts probably already existed. The incremental nature of them is largely an illusion.

It is physically impossible for me to ascertain which blocks were performed via TwitBlock as opposed to those performed on Twitter.com or another third party application.

To log into the Twitter API with one of my users’ access keys and unblock a user from their account would be an abuse of TwitBlock’s privacy policy, not to mention thoroughly immoral.

To establish which blocks on your account were performed via TwitBlock, you would have to contact Twitter. I don’t know whether they record this information or whether they would give it out – My guess would be “maybe” and “probably not”.

As to what I shall be doing to “correct things”:

I shall be doing nothing to reverse the alleged and spurious damage for the reasons stated above. I have already spent my weekend altering the application in favour of a very small contingent of people, i.e. the author of this letter plus one or two more, who incidentally were far more polite.

I have also had one aggrieved “customer” succeed in getting two of my IP addresses black listed by an SPF provider meaning I cannot send emails to some ISPs from the TwitBlock servers. This act of aggression makes me very unlikely to bow to further pressure and less inclined to apologise to anyone.

I suspect the aggressor is one of the few people who have made contact with me already, and I shall also be exercising my own right to block Twitter users who direct aggression at me, or continually make unreasonable demands.

My focus continues to be making an application that works well for as many people as possible.

Statement on the TwitBlock backlash

tim — Sat, 22 Aug 2009 11:00:14 +0000

Constructive criticism of TwitBlock seems to have quite rapidly turned into some quite aggressive complaints including several demands for immediate closure. This is not intended to be a malicious project, but with a sudden rush of large numbers, I am experiencing a minefield of issues that I did not predict. I am doing my best to fight these fires, but please bear a few things in mind a few things when feeding back to me:

First and foremost, this is alpha software.
I did not expect 7,000 visits a day after just three weeks. (I can thank Mashable for that overhead). I am constantly thinking of ways I can please everyone and still keep the application doing what it needs to do, which is help people remove illegitimate followers.

Secondly I accept that the scoring is misleading out of context.

The scanner is designed to show your most likely spam followers, which is why it lists them in order. In terms of accuracy, the real spammers do seem to top this list with huge numbers. The problem is when people analyse an individual account (often their own) – they think that any number appearing on the screen means they have been identified as spam.

The heuristics used are only relative indicators.

By adding up various indicators, most likely spam can be identified – This works well in context, but I am not saying that if you follow more than twice the number of people that follow you that you are a spammer. My task now is relay this information to avoid offending you.

It is quite possible that I will remove the single-scan feature and internalize the scoring mechanism, so that you can only see your followers in relative terms as a leaderboard of “most likely” spam.

TwitBlock does not report you if you get a score

The application does not contact Twitter or black list you if your account gets a score. A score is just a number to be put in context.
People are saying their account is in jeopardy because it will encourage people to block them, this is a fair point and I’m addressing it, but only Twitter can suspend your account and they are unlikely to do this without manual investigation. I apologise if you feel your reputation is somehow ruined, this is not what I intended for this application.

TwitBlock is not intended to replace the brain

In 30+ years of email we still haven’t really cracked automatic filtering of spam, so in 3+ weeks of TwitBlock I don’t expect to either.
Please don’t block users who come up in scans without looking a bit closer. The tool is just designed to bring them to the surface.

TwitBlock only uses the tools Twitter provides

Twitter provide a blocking feature, and the Twitter API makes this data available to applications. This could well change in future, I think a lot of things are going to change in the near future. If you think access to blocks is against Twitter’s responsibility to your privacy then take it up with them. I promise to never reveal to anyone who is blocking who.

Finally, this is not a commercial product

I developed this application in my “spare” time out side of my 40+ hour week as Technical Director of Public. I am not trying to make money, I actually hope that this application makes itself redundant. I don’t want for it to be required, because I want spam off Twitter the same as you. When feeding back, please try to be constructive and polite. This way I will be much more likely to implement features and ideas based on your comments. I am listening, even if you don’t @ me directly.

Thanks.

TwitBlock trialling whitelist feature

tim — Fri, 21 Aug 2009 23:50:27 +0000

- or – “I told you it was in Alpha”

I’ve rolled out an experimental TwitBlock feature designed to reduce “false positives” for legitimate accounts that are being blocked. Whitelist entries are now subtracted from blocks. i.e. accounts marked as “not spam” will have their blocks counteracted on a 1:1 basis. If this feature is abused, it will be removed. It survives on the premise that the spam bots are not capable of whitelisting each other.

Here’s the full story:

As well as trying to work on TwitBlock in my “spare” time, I’ve also been manning the Customer Service department (i.e. Twitter) and the Press Office (with the help of my personal press officer @adamvincenzini). Monitoring a Twitter search for TwitBlock shows that most people are pleased with the service. Amongst the tweets there is some valuable feedback and feature requests, but also quite a few vocal complaints, mostly directed at me personally.

The number one complaint is that legitimate accounts are getting spam scores due to being blocked. In relative terms an account with a lot of blocks is more likely to be spam than an account with a few or none. But in reality people get blocked for various reasons – sometimes out of animosity, whether for their political or religious views, or just because they don’t like the person. Worst of all, and somewhat ironic, is that TwitBlock encourages blocking – that’s its MO – and I have been worrying that this may aggravate the situation, especially if people are too trigger happy and accept the spam scores blindly.

One of TwitBlock’s competitors has been arguing that blocks are a poor indicator of spam, and I think they have a point. I’d supply a link to said competitor except for the fact that they are a commercial enterprise. (TwitBlock is not a business, a spam-free life should be free).

So every time you click “not spam” on an account this will be used to counter every person that clicked “block”. This is an experiment, because it could be abused. That’s just the nature of what we’re doing here. Try it out, I look forward to more quality feedback.

Top 20 Faces of Twitter Spam

tim — Tue, 18 Aug 2009 23:06:43 +0000

As we approach 3,000 TwitBlock users, we know of over 100,000 blocks and have stored 20,000 profile pic checksums. I figured it was time to start crunching some numbers.

The first of many reports shows the top 20 most duplicated avatars that we know about.

Many spam accounts use identical avatars across hundreds of accounts. TwitBlock uses this fact as an indicator of a likely spam account. This report just shows the top 20 that we’ve identified, but there are many more.

This indicator is one of the best ways Twitter could prevent spam accounts from signing up in the first place. Clearly bots have been developed that continually generate new accounts and Twitter does not seem able to prevent this despite the most prolific accounts displaying such identical properties. With a tiny 0.01% of Twitter accounts authenticated with TwitBlock one can only imagine how many of these accounts are out there.

Identical profile pics on Twitter

tim — Sun, 09 Aug 2009 23:15:45 +0000

The list of Twitter accounts below all have something in common – They all have an identical profile image, which looks like this:

At the time of writing none of these accounts have been suspended. Whether they are breaking any laws or not I don’t know, but it is clearly a syndicate whichever way you look at it. The profiles all point to a Korean-registered “Cash generator” website, which [I would hazard a guess] is a con.

TwitBlock unearthed this statistic from a list of ~~only 18,000~~ 100,000 blocked accounts provided by under ~~400~~ 3,000 TwitBlock users . When you consider the size and growth of Twitter, you can well imagine that there are far more than ~~120~~ 288 profiles in this syndicate. You also have to wonder how much of Twitter’s growth figures can be attributed to this junk.

[ UPDATE: 18 Aug ]
Many of these accounts have been suspended, but TwitBlock is discovering new ones each day – currently 248 accounts known with this image.

[ UPDATE 19 Aug ]
I’ve produced a report of the top 20 most duplicated profile pics identified by TwitBlock

Warning: Do not sign up, or give any of your details to the organizations operating these Twitter accounts. I am publishing them only to exemplify the problem of Twitter spam. I am not responsible for any interaction you have with them, which unless you are insane, should be none.

TwitBlock spam ratings explained

tim — Mon, 03 Aug 2009 22:12:13 +0000

A detailed explanation of the scoring mechanism used by TwitBlock.

Some people have complained that they get a high spam score and point out that they are not spammers. There are a number of important things to note about this.

This software is in alpha – these indicators and the scoring mechanisms attached to them will change.
As the system gathers data it will rely less on heuristics and more on cross-referencing (e.g. how many people have blocked an account)
Some of these tests are only indicators of automation, not specifically of malicious behaviour.
The spam rating has no limit – Scoring 40 may be high for a “legimate” account, but in a list with real spammers scoring 300+ you’ll be way down the bottom.
If you display characteristics of a spammer then perhaps this amounts to the same thing as being a spammer. Most normal users score zero.

Roughly in order of accuracy, here are the 8 tests currently performed in the standard TwitBlock scan.

1. Ignore factor.

This could also be called “inverse popularity”. If you follow 200 people and only 50 follow you back your ignore factor is 75%. Whether or not these 50 are the same people you follow is not analysed. The cut-off for scoring is 50%. Every 1% above 50 currently yields one point.

This simple and easily calculable factor is quite accurate because it reflects real human behaviour that can be observed. An account that is clearly spam, such as an “adult” account will have many times less followers than friends.

Naturally some spammers have found ways to beat this indicator. In some cases spam accounts follow each other to build up numbers, but a more cunning technique is the “sleeper” approach. Sleeper accounts pose as real people using stolen tweets pulled from the public timeline. TwitBlock may eventually crawl Twitter looking for these accounts, so expect more about this in future posts.

2. Follow Rate

The average number of people you follow per day forms your follow rate. This is calculated as the number of people you follow divided by the number of days you’ve been on Twitter. Although it’s a crude average, it is very telling and probably the second most reliable heuristic indicator. Even if you occasionally add a hundred people in a day it’s unlikely you can keep this up, so your average will drop. Averages are generally low even for power users, so a higher value is a strong indication of automation. The current cut-off (considered normal) is 10 per day. A point is added for every follower per day above 10.

[UPDATE - Aug 12]
Many popular accounts have high follow rates due to a “following back” policy, whether automated or not. The rate at which an account is followed is now subtracted from this value. This may result in lowering spam scores of real spammers, but it also reduces the number of false positives. So now, the rate at which an account follows without reciprocation is known as the “Stalking rate”.

3. Blocked by others

When you log into TwitBlock the system has access to your blocks and currently refreshes this list once per day until you revoke your authorization of the app. This is a key indicator that will become much more interesting as TwitBlock gathers data. Currently 10 5 points are applied for each block on an account.

[ UPDATE - Aug 22 ]
Whitelisting now used to counteract blocks

[ UPDATE - Aug 24]
Blocks are now diluted by follower count

4. Identical profile pics

Spammers commonly reuse the same image on multiple accounts. This is particularly common with the “adult” accounts. TwitBlock crawls all the blocked accounts it knows about and stores an MD5 checksum of the profile image file. This way any account’s profile image can be cross-reference with this database. 10 points are applied for each account known to use the same image.

This test could be easily foiled by spammers. Even using the same photo, it would be trivial alter the checksum. So far however, they appear not to be doing so.

5. Tweets via API

Status updates that are submitted without using a registered application (e.g. TweetDeck) will appear as having come “from API” (See Twitter FAQ). This is very useful, because spammers don’t want their activity to be tied to a registered application. If they start to do so then a list of known spammer applications will have to be compiled. 10 points are applied for API updates, although only the most recent tweet is analysed for performance reasons.

The points applied are deliberately low because people often give their password to applications that tweet on their behalf. e.g. “I just signed up to this awesome app and got 1,000 new followers”. This practice seriously needs to die out, but that’s another blog post for another day. Additionally many spam tweets appear as “from Web”, which suggest they are using the public web interface.

6. Missing profile info

This is not a very reliable indicator and may be dropped. There are 4 profile fields that can be left empty: (Bio, Location, URL and profile image). Most legitimate users fill in at least two of these. Currently 2 points are added if you leave all 4 empty. A drop in the ocean compared with other indicators. As I write this I realise this is due a review.

7. Username looks dodgy

For a human this is a strong indicator, but incredibly hard to implement programmatically. Currently this test performs some very crude tests on the username, such as being all numbers, having no vowels, and checking for a common format used by spammers where two words are followed by a number. Further research is required in this area, but it’s unlikely to form a reliable indicator going forward because it’s so easy to fool. 10 5 points are applied for a username that looks randomly generated.

8. Spammy words in bio and status

This more traditional test merely checks the bio against a list of bad words. The word list needs development and is currently not big enough to be useful. I intend to use the known blocked accounts to build a list of most common words found in spam accounts. An arbitrary score per word found is currently applied. For example “Naughty videos” yields 10 points.

Stay tuned for updates, as all these indicators are likely to change.