Author: Eric Swanson
Category: MySpace.com
Views: 35621
Posted: 5/18/2006 12:21:51 PM
Modified: 8/9/2006 8:51:53 AM
Update Wednesday, August 08, 2006: Great news: MySpace is using temporary "hashes" (random tokens or "keys") within URLs to help eliminate automated control of their system. This includes SPAM, hackers, etc. Although this is unfortunate for valid, 3rd-party automation of MySpace features, the result is a much more secure environment. There are still many changes that MySpace needs to make before eliminating the majority of security problems, but this was a step in the right direction!
Update Tuesday, May 30, 2006: Just got 2 more, but unrelated, bulletin SPAM posts: one enticing you to view a video you never get to see, and a 2nd that actually works but is posted just to get you to view and hopefully click on advertising.
Join the fight against MySpace.com SPAM! I am going to attempt to explain MySpace.com SPAM to you regardless of your technical expertise, so here we go...
*If you just want to help, you can spread the word.
Yes, there are people who want nothing more than for you to visit their website and to click an ad and generate some revenue, or download some software so that they can do whatever they want (more ads, trace your website visits, blah, blah...). Today I received 2 bulletin messages from a friend. The 1st was automatically generated SPAM and the 2nd was his apology. When you read the first message, it contains content enticing you to click on an external link (SPAM WEBSITES: thug444.com, but also includes: http://www.prevalentmedia.com/incredible, http://www.ps3era.com/incredible, and http://www.fhuta.com/incredible). This website appears to be completely dedicated to one thing: get MySpace.com people to visit the website and either 1) click on an advertisement and generate revenue or 2) click the button to generate another bulletin SPAM message to all of your friends. *Note: visiting the site may or may not work, the content and implementation may change, and even if it is all the same it may not even work for you. They are relying on sheer numbers to get visitors to the website...
How does it work?
Well, the genius of some dark programmer found out that the form to post bulletin messages in MySpace doesn't do any checks to see that you are posting information from within MySpace and not posting information from another website to MySpace.com. Now, before you write nastygrams to Tom, this "problem" may actually be a "feature", allowing other websites to set up automatic messages to communicate to your friends. Ever seen a link to "Send this link to a friend?" or something like that?
Let me give you a good example where automated bulletin messages are a good thing: "Tell your friends how to help stop MySpace.com SPAM by educating them! Click here to send them the message!"
Basically, there is a "form" on the webpage you are viewing. This form has some hidden form fields, namely "groupID", "subject", and "body". These are the same fields that visibly appear when you create a new bulletin message within MySpace. The hidden fields in this form are automatically populated with values. Did I lose you yet? If you are currently logged into MySpace, click here and then copy and paste the following code into your browser's URL address bar and press "Enter" or "Return":
javascript:void(document.forms[0].elements['subject'].value='Here is an automatically populated subject!');
So, these hidden fields on the form get posted to MySpace; more specifically, they get posted to "http://bulletin.MySpace.com/index.cfm?fuseaction=bulletin.confirm". This URL recognizes the form fields (hidden or visible) and uses them to confirm the new bulletin post.
Now, thug444.com (and likely other deviants) went a step further... They not only made the form fields hidden (which we've proved is useful), but they also hid the results page that requests your confirmation! This means that when you click the button, the hidden values are posted to the MySpace confirmation page, but then you are only presented with the part of the confirmation page that asks you to press the "Post Bulletin" button. At this point, I realize that I'll leave a lot of the technically adept readers hanging. But if you want the details of how they hid the results form, etc., then I'll leave it to you to figure it out, especially since I don't want to promote MySpace SPAM; I want to stop it!
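The missing check described above, and the temporary tokens mentioned in the August update, come down to the server refusing a bulletin post that does not carry a value the site itself handed out. The following is an added example, not MySpace's code: the "token" field name, the session IDs, the key, the 15-minute lifetime and the function names are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: server-side secret, never sent to clients
TOKEN_TTL = 900                       # assumption: a token is good for 15 minutes


def _mac(session_id, issued, nonce):
    msg = f"{session_id}|{issued}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id, now=None):
    """Value the site puts in a hidden field when it renders its own bulletin form."""
    issued = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(8)
    return f"{issued}.{nonce}.{_mac(session_id, issued, nonce)}"


def token_valid(session_id, token, now=None):
    """True only for an unexpired token that was issued to this session."""
    now = time.time() if now is None else now
    try:
        issued, nonce, mac = token.split(".")
        age = now - int(issued)
        expected = _mac(session_id, issued, nonce)
        matches = hmac.compare_digest(expected.encode(), mac.encode())
    except (AttributeError, ValueError):
        return False  # token missing or malformed
    return matches and 0 <= age <= TOKEN_TTL


def confirm_bulletin(session_id, form, now=None):
    """Hypothetical stand-in for the bulletin.confirm step."""
    if not token_valid(session_id, form.get("token"), now):
        return "rejected"
    return "show confirmation"


if __name__ == "__main__":
    # Constructed sample requests for one logged-in session.
    own_form = {"groupID": "0", "subject": "hi", "body": "hello", "token": issue_token("sess-A")}
    foreign_form = {"groupID": "0", "subject": "hi", "body": "hello"}  # posted from another site
    print(confirm_bulletin("sess-A", own_form))
    print(confirm_bulletin("sess-A", foreign_form))
```

A form hosted on another website can still fill in "groupID", "subject" and "body", but it cannot read a token out of the victim's MySpace session, so the post stops before the confirmation page is ever shown.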
How YOU Can Help!
The concept is simple: educate others on how it works. Remember, you are clicking a button, and then the fact that you need to click again and confirm the automatically generated bulletin post is being hidden from you. But there are certainly indications. If you have questions, post a comment here for me to read.
Spread the Word!
