
Understanding MySpace Bulletin SPAM!


Update Wednesday, August 08, 2006: Great news — MySpace is using temporary "hashes" (random tokens or "keys") within URLs to help eliminate automated control of their system. This includes SPAM, hackers, etc. Although this is unfortunate for valid, third-party automation of MySpace features, the result is a much more secure environment. There are still many changes that MySpace needs to make before eliminating the majority of security problems, but this was a step in the right direction!

Update Tuesday, May 30, 2006: Just got 2 more, but unrelated bulletin SPAM posts, one enticing you to view a video you never get to see and a 2nd that actually works, but is posted just to get you to view and hopefully click on advertising.

Join the fight against MySpace.com SPAM! I am going to attempt to explain MySpace.com SPAM to you regardless of your technical expertise, so here we go...

*If you just want to help, you can spread the word.

Yes, there are people who want nothing more than for you to visit their website and click an ad to generate some revenue, or download some software so that they can do whatever they want (more ads, tracking your website visits, blah, blah...). Today I received 2 bulletin messages from a friend. The 1st was automatically generated SPAM and the 2nd was his apology. The first message contains content enticing you to click on an external link (SPAM WEBSITES: thug444.com, but also http://www.prevalentmedia.com/incredible, http://www.ps3era.com/incredible, and http://www.fhuta.com/incredible). This website appears to be completely dedicated to one thing: getting MySpace.com people to visit the website and either 1) click on an advertisement and generate revenue or 2) click the button to generate another bulletin SPAM message to all of your friends.

*Note: visiting the site may or may not work, the content and implementation may change, and even if it is all the same it may not even work for you. They are relying on sheer numbers to get visitors to the website...

How does it work?

Well, some dark programmer's genius found out that the form to post bulletin messages in MySpace doesn't check that you are posting information from within MySpace rather than from another website. Now, before you write nastygrams to Tom, this "problem" may actually be a "feature", allowing other websites to set up automatic messages to communicate with your friends. Ever seen a link to "Send this link to a friend?" or something like that?

Let me give you a good example where automated bulletin messages are a good thing: "Tell your friends how to help stop MySpace.com SPAM by educating them! Click here to send them the message!"

Basically, there is a "form" on the webpage you are viewing. This form has some hidden form fields, namely "groupID", "subject", and "body". These are the same fields that visibly appear when you create a new bulletin message within MySpace. The hidden fields in this form are automatically populated with values. Did I lose you yet? If you are currently logged into MySpace, Click here and then copy and paste the following code into your browser's URL address bar and press "Enter" or "Return":

javascript:void(document.forms[0].elements['subject'].value='Here is an automatically populated subject!');

So, these hidden fields on the form get posted to MySpace; more specifically they get posted to "http://bulletin.MySpace.com/index.cfm?fuseaction=bulletin.confirm". This URL recognizes the form fields (hidden or visible) and uses them to confirm the new bulletin post.

Now, thug444.com (and likely other deviants) went a step further... They not only made the form fields hidden (which we've proved is useful), but they also hid the results page that requests your confirmation! This means that when you click the button, the hidden values are posted to the MySpace confirmation page, but then you are only presented with part of the confirmation page that asks you to press the "Post Bulletin" button. At this point, I realize that I'll leave a lot of the technically adept readers hanging. But, if you want the details of how they hid the results form, etc. then I'll leave it to you to figure it out. Especially since I don't want to promote MySpace SPAM, I want to stop it!
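The missing check described above, and the temporary token MySpace later added (see the August 2006 update at the top), can be sketched on the server side. This is an added example, not MySpace's code and not part of the original post; the origin value, the token format (carried here in a hidden form field rather than the URL), the secret handling and the request object shape are all assumptions.

```javascript
// Added example, not MySpace's code. The origin, secret handling, token format
// and request shape are assumptions made for illustration.
const crypto = require('crypto');

const TRUSTED_ORIGIN = 'http://bulletin.myspace.com'; // the site's own origin
const SERVER_SECRET = crypto.randomBytes(32);          // never sent to the browser
const TOKEN_TTL_MS = 15 * 60 * 1000;                   // tokens are temporary

function mac(sessionId, expires) {
  return crypto.createHmac('sha256', SERVER_SECRET)
    .update(`${sessionId}|${expires}`).digest();
}

// Embedded by the server in the real "post bulletin" form as a hidden field.
function issueToken(sessionId, now = Date.now()) {
  const expires = String(now + TOKEN_TTL_MS);
  return `${expires}.${mac(sessionId, expires).toString('hex')}`;
}

function tokenValid(sessionId, token, now = Date.now()) {
  const [expires, hex] = String(token || '').split('.');
  if (!/^\d+$/.test(expires) || !hex || Number(expires) < now) return false;
  const given = Buffer.from(hex, 'hex');
  const expected = mac(sessionId, expires);
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// The session cookie alone proves nothing: the browser attaches it to any form
// post, including one submitted from a page on another website.
function checkBulletinPost(req) {
  if (!req.sessionId) return { ok: false, reason: 'not logged in' };
  let origin = null;
  try { origin = new URL(req.headers.origin || req.headers.referer).origin; } catch (e) {}
  if (origin !== TRUSTED_ORIGIN) return { ok: false, reason: 'cross-site post' };
  if (!tokenValid(req.sessionId, req.fields.token)) {
    return { ok: false, reason: 'bad or expired token' };
  }
  return { ok: true, reason: 'accepted' };
}

// Constructed sample requests (not captured traffic), both from a logged-in user.
function demo() {
  const sessionId = 'sess-1', fields = { groupID: '0', subject: 'Hi', body: 'Hello' };
  const own = { sessionId, headers: { origin: TRUSTED_ORIGIN },
    fields: { ...fields, token: issueToken(sessionId) } };
  const foreign = { sessionId, headers: { referer: 'http://other-site.example/' }, fields };
  return [checkBulletinPost(own), checkBulletinPost(foreign)];
}
console.log(demo());
```

The second request carries the same three fields and the same login session as the first, and is still refused: a page on another site cannot read the token from the real form, and the token is bound to one session and expires.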

How YOU Can Help!

The concept is simple: educate others about how it works. Remember, you click a button, and then the fact that you need to click again to confirm the automatically generated bulletin post is hidden from you. But there are certainly indications. If you have questions, post a comment here for me to read.

Spread the Word!


Comments


Hey. I really need your help. I know you talk about how to get rid of the messages that are being sent to you. But what if your MySpace is the one that is sending out the messages? My MySpace has sent out countless messages to random people with advertisements. How do I stop this from happening? Is there any way that you can help?

major props to Eric. you are the man dude! that guy talking trash below, well, somebody was right, that guy should pull his head out of his large asshole.

Read Eric Swanson's comment below. Amazing, Genius, the best advice on here. Eric's the man!

I don't know what to do.. my MySpace posts bulletins randomly and when any of my friends try to click on my profile to see pics or blogs it won't let them and signs out of MySpace... how do I change this.. can you please email me or something thanks :)

I just checked my myspace and those bulletins are gone, so you can regard the comment I made before. thanks again!

there are 2 bulletins that I have supposedly posted about size really matters for girls, and friends of mine know that I would never post things like that. when I go to delete these bulletins, they won't go away. please help me out. thanks!

Hmmm, my myspace just posted 2 spam bulletins while I was at work. Not only was I not on the computer, I was certainly not logged into myspace, and I did not click on any free money advertisement-- or whatever the thing was. I deleted it, but a friend told me about it. My husband uses the same computer, neither of us leave our myspace accounts open- but his account has not posted spam bulletins... Plus, it was only 2 early this afternoon, not 6 or 8 or whatever. I don't get it at all.

I heard that something may come up that tricks people into giving away their password, and that can cause the bulletin problem. I don't know too much about it, but I've heard changing your password might work.

I need help!! How do I get rid of MySpace spam.. it keeps posting bulletins automatically to all my friends and I didn't even write them. Please email me back @ metalhead__xxx@hotmail.com

I just got back from homecoming game, and I've never clicked on those stupid advertisements in my life! I didn't even check my myspace all night, so when I woke up, I decided to. I posted a whole bunch of ringtone bulletins, and I hadn't even clicked on anything and logged in. I'm running Ad-aware right now, to see if it can help.

One of my friends' myspace keeps sending out spyware or advertising at least bulletins... to get an ipod etc... can someone please email me back on how to fix that? guidoricci@hotmail.com

Eric Swanson wrote:
> MySpace has effectively disabled the method of
> automating bulletin posts...

I'm still getting them

MySpace has effectively disabled the method of automating bulletin posts, which renders the examples on this page ineffective (including the "tell your friends"). I will update the page tonight with a list of appropriate counter-measures and you can simply send your friends a link to the page. Thanks!

Thanks for the suggestions, I will give that a try. In the meantime, I would like to warn my friends, because I keep seeing more of these bulletins coming from more and more of my friends! None of your links on this page are working though!

Heather

Heather - Check your profile (go to "Edit Profile" and other settings and look at the text) for any content and code you didn't write. There are several issues being exposed on MySpace that enable individuals ("hackers") to do things they shouldn't be able to do. Unfortunately, most of these risks have existed since the website's inception, but nothing was done (the need to support substantial growth can encourage you to turn your back on things you know are wrong in the programming world). If you do not see any offending code, you'll want to look at your computer. You'd better have a virus scanner (F-Secure: http://www.f-secure.com/, McAfee, do a Google search: http://www.google.com/search?q=virus+scan) and a Spyware scanner (try SpyBot: http://www.safer-networking.org/). *Also, make certain that the MySpace staff is aware of your problem. They may be able to help

I was wondering if my situation is the same thing you are referring to....
I'm usually very careful not to "click" on anything I shouldn't, but recently I have started to notice spam bulletins, advertisements and such on my bulletins that are saying they are from ME! They are coming more frequently each day; today there were 6 of them, supposedly from me, but I haven't even been logged in in 2 days! They are not from me, and now all my friends are posting these bulletins, but they say they never posted them either!
What can I do???

Heather

Some people don't even seem to be reading this article before posting a comment :s. It is not about people posting on their own accounts, it is about Spammers using methods to post bulletins (advertising) from other users' accounts.

My bulletin spam is out of control. Every day I get 3-7 Lindsey Lohan's boobs spam bulletins! I posted an apology bulletin...which also happens to be the only bulletin I have ever written & since then...they seem to be coming more often. I'm not entirely sure what to do about it? The moment I delete them...they just come back later. Please help!
aw

If u don't like how MySpace is getting really popular and everybody is on it then keep that in u but the other people may like being on that site. If u don't like it then don't visit the site!

I'm sorry to be so rude, but this is very ignorant. You're trying to stop something that you have absolutely no control over. I can understand how you feel about spam, as it is a big annoyance to a lot of people. But, like a few people have already said, this is not a case of random people being bombarded with tricky "click here" links. If you have enough intelligence to create a MySpace page and build a network, then you have sense enough to not click on everything you see. Besides, some people may appreciate certain offers that are sent through bulletins. On the ignorant note, besides the fact that it is the user's choice to click on and view any bulletin, MySpace bulletins are only sent to/from friends that you have approved to be included in your network. If you're having such a big problem with "networked advertising" then I would suggest for you to choose your friends more carefully. Or here is a better solution, if you don't like it... don't use MySpace!!!!! I can't believ

jim smith -- take your tiny little head out of your simian ass and maybe next time you decide to open your pathetically uneducated mouth, you'll READ first, and realize that eric's on YOUR side. Jackass.

So lemme get this straight. You've appointed yourself the supreme ruler over what is considered bulletin spam or not? You have no right to interfere with anyone's posting of bulletins. Got it? If you don't like it, remove me from your friends list.

Daniel - "The people were ignorant, I was simply taking the opportunity of cheating these victims of the hidden use of their personal MySpace accounts to promote my website for revenue generation. That's all!" You may never end up behind bars for these cheap online marketing tactics that amount to SPAMming people's personal accounts and purposely disguising your methods and you certainly may end up walking away with $100 or more dollars in your pocket, but at least I'll sit peacefully at my computer knowing I robbed these sites of some of their money by educating people to not fall prey. I suppose "Well, they did the clicking!" comes next... I suppose, at age 35, you told mom that it was the cat that pissed on your bed last night too.

Personally, I hate the chain letters people use on Myspace.

Bulletin Spam is pretty annoying. That's why when I post a bulletin, they're short and sweet and cool. :)