
He says there is no interest to post to his mom's Posterous, but is that really true?

I can imagine quite a lot of spammers who would love to have a blog-post on an otherwise reputable blog. If spammers manage to abuse this system they could get their blogposts, filled with links and instructions to buy medication, all over all Posterous blogs.



Ah yes, the sole exception to this security sacrifice is spammers. You have to keep them out, no matter the cost.

Posterous does a good job of keeping them out, I think, because I've never seen a spam post.


This seems mostly security by obscurity.

If spammers already have a list of "valid" email addresses, how long before they start randomly hitting post@posterous.com with spoofed headers on a regular basis?


That's a war we will fight when we have to. And we will fight it with relish and aplomb.


I remember reading somewhere about the abysmal conversion rates that spammers get (it was something like 1 in 12 million or something like that).

So, you'd need some 12 million blog posts that look real enough to fool a user's reader to get one conversion.

And it's not like Posterous isn't aware of the insecure nature of email. As some have suggested, they can just turn on pre-approval of submissions and this whole thing would be moot.

Put it another way: if you were to compete against them, would you create a blog-by-email service that focuses on being secure? Or ease of use? I imagine the latter has a lot more value to users. As Schneier always says, security is all about trade-offs, and choosing to handle "what-if" scenarios tends to be less nice than handling "this-is-what-is-going-on-for-real" scenarios.


Regarding conversion rates, people have been trained to distrust email, but the same isn't necessarily true for blogs. If a spammer put together a well-worded "spam" message — especially if it's something people write about all of the time, like electronics, music or book reviews, etc. — it's not unreasonable to expect conversion rates would be much higher.


FWIW, anyone who hangs around blogs knows a spam comment when they see one. I'd imagine that it's even harder to make a fake blog post believable, since it's easier to wing something like: "yeah I agree [link to fishy site]" than it is to make a well-written post (especially if it needs to be generic enough to pass as legitimate in 12 million different blogs...)


NB, scam != spam.

E-mail spammers might need to send out millions of messages to get a conversion, but a more carefully crafted scam on a popular blog might be profitable with significantly fewer views.


How's it easier to make 12 million carefully crafted scams without raising anyone's suspicion that the posts aren't legitimate? I could see the scam working on a Viagra blog, but how is it useful to anyone to have copies of what clearly look like a fishy post all over the place, possibly followed up by the real authors calling you out and telling people NOT to buy from you?

Besides, if you're scamming, why not just create a free blog? There are tons of get-rich-quick schemes out there doing just that...



