We’ve seen Usenet spam, email spam, search engine spam, IM spam, and Weblog comment spam — how long will it take before we see RSS spam?
My RSS aggregator looks for new items and lets me know when a new item appears on a feed I read. It’s easy to imagine a very malicious feed that would just always make its entries appear “new” — change them subtly, report that they were just written, or whatever — so that its items would always show up in my aggregator — but I’d just unsubscribe. This “Fake New Item” approach could be used more subtly, though, such that I’d be less likely to unsubscribe. Let’s say a news site wants to include an advertising entry amongst its news entries — they could set it up, say, so that the ad shows up as new four times a day.
The Fake New Item approach could be used more easily with superaggregators, sites that bring together many RSS feeds and republish them as an aggregate. Centralized distribution means centralized response, but if a simple feeder wants to show its articles as new (slightly changed) twice a day, that might be hard to detect.
My aggregator currently displays HTML and follows redirects. An RSS Web Bug is already completely feasible — want to know how many people are really reading your feed? I haven’t seen a pop-up ad out of a feed, yet, but that doesn’t seem far off — if the pop-up goes to the background, which feed produced it? (There are other types of attacks possible, too, if RSS readers become more like full browsers.)
Those are a few I thought of. Anyone have other ideas? More importantly, since this is still a young format, is there anything that should change now to stem whatever ideas we think will occur to the spammers a month or a year from now?