As I mentioned in my previous post, I'm a firm believer in using blogs and RSS for distributed conversation. So, I'd like to start a conversation about the threat that spam and spyware pose to our little syndicated world. I brought this topic up with several companies who were at the Syndicate Conference, and I was disturbed to discover how few of them are even thinking about this pending problem.
Most of them replied, "Spam problem? But there isn't one - if someone's feed contains spam, everyone will just unsubscribe!" Well, yeah - but only if we subscribe to individual feeds, which I believe will take a backseat to aggregated feeds. I'll use my own experience with the NewsGator acquisition as an example: hundreds of blogs contained news of the acquisition, but I was subscribed to very few of their feeds. Instead, I subscribed to dynamic search feeds - that is, keyword-based feeds powered by RSS search engines - which enabled me to listen in on the conversation. Very powerful indeed - but unfortunately, very spammable.
There are already fake spam blogs, many of which have RSS feeds. Most of the ones I've seen were created to influence search engine rankings, but it's only a matter of time before they use their feeds for delivering spam (I'll wager that some of them already do). These fake blogs are easy to set up, so as soon as one is taken down, it will re-appear somewhere else (much like their spyware-filled brethren, the warez sites), making it tricky to simply filter them out by their subdomain name. My guess is that the main reason we don't see more RSS spam is simply because spammers are waiting for it to be profitable. Now that conferences such as Syndicate are attended not just by geeks and developers but also by investors, they've got to be thinking that the time is almost here. Create a bunch of fake blogs littered with popular keywords, and let their feeds be picked up by the RSS search engines (to their credit, some of the RSS search engine companies I talked with are already tackling this problem).
Even if I'm way off base about how spam will come to RSS, we all know that spammers will find a way to jump on the RSS bandwagon. Given past history, every new social technology needs to think about spam right from the start, or else risk being crippled by it (side note: many implementations of tagging also strike me as being spammable).
Related to this is the fact that RSS enclosures (a.k.a. "podcasts") must look attractive to spyware creators. Before I added podcast features to FeedDemon, I took a look at how a few of the existing tools were handling them. To my surprise, security didn't seem to be a big concern - they'd even download EXE enclosures, perhaps assuming that the user's anti-virus software would stop them from being executed if they were malware. Couple automatic enclosure downloading with dynamic search feeds which contain enclosures, and you've got a great spyware delivery system. This is why I made sure that FeedDemon used a safe list for downloading enclosures.
If you make a living from RSS, I hope you'll join in this conversation - either here or in your own blog - and let everyone know whether you're thinking about this problem (or, just let me know I'm full of it if you disagree that it's a threat).