Detecting Spammers on Social Networks
Gianluca Stringhini
University of California, Santa
Barbara
gianluca@cs.ucsb.edu
Christopher Kruegel
University of California, Santa
Barbara
chris@cs.ucsb.edu
Giovanni Vigna
University of California, Santa
Barbara
vigna@cs.ucsb.edu
ABSTRACT
Social networking has become a popular way for users to
meet and interact online. Users spend a significant amount
of time on popular social network platforms (such as Face-
book, MySpace, or Twitter), storing and sharing a wealth of
personal information. This information, as well as the pos-
sibility of contacting thousands of users, also attracts the in-
terest of cybercriminals. For example, cybercriminals might
exploit the implicit trust relationships between users in order
to lure victims to malicious websites. As another example,
cybercriminals might find personal information valuable for
identity theft or to drive targeted spam campaigns.
In this paper, we analyze to which extent spam has en-
tered social networks. More precisely, we analyze how spam-
mers who target social networking sites operate. To collect
the data about spamming activity, we created a large and
diverse set of “honey-profiles” on three large social network-
ing sites, and logged the kind of contacts and messages that
they received. We then analyzed the collected data and
identified anomalous behavior of users who contacted our
profiles. Based on the analysis of this behavior, we devel-
oped techniques to detect spammers in social networks, and
we aggregated their messages in large spam campaigns. Our
results show that it is possible to automatically identify the
accounts used by spammers, and our analysis was used for
take-down efforts in a real-world social network. More pre-
cisely, during this study, we collaborated with Twitter and
correctly detected and deleted 15,857 spam profiles.
1. INTRODUCTION
Over the last few years, social networking sites have be-
come one of the main ways for users to keep track and com-
municate with their friends online. Sites such as Facebook,
MySpace, and Twitter are consistently among the top 20
most-viewed web sites of the Internet. Moreover, statistics
show that, on average, users spend more time on popular
social networking sites than on any other site [1]. Most so-
cial networks provide mobile platforms that allow users to
Permission to make digital or hard copies of all or part of this work for
personal or classroom use is granted without fee provided that copies are
not made or distributed for profit or commercial advantage and that copies
bear this notice and the full citation on the first page. To copy otherwise, to
republish, to post on servers or to redistribute to lists, requires prior specific
permission and/or a fee.
ACSAC ’10 Dec. 6-10, 2010, Austin, Texas USA
Copyright 2010 ACM 978-1-4503-0133-6/10/12 ...$10.00.
access their services from mobile phones, making the access
to these sites ubiquitous.
The tremendous increase in popularity of social network-
ing sites allows them to collect a huge amount of personal
information about the users, their friends, and their habits.
Unfortunately, this wealth of information, as well as the ease
with which one can reach many users, also attracted the in-
terest of malicious parties. In particular, spammers are al-
ways looking for ways to reach new victims with their unso-
licited messages. This is shown by a market survey about the
user perception of spam over social networks, which shows
that, in 2008, 83% of the users of social networks have re-
ceived at least one unwanted friend request or message [16].
From a security point of view, social networks have unique
characteristics. First, information access and interaction is
based on trust. Users typically share a substantial amount
of personal information with their friends. This information
may be public or not. If it is not public, access to it is
regulated by a network of trust. In this case, a user allows
only her friends to view the information regarding herself.
Unfortunately, social networking sites do not provide strong
authentication mechanisms, and it is easy to impersonate a
user and sneak into a person’s network of trust [15]. More-
over, it often happens that users, to gain popularity, ac-
cept any friendship request they receive, exposing their per-
sonal information to unknown people. In other cases, such
as MySpace, the information displayed on a user’s page is
public by design. Therefore, anyone can access it, friend or
not. Networks of trust are important from a security point
of view, because they are often the only mechanism that
protects users from being contacted by unwanted entities.
Another important characteristic of social networks is the
different levels of user awareness with respect to threats.
While most users have become aware of the common threats
that affect the Internet, such as e-mail spam and phishing,
they usually do not show an adequate understanding of the
threats hidden in social networks. For example, a previous
study showed that 45% of users on a social networking site
readily click on links posted by their “friend” accounts, even
if they do not know that person in real life [10]. This be-
havior might be abused by spammers who want to advertise
web sites, and might be particularly harmful to users if spam
messages contain links to malicious pages.
Even though social networks have raised the attention of
researchers, the problem of spam is still not well understood.
This paper presents the results of a year-long study of spam
activity in social networks. The main contributions of this
paper are the following:
1

• We created a set of honeynet accounts (honey-profiles)
on three major social networks, and we logged all the
activity (malicious or not) these accounts were able to
observe over a one-year period for Facebook and an
eleven-month period for Twitter and MySpace.
• We investigate how spammers are using social net-
works, and we examine the effectiveness of the counter-
measures that are taken by the major social network
portals to prevent spamming on their platforms.
• We identify characteristics that allow us to detect spam-
mers in a social network.
• We built a tool to detect spammers, and used it on
a Twitter and Facebook dataset. We obtained some
promising results. In particular, we correctly detected
15,857 on Twitter, and after our submission to the
Twitter spam team, these accounts were suspended.
2. BACKGROUND AND RELATED WORK
Social networks offer a way for users to keep track of their
friends and communicate with them. This network of trust
typically regulates which personal information is visible to
whom. In our work, we looked at the different ways in which
social networks manage the network of trust and the visibil-
ity of information between users. This is important because
the nature of the network of trust provides spammers with
different options for sending spam messages, learning infor-
mation about their victims, or befriending someone (to ap-
pear trustworthy and make it more difficult to be detected
as a spammer).
2.1 The Facebook Social Network
Facebook is currently the largest social network on the In-
ternet. On their website, the Facebook administrators claim
to have more than 400 million active users all over the world,
with over 2 billion media items (videos and pictures) shared
every week [3].
Usually, user profiles are not public, and the right to view
a user’s page is granted only after having established a re-
lationship of trust (paraphrasing the Facebook terminology,
becoming friends) with the user. When a user A wants to
become friend with another user B, the platform first sends
a request to B, who has to acknowledge that she knows A.
When B confirms the request, a friendship connection with A
is established. However, the users’ perception of Facebook
friendship is different from their perception of a relation-
ship in real life. Most of the time, Facebook users accept
friendship requests from persons they barely know, while in
real life, the person asking to be friend would undergo more
scrutiny.
In the past, most Facebook users were grouped in net-
works, where people coming from a certain country, town,
or school could find their neighbors or peers. The default
privacy setting for Facebook was to allow all people in the
same network to view each other’s profiles. Thus, a mali-
cious user could join a large network to crawl data from the
users on that network. This data allows an adversary to
carry out targeted attacks. For example, a spammer could
run a campaign that targets only those users whose profiles
have certain characteristics (e.g., gender, age, interests) and
who, therefore, might be more responsive to that campaign.
For this reason, Facebook deprecated geographic networks
in October 2009. School and company networks are still
available, but their security is better, since to join one of
these networks, a user has to provide a valid e-mail address
from that institution (e.g., a university e-mail address).
2.2 The MySpace Social Network
MySpace was the first social network to gain significant
popularity among Internet users. The basic idea of this net-
work is to provide each user with a web page, which the user
can then personalize with information about herself and her
interests. Even though MySpace has also the concept of
“friendship,” like Facebook, MySpace pages are public by
default. Therefore, it is easier for a malicious user to ob-
tain sensitive information about a user on MySpace than on
Facebook. Users might be profiled by gender, age, or nation-
ality, and an aimed spam campaign could target a specific
group of users to enhance its effectiveness.
MySpace used to be the largest social network on the In-
ternet. Although it is steadily losing users, who are mainly
moving to Facebook [2], it remains the third most visited
site of its kind on the Internet.
2.3 The Twitter Social Network
Twitter is a much simpler social network than Facebook
and MySpace. It is designed as a microblogging platform,
where users send short text messages (i.e., tweets) that ap-
pear on their friends’ pages. Unlike Facebook and MyS-
pace, no personal information is shown on Twitter pages by
default. Users are identified only by a username and, op-
tionally, by a real name. To profile a user, it is possible to
analyze the tweets she sends, and the feeds to which she is
subscribed. However, this is significantly more difficult than
on the other social networks.
A Twitter user can start “following” another user. As a
consequence, she receives the user’s tweets on her own page.
The user who is “followed” can, if she wants, follow the other
one back. Tweets can be grouped by hashtags, which are
popular words, beginning with a “#” character. This allows
users to efficiently search who is posting topics of interest at
a certain time. When a user likes someone’s tweet, he can
decide to retweet it. As a result, that message is shown to
all her followers. By default, profiles on Twitter are public,
but a user can decide to protect her profile. By doing that,
anyone wanting to follow the user needs her permission. Ac-
cording to the same statistics, Twitter is the social network
that has the fastest growing rate on the Internet. During
the last year, it reported a 660% increase in visits [2].
2.4 Related Work
The success of social networks has attracted the attention
of security researchers. Since social networks are strongly
based on the notion of a network of trust, the exploitation of
this trust might lead to significant consequences. In 2008, a
Sophos experiment showed that 41% of the Facebook users
who were contacted acknowledged a friend request from a
random person [8]. Bilge et al. [10] show that after an at-
tacker has entered the network of trust of a victim, the vic-
tim will likely click on any link contained in the messages
posted, irrespective of whether she knows the attacker in
real life or not. Another interesting finding was reported
by Jagatic et al. [13]. The authors found that phishing at-
tempts are more likely to succeed if the attacker uses stolen
information from victims’ friends in social networks to craft
2