A pair of researchers -- one a grad student working at Twitter -- bought $5,000 worth of fake Twitter accounts (with Twitter's blessing) and developed a template for identifying spam Twitter accounts. The spammers were using cheap overseas labor to solve Twitter's CAPTCHAs, registering the new accounts with automatically created email boxes from Hotmail and Mail.ru, and spreading the registrations out across a range of IP addresses, courtesy of massive botnets of infected computers. Twitter nuked zillions of spam accounts and prevented new ones from signing up -- for a while. Quickly, the spammers adapted their tactics and went back to registering new accounts. The researchers, Kurt Thomas and Vern Paxson, presented their results today at Usenix Security DC, in a paper called Trafficking Fraudulent Accounts: The Role of the Underground Market in Twitter Spam and Abuse (PDF).
Update: Here's the full research team: "Kurt Thomas is a grad student at UC Berkeley who works at Twitter; Alek Kolz works at Twitter, Damon McCoy is a professor at GMU, Chris Grier is a researcher at ICSI and UC Berkeley and Vern Paxson is a lead researcher at ICSI and a professor at UC Berkeley."
Immediately after Twitter suspended the accounts, the researchers placed 16 new orders for accounts from the 10 sellers with the largest stockpiles; of the 14,067 accounts they purchased, 90 percent were dead on arrival due to Twitter’s previous intervention.
“There was a fair amount of confusion on the [black hat hacker] forums about what Twitter was doing,” Paxson said. When the researchers requested working replacements, one of the merchants responded: “All of the stock got suspended….Not just mine…..It happened with all of the sellers….Don’t know what twitter has done….”
Within a few weeks, however, the bigger merchants were back in business, and the templates the researchers built to detect accounts registered by the various merchants began to show their age: Of the 6,879 accounts they purchased two weeks after Twitter’s intervention, only 54 percent were suspended on arrival.
Buying Battles in the War on Twitter Spam [Brian Krebs]