I have a vehement dislike of spam. Right there, that's something you and I have in common because I'm yet to meet a person who says "well actually, I find those Viagra emails I receive every day kinda useful". We get bombarded by spam on a daily basis and quite rightly, people get kinda cranky when they have to deal with it; it's an unwanted invasion that takes a little slice of unnecessary mental processing each time we see it. Sure, junk mail filters catch a lot of it, but even the best implementations will still let a few slip through now and then.
But for the most part, spam is indiscriminate; you're on a list so bam - you get emails about improving your bedroom life. Increasingly though, it's much more targeted than that and is invading channels beyond just email:
Hi Luke
If you're still looking for a new host, we would love you as a client.
We are 100% independent and have far better service than the big brands.
I can offer you a free month if you would like to compare service. https://t.co/WeXf3AcalU
— Nodestack (@NodestackUK) April 12, 2018
Now just to avoid any shadows of doubt, yes, this meets the very definition of spam:
the use of electronic messaging systems to send an unsolicited message (spam), especially advertising, as well as sending messages repeatedly on the same site
You'll also see the Twitter example above referred to as "thread-hijacking", that is someone interjecting in a discussion in order to divert it in a different direction. In the case above, HostGator was being taken to task for storing passwords in a retrievable fashion (i.e. not as a strong cryptographic hash), and rightly so too. The hijacking then came via Nodestack who decided that this was the perfect opportunity to try and sell their services.
I'm going to talk more about Nodestack's behaviour in a moment, but let me be clear about this - spam and thread-hijacking in this fashion is all too common:
Check out https://t.co/mnjmVb0IkS The secure eSign solution by Barracuda Networks.
— SignNow (@signnow) September 6, 2017
It's the same deal - targeted spam. Someone at SignNow had decided that Mister Johnson met their target demographic and thus deserved an unsolicited advertisement. Don't confuse this with a Twitter ad either; we as users of the free platform know that the trade-off is companies pay to highlight their tweets, each of which is clearly flagged as "promoted". SignNow's approach was likely highly automated based on keywords in Mister Johnson's tweet rather than them thinking he genuinely needed their services - there's very little likelihood that someone complaining about phishing emails impersonating DocuSign is going to turn around and then start using an alternative electronic signature platform. It was probably just a case of him mentioning @docusign in the same way as the Nodestack spam was likely triggered by the mention of @HostGator.
Often, you'll see this pattern play out ad nauseam as the organisation involved takes the shotgun approach of blasting their message out over and over again:
When you look for a VPN, you really want to be confident they're responsible, ethical and behave in a professional manner... pic.twitter.com/ZJSDF2VMzv
— Troy Hunt (@troyhunt) November 23, 2016
Having watched this pattern play out over the years, the offending Twitter accounts do seem to eventually realise that the strategy is either ineffective or simply pisses too many people off and cease the spam after a little while. Nodestack haven't quite evolved to that level of understanding yet and as of today, still appear to be hijacking disgruntled threads containing keywords of "HostGator", "Bluehost" or "GoDaddy", among others. (Amusingly, they also appear to be attempting to woo happy Ghost customers - or those considering Ghost - over to WordPress.)
And just the day after first seeing Nodestack's behaviour:
Prevent #phishing attacks with comprehensive, cloud-based email security that provides end-to-end control of your email! @gdlinux
— Guardian Digital (@gdlinux) April 13, 2018
The point is that Nodestack is not the sole offender here, although they are exceptionally bad in other ways. I'll come back to that.
One of the arguments I've seen bandied around in favour of this strategy is that "it's useful to people". The position here is that in a case like that last tweet by Guardian Digital, they believe that the original tweet demonstrated a need and they're simply trying to help that person out with a solution. But let's try it like this: what if every hosting company that offered a service took the same approach? I mean suspend reality for a moment and assume that AWS, Azure, Digital Ocean et al all decided this marketing strategy "enhanced consumer value" - how would that look? Well it would be unmanageable, of course, as the noise of all the spam would drown out every conversation it was interjected into. So it's one of those things where even those who promote this means of unsolicited messaging agree that it only works so long as they're the only ones doing it!
The premise of interjecting into a conversation and promoting a service to someone at a time of need goes by another name too:
Feels a bit too much like ambulance chasing to me. I get their position, but goes against good "social etiquette" in my opinion.
— Jason Snelders (@JasonSnelders) April 12, 2018
So how do organisations respond once the penny drops that this practice is usually received in a very negative way? The responsible ones acknowledge the mistake and promise to do better in future:
@troyhunt hey you guys are right, that is spammy, we’re sorry about that, thanks for pointing it out & we will tighten things up
— SignNow (@signnow) September 7, 2017
Expecting that Nodestack would follow suit, I suggested this was a strategy worth reconsidering:
You really want to do a search for “thread hijacking” before attempting this technique, it’s rather frowned upon
— Troy Hunt (@troyhunt) April 12, 2018
Surprisingly though, Nodestack decided to double-down and dig themselves in deeper:
Hi Troy
Not at all, we are just trying to help good people out of bad situations.
Our marketing is more aggressive yes but it's not personal it's just business.
— Nodestack (@NodestackUK) April 12, 2018
I won't reproduce all the to-and-fro here, but you can easily recap by browsing the thread above. Long story short, they remained defiant, so I put the question out to the masses:
Friends - how do you view this tactic by @NodestackUK? Subsequent to-and-fro suggests they don’t see it as a social media anti pattern, comments from the masses? https://t.co/KxeFgXBxMY
— Troy Hunt (@troyhunt) April 12, 2018
Again, I'll avoid reproducing all the responses here, but it's worth a spin through the thread to see Nodestack's reaction (get popcorn first - it gets weird). As for other respondents, without manually counting them all, I'd say it's somewhere in the order of a 4:1 ratio of those who are staunchly against the practice (many people were very direct about those feelings) versus those who'd accept it, or at least put up with it. I appreciate that we all have different tolerances to criticism, but when the vast majority of people are saying "don't do this", you really want to think about not doing it!
So why take this approach? I mean, why blast people with spam given how much it's disliked? Apparently it's a conscious "target all the people" strategy where you just bombard targets with enough adverts that if some bite, then you're all good (think along the lines of the economics of Nigerian scams). The fundamental misunderstanding at play in that tweet (and other similar ones) is that everyone is free to just ignore spam, so what's the problem? Of course, that's simply not how it works, and indeed that's why we have laws protecting consumers from it.
Look, perhaps, contrary to what the vocal opposition they received suggests, Nodestack really do pick up business by thread-hijacking; you'll have to make up your own mind on how trustworthy that statement is. But consider the truthfulness of that assertion in the context of all sorts of other oddities in the way they're doing business, ranging from a fake Trustpilot rating, to missing business registration data, to cohabitation with spam sites, to a poor SSL Labs rating, to excessive open ports on the web site, to a failing "F" grade on their security headers (that last one was in response to a claim that their security is "water tight", a claim somehow made in ignorance of how a similar claim wound up for T-Mobile Austria only the week before). The Twitter account went uncharacteristically quiet in response to these issues, other than to demonstrate a lack of understanding of why forward secrecy is important in this day and age. I tried to find some further info on who was behind the service, but a LinkedIn search only came up with a Rails developer in Portugal and a bloke in Bangladesh; it's not clear whether that "nodestack" is the same org, nor whether those two guys are running a business from afar whilst implying it's based in the UK, having only set up the website and Twitter account in Jan (although it may explain all the typos in their tweets). This is not intended purely to berate Nodestack (for all I know it's a guy in a shed just trying to make a good go of things); rather, it's to illustrate the pattern of professionalism that thread-hijacking fits into.
When this blog post is later shared in the wake of subsequent thread-hijacking behaviour from other accounts, I want it to be clear that this is the sort of company spammers will be keeping. It may well work in the same way as other advertising many of us find sleazy works; if enough people pay for the service based on those ads then the end justifies the means, right? Regardless, it's hard to imagine anyone who actually values their reputation behaving in this way. Seeing this unfold last week, it immediately made me think back to my "Hack Your Career" talk from last year at NDC:
It's just a question of how valuable your reputation and character is to you.
By pure coincidence, only a couple of days ago I saw another case of thread-hijacking in response to the same original thread:
Come have a look at us, email from Office 365/GSuite or our own reliable email service. UK Based, Free Let's Encrypt SSL, starting at just £50 a year.
— Solid Blue Liquid Web Hosting (@solidblueliquid) April 16, 2018
I thought I'd see how my earlier approach would go with these guys - would they push back equally hard against common-sense advice? I copied and pasted exactly the same tweet I sent to Nodestack, just for scientific purposes:
Thanks @troyhunt now I know I'll be more careful in future!
— Solid Blue Liquid Web Hosting (@solidblueliquid) April 16, 2018
And true to their word, that was that - they cleaned up their act. It's nice to see common sense prevail.