Recipe for Disaster – The Spammer’s Guide to DSA and DMA

I write this as a professional spammer. That’s right, I have been making a living for over two decades by gaming, tweaking, by-passing, using, abusing and cheating the systems. The systems that protect your personal data, the advertising auctions, the search algorithms. I offer my skills to the highest bidder and can bring more visits to your websites, make your product sell more or get more attention to your social media. I work in the gray zone between legal and illegal in the online underworld. Big Tech wants to ban me. Policy-makers want to catch me. Businesses want to hire me. I always find a way. And I’m here to tell you that the new EU policies will do nothing to limit me.

The double whammy of Digital Markets Act and Digital Services Act won’t touch the sides for spamming, and this is not a glass half-empty view, this is a reality that the bucket of proposals is fantastically leaky.

When the new rules are legal, it’ll be no different to when the EU Cookie Directive, or General Data Protection or other online rules came into force. The rules are always weak, and rarely enforced, and I’ve been spamming since 1999 (around the time when CAN-SPAM Act was all the rage and ROKSO launched, The Register of Known Spam Operations).

I’ll stop selling physical products on platforms or doing anything which needs proper verification, and change the business model to supplying traffic and monetise that. Someone else can register on the platform or marketplace as my proxy. Affiliate marketing won’t be covered, so there’s still an opportunity there. There’s nothing to stop me opening up a “shop” which is scraped products from other shops and marketplaces which links through to the official outlets and yields a kick back when someone purchases from the actual supplier. I’ll diversify into promoting illegal streaming too – those guys can avoid detection in areas of the world where domains are harder to reach. An iframe, inside an iframe with the relay of a soccer game held on a server that’s out of reach of the infringing “website” won’t be covered by either of the DMA/DSA proposals. Or if someone is going to continue selling counterfeit clothing, soccer shirts, NFL shirts, designer bags and the like. They are so easy to source and can also be dropshipped via marketplaces in South-east Asia. The trick here is to never advertise the counterfeit item. Sure, a shop selling items that look like the official item, no logos and vastly cheaper. Punters know they will receive a bag with a Gucci logo, even though the photo had the logo blurred out. There are literally hundreds of sites to use for this including Wish, DhGate, AliExpress, 1688.com, Gearbest.com.

The proposals are meek from a spammer point of view because they only cover the message, never the messenger. It’s like going to a bar, if they want ID, then go to the bar that lets underage drinkers in. Every town has one. The internet is no different. No one knows who you are, unless you tell them.

A URL IS JUST .JSON

All forms of spamming (email, SMS, web marketing, affiliate marketing or cookie stuffing and so on) rely on domain names. A domain name and URL is nothing more than a bit of code, .JSON code to be precise. They are not like a physical address. No one is enforcing. ICANN sends an email once a year asking that you update your contact details. If you don’t want to do that, simply buy another €0.99c domain on month eleven. Sure, for more elaborate operations changing a domain name is more involved and will cost me a loss of traffic, but say the scheme is SMS phishing, like “Your package is ready for collection, please pay the outstanding sum” type scams that link to a website. The value is not in the domain, the value is in anonymity and traceability and the payment account. If domains can’t verify you and payment processors don’t check the business behind the deposits, who is going to stop me? A telecoms company? eBay? Amazon? Twitter say they verify accounts (which is nonsense), so there’s free traffic and clicks to be had!

HOSTING

Five dollars and that’s all it takes to get fully guaranteed anonymous hosting. If you want to be more complex, sign up for a reverse host, or caching server. To break-even on a $5.00 investment is hardly a challenge. Lots of hosts now accept Bitcoin, and many promote anonymous browsing, anonymous VPS, anonymous server and anonymous domains, offshore private servers and promise not to hand out any information about our activities to any third-party entity, keeping everything private.

CONTENT SYSTEM

I need a URL, server space, a few automated tools. I’ll scrape content, and replace synonyms to create unique content that will rank in Google as fresh news content. That same news content can be submitted back to Google News (with some luck they’ll accept it) and places like NewsNow. I can become an authority using other writers’ content, with slight tweaks. Or I’ll subscribe to a paywall website, or newsletter, scrape and report it on the open web to get the traffic. From there I can monetise the traffic.

My options are few. For sports betting combine ripped news content with data that can be scraped from multiple places.

For football streams scrape the upcoming fixtures, and add streaming, live feed or watch live to the titles, and throughout the content. Then link to streaming sites that offer a cut of the advertising revenue. No need to stream content, or take risks with websites that are directly against the law. I can use Twitch, YouTube, TikTok and other video sites to bait the user with a video telling them where to go for the streaming link. If Google allows websites that instruct people how to commit suicide, are they really going to act against spammers?

The best tools can scrape, post, react and work across multiple sites. One tool I use can spam and generate traffic 24/7, fully automated. It works on YouTube, Facebook, Twitter and every site in between. If I’ve posted ripped music concerts or film scores to Spotify, there are plenty of tools like Stormlikes, Social Viral, UseViral, SidesMedia, FollowersUp, or StreamKO. And no one will check who I am, or where I am. I’ll rinse and repeat and take the cash.

DATA SYSTEM

Scrape data, repurpose it as original and promote it where the licenced gambling firms don’t dare market it. With that data I can target punters in USA. Ripping and scraping odds from one market and presenting it in another market is easily done with headless bots, a database and content generation on the fly, so in fact you are not liable for anything because the data presented is asynchronous. And if it’s illegal to take wagers from US punters, we will use a Bitcoin exchange in a third country, perhaps in the Caribbean, so I can make on the bet and the transaction.

The bait is a promise of streaming, gambling, films, torrents, TV, games. And with a good site there are plenty of places to drop the link. Twitch, YouTube, Reddit, Socials and even paying webmasters at newspapers to drop links in old articles on trusted sites are fair game for getting traffic.

HACKING THE SYSTEM

I’m not alone in skirting the rules. Chinese sellers will continue to send a container of goods to Europe, then pay import duty, but register as someone in Hong Kong. With the goods in the EU they can ship inside the EU, pay no sales tax, just pay a small amount of import duty and get a friend to do the shipping. Countries lose VAT etc. If there’s a requirement to have a legally responsible person, then for Chinese sellers, a student or fake profile will be used. It’s not difficult to buy passports, electricity bills, fake bank statements online. And if a platform starts checking ID, they’ll buy hacked accounts or rent accounts.

It’s the same thing that’s going on with PayPal, eBay, UberEats for workers, Uber driver accounts and many more. Next time you order a food delivery, check the photo of the driver; does it match the person who actually showed up with the food? In many instances no, because the market for account rentals is huge.

No marketplace or platform has ever taken this seriously, and they don’t make proper checks.

CHOOSE “no log” VPN provider

The policy acts assume there are digital transactions? What if the transaction is a deposit or referral or scam? Selling hooky software doesn’t happen on mainstream platforms. Forums and bulletin boards won’t be as policed and might not even be covered by the acts.

Reverse proxies to market gambling to US residents, potentially illegal and risky for wire fraud but many do it.

So in the EU, am I going to give up my livelihood because of some regulation aimed at platforms? No chance. Do your worst, eurocrats – I won’t be losing any sleep before the platforms themselves step in.