Worrying – spam on TheFunded

Posted on 08/18/09, in Tech, by Mike

So I was checking through the backlog of TheFunded RSS entries for interesting posts and reviews, and found – wait for it – spam! And not just one post, but six, all by different users with names like Felicia or Kassidy. The links to the actual posts return a 500 server error, and the posts have been removed from the live RSS feed, though Google Reader still has them as of a few minutes ago. Here is a screenshot of the spam posts in question (click for a full-size image):

[Screenshot: TheFunded spam]

This in itself wouldn’t be out of the ordinary if TheFunded were your average vBulletin or phpBB-based forum; those are frequently infiltrated by spammers unless very draconian rules are applied.

And what are these rules? Most usually, things like posting restrictions for so many days, and in some cases, per-user vetting of new registrations – in essence, what TheFunded claims to be doing with its new members. Money quote from TheFunded membership application form:

Please fill out the form fields correctly. The application will be manually processed to ensure that you do not work in venture capital. Processing may take up to five days, though you will normally be approved in less than 48 hours.

and

Applications without a valid biography available online will be rejected. At a minimum, you must have a LinkedIn profile with reasonable number of connections in place or a bio on your corporate site.

To me, this can have only two explanations: TheFunded doesn’t really do proper checks of membership applications, or their server was attacked and posts inserted into their database.

We are on autopilot

In the first case, the problem would be shoddy management of applicants, which is worrying to those who contribute based on the premise of complete anonymity – if you write bad things about your investors, they are not going to be happy about it. TheFunded shields executives’ and founders’ comments about VCs and their funds. If random people can get into TheFunded, then VCs can too, violating the main premise on which TheFunded was built.

We got pwned

This would be equally worrying, since a security issue that allows spam to be posted could also be exploited to access the database of members, and data that could link them to their real identities. In TheFunded’s favor, their FAQ explains how anonymity works, and it is actually very good as described, so no hack on the content server could reveal a user’s true identity. Still, a hack reveals weak points – we all know how Twitter had some of its confidential memos leaked a short while ago.

In either case, it would be good if TheFunded could explain what happened, and what they have done to fix the issue, other than delete the posts (and presumably also Felicia & Co.’s accounts!).
