Look at your pull-based system for things that push
Here is a corollary on how push technology breeds spam: even if you have carefully built a pull based system that is thus insulated from spam, you need to carefully take a fresh look at it to see if you have any features that do (implicit) push actions that could be exploited by clever spammers. You'll probably have some push features (because they're useful for your users), in which case you need a plan for dealing with spam through them.
To be clear here, by 'push features' I do not mean things like 'invite your friends' email (that's a whole different issue); I mean any feature that lets user A put something in front of user B without user B explicitly asking for it. Internal private messaging is an obvious push feature but there are lots of others.
Twitter makes an interesting example for this. In theory Twitter is all about pull; you decide who to follow and who not to follow, and that's it. Except that there are at least two push features, and spammers exploit them both:
- people are notified when you start following them. So you follow
somebody and either hope that they'll reflexively follow you back
(in which case you start spamming) or look at your profile and
perhaps your website.
- people can be notified if you reply to one of their messages (or to them in general). So, well, you reply to messages with spam or (possibly vaguely relevant) marketing messages.
Both of these features are clearly useful to real users, which is presumably why they exist, but spammers have figured out how to exploit them just as we'd expect.