Gaming MP3.com

Maybe i'm just paranoid, but i'm wondering what's to stop some big record company, or even a small-time computer programmer/musician, from writing a program that downloads the same mp3s over and over again, several times an hour, all day, driving one group up the charts?

It's not in my nature to claim to be an expert, but I reckon I can at least answer on behalf of "experts" anyway :-)

It *COULD* be done, for awhile, but they'd probably get caught, eventually.

Depends on how sneaky they are.

MP3.com has several filters in place to detect these things, or so they claim, and they accept complaints from other "members" (or whatever they call us).

And if they catch you, or they *THINK* they catch you, BAM!, you're off until you convince them that you weren't scamming them.

That said, MP3.com won't say what their detection filters are, because if they published them, you'd only have to walk the cliff-line of not triggering their filters, while doing just what you describe.

Things MP3.com *COULD* be using to try and catch you:

1. Browsers, by default, send all sorts of crap about what version they are and such-like. Some browsers send less (or more) than than others, but presumably MP3.com *could* be "watching" that normal, expected data is coming to identify the browser.

2. Your IP address, and, if you are being forwarded by a firewall or proxy, that firewall or proxy might, or might not, be providing your true IP address in addition to their IP address which "replaces" yours, by definition, when you pass through a firewall/proxy.

If the preceding paragraph makes no sense to you, just think of an "IP address" as "your secret number" that your computer has which lets you surf the Internet, and everybody you talk to knows it's you, cuz that's your "secret number" at the moment. -- It might be issued temporarily by AOL, or you may have a single IP address that never changes. But, one way or another, that's your number, and the only way you can surf or get your email is if your browser gives that "secret number" out to the sites you visit.

In theory, there's nothing about your "secret number" to give away anything personal or private about you. In practice, web-sites could, and have, "tracked" users which IP they are using at the moment and then traded what they know about "you" with other web-sites. When they get caught, a lot of people yell at them, and sometimes they get sued. Basically, if you want to be realistic, assume that *ANY* personal information you give to a web-site is going into 5 other places, and will eventually be ferreted out by 25 more, and so on. You'll be wrong a lot of the time, since most web-sites don't give away your data, but then you won't feel victimized by the few that do.

You might be "at work" where some IT guru (or maybe an idiot, these days) has configured a "firewall" (never mind what it is, it's just magic) or "proxy" (another kind of magic) that when you ask for an MP3 (or any URL) that "firewall/proxy" maybe replaces your "secret number" and uses its own "secret number" instead. Then, when your MP3 is coming back from mp3.com, it goes to the "firewall/proxy", since that's the "secret number" that was used to request it, and then the "firewall/proxy" knows to forward it to you at YOUR "secret number". That "firewall/proxy" may, or may not, be set up to reveal your IP address ("secret number") to the web-server, but it's sent a different way than "usual" and their web-server may, or may not, be set up to catch it.

Either way, MP3.com gets some kind of IP address of where your request is coming from -- either yours or that of the "firewall/proxy" magic in the middle. Even if it's not really, YOUR IP address, and the "firewall/proxy" doesn't pass on your IP address, MP3.com has at least something they can track and figure out if maybe the requests are coming too much from the same place.

You can see how mind-numblingly easy it is to track IP non-firewalled addresses:
http://l-i-e.com/ip.htm
That "page" has only this line of code in it:
<?php echo $REMOTE_ADDR;?>
Not exactly rocket-science, eh?
I could even spend a few minutes to show your "real" IP address if you are behind a "firewall/proxy" that forwards them, but since some don't, there's not much point to it, and you'll just have to trust me that if your "firewall/proxy" sends the IP address, it ain't that hard for me to catch it. Conversely, if your "firewall/proxy" does *NOT* send it, there's really no way I know of to back-track it. In theory, that's the whole point of what *SOME* "firewalls/proxies" are trying to achieve: Anonymity for the users behind them, be it a large corporation or simply an individual who cares about their privacy.

3. A punch-clock of time when you asked for that MP3.

4. Which MP3 file you are asking for.

5. Oh, yeah -- MP3.com requires *LOGIN*, doesn't it? And they conveniently "forget" who I am every month or so, and I have to go fill out that stupid form with an email, my country, and my ZIP CODE. Grrrrrr. This is almost-for-sure their way of filtering out the more stupid attempts to game the system. Although maybe it's just that their servers are so badly broken they actually do forget who I am... That would be pretty broken indeed, but this *IS* MP3.com we're talking about. Whatever.

6. Whether your "browser" asked for all the other files, like images, JavaScript, CSS and such-like that are referenced in the HTML, or not. If your particular browser always asks for that stuff, and you write a program to "fool" them but don't ask for it, they could conceivably detect that and catch you.

7. Overall trends and statistics of what's downloaded/when by whom.

8. Unique Cookies and/or Unique URLs.

Note that some browsers can be configured to not fetch images, and others simply *CANNOT* fetch images. So, generally, they can't *REQUIRE* you to snag images, unless they want to not support those browsers... But it's MP3.com, and they might choose to do that, if it was more important to use that as a filter for real browsers to detect your hyptothetical scam.

Now, first and foremost, *ALL* of these things, except the punch-clock (#3) and the actual file you asked for (#4) and the stats (#7) can be worked around.

Yes, even the login and zip-code crapola, if you're willing to work at it.

At a minimum, if you want to try it, and expect to get away with it, you'd have to write a script that "pretends" to be a browser and sends the exact same headers that browser normally sends.

First, you'll need to request the LOGIN page, and accept the Cookies they use to track you.

Next, you'll have to store those Cookies, and send them back with every request you make, as well as storing any new/altered cookies they send.

Didja catch that new/altered cookie thing? Take a look at an mp3.com URL sometime in that "Location:" box in your browser. See all that crap? See how, like, there's a great big chunk there of 32 characters that changes all the time? Well, if they *want* to, they can give every single visitor a unique URL for every single page they don't want you book-marking, and send a different cookie on every single HTTP interchange.

Assuming you don't have a billion dollars and thirty year, you'd have to have your script ready and waiting to get that altered/new Cookie data and URL data so you can correctly surf on to the next page. If you try and surf to a previously-issued URL/Cookie -- Busted!

But you don't want to LOGIN *every* time -- Once you have the cookies, you'd just visit, say, a "bookmarked" URL. If you can. Depends on if you need to login every time to start the MD5 Cookie sequence off right. Currently, they don't make you do that... Currently.

[Essentially, you're writing a "fake" web-browser, just like IE or Netscape, and the more like them you can make it, the better.]

You'd want to send the request for the easiest page to get to that has the MP3 link in it.

Then, your program would have to accept their HTML content, and you'd have to check that it was what you expected, and not their confirmation login page, or some other new wrinkle they threw in.

Of course, if they decided (at random, as far as I can tell) to force you to LOGIN again, with your zip-code, you'd want it detect that and automatically send in the requested data, assuming it doesn't have any new wrinkles in the HTML output for that LOGIN page.

Even if it *was* the expected HTML with your MP3 link in it, you'd want to program it to request any referenced JavaScript and CSS files that the browser you are emulating would normally request, to be sure they haven't tracked those requests as a filter.

Finally, you'd want to request the MP3 file, which, by the way, has an ever-changing URL, I think. Look at the actual URL you click on to get your MP3's and see if they don't change over time. Maybe every time, maybe every week, I dunno. Remember that MD5 Hash magic? Yup.

Anyway, to be sure they can't tell it's a computer, you'd have to do all of the above (and probably some more I missed, though I can't see what...)

Next, in order to be sure that they don't catch on that it's a computer, you'd need to time your requests -- A normal human doesn't click *THAT* fast on a link, but a computer will snarf it down right away, unless you specifically write some code to slow it down.

Conversely, your *BROWSER* *DOES* request image files, style-sheets, and JavaScript files almost immediately -- So you'd have to have a timing mechanism that knew what to do with which *KIND* of document.

So, you've done all this work, you've faked them out, that you've listened *ONCE* to the MP3.

Next, you need to repeat all of that, only you need to LOGIN as different users, at varying times, but not too much varying -- IE, if they are tracking that a certain login username "usually" listen 9-5 (at work) or evenings or weekends, but your program seems to be logging in and listening all day every day as that same user, you'd want to avoid that, because it's a dead give-away that you're a computer. You'll have to generate "profiles" of what you think are real usage patterns and have your program follow them religiously, with an occasional anomoly.

If they see that a single user has downloaded the same song over and over and over, and nothing else, that's a dead give-away that you are scamming them.

So, you'd need to be downloading different MP3's like a normal human, and varying up the times like a normal human, while still mostly listening to the artists whose stats you want to drive up.

If you listen to LABEL-X (apologies in advance to any real label with that name...) artists, and only LABEL-X artists, they could probably even notice that, since they have the record label as a field in their database.

Now, I have *NO* *IDEA* if they track all these things, or only some of these things, but I know some things:

*ALL* of these are possible for MP3.com to track, and if I can figure them out, presumably somebody at MP3.com can as well. (Although, sometimes, considering how stupid their Marketing/Promotions department is, and how crappy their User Interface and overall site design is, I have to wonder...)

Odds are pretty good I haven't thought of *ALL* of the things, and there are *MORE*. Way more. I'm not even an Internet Security expert. I only have nibbled around the edges of Internet Security a little bit. Okay, maybe a lot of nibbling. I'm still not a hard-core "expert". And if they've done nothing else right (which is arguable either way) you'd think MP3.com would have enough sense to hire a real hard-core expert, or at least bring one in as a consultant once in a while. Maybe even different ones, to be sure they catch every trick.

If you get caught, it's GAME OVER for that artist forever, at least under that name, on MP3.com They might, if they know for sure you are doing it, publish that fact, which would probably not behoove you to a label. On the other hand, maybe it would, considering the general morals of the major label system.

People *HAVE* been "caught" who were later "found innocent"

I don't know anybody who has been "caught" and will admit to being "guilty" but I presume they exist.

The effort involved in staying ahead of MP3.com on all the things they *MIGHT* be tracking, and the risk involved, and the payoff (or lack thereof) makes this an unlikely (not impossible, but unlikely) activity on a long-term basis.

If LABEL-X can afford to pay me to do all that, and research enough to be sure it will work, LABEL-X has the $$$ to buy up radio time and real advertising for their artists, and that is far, far more lucrative than gaming MP3.com, which, when all is said and done, is *MEANINGLESS* (at this time) to the industry. Yeah, okay, maybe not meaningless. Maybe high stats on MP3.com have gotten some bands a few bones thrown their way. You're talking table scraps compared to the real money, and that's what anybody who has the resources to really game MP3.com should be going after.

You're certainly more than welcome to try it, and I'll even point you to a tool that would make it relatively painless:

http://php.net

and some sample source code that does something *LIKE* the above, only stripped down to the simplest, easiest level:

http://nogenre.com/cdbaby/

(Click on the "Source Code" link at the bottom)

So, in conclusion:

It could be done; it *HAS* been done; and, right now, somebody is probably doing it.
NEW I've been informed that there's even a program "out there" specifically designed to drive up your stats on MP3.com But if you're not smart enough to find it on your own, you'll probably be too stupid to use the software properly anyway, so I won't even say what the name is. 'Sides, I already forgot anyway. I got no interest in it, so why should I remember? I can find it if I have to, but you can work Google, or http://dogpile.com which I like better, as well as I can, so knock yourself out if you think it's a Good Idea (tm). I'll betcha a dollar some of the people using this alleged program are getting caught.

However, some *HAVE* been caught (almost for sure) and others *WILL* *BE* caught, and MP3.com is aware of the issue and taking steps to catch them.

The dubious gains of being on MP3.com charts, compared to the cost of programming something to defeat even the obvious filters listed above, as well as the likelihood of other filters to catch you now and in the future, and, at bottom, the fact that the music industry has *MUCH* easier ways to manipulate your chances of "success", assuming you have no morals in the first place, make the odds that a major label, or even a large "independent" or "major/minor" or "junior major" or whatever we're calling those kind of labels this week, is doing this, rather unlikely. I wouldn't bet money on it either way, though :-)

But it's far more likely that some small, desperate (in the non-pejorative sense) artist/programmer is trying this. Some probably even are getting away with it, if they're smart enough to drive the numbers up in a pattern that truly mimics the way other artists have had it happen, which you would have to deduce with a lot of guesswork. Hey, more power to them. It sure seems less evil to me than major labels buying up all available commercial radio air-time. Me, I'll stick to promoting and advertising in the real-world where I might make some money out of it. I guess I could program such a thing for somebody else, so long as you sign a contract to hold me blameless when they catch you... Nah. I got better things to do than deal with MP3.com stupidity.