Spam NFTs and How to Fix Them
This article explains what spam NFTs are, why they are a problem for NFT dApp developers and users, and how to filter them using Alchemy's NFT API endpoints and the getNFTs filter.
What is a spam NFT?
Spam NFTs are unsolicited non-fungible tokens (NFTs) sent or airdropped to your wallet address: tokens that you didn’t purchase and do not want.
Because anyone can send and receive tokens to and from a wallet address on public blockchains, unwanted NFTs will occasionally appear in your wallet.
What is the difference between a spam NFT and an airdropped NFT?
Spam NFTs are free, unwanted airdrops, while free NFTs that are airdropped to your wallet from a project that you support may not be considered spam.
To provide additional value to collectors, some generative NFT collections will create NFTs and airdrop them to collectors. While these NFTs typically have low resale value, they can be fun to keep in your collection because they demonstrate your participation in the community.
Why do people send spam NFTs?
People send unsolicited spam NFTs for many reasons including:
- To get the attention of popular NFT collectors
- To embarrass or annoy a wallet owner
- To attempt a phishing attack and steal tokens from wallet owners
- To market a new NFT project
With the growth of the NFT market, spam NFTs have been an increasing problem.
Why are spam NFTs a problem?
The two biggest reasons spam NFTs are problematic are that they’re often used by hackers and that they create a poor user experience for NFT collectors.
Spam NFTs can be used by scammers to lure people into sharing their private keys, signing messages, or confirming a transaction that sends funds to the hacker’s account.
Scammers might airdrop an NFT into wallets in the hope that the owner will follow a phishing link leading to a scam website. Scammers might then prompt the unsuspecting wallet holder to sign into their Ethereum wallet and approve a transaction to “claim” their free NFT.
Once the wallet signs a transaction, the scammer can drain the wallet's funds and NFTs.
Some of these websites use eth_sign, an unsafe method that allows arbitrary messages like “send your ether” to be signed, potentially handing over control of your account and assets.
While these scam sites can be incredibly convincing, they often have red flags including using odd language or making promises that seem too good to be true.
The best way to protect your wallet is to never interact with an unknown smart contract. The safest thing to do when you find spam NFTs sitting in your wallet is to ignore them or send them to a burn address.
2. Poor User Experience
Because NFTs are tied to art, utility, and creators, showcasing a collection is something to be proud of, and having spam NFTs in the same wallet as your most valuable NFTs creates a poor user experience.
For developers building NFT analytics tools, galleries, or marketplaces, spam NFTs are also an issue because they can lead to incorrect data and deceive unknowing users into thinking that a project is more popular than it actually is.
To make sure NFT holders and collectors have the best user experience, platforms need to use an NFT API that provides strong spam filters and custom settings.
How does Alchemy's NFT API help with Spam NFTs?
Alchemy’s NFT API can be used to filter spam NFTs using the getNFTs spam filter and the isSpamForContract and getSpamContracts endpoints.
The isSpamForContract NFT API endpoint checks if a particular contract has been classified as spam. You can filter for contract addresses, which means you can also look for the owners of a particular NFT and check to see if that’s the only one they own.
The getSpamContracts NFT API endpoint returns the list of all ERC 721 and ERC 1155 spam contracts on the selected chain.
NFT developers using the Alchemy API can also add a filter using the getNFTs API endpoint to filter NFTs that have been classified as spam.
As of August 2022, the Alchemy NFT API has marked over 5,000 smart contract addresses as spam.
How to Filter Spam NFTs with Alchemy's NFT API
Grabbing NFT metadata usually requires developers to read and parse individual smart contracts, then sort through a sea of irregular data. The Alchemy NFT API normalizes the metadata, and makes it easy to query across different projects. This metadata can then be queried using isSpamForContract and getSpamContracts to filter out spam NFTs.
For example, if an NFT collection has been marked as spam by getSpamContracts then a developer can direct those spam NFTs to a hidden tab to avoid cluttering the user’s wallet. Similarly, if you’re browsing another user’s wallet, a flag can be created using isSpamForContract to show if a particular NFT is spam and if the user has a pattern of sending spam NFTs.
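The hidden-tab idea above, as an added example that is not Alchemy's code: it splits a wallet's NFTs using a list of spam contract addresses. The function name, the input object shape and the sample addresses are assumptions made for illustration, not the API's response schema.

```javascript
// Added example: split a wallet's NFTs into a visible gallery and a hidden spam tab.
// Input shapes are assumptions for this sketch, not Alchemy's response schema.
const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;

// spamContracts: contract addresses flagged as spam (the kind of list the page
// says getSpamContracts returns). ownedNfts: { contractAddress, tokenId, name }.
function partitionBySpam(ownedNfts, spamContracts) {
  // Compare in lower case: the same address can arrive checksummed or not.
  const spam = new Set(
    spamContracts.filter((a) => ADDRESS_RE.test(a)).map((a) => a.toLowerCase())
  );
  const visible = [], hidden = [];
  for (const nft of ownedNfts) {
    const addr = nft.contractAddress;
    if (typeof addr !== "string" || !ADDRESS_RE.test(addr)) {
      // Fail closed: an entry that cannot be checked against the list is hidden.
      hidden.push({ ...nft, hiddenReason: "malformed-contract-address" });
    } else if (spam.has(addr.toLowerCase())) {
      hidden.push({ ...nft, hiddenReason: "spam-contract" });
    } else {
      visible.push(nft);
    }
  }
  return { visible, hidden };
}

// Constructed sample data (placeholder addresses, not real contracts).
const SPAM_LIST = ["0x" + "ab".repeat(20), "not-an-address"];
const WALLET = [
  { contractAddress: "0x" + "11".repeat(20), tokenId: "7", name: "Collected piece" },
  { contractAddress: "0x" + "AB".repeat(20), tokenId: "1", name: "Free claim!!" },
  { contractAddress: undefined, tokenId: "3", name: "Broken entry" },
];
const tabs = partitionBySpam(WALLET, SPAM_LIST);
console.log(tabs.visible.map((n) => n.name), tabs.hidden.map((n) => n.hiddenReason));
```

Without the lower-casing step, the mixed-case entry in the sample wallet would not match the spam list and would stay in the visible gallery.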
How are spam NFTs classified?
Spam classification has a wide range of criteria that includes but is not limited to emitting fake events and copying other well-known NFTs.
Given a contract address we classify spam by looking at a few things:
- If this contract is ERC721, does this contract egregiously break the ERC721 standard?
- If this contract is ERC721, does it have any transfer during which it broke the ERC721 standard?
- Does this contract mint tokens mostly to honeypots? (e.g. vitalik.eth)
- Does this contract egregiously lie about its total supply?
- Is the contract metadata a copycat of another NFT collection?
Some examples of these classifications include:
- Does the ERC721 contract have a lot of duplicate tokens?
- Does the ERC721 contract transfer a token to more than one recipient?
- Is running totalSupply() on the contract vastly different from the empirical number of tokens in circulation?
If any of these criteria are satisfied, Alchemy will mark an NFT as spam.
If your smart contract was either incorrectly marked as spam, or if you identified a spam NFT contract address that bypassed the spam filters, please report it to the Alchemy NFT API team via Discord and we will update the NFT spam filters.
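Four of the criteria listed above (duplicate tokens, a token transferred to more than one recipient, minting mostly to honeypots, and a totalSupply() far from the empirical count) can be checked from a contract's Transfer history. The following is an added example, not Alchemy's classifier: the function name, reason labels, thresholds, event shape and sample addresses are all assumptions.

```javascript
// Added example: heuristic spam checks over a contract's decoded ERC721 Transfer
// events. Not Alchemy's classifier; labels and thresholds are made up for this sketch.
const ZERO = "0x0000000000000000000000000000000000000000";
const norm = (a) => String(a).toLowerCase();

// transfers: full history, oldest first, as { from, to, tokenId } (assumed shape).
function classifyContract(transfers, reportedTotalSupply, opts = {}) {
  const honeypots = new Set((opts.honeypots || []).map(norm));
  const supplyFactor = opts.supplyFactor ?? 10;    // assumption: "vastly different" = 10x
  const honeypotShare = opts.honeypotShare ?? 0.5; // assumption: "mostly" = over half
  const owner = new Map(); // tokenId -> holder implied by the events so far
  let mints = 0, honeypotMints = 0, duplicateMints = 0, badTransfers = 0;

  for (const t of transfers) {
    const from = norm(t.from), to = norm(t.to), id = String(t.tokenId);
    if (from === ZERO) {
      mints++;
      if (honeypots.has(to)) honeypotMints++;
      if (owner.has(id)) duplicateMints++; // tokenId minted while it already exists
    } else if (owner.get(id) !== from) {
      badTransfers++; // sender is not the holder: one token ends up with several recipients
    }
    if (to === ZERO) owner.delete(id); else owner.set(id, to);
  }

  const circulating = owner.size; // empirical number of tokens in circulation
  const hi = Math.max(circulating, reportedTotalSupply);
  const lo = Math.max(1, Math.min(circulating, reportedTotalSupply));
  const reasons = [];
  if (duplicateMints > 0) reasons.push("DUPLICATE_TOKENS");
  if (badTransfers > 0) reasons.push("TRANSFER_BREAKS_ERC721");
  if (mints > 0 && honeypotMints / mints > honeypotShare) reasons.push("MINTS_TO_HONEYPOTS");
  if (hi / lo >= supplyFactor) reasons.push("TOTAL_SUPPLY_MISMATCH");
  return { isSpam: reasons.length > 0, reasons, circulating };
}

// Constructed sample histories (placeholder addresses, not real chain data).
const A = "0x" + "a".repeat(40), B = "0x" + "b".repeat(40), HONEYPOT = "0x" + "c".repeat(40);
const spammy = [
  { from: ZERO, to: HONEYPOT, tokenId: 1 },
  { from: ZERO, to: HONEYPOT, tokenId: 2 },
  { from: ZERO, to: A, tokenId: 1 },     // token 1 minted a second time
  { from: HONEYPOT, to: B, tokenId: 2 },
  { from: HONEYPOT, to: A, tokenId: 2 }, // HONEYPOT no longer holds token 2
];
const honest = [{ from: ZERO, to: A, tokenId: 1 }, { from: ZERO, to: B, tokenId: 2 },
  { from: A, to: B, tokenId: 1 }];
console.log(classifyContract(spammy, 10000, { honeypots: [HONEYPOT] }));
console.log(classifyContract(honest, 2, { honeypots: [HONEYPOT] }));
```

The checks assume the event history starts at contract deployment; a truncated history would make ordinary transfers look like transfers from a non-holder.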
How to Burn Spam NFTs on Ethereum
To burn spam NFTs, send them to a burn address such as the "0xdead" address 0x000000000000000000000000000000000000dEaD.