Spammers harvesting emails from Twitter - in real time

Summary: Spammers are no strangers to the ever-growing Twitter. From commercial Twitter spamming tools, to re-tweeting trending topics for delivering their message, a new crafty search technique can provide spammers with fresh and valid emails harvested from Twitter's users in real-time.

Basically, the search query consists of common phrases such as "email me at" and "contact me at", combined with a domain of the spammer's choice.

The result? A flood of valid, fresh email addresses belonging to Twitter users who are unaware that their emails will not only be indexed by public search engines, but that the output can also be syndicated for spamming purposes.

From theory into practice: a day after the tactic was discussed, a proof-of-concept script was released, although it is reasonable to assume the practice has been taking place for a while now.

Email harvesting has been around since the early days of the Internet and has evolved considerably over the years: from the JS.Yamanner@m worm, which spread through a Yahoo Mail flaw in 2006 and harvested @yahoo.com addresses from infected inboxes in order to propagate further, through the email harvesting scripts that crawl the web and their modern versions, to the Web 2.0 spammer's mentality of harvesting instant messaging and social networking user names. The resulting database usually ends up as a value-added service in a managed spam vendor's proposition.

In Twitter's case, their TOS states that:

  • You are solely responsible for your conduct and any data, text, information, screen names, graphics, photos, profiles, audio and video clips, links ("Content") that you submit, post, and display on the Twitter.com service

While that is as it should be, what Twitter can do to at least slow down this efficient email harvesting approach is either to let its users choose whether or not they want their emails and phone numbers obfuscated (for example with reCAPTCHA Mailhide), or to enforce that policy for all users.
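The following is an added example, not code from the article or from Twitter: a defender-side pre-post check in Python that flags a status update matching the "email me at" / "contact me at" pattern described above and offers the kind of obfuscated text the article suggests. The phrase list, the email regex and the sample posts are assumptions constructed for illustration.

```python
import re

# Assumed (constructed) phrase list: the kinds of phrases the article says
# harvesters pair with a target domain in Twitter search queries.
HARVEST_PHRASES = ("email me at", "e-mail me at", "contact me at")

# Simple e-mail matcher; good enough for screening a short status update.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def find_exposed_emails(text):
    """Return every e-mail address that would be published verbatim."""
    return EMAIL_RE.findall(text)


def matches_harvest_pattern(text):
    """True when the post pairs a harvester phrase with a real address,
    i.e. it would be returned by the search technique the article describes."""
    lowered = text.lower()
    return bool(EMAIL_RE.search(text)) and any(p in lowered for p in HARVEST_PHRASES)


def obfuscate_emails(text):
    """Rewrite each address into a human-readable but non-mailto form,
    in the spirit of the opt-in obfuscation the article suggests."""
    def _hide(match):
        local, domain = match.group(0).rsplit("@", 1)
        return f"{local} [at] {domain.replace('.', ' [dot] ')}"
    return EMAIL_RE.sub(_hide, text)


def screen_post(text):
    """Pre-post check: report what would leak and offer a safer version."""
    exposed = find_exposed_emails(text)
    return {
        "exposed_emails": exposed,
        "harvestable": matches_harvest_pattern(text),
        "suggested_text": obfuscate_emails(text) if exposed else text,
    }


if __name__ == "__main__":
    # Constructed sample status updates, not real tweets.
    for post in ("Email me at alice@example.com if you want the slides",
                 "Great talk today, see everyone tomorrow"):
        print(screen_post(post))
```

A real deployment would run this server-side before the tweet reaches the public timeline, since (as a commenter below notes) deleted tweets can linger in search results.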

Topics: Collaboration, Security, Social Enterprise

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

38 comments
  • People still get spam??

    I think Gmail has made spam irrelevant, but let's test it and see.

    brett@brettschulte.com

    http://twitter.com/brettschulte/status/1789431680
    brett@...
• Got anything yet?

I have several gmail accounts, and one of them I never gave to anyone, to see what I get from spammers, and I still get spam in that account.
      I get about 10 spam messages a day in that un-published account, which I use to see what gmail gets as a baseline relative to other accounts and other domains. I run my own mail server at work and I use these results from gmail to tune my mail server.
      Again show us what you get.
      phatkat
    • Yes, people still get spam

      I frequently find legitimate mail in my gmail spam folder. Do you really think gmail is perfect???? Helloooooo! You have to review your spam folder.
      dpatjhh
      • Gmail's spam filter

        100% of the mails in my Spam folder are, well, spam. 548 of them, at last count. Yes, Gmail does seem to be doing a good job at fighting spam...
        vallab444
    • You had to go and say that, didn't you!

As someone who owns/administers a number of domains I get quite a lot of spam - something like 1000 messages a day. Almost all of it is dealt with by various spam filters. Of course if someone asks if you've received a message and you have to check your spam-trap, well that's a whole other ball game!

      However today - pretty much since you made that statement, actually - I'm seeing insane levels of spam. The message count in the spam-trap is increasing at about 10/minute, which, if it continues at the current rate, will come out at 15,000 messages a day.

      Hope you're not paying too much for your little test - note that once they have your email, they hang onto it for years.
      David Hamilton
    • As long as there is 'Outbreak'

      There will be PLENTY of spam.
      comp_indiana
  • Fools plaster private data on a public domain PERIOD!

    Only a fool puts private data, pictures on a public domain for the world to see and manipulate ANYWAY they want to with no recourse.

    They will learn the hard way when you spew your private life it is fair game.
    Christian_<><
    • Not Todd Davis, eh?

      Not that Todd Davis has to say anything about that.
However, you are correct that you shouldn't put any of your personal information on the internet, since all of the identity thieves just love it when people do that.
      phatkat
      • The concept of Identity must be changed

        It isn't the people who put information on the internet that is the problem. It's the poor identity and authentication practices of institutions that deal with our data.

A birth date, mother's maiden name, or any other personal information should NEVER be used to confirm identity.

This is as old as password security. Anything personal is inherently insecure because another organisation has that information. How many TV hackers use the executive's kid's name (or some other personal information) as the password? Hell, it's such a cliche even The Watchmen movie used it.

        Any executive assistant knows enough about their boss to pass this identity test.

        Fight any institution that tries to use personal information as an identity check, because it lulls the punters into a false sense of security.
        paulzag
  • RE: Spammers harvesting emails from Twitter - in real time

    What bothers me the most about Twitter's search feature is that once a tweet has been posted to the public timeline, it can't be removed from it. It can be deleted, but it will still show up in the public timeline for weeks to come.

    As a proof of concept, I refer you to my earlier blog post on the subject at:
    http://blog.drinfosec.com/2009/03/truth-about-twitter-search.html
    veltsos@...
    • Try deleting something from the internet then...

      How can you be bothered by this "feature" when google never forgets?

      When will people start taking responsibility for their actions?

      I challenge you to make a blog post, wait for it to appear on Technorati or your favorite ping service, then delete your post. Once it's been indexed it is online forever.

      So don't publish, update, ping, poke, status, or send anything you wouldn't want your mother, boss or customer to see. Sign your name or nick to everything to remind you that EVERYTHING is public. That includes all the so-called "personal" information everyone is crying wolf about.

      Lastly pressure governments and institutions to stop using personal information as a proxy for identity.
      paulzag
  • RE: Spammers harvesting emails from Twitter - in real time

I think it's never a good idea to post one's e-mail address publicly, neither on Twitter nor elsewhere.
    datadirt
  • RE: Spammers harvesting emails from Twitter - in real time

Amazon is a great place for harvesting emails. They forward all seller inquiry messages to the seller's email address. Maybe this will get them to finally fix this.
    BlackIPs
  • Spammer harvesting.

Come on children. If you really want to put a stop to it, develop the mindset not to patronize any company that sends spam. Then you also have to help cultivate that same mindset in your family members, and so on and so on. Eventually the money trail will stop and spamming will become obsolete.
    jskline0@...
    • exactly

      Stop using products that are spammed, and fine the product manufacturer who makes the product, and spam will cease to exist.
      Regardless of how legitimate a company wants you to believe they are, people don't spam because they like a product, they spam because they are being paid.
NO company hands over money for advertisement without knowing exactly what that money will be buying, so they know what is happening; make them pay and it will stop.

      Ken.
merc2dogs
    • Foolish Statement

What??? Do you have the list of non-spamming websites? Potentially just having an e-mail address is enough to receive spam. Yes, avoiding obvious websites like free porn in exchange for just giving your e-mail address, or sites that give away free computers, cameras etc., is EASY. But as things stand here in the real world, there is no such thing as a SPAM-free world just because you avoid sites that you "think" don't spam nor sell your information. As I mentioned in an earlier post, if you have a spam filter that is catching spam before it reaches your inbox you are still being SPAMMED... Meaning apparently you patronized a company that sends spam..
      Timewellwasted
      • Yes you've made a foolish statement

        You don't need to post your details or have some website sell your email address to receive spam.

        If your address is in someone's address book that can be harvested.

        If your email account name @domain is common it will be brute forced. john[a-z]@ domain gets spammed if the account exists or not.

        Filters are the ONLY solution in the current environment
        paulzag
      • Yes you've made a foolish statement

        You don't need to post your details or have some website sell your email address to receive spam.

        If your address is in someone's address book that can be harvested by malware or a bad CC.

        If your email account name @domain is common it will be brute forced. e.g. john[a-z]@ domain gets spammed if the account exists or not. That's easier than harvesting an email.

        Filters are the ONLY solution in the current environment.
        paulzag
        • Complete idiot...

What a twit. You are responding like I am not aware of these types of problems! I responded to someone's comment that stated if everyone avoided companies that send spam we will all become spam-free!

          So you are barking up the wrong tree junior.
          My REPLY was far from foolish and is right in line with your comments, so apparently you just enjoy slamming people for explaining that avoiding websites that send spam is NOT going to stop the SPAM. Again, something a twit would do. It takes all kinds...
          Timewellwasted
          • Does name-calling normally get results for you?

I quote your post:
            "As I mentioned in an earlier post if you have a Spam filter that is catching Spam before it reaches your In Box you are still being SPAMMED... Meaning apparently you patronized a company that sends spam"

            You are contradicting yourself.

            Spam does not depend on whom you patronize.

            Calling me names behind an anonymous nick says more about you than me. The "junior" quip was somewhat flattering.
            paulzag