Spammers harvesting emails from Twitter - in real time
Summary: Spammers are no strangers to the ever-growing Twitter. From commercial Twitter spamming tools, to re-tweeting trending topics for delivering their message, a new crafty search technique can provide spammers with fresh and valid emails harvested from Twitter's users in real-time.
Basically, the search query consists of common phrases such as "email me at" and "contact me at" combined with a domain of the spammer's choice.
The result? A flood of valid, fresh email addresses belonging to Twitter users who are unaware that their addresses will not only be indexed by public search engines, but also that the output can be syndicated for spamming purposes.
From theory into practice: a day after the tactic was discussed, a proof-of-concept script was released, though it is reasonable to assume the practice had already been going on for a while.
Email harvesting has been around since the early days of the Internet and has evolved considerably over the years: from the JS.Yamanner@m worm, which spread through a Yahoo Mail flaw in 2006 and harvested @yahoo.com addresses from infected inboxes in order to propagate further, through the email-harvesting scripts that crawl the web and their modern descendants, to the Web 2.0 spammer's mentality of harvesting instant-messaging and social-networking user names. The resulting database usually ends up as a value-added service in a managed spam vendor's proposition.
In Twitter's case, their TOS states that:
- You are solely responsible for your conduct and any data, text, information, screen names, graphics, photos, profiles, audio and video clips, links ("Content") that you submit, post, and display on the Twitter.com service
And while that should indeed be the case, what Twitter can do to at least slow down this efficient harvesting approach is either to let its users choose whether their email addresses and phone numbers are obfuscated (for example with reCAPTCHA Mailhide), or to enforce such a policy for all users.
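The harvesting technique described above pairs a contact phrase with an email address in a public post; the obfuscation suggested as a mitigation only helps if the address is caught before it is published. The following pre-publish audit is an added example, not code from the article or from Twitter: it flags posts that expose an email address (and, more weakly, a phone number), marks the ones that also carry one of the search phrases spammers pair with a domain, and redacts the address. The sample posts and their addresses are constructed placeholders.

```python
import re

# Constructed sample posts; addresses and numbers are placeholders, not real data.
SAMPLE_POSTS = [
    "Looking for freelance work, email me at alice@example.com",
    "contact me at bob.smith@example.org or DM",
    "Great conference today, see you all next year!",
    "my number is 555-0100, text anytime",
]

# Contact phrases the article says spammers combine with a target domain in a search.
HARVEST_PHRASES = ("email me at", "contact me at", "mail me at", "reach me at")

# Deliberately simple patterns: enough to catch a plainly written address or number.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\b\d{3}[-.\s]?\d{4}\b")  # simplified local-number shape


def audit_post(text):
    """Describe the contact details one post would expose if published."""
    emails = EMAIL_RE.findall(text)
    phones = PHONE_RE.findall(text)
    phrases = [p for p in HARVEST_PHRASES if p in text.lower()]
    return {
        "emails": emails,
        "phones": phones,
        "phrases": phrases,
        # An address anywhere in a public post is already indexable.
        "exposed": bool(emails or phones),
        # An address next to a contact phrase matches the harvesting search exactly.
        "harvestable": bool(emails and phrases),
    }


def redact_post(text):
    """Replace any email address so the published post no longer carries it."""
    return EMAIL_RE.sub("[email withheld]", text)


def audit_posts(posts):
    """Audit a batch of posts before they are published."""
    return [audit_post(p) for p in posts]


if __name__ == "__main__":
    for post, result in zip(SAMPLE_POSTS, audit_posts(SAMPLE_POSTS)):
        if result["exposed"]:
            print("EXPOSED" + (" (harvestable)" if result["harvestable"] else ""), "->", redact_post(post))
```

Obfuscation of the kind the article mentions would go where the redaction placeholder is inserted; the audit itself is what tells you the post needed it.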
Talkback
People still get spam??
brett@brettschulte.com
http://twitter.com/brettschulte/status/1789431680
Got anything yet?
I get about 10 spam messages a day in that un-published account to see what I get gmail as a baseline relative to other accounts and other domains. I run my own mail server at work and I use these results from gmail to tune my mail server.
Again show us what you get.
Yes, people still get spam
Gmail's spam filter
You had to go and say that, didn't you!
lot of spam - something like 1000 messages a day. Almost all of it is dealt with by various spam filters. Of course if someone asks if you've received a message and you have to check your spam-trap, well that's a whole other ball game!
However today - pretty much since you made that statement, actually - I'm seeing insane levels of spam. The message count in the spam-trap is increasing at about 10/minute, which, if it continues at the current rate, will come out at 15,000 messages a day.
Hope you're not paying too much for your little test - note that once they have your email, they hang onto it for years.
As long as there is 'Outbreak'
Fools plaster private data on a public domain PERIOD!
They will learn the hard way: when you spew your private life, it is fair game.
Not Todd Davis, eh?
However, you are correct that you shouldn't put any of your personal information on the internet, since all of the identity thieves just love it when you do that.
The concept of Identity must be changed
A birth date, mother's maiden name, or any other personal information should NEVER be used to confirm identity.
This is as old as password security. Anything personal is inherently insecure because another organisation has that information. How many TV hackers use the executive's kid's name (or some other personal information) as the password? Hell, it's such a cliché even The Watchmen movie used it.
Any executive assistant knows enough about their boss to pass this identity test.
Fight any institution that tries to use personal information as an identity check, because it lulls the punters into a false sense of security.
RE: Spammers harvesting emails from Twitter - in real time
As a proof of concept, I refer you to my earlier blog post on the subject at:
http://blog.drinfosec.com/2009/03/truth-about-twitter-search.html
Try deleting something from the internet then...
When will people start taking responsibility for their actions?
I challenge you to make a blog post, wait for it to appear on Technorati or your favorite ping service, then delete your post. Once it's been indexed it is online forever.
So don't publish, update, ping, poke, status, or send anything you wouldn't want your mother, boss or customer to see. Sign your name or nick to everything to remind you that EVERYTHING is public. That includes all the so-called "personal" information everyone is crying wolf about.
Lastly pressure governments and institutions to stop using personal information as a proxy for identity.
RE: Spammers harvesting emails from Twitter - in real time
forward all seller inquiry messages to the seller's email address. Maybe this will get them to finally fix this.
Spammer harvesting.
exactly
Regardless of how legitimate a company wants you to believe they are, people don't spam because they like a product, they spam because they are being paid.
NO company hands over money for advertisement without knowing exactly what that money will be buying, so they know what is happening; make them pay and it will stop.
Ken.
Foolish Statement
Yes you've made a foolish statement
If your address is in someone's address book that can be harvested.
If your email account name @domain is common it will be brute forced. john[a-z]@ domain gets spammed if the account exists or not.
Filters are the ONLY solution in the current environment
Yes you've made a foolish statement
If your address is in someone's address book that can be harvested by malware or a bad CC.
If your email account name @domain is common it will be brute forced. e.g. john[a-z]@ domain gets spammed if the account exists or not. That's easier than harvesting an email.
Filters are the ONLY solution in the current environment.
Complete idiot...
So you are barking up the wrong tree, junior.
My REPLY was far from foolish and is right in line with your comments, so apparently you just enjoy slamming people for explaining that avoiding websites that send spam is NOT going to stop the SPAM. Again, something a twit would do. It takes all kinds...
Does name-calling normally get results for you?
"As I mentioned in an earlier post if you have a Spam filter that is catching Spam before it reaches your In Box you are still being SPAMMED... Meaning apparently you patronized a company that sends spam"
You are contradicting yourself.
Spam does not depend on whom you patronize.
Calling me names behind an anonymous nick says more about you than me. The "junior" quip was somewhat flattering.