
May 13th, 2009

Spammers harvesting emails from Twitter - in real time

Posted by Dancho Danchev @ 3:37 pm

Categories: Browsers, Privacy, Social Networking Applications, Spam and Phishing, Web 2.0

Tags: Spammer, Twitter, E-mail, Spam, Online Communications, Security, Spam And Phishing, Dancho Danchev

Spammers are no strangers to the ever-growing Twitter, from commercial Twitter spamming tools to re-tweeting trending topics to deliver their message. Now a crafty new search technique can provide spammers with fresh and valid emails harvested from Twitter’s users in real time.

Basically, the search query consists of common phrases such as “email me at” and “contact me at” in combination with a domain of the spammer’s choice.

The result? A flood of valid and fresh email addresses of Twitter users, who are unaware not only that their emails will get indexed by public search engines, but also that the output can be syndicated for spamming purposes.

From theory into practice: a day after the tactic was discussed, a proof of concept script was released, although it is logical to assume that the practice has been taking place for a while now.

Email harvesting has been around since the early days of the Internet, and has evolved greatly throughout the years. It ranges from the JS.Yamanner@m worm, which spread through a Yahoo Mail flaw in 2006 and harvested @yahoo.com emails from the infected inboxes in order to propagate further, through the email harvesting scripts crawling the web and their modern versions, to the Web 2.0 spammer’s mentality of harvesting instant messaging and social networking user names. The resulting database usually ends up as a value-added service in a managed spam vendor’s proposition.

In Twitter’s case, their TOS states that:

  • You are solely responsible for your conduct and any data, text, information, screen names, graphics, photos, profiles, audio and video clips, links (“Content”) that you submit, post, and display on the Twitter.com service

And whereas that should be the case, what Twitter can do to at least slow down this efficient email harvesting approach is either to allow its users to choose whether or not they would like to have their emails/phone numbers obfuscated (reCAPTCHA Mailhide), or to enforce the policy for all users.
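
A minimal sketch of the server-side obfuscation suggested above, as an added example that is not code from Twitter, reCAPTCHA Mailhide or the original post. It masks the local part of every email address in a post before the text becomes publicly searchable; the function names, the truncation format and the sample posts are assumptions made for illustration, and phone numbers are out of scope.

```python
import re

# Pragmatic pattern for finding addresses in free text (not a full RFC 5322
# parser). The lookbehind stops a match from starting in the middle of a word,
# and a bare "@mention" has no local part, so it is never matched.
EMAIL_RE = re.compile(
    r"(?<![\w.+-])([A-Za-z0-9][A-Za-z0-9._%+-]*)"   # local part
    r"@((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})"          # domain
)


def mask_local(local: str, keep: int = 3) -> str:
    """Show at most `keep` leading characters and always hide at least one."""
    return local[: min(keep, len(local) - 1)] + "..."


def obfuscate_post(text: str) -> tuple[str, int]:
    """Return (text with every address masked, number of addresses masked)."""
    return EMAIL_RE.subn(
        lambda m: f"{mask_local(m.group(1))}@{m.group(2)}", text
    )


# Constructed sample posts using the phrases the article mentions.
SAMPLE_POSTS = [
    "email me at jane.doe@example.com for details",
    "contact me at al@mail.example.org, thanks @bob",
    "no address in this one",
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        masked, count = obfuscate_post(post)
        print(f"{count} masked: {masked}")
```

A search for “email me at” plus a domain still finds the masked post, but the address it returns is no longer deliverable. Addresses a user has already disguised by hand ("jane at example dot com") are not touched by this pattern.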

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.
