Saturday, January 8, 2011

The background of Facebook's invitation spam

During the last months the spam traps at NiX Spam received thousands of unrequested Facebook invitations. As unsolicited bulk mail, these are spam. But Facebook did not recognize the problem until Return Path got involved.

Prologue
Between January 2nd and January 4th the spam traps at NiX Spam received more than six thousand Facebook invitations from a person calling herself "Anna Love". For most of these invites we created an Abuse Report (ARF) as defined in RFC 5965. They were sent to domain@facebook.com, which is the abuse contact according to the WHOIS database. The reaction to the ARF reports was zero: they neither reacted to the reports nor shut down the user account. So the spam kept flowing.
This huge amount of spam led to a blacklisting of 33 IPs on January 4th, and that only names the five most annoying ones.
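As an added illustration of the ARF format the reports mentioned above use (this is example code written for this page, not NiX Spam's reporting tool), the following builds an RFC 5965 feedback report around a constructed sample invitation with Python's standard email package and then parses it back the way an abuse desk would. The addresses, the IP 192.0.2.10, the domains and the User-Agent name are constructed placeholders, not values from the original incident.

```python
import email
from email.message import Message
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.nonmultipart import MIMENonMultipart
from email.mime.text import MIMEText
from email.utils import formatdate

# Constructed sample of an unsolicited invitation as a spam trap would see it.
# Every address, host, IP and ID below is made up for this example.
ORIGINAL_RAW = """\
Received: from mail.sender.example (mail.sender.example [192.0.2.10])
  by trap.example.net with ESMTP id 4Nx2k6; Tue, 04 Jan 2011 10:15:02 +0100
From: "Social Site" <invite@sender.example>
To: nobody@trap.example.net
Subject: Someone wants to be your friend
Date: Tue, 04 Jan 2011 10:15:01 +0100
Message-ID: <constructed-0001@sender.example>

You have been invited to join. Click here to accept.
"""


def build_arf_report(original: Message, *, reporter: str, abuse_contact: str,
                     source_ip: str, reported_domain: str,
                     feedback_type: str = "abuse") -> MIMEMultipart:
    """Wrap an unsolicited message in an RFC 5965 abuse report (three MIME parts)."""
    report = MIMEMultipart("report", **{"report-type": "feedback-report"})
    report["From"] = reporter
    report["To"] = abuse_contact
    report["Subject"] = "Abuse report: " + original.get("Subject", "(no subject)")
    report["Date"] = formatdate()

    # Part 1: human-readable summary
    report.attach(MIMEText(
        f"This is an email abuse report for a message received from IP {source_ip}.\n"
        "The machine-readable part and the original message follow (RFC 5965).\n"))

    # Part 2: machine-readable feedback report, one "Name: value" field per line.
    # Original-Mail-From is really the envelope sender; the constructed sample has
    # no envelope, so the From header stands in for it here.
    fields = [
        ("Feedback-Type", feedback_type),
        ("User-Agent", "ExampleReporter/1.0"),   # assumed name for this example
        ("Version", "1"),
        ("Original-Mail-From", original.get("From", "")),
        ("Original-Rcpt-To", original.get("To", "")),
        ("Arrival-Date", original.get("Date", "")),
        ("Source-IP", source_ip),
        ("Reported-Domain", reported_domain),
    ]
    feedback = MIMENonMultipart("message", "feedback-report")
    feedback.set_payload("".join(f"{name}: {value}\n" for name, value in fields))
    report.attach(feedback)

    # Part 3: the original message in full, as message/rfc822
    report.attach(MIMEMessage(original))
    return report


def parse_arf(raw: str) -> dict:
    """Extract the feedback fields and the original message from an ARF report."""
    msg = email.message_from_string(raw)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "feedback-report"):
        raise ValueError("not an ARF feedback report")
    result = {"fields": {}, "original": None}
    for part in msg.get_payload():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":
            # The parser treats any message/* body as a nested message, so the
            # report fields come back as that nested message's headers.
            inner = part.get_payload(0)
            result["fields"] = dict(inner.items())
        elif ctype == "message/rfc822":
            result["original"] = part.get_payload(0)
    return result


def demo() -> dict:
    """Build a report for the constructed sample and read it back."""
    original = email.message_from_string(ORIGINAL_RAW)
    report = build_arf_report(original,
                              reporter="abuse-reporter@trap.example.net",
                              abuse_contact="abuse@sender.example",
                              source_ip="192.0.2.10",
                              reported_domain="sender.example")
    raw = report.as_string()
    parsed = parse_arf(raw)
    return {
        "fields": parsed["fields"],
        "original_subject": parsed["original"]["Subject"],
        "part_types": [p.get_content_type()
                       for p in email.message_from_string(raw).get_payload()],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The receiving side matters as much as the sending side: an abuse desk that wants to act on reports automatically needs exactly the `parse_arf` half, keyed on `Original-Rcpt-To` and `Source-IP`, to tie a complaint back to the account that triggered the mail.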

The story
Normally a listing of such a big company leads to many delisting requests and sometimes even insults. At 7 pm (CET) on January 4th Sarah from Return Path requested the delisting of 9 different IPs and gave "increased volume" as the justification.
That puzzled me. Why is Return Path requesting the delisting of Facebook IPs? And what does she mean by increased volume? So I wrote to her and asked for an explanation. I got none, but she asked me how we define spam and whether the messages that were complained about are the only factor on which we added Facebook to the blacklist. That made me think that Return Path received all the Abuse Reports sent to Facebook; how else could she know about the complained-about messages?
I answered her that we define any unsolicited mail sent to our traps as spam. Not every spam mail leads to a blacklisting, but having more than 6000 unwanted mails from Facebook in the inbox is a sufficient condition to block Facebook. And as mentioned we complained about most of these mails.
After sending this answer to Sarah I got no response, not even until now.
In the meantime Bert from NiX Spam tweeted that Return Path removes blacklistings to allow Facebook to send more spam. And Return Path answered that they are confused, as they are not in charge of Facebook.
So we had to clarify this via email, explaining the situation and asking for more information. The outcome of a back-and-forth mailing between Neil S. from Return Path and "KP" from Facebook's delivery team is that Return Path is not related to Facebook but removed IPs from the blacklist as a service: "Along the way, we may request a delisting if the DNSBL has
such facility."
KP assumes that we have a Catch-All spam trap that accepts any mail, and that because of that it was possible to send so many invites.
Bottom line is that someone knows about manitu's spamtraps and is using them to send a bunch of invite spam that would not be possible for users with single addresses.
Strange. What is the difference between single addresses and Catch-All spam traps? I can't see any. The opposite is true: every delivery request from Facebook to the spam trap is rejected with something like "550 user unknown". Does this trigger a mechanism such as "if one mail bounces, try even harder"?
What makes me think so? The Anna Love invitation spam started in October, and we ignored that spam wave (except for REJECTing the mails and sending ARFs). The next wave of reminder mails reached us in December, and we ignored that too (but again REJECTed and reported). A normal Email Service Provider would see the rejections and reports as a problem on the receiver's side and disallow any further mailing to that non-existent recipient.
I have to say that we do not operate only one Catch-All domain. There are more than one hundred of them, and the problematic Facebook account managed to write to tens of them.
Later KP from Facebook really found out that "Anna Love" is the abusive user, and he states:
It was a single account ("Anna Love") created out of St. Petersburg that sent about 3 million invites since November.
Wow. That's impressive. And nobody at Facebook noticed that earlier? KP assumes that this was an attack on the blacklist because it only affected DE top-level domains and the Anna Love account "did not promote anything". But that definitely was no attack. To attack the spam traps you would need 3 million mails in a few hours. The total number of unwanted messages we received from Facebook from November until now is "only" 22,000. And as they are not only from "Anna Love" but from many others too, there must be other victims of Facebook invitation spam.
The best guess I can give is that this was a test run for a new spamming opportunity. What's easier than creating a Facebook account and using the Facebook infrastructure to bypass all spam filters, as Facebook is on so many whitelists? And yes, the invitation spams do promote something: the Anna Love profile (and of course Facebook itself). The next spam run will probably promote the profile of "Dr. Sarah Miller" who is working at "Canadian Pharmacy". I'll bet on it.
If you now think Facebook does something about that particular account, I can tell you that they don't do it consistently. The account may be closed (not checkable from our side) but the outgoing message queue is still full of those invites. Here is just one example of an IP that is still blacklisted: http://zy0.de/q/66.220.144.164

Epilogue
What do we learn from that?
  1. Return Path does request delisting from blacklists if they can, and they mediate between senders and blacklist providers. That's a very good idea as long as they can solve the spamming problem. In this case they can't, but it's not the fault of Return Path.
  2. Facebook limits the mails that can be sent to a non-Facebook address to 3 (one invite and two reminders). What they don't say is whether that's a limit per account or an overall limit. But what they definitely don't limit is the number of (possible) new members one account can contact.
  3. We also see that they don't check the SMTP error codes. If they did, subsequent mails to the same address would not be possible. Or at least the alarm bells should ring when thousands of invitations from one account couldn't be delivered.
  4. We also notice that closing one account does not mean that they clean the mails of the deleted account out of the outgoing message queue.
There is something else you can read between the lines: nobody else cares about the blacklisting of Facebook at NiX Spam. Sarah from Return Path was the one and only person who requested delisting.
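The three sender-side controls that points 2 to 4 describe as missing (a per-recipient cap, honouring permanent SMTP rejections for the recipient and raising an alarm per account, and purging the outgoing queue when an account is closed) fit in one small model. This is added example code for this page, not Facebook's or NiX Spam's; the account name, the trap addresses and the alert threshold of 50 are assumptions, and the 3-message cap is the limit stated in point 2.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

MAX_MESSAGES_PER_RECIPIENT = 3    # stated limit: one invite plus two reminders
DEFAULT_ALERT_THRESHOLD = 50      # constructed value for this example


@dataclass(frozen=True)
class Outcome:
    action: str          # "queued", "suppressed", "capped" or "rejected"
    reason: str = ""


class InviteDeliveryGuard:
    """Outbound-side guard for invitations sent to unverified (non-member) addresses."""

    def __init__(self, alert_threshold: int = DEFAULT_ALERT_THRESHOLD):
        self.alert_threshold = alert_threshold
        self.queue = deque()                        # pending (account, recipient, kind)
        self.suppressed = set()                     # recipients that answered with 5xx
        self.sent_count = defaultdict(int)          # (account, recipient) -> messages queued
        self.permanent_failures = defaultdict(int)  # account -> 5xx replies seen
        self.closed_accounts = set()
        self.alerts = []
        self.smtp_log = []                          # (account, recipient, code, text)

    def enqueue(self, account: str, recipient: str, kind: str = "invite") -> Outcome:
        """Decide whether one more message from account to recipient may be queued."""
        if account in self.closed_accounts:
            return Outcome("rejected", "account closed")
        if recipient in self.suppressed:
            return Outcome("suppressed", "recipient previously rejected with 5xx")
        key = (account, recipient)
        if self.sent_count[key] >= MAX_MESSAGES_PER_RECIPIENT:
            return Outcome("capped", f"already sent {MAX_MESSAGES_PER_RECIPIENT} messages")
        self.sent_count[key] += 1
        self.queue.append((account, recipient, kind))
        return Outcome("queued")

    def record_smtp_reply(self, account: str, recipient: str, code: int, text: str) -> None:
        """Act on the receiving MTA's reply: 5xx means stop and count it against the account."""
        self.smtp_log.append((account, recipient, code, text))
        if 500 <= code < 600:
            self.suppressed.add(recipient)
            self.permanent_failures[account] += 1
            if self.permanent_failures[account] == self.alert_threshold:
                self.alerts.append(
                    f"{account}: {self.alert_threshold} invitations permanently rejected")
        # 4xx replies are temporary failures; a real MTA retries them (not modelled here).

    def drain(self, deliver) -> int:
        """Hand every queued message to deliver(account, recipient, kind) -> (code, text)."""
        attempted = 0
        while self.queue:
            account, recipient, kind = self.queue.popleft()
            code, text = deliver(account, recipient, kind)
            self.record_smtp_reply(account, recipient, code, text)
            attempted += 1
        return attempted

    def close_account(self, account: str) -> int:
        """Close the account and drop its not-yet-sent messages; returns how many were purged."""
        self.closed_accounts.add(account)
        before = len(self.queue)
        self.queue = deque(m for m in self.queue if m[0] != account)
        return before - len(self.queue)


def simulate() -> dict:
    """Replay the pattern from the post with constructed data: one account, many traps."""
    guard = InviteDeliveryGuard(alert_threshold=50)
    account = "acct-constructed-0001"
    traps = [f"nobody{i}@spamtrap.example" for i in range(60)]

    first_round = [guard.enqueue(account, t).action for t in traps]
    guard.drain(lambda acct, rcpt, kind: (550, "5.1.1 user unknown"))   # every trap rejects
    reminders = [guard.enqueue(account, t, "reminder").action for t in traps]

    cap_test = [guard.enqueue(account, "friend@example.org").action for _ in range(4)]
    guard.drain(lambda acct, rcpt, kind: (250, "2.0.0 OK"))            # accepted deliveries

    pending = [guard.enqueue(account, f"new{i}@example.org").action for i in range(5)]
    purged = guard.close_account(account)
    after_close = guard.enqueue(account, "another@example.org").action

    return {
        "first_round_queued": first_round.count("queued"),
        "reminders_suppressed": reminders.count("suppressed"),
        "capped": cap_test.count("capped"),
        "permanent_failures": guard.permanent_failures[account],
        "alerts": len(guard.alerts),
        "pending_queued": pending.count("queued"),
        "purged_on_close": purged,
        "after_close": after_close,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, "=", value)
```

The suppression set is keyed on the recipient, not on the (account, recipient) pair, because a "550 user unknown" says something about the address, not about who tried to reach it; a second account inviting the same non-existent address is stopped too.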

Conclusion
There are many possibilities for Facebook to get around the delivery problems they are facing after being blacklisted. The best and most sophisticated method is to monitor the deliverability of outgoing mails, limit outgoing mails and implement a good Abuse Desk that monitors and handles Abuse Reports.
The simplest way is to separate the outgoing mail servers into two groups: one group responsible for sending invites (to unverified recipients) and a second group for everything else, like newsletters, updates and the like (to Facebook users).
This would allow recipients to decide how to handle the one (reject) and the other (accept).

Update (Jan 09, 2011)
I've received the information that the correct email address for reporting Facebook spam is spamreport@facebook.com. So from now on all ARF reports go to that address. Hope that helps.
@Facebook: The address should be updated in the WHOIS database.

Update 2 (Jan 10, 2011)
The complete Facebook range is on the whitelist again. The spam suddenly stopped. Well, not completely, but it is now at the "normal" rate again. The whitelisting will be revised at the next excessive spam boost.

1 comment:

Joe Sniderman said...

Still curious why ReturnPath thought "increased volume" would be a good reason for delisting. Asking y'all about your definition of spam seems puzzling to me as well - were they hoping that "that which our clients do not do" would be the answer?

Not sure that a responsive abuse desk would really solve the problem however:

Allowing those invites to be sent to someone who definitely hasn't requested them, but who might be friends with the requester, is the problem.

Resending them automatically if they bounce, or even if the recipient just decides to delete - makes it worse.

Facebook dropping that nasty practice in its entirety would be the ideal approach IMHO.

Oh and FWIW attempting to share on one's Facebook wall the link to the Facebook postmaster page that shows the outbound IPs gets blocked by Facebook. Irony, eh.

Please do keep up the good work. : )