Twitter seems to be deliberately encouraging spam accounts

[jducoeur]

Okay, the only way to get a rise out of anybody these days seems to be embarrassing companies on social media. Let's see if Twitter is paying any attention.

One of my domains has a long-standing but rapidly growing problem with Twitter Spammers. Specifically, some jackass has decided to use my personal domain to create lots of fake accounts on Twitter. This used to be only occasional, but I got three of them today, all pretty bloody obvious: I got confirmation emails to "hiv3s7@w***.org", "wrig7ryv@w***.org" and "wrig2px@w***.org". Of course, none of these are real emails, but they all land in my inbox since I own the domain. And the hell of it is, I can do *nothing* to shut these fraudsters down!

Seriously, this is where, as far as I can tell, Twitter is simply giving a gigantic f-u to anyone who owns a domain. The *only* thing I can do is to respond individually to each of these and say "this isn't my email address". That doesn't actually shut down the spammy twitter account -- I can't even say, "I own this domain, and I am 100% certain that this is an attempt to spam". There is absolutely nowhere I can find on Twitter's Help system to let me say, "my domain is being attacked through you; stop allowing people to sign up through w***.org", and there is no sign that they are noticing that every attempt to sign up via w***.org is being rejected and gee, maybe they should learn something from that.

It's getting to the point where I'm thinking of writing Twitter off as a bad idea, and simply spam-boxing all email from it, rather than trying to be helpful. I wish I had the slightest indication that they actually cared in the slightest about their users...

Comments

[laurion]

Most people stopped accepting emails to invalid addresses a long time ago for this reason. Twitter isn't the first, and probably isn't the last. You must have a setting there that is a catch-all or wildcard that is accepting these emails and dropping them in your inbox. I bet if you were to stop accepting wildcards and start bouncing them, not only would you stop seeing these spammy messages, but twitter would know these accounts were using fake email addresses and could shut them down.

[jducoeur]

The problem, of course, is that the entire *point* of this domain is to allow me to give out addresses in a straightforwardly controlled way; it's the domain I use when an untrusted recipient demands an email address, so I can track their usage. I've been using it that way for over 15 years now, and this is the first time I've had a problem like this.

You're probably correct about the way Twitter assumes the world works, and the truth is that this probably wouldn't burn my butt so much if they at least gave me a way to say, "I am certain, no shit, that this address is a spammer". That is, at least give me a freaking *manual* way to declare that they have reached an invalid address. Catch-all inboxes are not so rare as to make that an unreasonable desire. (Heck, most ISPs I've worked with still explicitly offer them, front and center.)

But not only do they not do that, I've begun to see occasional emails *other* than confirmations for these spam accounts, which leads me to believe that they aren't sufficiently careful about checking confirmations first. The confluence of these is starting to really piss me off...

[laurion]

I can do the same thing without catching wildcards. It's a part of the email spec that you can add '+foo' to your email address and have it still be valid. So if I were to tell you to always email me at 'laurion+jducoeur@domain' it will come to my laurion@domain address, but I can at a glance see that it is from you, filter on it, see if you've given that to someone else, et cetera. This gives tools like Twitter the ability to strip that 'tag' and see if the address is already in use.

But if you're going to have a catch-all, twitter has no real way of knowing that these aren't real addresses the spammers are creating. Unless it gets bounced back to them, it -is- a real address. And given how the namespaces at gmail and yahoo and other mail providers fill up, who are they to say that "wrig2px@w***.org" is a spammy address? I don't think Twitter is in the wrong here, nor is it their place to maintain a blacklist or whitelist of acceptable domain names for email. Just like the cable company isn't responsible for deciding whether or not you see a commercial, you choose to turn off the TV or leave it on and receiving adverts.

Now if there are other emails being sent by twitter other than the confirmation email, then that is on their heads. Until that confirmation loop is closed they should refuse to engage in any additional 'dialogue'.

[jducoeur]

It's a part of the email spec that you can add '+foo' to your email address and have it still be valid.

It's a beautiful theory, and I use it in Gmail from time to time. But in practice, a surprisingly large number of websites (I'd guess a quarter of the times I've tried it) disallow "+" in email addresses, despite the fact that it's explicitly legal in the spec. That's one of the main reasons I still tend to use my own domain: the "+" trick fails too often in my experience.

And mind, your advice is essentially telling me to close the barn door decades after the horses got out. This sort of catch-all was routine when I started using this domain (indeed, it was one of the primary selling points of my original ISP), and I have given out *hundreds* of these. I can't just close the door without bouncing large amounts of legitimate email.

As for Twitter, like I said, my real complaint is that they provide no way to say, "This account is fake", *and* they have a bad habit of sending emails other than confirms to these fake accounts. Seriously -- this is not hard to fix. And the spammers wouldn't be abusing it so badly if Twitter simply provided a halfway-adequate way to shut them down efficiently, the way every other site does. The damned system shouldn't allow you to do anything significant until the email has been validated; if they simply put in that bog-standard procedure, this problem would probably vanish.

Twitter is the *only* site that has this problem, as far as I've ever encountered, and it leads me to believe that their procedures are broken. If they didn't require an email address, I wouldn't be deluged with these fakes. If they *required* validation of the email address, the attempts would simply fail, and the spammers would mostly stop trying that tack. AFAICT, the problem is that they demand an email address, but don't actually make that demand stick, so spammers get benefit from it...

[laurion]

I'm not suggesting you close the barn door entirely. I'm saying that you can't blame Twitter entirely for leaving the door open. What you do about it is your choice. You could add filters. You could make separate accounts and turn off catch-all. You could do nothing at all and deal with things as they are. But the choice is yours, and so it is wrong to lay all the blame at Twitter's feet and say there is *nothing* you can do.

But yeah, you shouldn't be able to do anything meaningful with an account until the loop is closed. I think direct messages sent to a twitter account forward to email by default, is that what is being abused?

[jducoeur]

I'm honestly unsure -- I now can't find the email from the other day that suggested that one of the fake accounts had managed to do *something* real -- but they certainly aren't shutting down the accounts. I'm still getting those annoying "Today in Twitter" messages to one of the early fake accounts in my Spam box, despite having never validated it -- far as I can tell, if I don't *actively* say that the account is wrong, Twitter proceeds to spam the account forever. And there is no apparent way after-the-fact to turn it off, having thrown away the initial validation email. (I may need to go through the whole password-reset song and dance to get control of them, and even then I suspect there's no easy way to say, "This account is fraudulent".)

[laurion]

Ah, of course they'll use an unconfirmed email address that a spammer set up so they can spam you themselves. Does seem to be piggybacking on someone else's malicious intent. That's a shame.

Back in the Eudora days I could 'bounce' a message back to the sender and it would look like an undeliverable email. Looks like that's no longer a feature in mail programs. That was my first thought for trying to communicate back to Twitter without that initial confirmation email. Would be work, but dancing a three minute bransle is less painful than a 20 minute password reset galliard.

[jducoeur]

Hmm -- intriguing idea, although I have no idea whether it's even possible via Gmail. (Which is where all of this is landing.)

[jducoeur]

Hmm -- looks like it's doable, but requires a not-cheap third-party plugin. I'll have to ponder whether it's worth it...

[serakit.livejournal.com]

While I have no idea about the technology involved here, I just had to say that I went all *squee* over the dance metaphor.

[mrf-arch.livejournal.com]

Since "popularity" and "influence" in the Twitterverse are accounted by number of followers, I suspect Twitter has less motivation to care about preventing spam accounts than other social media might.

[dlevey.livejournal.com]

You mean to say that Twitter was ever a *good* idea?

If they are permitting account creation and use without explicit confirmation (and, at the least, sending non-confirmation email to the addresses suggests that this is the case), then they are actively facilitating spam. There isn't really a grey area here.

Sadly, many otherwise-legitimate companies define spam as "that which we do not do." Looks like Twitter is now one of them.