spam – Stay N Alive

Facebook Kills More Spammy Apps With New Policy Changes

A common technique used by developers to promote their apps very quickly on Facebook has been to tag all of a user’s friends in a photo.  I’ve complained about this before.  If you visit my Facebook Profile and look at the “photos of Jesse” section you’ll notice a few of these.  They’re usually a single image with a bunch of peoples’ photos, saying something like “people who have visited your profile”, or “your top friends”.  Often they’ll add a link in the comments back to the app to get more installs.  Just now, Facebook announced they’re trying to put an end to this practice with the introduction of new policies to their platform.

The most significant change involves this method of spamming a user’s friends through the photo tagging feature in the API.  Previously, any developer could take a list of a user’s friends without the user’s permission and tag them all on behalf of that user, to get their attention. As of today that’s no more – now developers must explicitely ask the user’s permission for each friend individually before tagging them in a photo on their behalf.  This significantly reduces the potential spamminess of this API call, and I’m sure many people will see much less of this photo spam in their inbox.

The second big change Facebook is enforcing involves the number of spammy wall posts you may be receiving on your Facebook wall.  Right now if you visit my Facebook wall you’ll notice several apps have posted there.  Most of these apps have not been given my permission to do so, but, because I’m friends with the individual that used the app, I’m subject to it sharing to my wall.  Much of this was due to the ability for developers to present a list of multiple friends at the same time that a user could select from and post to their wall.  The app would say something like, “post to 10 friends’ walls and get 10 points towards your garden”, the user would be encouraged to spam their friends, and more spam would appear on the walls of those users.

Now, Facebook is requiring developers to only invite one friend at a time.  No longer will users be able to select from a list of multiple at a time to spam their friends.  Also, users must explicitly have approved the app to publish that entry.  I expect much less spam will result.

Of course, all of this is dependent on Facebook’s enforcement of the measures, but Facebook is known to be pretty good at this.  Even as a developer, I welcome the new rules and the potential of a cleaner Facebook.  Let’s hope this improves the overall environment.

Please Do Twitter a Favor and Join SocialToo

Today we announced on the SocialToo blog that we’ve enabled our phishing protection for all 60,000+ SocialToo users (and many, many more to come). This project means a lot to me, as it means the more people that use it, the fewer phishing DMs will be received, links won’t be clicked, passwords won’t be shared, and accounts won’t be compromised. The more I can help prevent this from happening, I think the better for the web in general.

In total, SocialToo has blocked near 200,000 total spam DMs sent to our users, and over 25,000 of those were malicious, phishing, and trapped automatically by our filters. 5,000 of those were just since enabling it on all accounts. That’s 25,000 dms that could have been collecting your Twitter credentials, could have compromised your account, and could have spread further by compromising your account. This service is powerful.

The service gets enabled automatically for any user that just logs in with their Twitter credentials at Of course, I’d love it if you tried our other features, set up some filters, maybe tracked who followed you and stopped following you the previous day on Twitter, but more than anything I want you to help the web in general by eradicating these pesky dms! Each dm we detect gets deleted from your Twitter account, often before you can see it in your favorite Twitter client, doesn’t get sent in our DM e-mails (found on your Filters page), and a message is sent on your behalf to @spam also notifying Twitter of the compromised account.

Please, if you haven’t had reason to join SocialToo yet, now is the time. This is your opportunity to, just by logging in, help make Twitter a cleaner place. Be sure to check out Louis Gray’s experience with this service on his blog – I think he too has had similar experience in seeing the success of having this enabled.

Oh, and stay tuned, other than this and our new design launch, we’ve got some more really big news coming tomorrow that I think you’re going to really like.

Image courtesy

Twitter, The New Micro-Spammer and the Need to Fix CAN-SPAM

Marketers seem to never learn.  Time and time again they have tried to sacrifice loyal relationships with customers in order to take the easy road in hopes to get the small percentage out of millions that might convert into one-time sales.  Affiliate marketing is ripe with these people hoping to “get rich quick”, without regard to how it is done.  I some times wonder if these people would sacrifice their own souls in order to gain a quick buck.  It would certainly seem so as we have been inundated with junk mail and e-mail spam, viruses, worms, porn, and other tools intended to spread what they’re selling to mass audiences in as fast a manner as possible.

Technology has sought hard to stop such problems.  We have anti-virus solutions that stop the malware, but evidently it’s not good enough, because viruses and worms and malware still spread.  Google’s Gmail has excellent spam filtering software for e-mail, as do other services such as Yahoo Mail and Hotmail.  Yet, I still get spam e-mail.  There are even services which try to stop the amount of junk mail you receive, yet even that isn’t fool proof.  It seems no matter how much technology we throw at it, the spammers will always find a way to circumvent the process.

Government is doing all they can do as well.  Here in the United States, CAN SPAM act makes it easy for government to prosecute against spammers.  The act was meant to thwart the problem in the early 00’s where e-mail spam was running rampant.  The marketers all complained, claiming it would reduce the amount of money they could make, worries of economic crisis ensued.  But after the act went into place, marketers began to realize they were actually seeing more money than before because they were actually focusing on people that were interested in their product, rather than people that weren’t.  I admit a lot of my spam went down at that time.

Enter 2010.  Twitter is almost a standard.  Facebook is almost a standard.  We are seeing the era of micro-messaging take form, and it doesn’t seem this era is going away any time soon.  As with any new communications technology, so come the spammers that come along with it.  As I can attest from my own company, the spammers are now out of control on Facebook and Twitter and almost any other service that enables micro-messaging, and they’re fighting their best to stay on top of it all.  I admit they’re probably doing all they can, too.

On SocialToo in just the last month, we have already automatically marked near 3,500 DM messages as spam out of a total of 3,500 users that utilize the service. Since we implemented the service just a few months ago we’ve marked near 8,500 DM messages as spam. And that’s just DMs on Twitter! Considering there are in the 10s of millions on the service and DMs aren’t the only means of spam, you can see the problem Twitter and Facebook are facing.

It was this reason I added these spam filtering services on top of SocialToo.  I too want to do what I can to help kill these problems.  I’ve seen it all – even people abusing my own service to increase their numbers and in return spam those followers with things their followers never intended to receive.  It was this reason we complied with Twitter’s request to remove automatic unfollow of those who unfollow you recently, and frankly I agree with Twitter on the move – they’re doing the best they can to thwart spammers, and I want to support them in that process.  Look at this video I found on Youtube recently – in it, a man is demoing software that uses a combination of your desktop and outsourced workers in India (likely through services like Amazon’s Mechanical Turk) to quickly create accounts, send a few tweets each to increase, gain, and grow followers, and spam those followers with affiliate links. It’s appalling the way he says this is a “secret” only a “select few” marketers know about – the fact is I already knew about it – it’s no secret:


Source: ( and

This guy’s software is just one of many, and I argue it does this the hard way.  Now we have the ability for applications to sit on top of the browser and completely control  the context which a user views the web.  Applications like GreaseMonkey, extensions and plugins, and even Kynetx, while they can be used for good, could all be used in this way with just simple HTML and Javascript to create accounts and spam with them.  There’s not much Twitter or Facebook or even the makers of GreaseMonkey, Firefox, Chrome, IE, or Kynetx can do about them (although Kynetx at least has a controlled user directory through which they can at monitor these things).  There are already tools like Hummingbird out there that do this for relatively cheap, and there will be more.

It’s time Government step in and put an end to this.  CAN-SPAM was written for long-form communications, but it needs to be modified to allow for the short-form. It specifically mentions e-mail and cell phone communications, not micro-messaging services.  Recipients should still have the opportunity to opt-out of the messages they receive. Perhaps the enablers of such communication such as Facebook and Twitter need to provide a means for message senders to provide an opt-out location that attaches to their messages.  That’s just one idea – I’m sure there are many other ways of doing this.

CAN-SPAM needs a provision which specifically targets the micro-messaging space.  It needs communication which specifically says what marketers can do on these services, and how people can opt out.  As I know very well, this will not stop all messages, but it will cut off a large majority of messages, which I know are being used by legit Lawyers and Doctors and business owners everywhere in the US to cost Twitter thousands of dollars and waste the time of countless people.

We need to do all we can to stop this nonsense. I want to see these micro-messaging spammers prosecuted.  It won’t happen unless the US Government modifies CAN-SPAM.  How can we do this effectively in the micro-messaging space?

Facebook Photo Tagging Apps: Intelligent Design or Plain Old Spam?

Screen shot 2009-09-14 at 3.50.45 PMThe photo tagging apps in Facebook have taken over my stream!  Check out the screen shot to the right.  Out of the 12 highlights, only half are legitimate posts.  The other 6 are apps that have seemingly figured out how to abuse the system and take over my highlights section (either intended or not), giving the apps even more exposure on Facebook.  If you ask me, this method of app promotion, while legal and probably even a smart move by the app developers, needs to stop!

Fan Check, Friend Character, PickupFriends, TouchGraph, and others are nothing more than spam with their current techniques of app promotion. From my experience most people using them have not even opted to tag their friends in these photos, and I hope Facebook can put an end to this.  The developers behind these apps (probably many who have read my book) are smart people – can’t they find another way other than deceiving their users to promote their applications?  Or perhaps Facebook can give me a way to filter these so they don’t take up my Highlights any more and I don’t appear as tagged.

I’m hoping “Natural Selection” for these apps sides in my direction. Let’s hope these types of spammy apps go away or change their behavior.

Taking a Stand on Twitter’s Auto-DM Policy #endautodm

buck stops hereI’ve long mentioned my annoyance with automatic DMs after follow and elsewhere. It’s one of the reasons I built SocialToo, and we’re doing things there to combat the process. Unfortunately it’s not perfect. In fact, even with the anti-spam measures SocialToo has in place, it’s getting to the point that most of the DMs I receive are non-legitimate messages that many of the users probably have no idea were sent on their behalf. My other followers get hurt because of that because I can often miss their messages. Chris Brogan mentions, which I admit recently is a major perpetrator of my DMs. But there are others too: Tweetlater (which has the ability to opt out, and we’ll even do it for you on SocialToo), Twollow, Twollo, Mob Wars, SpyMaster, and many others. Too many to know which one needs to go to and opt out of, assuming they even have a solution (which most do not).

Twitter could fix this easily. Facebook already does this – they allow users to identify that they do not want to receive any more messages or invites from a specific app. Then, the minute they do that, the app can keep sending invites, but that user will never see them again. In addition, the app gets dinged a “spaminess score”, reducing the number of app invites it can send out per user. Users have full control, and they can still be friends with people that like to use these apps.

Twitter needs a similar system – it wouldn’t be very hard to require all apps to identify themselves via a developer Terms Of Service (I’ve talked about this before), either by OAuth or some other means, and then provide the tools necessary to allow users to opt out of receiving DMs and @mentions generated by these applications if the user does not want to receive them. Based on a current discussion in the developers mailing list for Twitter, I’m guessing developers wouldn’t be opposed, either. At the very least, open up the API to allow the identification of these applications while requiring them to identify themselves. Blacklist and ban the applications not willing to comply.


I’m getting sick of the auto-dms. Chris Brogan is sick. Sean Percival is sick. Robert Scoble is sick. Jeremiah Owyang is sick. The list goes on and on, and we’re not the only ones. Starting today I’m taking a stand. I want to show what my inbox looks like right now. For that reason, I’ve taken a screenshot of my Twitter DM box and posted it as my Twitter avatar. If you are against this practice, change your avatar to your own DM inbox, and retweet this to your followers (click on it, and it will auto-populate Twitter for you):

I’m changing my avatar to my Twitter DM inbox in protest of automated DMs on Twitter #endautodm

You can include a link to this article if you like, but that’s not required. I want to send a message to Twitter that this is a serious problem. It’s time to end automated direct messages once and for all. I’m done with them. Will you join me?

Here’s a FriendFeed Real-time search of #endautodm – will you contribute? Just end your tweets with #endautodm:

Twitter Suspending Accounts in Droves

twitter fail whaleTwitter seems to be on a roll lately. It would seem, either by bug, or some new policy just implemented, Twitter has just suspended hundreds to thousands of Twitter accounts with little to no reason. You can see all the action, semi-real-time here.

I just received a tip from a good friend, a very strong Twitter user and definitely not a spammer, who was one of those people suspended without cause. She stated she submitted a ticket to Twitter support and the ticket was immediately closed with no reason. Looking over Twitter search, she’s not the only one, and many very valid accounts are complaining of having their Twitter accounts suspended out of the blue. Reasons for suspension are often following people and unfollowing people frequently, following people too fast, blatent spammy behavior, among other things, but based on the users I know were suspended none of these activities were happening.

There is no word from Twitter on this matter – I’ll update the post when I hear more. You can watch the suspensions and the horror occur in real-time (thanks to FriendFeed, ironically) below:

UPDATE: Twitter has responded via their Status blog: “Earlier today, we accidentally suspended a number of accounts. We regret the human error that led to these mistaken suspensions and we are working to restore the affected accounts—we expect this to be completed in the next several hours.”

Other major accounts suspended: @marismith, @denisewakeman, @loubortone, @tweetlater, @deniseoberry, @radionational – if your account was affected please leave a comment!

Curing Spam on Twitter With Better Follow Limits

spamI posted this over on the Twitter developer mailing list to try and get a discussion going. I thought I’d post a copy here for my readers to discuss – maybe you have more ideas than I do. I want to make it clear that I do not condone what some users of SocialToo are doing to gain Twitter followers. Will I stop them? I can’t – as long as Twitter allows them to do it, I can’t make a decision one way or another on who is doing this and who is not. No matter what, I have to respect my users, and most (almost all) of them are using Twitter for legitimate reasons. I do think changing the limits to what I suggested in the e-mail (below) will fix the problem Twitter is trying to solve though:

Let’s discuss the follow limits. I feel, as developer of a tool that allows people to auto-follow, I have a bit of insight into this. While there are many, many legitimate users that auto-follow others, and have good reason to do so, some are using it as a way to game the system, build followers quickly, break the Twitter TOS, and reduce the meaning of follower numbers for many other users just using the service legitimately. I see this daily, amongst a few of my own users, and while, due to our privacy policy I can’t share who they are, I do have some suggestions that would make the API follow limits make a little more sense. Maybe you guys can provide more insight.

-Currently the follow per day limit is 1,000 follows per user per day. There is no limit on the number of unfollows a user can do per day (that I know of), and it appears as though there is also a limit of around 10% for the number of users a person can follow more than follow them back. The users taking advantage of Twitter have figured this out. So here’s what they do:

A “gamer”‘s typical activity is that they will follow as many people as they can – most up to the 1,000 limit they’re allowed per day, until they hit the ratio of 10%. The higher the follower base they gain, the longer they’re able to do this. They then hope a good portion of those 1,000 people follow back. Those that don’t use tools like mine (which weren’t intended to be used this way) to unfollow everyone who is not following them back. This is often much greater than 1,000 for the users that are really good at it. The process then starts over. They’ll use tools like Hummingbird (Google it) and Twollo to find people and automatically go out and follow them. This is why I refuse to create auto-follow filters to find new people on my service. It’s way too spammy if you ask me.

Why do they do this? 2 reasons: 1, “supposedly” having more followers means more visits and clicks in whatever you’re trying to promote. (I don’t believe this) and 2, many of these people also have auto-DM set up to send links and messages to each person that follows them back. Back when I offered this service (we disabled it for this exact reason) people told me they were seeing significant clicks on the links they would send to people via DM after they followed them. Therefore, more follows==more clicks==more revenue. I don’t blame them if that’s what they’re really seeing.

So for this reason I think having limits in place is a *good* thing. I don’t think the follow limit is in place due to traffic reasons, since there are many more calls that cause more traffic on the API and there is no limit to unfollows, so I really think Twitter is doing this for the purpose of reducing spam and “gaming” of Twitter. This is a good thing.

However, I think Twitter may be approaching the limits the wrong way. Here’s what I think would be more effective, and beneficial for the legitimate users that want to follow back and at the same time not allow those who want to game the system to use the methods I described. Twitter needs to impose limits based on whether the individual is following the user back or not.

For instance, if I follow @dacort and he is following me back, that shouldn’t count against me as a hit against my follow limit. However, if I try to follow @dacort and he is not following me back, it should count against me as a hit against my limit. With this, users could easily auto-follow back if they choose to, and it would still be difficult for the users trying to game the system and spam Twitter. In fact, you could significantly *reduce* the limit this way and make it virtually impossible for these users to use Twitter in that manner. If you were to look at the relationship between the users when counting against limits, you could probably reduce the follow/day limit all the way to around 200 per day instead of 1,000 per day. I don’t see any reason for the 10% follow/follower ratio with a low limit such as that.

However, as stands, the more followers you get, if you are using Twitter legitimately, you have no way to extend the courtesy back if you choose to do so, since after a certain point you will be following many more than 1,000 users per day. And even if you aren’t, it will take an extremely long time for many individuals to finally catch up to follow those following them if they want to at 1,000 follows per day.

I know there are some that disagree with the auto-follow concept. However, I also know most of you also want Twitter to be an open environment where people can choose to use it as they please. Doug, Alex, etc. I’d love it if you guys could at least consider changing the follow limits as I mentioned. The current limits are doing nothing to prevent the spammers – my suggestions I believe will, and will keep it an open environment for the rest of us.

Sorry for the long discourse – I would really love to hear others thoughts and suggestions.


Feel free to chime in on the developers mailing list, or let’s discuss here – what suggestions do you have? Are there any holes in my proposal?

Is Twitter Seeing a New Form of Spam Attack?

Please note this in no way is inferring @nycgrl88 is in any way behind these attacks – it is simply an attempt to figure out why these bots are targeting her.

irobotMy friend Scott Lemon, who runs pointed me to this.  It would appear that someone or something has hacked the Twitter sign up process and is creating hundreds of bot accounts, all with the same messages, including one linking @oprah, @mrskutcher, and someone named @nycgrl88 to #topfollowfriday as a recommendation.  You can see all the accounts via Twitter search result here.  They are all posting exactly the same Tweets, all prefixed by 1luv, and complain of things like not being able to upload a photo or background image, a problem Twitter was plagued with yesterday.

Since @oprah and @mrskutcher are obvious names, I naturally looked at the odd one out in the #topfollowfriday recommendation, @nycgrl88.  Her name is Jennifer Regan, and according to her bio, she goes to NYU and lives in New York.  Oddly enough, all of the @1luv spam accounts are owned by a girl named Jennifer (with bio pics that all kind of look similar, but brunette), who lives in New York and goes to NYU.

Could this be a new type of spam attack on Twitter?  I’m not saying @nycgrl88 is the one behind this, but it would not be very hard to game the sign up with a script, create hundreds to thousands of accounts, all that recommend @nycgrl88 to #followfriday, and benefit from top exposure on those sites to get more followers.  Are spammers really that desperate?

Again, let’s not put the blame on @nycgrl88 until we know what’s going on here, but something fishy is happening – I’m trying to figure out the purpose behind it all.  Am I missing anything here?

Making Auto-Follow a Little Easier by Removing the DMs - Your Companion to the Social WebAs of today on my service SocialToo, we’re taking a stand and removing the ability to auto-dm your followers. This service, as it grew, was getting out of hand, very impersonable, and people were just ignoring them. It was a tough decision due to the number of users using the service, but I think making this decision is the right thing to do. In the end this makes the other services we provide, such as auto-follow, more productive. I’m trying to think of other less-spammy and more personal alternatives down the road, however.

To replace auto-DMs, we’re now blocking DMs from any service we’re able to that do provide the auto-DM service. In addition, I’ll be working on some new features in the near future to auto-unfollow users we detect auto-DM-like behavior from for you. Let’s end this robot-like practice once and for all. I’m taking the reigns on this one.

Could Pandora be Leaking User E-mail Addresses to 3rd Parties?

UPDATE: See the comments below. Pandora’s CTO responded with the following explanation – while I haven’t shared much, I can see it being a spyware issue of someone I’ve shared having spyware on their computer – he has a good point.

“Hi there, I’m the CTO over at Pandora. Saw a link to this post on Twitter. I can tell you with absolute certainty that we never have and never will sell, give away, trade or disseminate in any way our listeners email addresses. We also do routine security audits; your email address absolutely is not available anywhere on public systems.

We do however hear of cases like this a couple of times a year and I’ve worked other places where similar complaints would come in. In my experience the cause is almost always spyware on a machine that at one time received an email from the address in question. For example, if you’ve ever used Pandora to share a station with a friend, or invite someone else to use the service, your pandora email address would be on the email we sent to your friend. If that friend has a machine infected with Spyware it’s likely that your email address made it into some spammers directory. Of course we also send you a welcome email, if there’s spyware on your machine that’s another possibility. The final (and least likely) possibility is a simple dictionary attack — since the email address you’re using is it’s possible that some spammer was just iterating on dictionary words against your mail system.

It’s a terrible situation that we live in an environment where it’s nearly impossible to keep our personal email addressses out of the hands of spammers.

Feel free to write any time, with any concern. Predictably I’m tom-at-pandora.

Picture 3.png

Picture 5.pngCould Pandora be giving out or selling their users’ e-mails? They say they don’t, but I got a disturbing e-mail yesterday that I’m still trying to figure out. When I sign up for services, I usually sign up with the e-mail address, so that I can detect where my spam is coming from. Yesterday, I received a weird piece of spam from “” in what I believe to be French. The subject states, “ des vidéos pour les Expatriés, DRH, Exportateurs… A découvrir”. What caught my attention though, is that it was sent to “”.

There’s only one site I ever gave that e-mail address to, and that’s Pandora. Could Pandora be selling e-mail addresses to spammers? Could there be a leak at Pandora, where my e-mail address somehow accidentally got out to spammers? Or is this just a fluke where some spammer decided to randomly send e-mail to where is all wildcard e-mail addresses they’re aware of? I can’t tell, but it’s troubling – I’ve never had a spammer actually use an e-mail address for a service I actually belong to. This makes me wonder if it actually is an issue at Pandora.

I mentioned this on FriendFeed, and a Pandora rep actually did respond (Does your company track FriendFeed?). Here was the thread:

Me: “wtf??? I’m getting Spam and it’s to my Pandora address. Did Pandora sell my e-mail address? NOT HAPPY”
Pandora Radio: “Hi Jesse – We *definitely* never sell or give away listeners’ email addresses. Feel free to email if you’d like. – Lucia, from Pandora”

I want to believe Pandora. They seem like a pretty ethical company, and have supported some good causes in the past. It makes me wonder however if somehow, some e-mail addresses got out of their system that they weren’t aware of. Perhaps my e-mail address is on a public profile somewhere on Pandora’s website? Has anyone else experienced this, and do you have any ideas how this could be happening? The text of the e-mail can be found here.