Facebook Email Spam is on the way

Facebook is shutting down its email service.

Following on nicely from Google+ opening the door and allowing anyone to get a message to your inbox without your email address, now Facebook are doing it…

The email service will be closed and will default to forward to your primary email address.

This means that anyone who knows your Facebook username at the end of your profile’s URL, which is everyone, can simply whack that in front of @facebook.com and spam the shizzle out of you.

I for one will be updating our list checker to look out for facebook.com addresses.

What to do?

Go into your Facebook settings and turn off auto-forwarding, once this has happened to you.

If you already had that set, go and check it, because as you probably know by now, every time Facebook updates their privacy settings, everything you’ve changed before gets reset back to default.

My Facebook has not updated yet but says:

“Your Facebook email is based on your public username. Email sent to this address goes to Facebook Messages. However, soon this will change, and email sent to this address will be forwarded to your primary email. Learn more.”

When I click learn more it says:

What’s changing with @facebook.com email addresses?

Currently, messages sent to your @facebook.com email address are delivered to your Facebook Messages.

However, we’re updating the way @facebook.com email addresses work, so that soon any email messages that are sent to your @facebook.com email address will no longer go to your Facebook Messages. Instead, these emails will be forwarded to the primary email on your Facebook account. Learn how to add or update your primary email.

As a part of this change, any current Facebook conversations that include an email address will become read-only. This means that you’ll still be able to view the conversation, but you’ll no longer be able to reply to it from your Facebook Messages. To continue the conversation, you can always message people through their Facebook accounts.

I’ve no idea how we are to know when this has been rolled out to everyone; my original source at The Verge seemed to have already had the notification of the change. So hopefully each of us will get an email to our primary account, in the inbox, to tell us about it, before they fill up with spam from this forwarding service.

Originally this service was supposed to make Facebook the hub of digital communication. The idea was that Facebook messaging would know each user’s messaging preferences and send them any messages by their preferred method; for instance, if someone is always using SMS and someone emails their @facebook address, they would get a text and not an email like their friend who started the conversation. This way people would be able to communicate through Facebook without having to change their behaviour. I’m guessing hardly anyone used email and they all used SMS or Messenger.

That’s not rocket science to me, if I want to message someone, I’ll use a message app, not shout from a building and hope the wind carries it right.

It could be SMS, email or FB, although I know I’ll get a quicker response via SMS, then FB then email.

Now Facebook’s paid $16 billion bucks for WhatsApp we can presume that SMS and Messenger over smartphones is the way forward.

Very few people actually use email for social communication any more; it’s either SMS or some other kind of messenger service that uses data instead of texts.

In fact Apple have combined the two and decide for you – which is a bit rubbish when you move your number from Apple to Android and she can’t text you cos her iPhone keeps iMessaging your iPad.

While I could speculate that WhatsApp is some kind of step forward, it is a very basic tool and there are thousands of them out there but this one did better at the right time and dominates the market and now it’s Facebook’s. Presumably they will soon match the WhatsApp phone numbers with Facebook accounts and have more integration between the two; maybe even copy WhatsApp chats into Facebook messaging for an extra interface, time will tell.

Just in case it looks like I’m not a Facebook hater, I’m not!
I’m an avid user but the constant struggle to stay vigilant against its consistent attempts to share my info with strangers to make money is a little tedious, but not enough for me to leave, which presumably is the idea.

A robot has won my iPad competition

(updated: 2019-04-24 with new domains)

If you run a competition and ask people to enter it by providing you with an email address, as well as other details, you run the risk of having that form filled out by an Automated Competition Bot.

Basically there are services which trawl the web looking for competition entry forms so they can fill them out. Some of them are just trying to ruin a competition, some of them are one person trying to win as much free stuff as they can and some of them are offering a service where someone else can put their details into a tool and that tool will enter them into as many competitions as it can.

Either way, this means that some of the entrants to your competition have not seen your site or your brand and just want something for nothing.
Presumably this defeats the object of your competition which, in this and many cases, is to provide brand awareness, build a list of at least intrigued people and offer at least one of them a prize in reward.

You will always get some people who just want the prize, especially if it is a good prize; but if you offer too good a prize the bots will find you. If for instance you create a lovely landing page for your prize draw for a free iPad, the bots will find you!

If you’ve been got, you might see that you have a lot more entrants than you expected, and when you look at the list you might find high volumes of a few domains which you don’t recognise as commonly used consumer domains like the hotmails and gmails most of you would expect to see.

This is the list from back in 2013 of the ones I’d seen or had found during our research:


2rainmail.org.uk, barchor.org.uk, bestmailforyou.co.uk, cannotmail.org.uk, course-manager.co.uk, crymet.org.uk, darklin.info, drecom01.co.uk, easybusinessemail.info, freemailstore.com, freggnet.co.uk, hoodmail.co.uk, indigoable.net, kreahnet.org.uk, laurelbaker.net, lonynet.oeg.uk, mailbreaker.co.uk, meandmine.info, mobiledatamail.com, moussenetmail.co.uk, movenextweb.com, mywheelbox.org.uk, navyngrey.com, pluntermail.org.uk, prainnet.org.uk, purpleweb.info, rackernet.org.uk, railosnet.co.uk, rottmail.co.uk, runracemail.org.uk, runwaynet.org.uk, satinmaker.info, sherrymail.co.uk, shortsmail.co.uk, stickique.com, stonetimenet.co.uk, tangerineinternet.com, telph1line.org.uk, threemailnet.co.uk, tigerweb.org.uk, tyermail.org.uk, wonandron.co.uk, wormail.co.uk, yourmail4you.com

UPDATE:

An even more dedicated chap called Rob Record (cool name) ran into this more recently (early 2019), found my list and has made an updated version. Some of his observations are that the domain names are very similar but with slight changes. This suggests that the hosts realised they’d been twigged and blocked so altered them to sneak through.

Here’s Rob’s updated list which he kindly shared with me for you…

2rainmail.org.uk, barchor.org.uk, bestmailforyou.co.uk, cannotmail.org.uk, course-manager.co.uk, crymet.org.uk, darklin.info, drecom01.co.uk, easybusinessemail.info, freemailstore.com, freggnet.co.uk, hoodmail.co.uk, indigoable.net, kreahnet.org.uk, laurelbaker.net, lonynet.org.uk, mailbreaker.co.uk, meandmine.info, mijnpostcode.nl, mobiledatamail.com, moussenetmail.co.uk, movenextweb.com, mywheelbox.org.uk, mywheelboxmail.org.uk, navyngrey.com, pluntermail.org.uk, prainet.org.uk, prainnet.org.uk, purpleweb.info, rackernet.org.uk, railosnet.co.uk, rottmail.co.uk, rottmail.org.uk, runracemail.org.uk, runwaynet.org.uk, satinmaker.info, sherrymail.co.uk, shortsmail.co.uk, stickique.com, stonetimenet.co.uk, tangerineinternet.com, telph1line.org.uk, threemailnet.co.uk, tigerweb.org.uk, tyermail.org.uk, wonandron.co.uk, wormail.co.uk, yourmail4you.com

Rob said:

lonynet.oeg.uk became lonynet.org.uk
mywheelbox.org.uk became mywheelboxmail.org.uk
prainet.org.uk became prainnet.org.uk
rottmail.co.uk became rottmail.org.uk
mywheelbox.org.uk became mywheelboxmail.org.uk
mijnpostcode.nl was added

I haven’t replaced anything except for lonynet.oeg.uk

These were all based on spam submissions I saw coming in to a competition form I had a lot of traffic on. Hope it helps!

What a legend!

I suggest you add them all to a suppression list.
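The two signals described above, high volumes from a few unfamiliar domains and near-copies of domains already on the list, can be checked in one pass over an entrant list. This is an added example, not code from the original post or from Rob; the similarity threshold, the consumer allowlist and the sample entries are assumptions.

```python
from collections import Counter
from difflib import SequenceMatcher

# Three entries from the 2013 list above; load the full suppression list in practice.
KNOWN_BOT_DOMAINS = ("mywheelbox.org.uk", "prainnet.org.uk", "rottmail.co.uk")
# Assumption: a short allowlist of mainstream consumer mail domains.
CONSUMER_DOMAINS = {"gmail.com", "hotmail.com", "hotmail.co.uk", "outlook.com"}

def domain_of(email):
    return email.rsplit("@", 1)[-1].strip().lower()

def similarity(a, b):
    return SequenceMatcher(None, a, b).ratio()

def classify(domain, threshold=0.85):
    """Return 'blocked', 'variant:<known domain>' or None."""
    if domain in CONSUMER_DOMAINS:
        # Checked first: hotmail.co.uk scores about 0.89 against rottmail.co.uk.
        return None
    if domain in KNOWN_BOT_DOMAINS:
        return "blocked"
    best = max(KNOWN_BOT_DOMAINS, key=lambda known: similarity(domain, known))
    if similarity(domain, best) >= threshold:
        return "variant:" + best
    return None

def audit(emails, min_count=3):
    """Map each suspicious domain to (entry count, reason) for human review."""
    counts = Counter(domain_of(e) for e in emails)
    flagged = {}
    for domain, n in counts.items():
        reason = classify(domain)
        if reason is None and n >= min_count and domain not in CONSUMER_DOMAINS:
            reason = "high-volume"
        if reason:
            flagged[domain] = (n, reason)
    return flagged

# Constructed sample entries (local parts and .example domains are made up).
SAMPLE = ["a1@rottmail.org.uk", "a2@rottmail.org.uk", "b1@prainet.org.uk",
          "jo@hotmail.co.uk", "sam@gmail.com", "sam2@gmail.com", "sam3@gmail.com",
          "x1@bulk-entries.example", "x2@bulk-entries.example",
          "x3@bulk-entries.example", "kim@smallbiz.example"]

if __name__ == "__main__":
    for domain, (n, reason) in sorted(audit(SAMPLE).items()):
        print(f"{domain:25} {n:3}  {reason}")
```

Treat a "variant" or "high-volume" result as a prompt for review rather than an automatic rejection, since string similarity alone cannot tell a renamed bot domain from a legitimate look-alike.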

If you do not want them entering, you will have to put some extra security into your competition form.

Common solutions include:

  • Invisible reCAPTCHA: Google’s new angle on captcha, where it can spot a robot without a person having to tick a box, and then kicks in a captcha test on its own.
  • Captcha methods: A form widget which offers a picture of numbers and letters for the user to enter as they submit the form.
  • Hidden field entry: Have a hidden field which a human user cannot enter details for but the bot might, as it blindly provides values for every field in the page’s HTML. You can then simply reject all entrants with a value in that hidden field.
  • Domain rejection: Hold a list of known bot domains and reject any entrants using email addresses in those domains.
  • Double opt-in: Send an email directly back to the entrant containing a link for them to click in order to complete their entry; this confirms their interest and the fact they own the address.
  • Server-side processing: (this is a bit techy) often the easiest way to perform this kind of validation is client-side, using JavaScript. It is very easy for bots to bypass client-side JavaScript, so it helps if the validation can be done server-side.
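A server-side sketch of the hidden field and double opt-in items from the list above, added here as an example and not taken from the original post. The field name `website`, the secret, the token layout and the 48-hour expiry are all assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"replace-with-a-random-server-side-key"  # assumption: stored only on the server
HONEYPOT = "website"   # hypothetical field, hidden with CSS so a person never fills it
MAX_AGE = 48 * 3600    # assumption: confirmation links expire after 48 hours

def accept_entry(form):
    """Runs on the server, so it holds even if the bot skipped the page's JavaScript."""
    if form.get(HONEYPOT, "").strip():
        return False, "honeypot filled"
    email = form.get("email", "").strip().lower()
    if email.count("@") != 1 or email.startswith("@") or email.endswith("@"):
        return False, "bad email"
    return True, email

def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def make_token(email, now=None):
    """Token for the confirmation link; URL-encode it before putting it in the email."""
    issued = int(time.time() if now is None else now)
    payload = f"{email}|{issued}"
    return f"{payload}|{_sign(payload)}"

def confirm(token, now=None):
    """Return the confirmed address, or None if the token is forged or expired."""
    try:
        email, issued, sig = token.rsplit("|", 2)
        issued = int(issued)
    except ValueError:
        return None
    expected = _sign(f"{email}|{issued}")
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    now = time.time() if now is None else now
    return email if 0 <= now - issued <= MAX_AGE else None

if __name__ == "__main__":
    ok, email = accept_entry({"email": "kim@example.org", "website": ""})
    token = make_token(email)
    print(ok, confirm(token))
```

The entry only counts once `confirm` returns the address, so a bot that submits the form but never opens the mailbox never reaches the draw.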

Google and much of my research suggest that Loquax has a great resource for more information, whether that was deliberate or not.