Facebook: Reminding Several Thousand Spamtraps to Join

Yesterday and today Facebook emailed several thousand of my spamtraps, reminding them that “just one step” was needed to join the social networking site. The problem is, none of these spamtraps ever *asked* to join Facebook. None of them send email. Some of them never existed at all, and of those that were once live email addresses, several were closed in the late 1990s — before Facebook existed. Facebook sent these emails from their own IPs; no ESP was involved.

Spamcop is already listing most of the emitting IPs for these spams. I have no idea whether Facebook is the target of a massive forge subscriptions attack or somebody thought that it would be a good idea to spam a purchased or email appended list over Christmas week. This is ridiculous, however. Facebook needs to fix whatever allowed it to happen, soonest.

Sending IPs: 66.220.144.128/26, 66.220.155.128/26, 66.220.157.64/27

Spam Sample:

Actual Headers:

Received: from mx-out.facebook.com (outmail038.prn2.facebook.com
        [66.220.144.1##])
        by <xxx> (Postfix) with ESMTPS id <xxx>
        for <xxx>; Thu, 25 Dec 2014 00:##:## +0200
        (EET)
DKIM-Signature: <xxx>
Received: from facebook.com (<xxx> 10.102.##.##)
        by facebook.com with Thrift id <xxx>;
        Wed, 24 Dec 2014 14:##:## -0800
X-Facebook: from ##:##:##:##:face:##:##:## ([<xxx>])
        by www.facebook.com with HTTP (ZuckMail);
Date: Wed, 24 Dec 2014 14:##:## -0800
To: <xxx>
From: Facebook <notification+<xxx>@facebookmail.com>     
Reply-to: noreply <noreply@facebookmail.com>
Subject: Just one more step to get started on Facebook               
X-Priority: 3
X-Mailer: ZuckMail [version 1.00]
Errors-To: notification+<xxx>@facebookmail.com
X-Facebook-Notify: email_confirm; mailid=<xxx>
List-Unsubscribe: <https://www.facebook.com/o.php?k=<xxx>&u=<xxx>&mid=<xxx>>
X-FACEBOOK-PRIORITY: 1
X-Auto-Response-Suppress: All
Message-ID: <<xxx>@www.facebook.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="b1_<xxx>"

Readable Email:

From: Facebook <notification+<xxx>@facebookmail.com>
To: <spamtrap>
Subject: Just one more step to get started on Facebook

Hi <xxx>,

You’re almost done with the sign-up process

Confirm Your Account
https://www.facebook.com/n/?<xxx>

<removed>

This message was sent to <xxx>. If you don’t want to receive these emails from Facebook in the future, please follow the link below to unsubscribe.

https://www.facebook.com/o.php?<xxx>

Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

6 Responses to Facebook: Reminding Several Thousand Spamtraps to Join

  1. I saw this too. What I really, really can’t figure out is all those accounts that couldn’t have asked to join FB because they had already stopped existing by the time FB came around…

  2. Year’s end report on Facebook spam to my spamtraps in the month of December:

    2014-12-01: 300-400
    2014-12-02: 300-400
    2014-12-03: 200-300
    2014-12-04: 100-200
    2014-12-05: 400-500
    2014-12-06: 300-400
    2014-12-07: 200-300
    2014-12-08: 200-300
    2014-12-09: 300-400
    2014-12-10: 300-400
    2014-12-11: 300-400
    2014-12-12: 300-400
    2014-12-13: 200-300
    2014-12-14: 200-300
    2014-12-15: 200-300
    2014-12-16: 300-400
    2014-12-17: 300-400
    2014-12-18: 500-600
    2014-12-19: 400-500
    2014-12-20: 500-600
    2014-12-21: 600-700
    2014-12-22: 900-1000
    2014-12-23: 4000-4500
    2014-12-24: 4000-4500
    2014-12-25: 3500-4000
    2014-12-26: 7000-7500
    2014-12-27: 6000-6500
    2014-12-28: 7000-7500
    2014-12-29: 7000-7500
    2014-12-30: 6500-7000
    2014-12-31: 7000-7500

    That’s right. From the beginning to the end of the month, a 20-fold plus increase in volume. I did not bring any significant number of new spamtrap email addresses online in December. These hits were almost all on spamtraps that I have had for at least several years.

    I’ll probably tweet a WTF to @Facebook, but I already have once. So far nobody at Facebook has responded or seems in the least interested. :/

  3. It got really bad at Christmas, but the bad news is it’s only been getting worse. What in Pete’s name is going on?

  4. And… Going up UP UP UP UP. First week of January, plus a few.

    2015-01-01: 9000-10000
    2015-01-02: 10000-15000
    2015-01-03: 9000-10000
    2015-01-04: 9000-10000
    2015-01-05: 15000-20000
    2015-01-06: 10000-15000
    2015-01-07: 15000-20000
    2015-01-08: 15000-20000
    2015-01-09: 8000-9000 (so far today)

    Facebook has been contacted about this. Either everybody that I know has old non-functional contacts, or Facebook is ignoring us.

  5. It could be also a spammer trying to wash his list: try to register on Facebook (hey, everyone’s on facebook, right?) and if it fails because the email address is already registered then it most probably is a functioning one.

    • I’ve wondered if some list seller might be washing a list through Facebook. :/ Facebook is contributing to the problem, however, because its policy is to keep sending “reminders” to email addresses that were “invited” to join by somebody else, not their owners. Since the “invitations” are generated by a third party who is known to be a third party (not a malicious subscriber), those reminders are the essence of opt-out bulk marketing email, i.e. spam.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Go back to top