Twitter Blacklisted by Spamhaus

SBL84807 tells the story: Spamhaus has observed Twitter invitations more-or-less being used by spammers. According to Spamhaus, Twitter does not appear to have controls in place that prevent spammers from issuing invitations to imported lists of email addresses, and also, Twitter invitations have a broken unsubscribe link.

Let's hope Twitter works quickly to address this issue to Spamhaus's satisfaction.

I personally am not a big fan of "import your address book and we'll send everybody you've ever talked to an invitation to our fabulous new social network," as address books are invariably filled with crap. Even if the intent isn't nefarious, if I did this, I'd end up sending invites to the Apple store, all the mailing lists I'm on, the various abuse desks I talk to, including Twitter's own Del Harvey.

Also, people seem way to willing to hand their email passwords over to third parties. I'm sure Twitter isn't planning on stealing your address book, but what of the next site? And the site after that? Eventually a bad guy will figure out that this is a great way to harvest your contacts.


  1. While I also don't like the whole "import your address book" idea, and agree that it's annoying to run a mailserver being deluged by nonsense spam such as twitter invites - is there an advantage to the "spammer" or is it being caused solely by obliviots who just don't know what the hell they are doing?

    I suppose someone running a twitter account to advertise their porn site or viagra pills could use the service to invite people to follow them and in return see their message - but that seems like a very round-about way to get a few hits...

  2. I'm not sure, to be honest. I don't have a good feel for the actual value here to spammers. It might just be obliviots. I can imagine that rising to the level of nuclear event if goobers keep importing address books with the same Spamhaus addresses over and over. There probably needs to be rate limiting to prevent multiple repeat invites, yes?

  3. Old news though, no?

    14-Jan-2010 22:52 GMT

  4. What are some of the scenarios that would cause an individual to get spam trap addresses added to their address/contact book?

  5. If a spamtrap is useful, bad guys already have it (otherwise it isn't getting any spam) and can either a) send you spam that includes it in the TO: line, or b) send you spam that claims to be from it - and after either of those events, your mail client can 'helpfully' add it to your addressbook as someone who has sent you mail.

  6. I personally am not a big fan of "import your address book and we'll send everybody you've ever talked to an invitation to our fabulous new social network,"

    I personally am not at all a fan of any sentence that starts "Just give us your password to $other_service". How is this not a major security violation the sort of which is expressly prohibited by most AUPs?

  7. Most of the people that sign up to use our service for social media sites eventually become a problem just because of this. It generates too many complaints.


Comments policy: Al is always right. Kidding, mostly. Be polite, please and thank you.