Thursday, January 3, 2013

Facebook: sending messages to strangers (non-friends) for free and/or spoofing the sender

Facebook is testing paid messages to strangers. How much would you pay to contact a stranger? Actually, you can do it for free. In case you don't know, when you have a Facebook account you already have an email address in the facebook.com domain. You can simply send an email to that address and the message will appear in the Facebook inbox. However, depending on the "Who can contact me" settings, the receiver will or will not be notified, and the message will land either in the "Inbox" or in the "Other" folder. By default it is set to "Basic Filtering", which means that the receiver will be notified (the "paid option" simply ignores these settings, so the receiver is always notified and your message is guaranteed to land in the "Inbox").

This is already a well-known issue, known as Facebook message spoofing. Why? Because we can spoof the mail headers the old-school way :) For example, this simple PHP script will do the job:
<?php
$to = 'facebookID@facebook.com';       // the target's Facebook e-mail address (facebookID is a placeholder)
$senderAddress = 'email@address.tld';  // whatever address the message should appear to come from
$subject = 'Some subject';
$message = 'Some message';

// From and Reply-To are taken verbatim from the caller: nothing verifies them
$header = "From: $senderAddress\nReply-To: $senderAddress";
$mail = mail($to, $subject, $message, $header);
This short video demonstrates the above script in action:

PS. And yes, Facebook does filter and reject mail that claims to come from the facebook.com domain. If it didn't, it would be devastating.
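To make the two points above concrete (the From/Reply-To headers are whatever the sender writes, and the one thing the inbound side is described as doing is rejecting mail claiming to be from facebook.com), here is an added example in Python. It is not code from the original post: it rebuilds the same message as the PHP snippet with the standard email library, shows that the SMTP envelope sender (MAIL FROM) is chosen independently of the From header, and implements a receiver-side check of the kind the PS describes. The recipient ID, addresses and the name of the check are placeholders I chose; the actual filtering logic Facebook used is not known from the post.

```python
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed placeholder values for the example (not from the original post)
PROTECTED_DOMAIN = "facebook.com"


def build_spoofed_message(facebook_id, sender_address, subject, body):
    """Build the message the PHP snippet sends.

    From and Reply-To are filled with whatever the caller supplies; plain
    mail() / SMTP does not authenticate them in any way.
    """
    msg = EmailMessage()
    msg["To"] = f"{facebook_id}@facebook.com"
    msg["From"] = sender_address
    msg["Reply-To"] = sender_address
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def header_from_domain(msg):
    """Domain part of the From header, lower-cased, or '' if unparsable."""
    _, addr = parseaddr(str(msg.get("From", "")))
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def should_reject(msg, protected_domain=PROTECTED_DOMAIN):
    """Receiver-side check in the spirit of the PS: drop any inbound message
    whose From header claims the protected domain or one of its subdomains.
    (Assumed illustration; the real filter is not described on the page.)
    """
    domain = header_from_domain(msg)
    return domain == protected_domain or domain.endswith("." + protected_domain)


def send(msg, envelope_from, smtp):
    """Hand the message to an SMTP client object (e.g. smtplib.SMTP).

    envelope_from becomes the MAIL FROM; it is a separate value from the From
    header, which is why header spoofing is trivial without sender checks.
    """
    smtp.send_message(msg, from_addr=envelope_from, to_addrs=[str(msg["To"])])
    return envelope_from, str(msg["From"])


if __name__ == "__main__":
    m = build_spoofed_message("123456789", "Someone <someone@example.com>", "Hi", "Hello")
    print(m.as_string())
    print("rejected:", should_reject(m))
```

Note that the check above only looks at the header; a real filter would also consult the envelope and SPF/DKIM results, which this post does not go into.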
