I always thought the Facebook Application for BlackBerry was a buggy, slow piece of junk. Now I have noticed that this application is being abused by spammers to propagate Viagra and Percocet spam. The screenshot to the right is an actual Facebook notification I received on my BlackBerry.
The Facebook Application for BlackBerry has an interesting bug: a spammer who forges the sender domain “facebookmail.com” (the domain Facebook’s real notification email comes from) can make spam messages show up in the notifications list inside the BlackBerry Facebook application. This only works if you have the Facebook for BlackBerry Application installed AND you have an email account configured on your BlackBerry (yes, this includes a corporate email account as well). The spam message is actually delivered to the email account you have configured on your BlackBerry, not through Facebook; the application simply picks it up from there.
The Facebook Application for BlackBerry appears to notify on any new email in one of your BlackBerry mailboxes whose sender or Return-Path header ends in “facebookmail.com”. Both of those headers are supplied by the sending system and are trivially forged over SMTP, so nothing in that check proves the message came from Facebook. This is a win for the spammer: the notification makes you think Facebook itself is contacting you, and with the matching email in your inbox you’re more tempted to click on the link. The Facebook Application for BlackBerry is no stranger to controversy, and this particular bug has been noticed recently by others as well. It also appears that this bug only affects the BlackBerry Facebook application. When testing the iPhone app I couldn’t replicate the issue.
To test this bug I used Exim4 on Ubuntu as a mail relay with mailtools to send the email. This allowed me to send a spoofed email as “email@example.com” to one of the email accounts I have configured on my BlackBerry. Here are screenshots of the spoofed email in my inbox and what it looks like in the Facebook Application for BlackBerry:
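The test above boils down to three things: build a message whose From and Return-Path claim facebookmail.com, hand it to a relay you control, and watch a client that keys on the sender domain treat it as a Facebook notification. The script below is an added example, not the author’s tooling and not Facebook’s or RIM’s code. It models the notification rule the post describes as a plain domain-suffix check, reproduces the spoofed message with Python’s standard library (the post used Exim4 with mailtools; here the relay address 127.0.0.1:25 and all addresses are assumed, constructed values), and shows the kind of check a client would need instead: trusting the domain only when its own MTA’s Authentication-Results header says SPF or DKIM passed for it. The `authenticated_as_trusted` hardening is my suggestion for illustration, not something the post or the application implements.

```python
"""Reproduce the facebookmail.com sender spoof and show why a domain-suffix
check on sender headers is not a trust decision.

Added example; not the post's own code. Relay host/port, the authserv-id and
every address below are constructed for illustration.
"""
import email
import email.policy
import re
import smtplib
from email.message import EmailMessage
from email.utils import parseaddr

TRUSTED_DOMAIN = "facebookmail.com"   # domain the BlackBerry app appears to key on


def sender_domain(header_value) -> str:
    """Lower-cased domain of an address header, ignoring the display name.
    parseaddr('"a@facebookmail.com" <x@evil.example>') yields x@evil.example,
    so a display-name trick alone does not pass; the real weakness is that
    the whole header is chosen by whoever submits the message."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def matches_trusted_domain(domain: str) -> bool:
    """Naive rule: facebookmail.com or a subdomain of it (not notfacebookmail.com)."""
    return domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN)


def would_trigger_notification(msg: EmailMessage) -> bool:
    """Model of the behaviour the post describes: any mail whose From, Sender
    or Return-Path points at *.facebookmail.com is surfaced as a Facebook
    notification. No header here is authenticated."""
    return any(matches_trusted_domain(sender_domain(msg.get(h)))
               for h in ("From", "Sender", "Return-Path"))


def build_spoofed_message(to_addr: str, spoofed_from: str,
                          subject: str, body: str) -> EmailMessage:
    """Message an attacker submits to a relay. Return-Path is normally written
    by the delivering MTA from the SMTP envelope sender; it is set here so the
    model check sees what the victim's mailbox would see after delivery."""
    msg = EmailMessage()
    msg["From"] = spoofed_from
    msg["Return-Path"] = f"<{parseaddr(spoofed_from)[1]}>"
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send_via_relay(msg: EmailMessage, host: str = "127.0.0.1", port: int = 25) -> None:
    """Submit to a local relay (assumed Exim4 listening on 127.0.0.1:25). The
    envelope sender is the spoofed address so the delivered Return-Path matches."""
    with smtplib.SMTP(host, port) as smtp:
        smtp.send_message(msg, from_addr=parseaddr(msg["From"])[1])


def parse_delivered(raw: str) -> EmailMessage:
    """Parse a delivered message as the mail client would read it."""
    return email.message_from_string(raw, policy=email.policy.default)


def authenticated_as_trusted(msg: EmailMessage, authserv_id: str = "mx.example.net") -> bool:
    """Assumed hardening (not what the app does): trust the sender domain only
    when the Authentication-Results header written by *our own* MTA (matched
    by authserv-id, so a header injected upstream is ignored) records
    spf=pass or dkim=pass for that domain."""
    if not matches_trusted_domain(sender_domain(msg.get("From"))):
        return False
    ar = str(msg.get("Authentication-Results", "")).strip()
    if not ar.lower().startswith(authserv_id.lower()):
        return False
    passed = re.search(r"\b(?:spf|dkim)=pass\b[^;]*\b" + re.escape(TRUSTED_DOMAIN) + r"\b",
                       ar, re.IGNORECASE)
    return passed is not None


if __name__ == "__main__":
    spoof = build_spoofed_message("victim@example.com",
                                  "Facebook <notification+abc123@facebookmail.com>",
                                  "You have a new message", "constructed spam body")
    print("naive rule fires:", would_trigger_notification(spoof))        # True
    print("authenticated:   ", authenticated_as_trusted(spoof))          # False
    # send_via_relay(spoof)   # only against a relay you own and are allowed to test
```

The interesting assertion is the last one: the same message that the naive rule surfaces as a Facebook notification fails the authenticated check because no SPF or DKIM result ties the domain to a sender Facebook actually controls. In a real client you would also strip any Authentication-Results header that does not carry your own MTA’s authserv-id before trusting it, which is what the `startswith` check stands in for here.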
My opinion is that a mobile Facebook application should never be polling your personal email for these messages… but then again this could be a “feature” of this nicely designed application, right? 🙂 Special thanks to Kevin Johnson for helping with some of the research/testing.