
PayPal and zero-dollar invoice spam - temp
http://www.troyhunt.com/2016/01/paypal-and-zero-dollar-invoice-spam.html
======
bcrescimanno
PayPal employee here (and I'm hiring Node.js developers :P ).

I actually got two of these messages while I was out for the holiday break. I
don't work on the team that handles invoicing; but, I (among others) made them
aware of this issue and they are definitely working on a fix.

The challenge, of course, is that there are plenty of legitimate reasons for
sending $0 invoices and we don't want to artificially make our product worse
for our many legitimate customers by going too far in trying to stop this
spam.

~~~
everfree
Genuine question: What are the legitimate uses of $0 invoices? The only thing
I can think of is a product that usually costs money (and thus has an invoice
workflow), but has been marked as free for some promotion.

~~~
outericky
In the case of periodic invoicing but you haven't crossed into the billable
threshold.

Let's say you get 2 hrs of support per month free, after that it costs $100.
If you don't use the full 2 hrs, you'd get a $0 invoice - but there may still
be detail and record of work performed (which you would want)

------
wheaties
On one hand I hate spammers and their ilk. On the other hand, I have to
congratulate them on finding a neat hack around spam filters which is
technically not breaking false claimant laws. The simple fix is to disable
$0.00 invoices as any actual invoice for services not rendered is fraud.

~~~
magicmu
It can, however, be useful to get invoices for purchases that were discounted
down to $0.00. At the startup I'm with we often give new customers a $0.00
trial rate, but they still want invoices so their billing department can keep
track. Of course, this billing system isn't using PayPal, but just a thought.

~~~
ikeboy
Not invoices per se, but if you buy something on eBay using only eBay gift
cards, it processes as a PayPal "transaction" of $0.00. I've got a bunch of
those in my email, always interesting to see "You sent a payment of $0.00 USD
to X".

------
downandout
All of these approaches are used to take advantage of the email deliverability
rates of large reputable companies that send lots of email. PayPal is a new
one, but Hotmail and Facebook have in the past been used for similar things.
With Hotmail, you could define a custom "I've changed my email address"
message, which would contain your spam message, and then it would send it to
up to 5,000 "contacts" for you with near-100% deliverability. Some people
automated this, and with that they were able to send millions of messages per
day. I haven't looked recently, but Facebook's "invite friends" feature has
been used similarly in the past.

------
xentronium
> @AskPayPal: I recommend deleting that tweet, it has your personal info

> @troyhunt: It has my email address – I get email by sharing it with people
> who might want to send me email!

This is golden. Hilariously incompetent tech support trying to make someone
delete the tweet complaining about their spam.

~~~
mikeash
It's probably earnest. An amazingly large number of people think that making
your personal e-mail address public is somehow unwise.

~~~
brianwawok
I mean, it does slightly increase your rate of spam. I have a private email
that I only give out to RL people that has never received a spam message.

~~~
siphor
Wow, I love this idea! Can't believe I haven't thought of it.

~~~
sean-duffy
Having a 'spam email' that you use to sign up for stuff and a separate one for
non-automated communication only is definitely a good idea.

------
tehwebguy
Has PayPal just not tried to fix anything or add features other than a CSS
refresh in, like, ever?

~~~
roymurdock
They acquired Venmo, which was pretty big for adding users to their ecosystem.
They've kept it pretty quiet and have not tried to link the brands together,
which probably says something about the current state of PayPal's brand.

~~~
ericcholis
Braintree as well, which has a site and API that work very well. PayPal's on
the other hand...

------
tyingq
Not mentioned in the article, but PayPal allows you to send a single invoice
to up to 100 different email addresses with a single click.

It also allows a 1-click way to email anyone that "hasn't paid" with an
update.

~~~
bhartzer
I haven't checked, but are you able to send invoices via API?

~~~
tyingq
[https://developer.paypal.com/docs/classic/invoicing/IntroInvoiceAPI/](https://developer.paypal.com/docs/classic/invoicing/IntroInvoiceAPI/)

------
bluedino
I wonder what the reasoning is that PayPal allows you to 'send' someone $0.00?

I'm not really surprised at how terrible the support via Twitter is. I almost
never use chat/email support these days with any large company because of how
useless it has become.

~~~
overcast
I've received invoices for $0.00 when receiving promotional items for projects
I was a part of. Comes right in the shipping box, and I'm assuming it's an
accounting requirement.

~~~
bliti
Yes, it is. Their inventory changed but they did not gain any revenue from it.

------
orf
Why would you put a clickable link to the spam website on your blog though?

~~~
miander
If you're so interested in typing in spam links you might as well search up
something like "cheap electronics online" in Google and start clicking around
page 10.

~~~
miander
Sorry about being a bit rude in this comment. I didn't mean to sound so
sarcastic and I didn't mean to refer to you specifically.

------
shabbaa
For a PayPal employee to post here and say he made a team aware and they are
working on this is utterly laughable.

There was a post here on HN over two years ago for the same issue which was
top post and generated a lot of news.

[https://news.ycombinator.com/item?id=6526481](https://news.ycombinator.com/item?id=6526481)

It is obviously very well known to them for years but they continue to do it.

~~~
rtpg
Obviously well known?

Guy at PayPal sees post, tells a technical person about it, said person
forgets about it. Suddenly PayPal doesn't know about it anymore.

Or a person wants to work on fixing this but a manager says no, because there
are other priorities.

Or a person starts working on this, quits, and it gets lost among the things
they were working on.

It's so easy for things to get lost in a company, even with all the bug
trackers in the world.

~~~
r00fus
Isn't this what support case systems and bug tracking software was meant to do
- to track non-closed issues?

~~~
rtpg
Yeah, I agree, but I think a lot of us work in similar situations, where bug
tracking exists, but there's such inundation of bugs that we can lose track of
some.

I guess I have sympathy for the PayPal team in this case. They're working on
an extremely large product, with a huge user-base. I would imagine it would be
very easy for bugs like this to fall through the cracks even with a "process"
in place.

------
equine
You can send invoices to people to get PayPal to show their name to you and
connect names to emails.

~~~
dogma1138
I can also do that with DirectDebit (ACH for you yanks) transactions in the UK
for example; brute force branch sort code and account numbers and when you
"transfer money" (you can do 1p, or even cancel the transaction once the TUN
code has been generated iirc) you get the name associated with the account.

There isn't much you can do about it, detecting an abuse of an invoicing
system and locally blocking it is much preferable to the other potential
outcome of not knowing or being able to confirm where the hell that
invoice actually went.

------
dudus
I've been getting the same emails for a while now. I sent to PayPal through
email and got no response. I also added on a topic I thought was relevant on
their forum, and a guy there said he reported it and got a less automatic
response than I did.

[https://www.paypal-community.com/t5/Access-and-security/Getting-Spam-Invoices/td-p/352294](https://www.paypal-community.com/t5/Access-and-security/Getting-Spam-Invoices/td-p/352294)

I haven't got more messages lately, so I'm guessing they managed it already.

------
richdougherty
I saw the same sort of thing a few years ago with Google Calendar invite spam.
If I remember correctly, I'd even get a meeting reminder with the spam
message.

------
patates
If we were ever to reach singularity, it would be partly thanks to the
motivation created by the spammers.

------
yeukhon
I read the title and thought of spamming zero dollar gift on Minecraft!

------
kenzokai
Horrible PayPal customer service. This person should not be allowed on their
Twitter account.

------
p0la
This is brilliant :)

