Spamming Twitter Users with 15 accounts


This article is about automation on Twitter and abusing Twitter features for spamming.

Hi Guys

I was reading some tweets and, as usual, I found some trends about Twitter-addicted users who are seeking likes, retweets and follow-for-follow. This is the worst purpose to use social media for. Anyway, I decided to spam users so I might get their attention.

I started investigating Twitter and found the following interesting points:

1- Twitter allows multiple registrations with a single email address. Let me clarify:

If you have an email such as [email protected]
you can generate some aliases of it with dots inserted, as follows:
[email protected]
[email protected]
[email protected]
– and others

I used this script to generate more than 400 accounts from a single Gmail address.

2- Guest sessions and tokens are reusable
I mean that when you GET
you will receive some cookies and an authenticity_token.
The registration form is embedded on this main page, so when you supply the sign-up details, a POST request is sent containing the grabbed cookies and token alongside your registration details.

If you took this request and launched Burp Intruder, with the payload set to load the email from a file containing the 400 generated email aliases, you would register 400 Twitter accounts with a single session. This means tokens are reusable, which makes our automation much easier: we do not have to grab new tokens.

3- The login process requires only two requests

The first is the GET we already sent before,
the second is a POST

and if your credentials are valid you will get a session.

4- No rate limits implemented on any function
I mean that when you are logged in you can like dozens of tweets, follow hundreds of people, mass retweet, etc.

5- Weak checking
Any other action, like following, retweeting/liking tweets, tweeting or DM, is easy to trigger. As we said, tokens are reusable, and Twitter protects against CSRF attacks by checking the Referer header regardless of the CSRF token, so we can use the token from the login process in further actions.
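
A defensive sketch for points 1 and 2, added here and not part of the original post or the Tspammer repo: it collapses Gmail dot/plus aliases to one canonical mailbox and flags signups that share a mailbox or reuse a form token. The event field names (`email`, `token`), the limits and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

def canonical_mailbox(email):
    """Collapse Gmail aliases (dots, +tags, googlemail.com) to one mailbox."""
    local, _, domain = email.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    if domain in GMAIL_DOMAINS:  # dots are only ignored by Gmail, not everywhere
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"

def flag_signups(events, max_per_mailbox=1, max_per_token=1):
    """Return (email, reasons) for signups over the per-mailbox/per-token limits."""
    by_mailbox = defaultdict(int)
    by_token = defaultdict(int)
    flagged = []
    for ev in events:  # ev: {'email': ..., 'token': ...} (assumed field names)
        try:
            box = canonical_mailbox(ev["email"])
        except ValueError:
            flagged.append((ev["email"], ["malformed_email"]))
            continue
        by_mailbox[box] += 1
        by_token[ev["token"]] += 1
        reasons = []
        if by_mailbox[box] > max_per_mailbox:
            reasons.append("alias_of_" + box)
        if by_token[ev["token"]] > max_per_token:
            reasons.append("token_reused")
        if reasons:
            flagged.append((ev["email"], reasons))
    return flagged

# Constructed sample signup events (not real accounts or tokens).
SAMPLE = [
    {"email": "jane.doe@gmail.com", "token": "tok-A"},
    {"email": "j.anedoe@gmail.com", "token": "tok-A"},
    {"email": "JaneDoe+x@googlemail.com", "token": "tok-B"},
    {"email": "bob@example.org", "token": "tok-C"},
    {"email": "b.ob@example.org", "token": "tok-D"},
]

if __name__ == "__main__":
    for email, reasons in flag_signups(SAMPLE):
        print(email, reasons)
```

Enforcing a single-use token and a uniqueness check on the canonical mailbox at signup time would reject the second and third sample events outright instead of only flagging them.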

After that

I started to register 400 accounts with Burp Intruder; of course it was as easy as installing Winamp: Next, Next, Finish.
But registered accounts need mobile verification, so I made do with 15 verified accounts.

Then I wrote a script to do the task for me 😀

You can use the following commands to start with it

git clone
cd Tspammer/

You need Python and the Python requests library on your machine.

What does this repo have?
The registered 400 accounts with their passwords
15 valid verified accounts ready to spam
Requests details

What can we get?
1- We can spam any Twitter user with mass likes, retweets and follows
2- You can trend something, but this needs much more than 15 accounts. Of course you can post 10K tweets with 15 accounts, but it will not be considered a real trend


Note: Some functions, like DM, are not implemented in tspammer; I did not enable it yet.

Partners: if you have some accounts already verified, you can send them to us and we will push them to the script to enhance it.

If you find this article poor, I respect your opinion; I was in a hurry. Post any question and I will make all points clear.

Have Fun


  1. Great info on your website!
    I have a question:
    if there is an inactive user on Twitter (since 2013), do I have a chance to have his/her user?

    Thank you

