Conferences
St.Petersburg, Russia
29
March
Las Vegas, USA
07
April
Las Vegas, USA
08-10
April
08-11
April
Moscow, Russia
10
April
Marbella, Spain
10-11
April
Moscow, Russia
11-12
April
Moscow, Russia
11
April
Warsaw, Poland
16
April
Warsaw, Poland
16-17
April
Miami, USA
16-18
April
São Paulo, Brazil
23-26
April
São Paulo, Brazil
23-25
April
São Paulo, Brazil
07-09
May
21-23
May
São Paulo, Brazil
23-25
May
26-27
May
Yerevan, Armenia
30-31
May
Limassol, Cyprus
30-31
May
Pasay, Philippines
03-05
June
Bucharest, Romania
12-15
September
Ibiza, Spain
21-23
September
Budapest, Hungary
30
September
Marsa, Malta
11-14
November
Dubai, UAE
23-25
February

Report by Kirill Nortoxat MAC 2021 Conference: “Why Not Use Facebook Automation?”


Kirill Nortox, co-founder and developer of the FBTool Pro service, talked about the Facebook API at the MAC 2021 conference. He also explained why there’s no point in being alarmed by Facebook automation.

API Access Paths

  1. The basic API access path is described in the documentation. You’ll require a token.
  2. Cookies are required too, but there’s a way to replace a token. This method unveils certain opportunities (e.g., you can bind a bank card).
  3. Web API user interface. These are queries that Facebook conceals from developers. No outsider will ever know behind the scenes. The request is sent to the platform and things happen out of sight.

Token

To make automation work, you have to use methods where tokens are required. What’s a token?

A token is a passkey that contains information about the account where requests come from, the application issued the token, and actions the token can perform.

The first 10-15 characters vary depending on the app that issued the token.

How to Obtain a Token?

There are two ways to obtain a token:

  • Create a DIY Facebook app. This method is mainly used by services for advertisers of white offers outside CIS market.
  • Use a Facebook app’s token. You can copy it from the source code of the Ads Manager.

DIY app

Pros:

  • Safe.
  • Official.

In this case, it doesn’t matter which IP and UserAgent send requests to the API. That’s the official working practice with Facebook.

Cons:

  • Moderation.
  • Limitations. For example, if you have a lot of ads running on your account, which receive a lot of user comments, you won’t be able to monitor comments often.
  • Limited feature set. You won’t be able to bind cards or create a Fan Page.
  • Risk of ban and app disabling. If 10-15 accounts are banned for violating the rules of the social network, the app will be banned as well.

This method is not suitable for automation. Therefore, FBTool works with tokens from the Ads Manager.

Ads Manager token

Pros:

  • The accounts cannot be linked since the token is issued by the official Facebook app.
  • Limitless possibilities.

Cons:

  • IP issues on accounts with low trust.
  • It’s difficult to automate the process of obtaining official tokens on a large scale in terms of quality since it requires logging in from a trusted IP address or using Cookies via a quality anti-detect browser so that Facebook does not interlink accounts.

Browser API

Why the token in the source code? Because it allows Facebook to offload its servers.

Let’s consider the case when the advertiser has many ad campaigns. So he/she doesn’t wait for the whole page to load, the page elements are loaded gradually. First, a table with ad campaigns in the cabinet is loaded, followed by statuses and statistics.

Gradual page loading occurs because Facebook sends a script to the advertiser’s browser that loads the page user-side and fills it with the user’s content.

Hence this method is not any kind of sure way to get caught since it’s designed to send requests to this API. This is natural when you’re working with an Ads Manager.

Automation Principle

According to the above principle, log in with your username and password or with Cookies. Facebook will generate a token with the required information. It has pre-approved the account. This allows the browser to access the API. To make automation work, copy the token and paste it.

What does Facebook monitor through the API?

  • A token it has generated.
  • UserAgent (browser type and version).
  • The IP address managed via proxy.

Facebook can’t obtain information about the hardware. To obtain the hardware information, Facebook has to share a JavaScript script code that will be executed by the user’s browser, which then will send the information to Facebook. Since developers can see the response source code, they can see that no scripts were sent.

If you work with a token, there will be no extra sessions.

Some Reasons for Bans

According to Kirill, Facebook will never ban an account for one reason but a combination of factors. In his report, he shared some reasons for bans.

  • Attempted account hacking.

There was a case with an account that had been processed for a year. It was added without the proxy. It had the IP address of the service, which did not coincide with the IP address of the user’s hardware.

The day the account was hacked, it was reset to enter a new password. It turns out that Facebook didn’t care about it for a year, but as soon as the user reset the account’s password, the account’s trust dropped.

  • Wired Internet distribution via the smartphone. There was a publisher whose accounts were banned all the time. It turned out that he was distributing a wired Internet connection from his smartphone to the PC. He was changing the IP address in flight mode. The day he created a WLAN access point in the smartphone, the problem was gone.
  • Suspicious Instagram activity. Kirill had a personal account in the service for two years. He added it several times using different proxies and UserAgent,no problem. The day he logged into his Instagram account via his new smartphone linked to his Facebook account, Facebook noticed a suspicious login.
  • Purchased token. Purchased tokens are reviewed quite often. However, if you obtain the token yourself, there will be no such problem.
  • IP/subnet giveaway (including mobile network).

API Proxies

You might want to use proxies from which you took the token,  including mobile proxies.

It is widely stated that when it comes to mobile proxies with an IP address unchanged, Facebook will link all accounts and block them all. But Facebook cannot link accounts’ IP addresses by API.

The FBtool team conducted various tests such as adding several mobile proxies to the service. They had an assumption that mobile proxies would affect the accounts’ trust in a good way.

As a result, amid ISP’s issues with IP address changing, some of the accounts were turned down.

It turns out that if you change the IP address before making a request to each account instead of working from a single IP address, each IP address change may be the last.

If you don’t have an opportunity to work from the IP address from which you took the token, Kirill advises you to opt for proxies that provide a stable connection likebackendIPv4, for example.

How to Use Mobile Proxies?

  • It pays if the token was taken from the same proxy.
  • Don’t ever enable IP auto-change. That’s evil.

There’s a misconception that when you automatically change your IP address, you imitate a real user’s behavior who travels around the city. Only when people travel around, their IP address changes from one cell tower to another, but not within a single cell tower.

There are still few advertisers of white offers who run ads on Facebook via the mobile web.

  • The fewer IP address changes, the better.
  • The number of accounts per proxy is limited by the proxy’s capacity.

Mobile Proxy Analysis

The FBtool team analyzed a mobile proxy in Moscow. They changed their IP address every two minutes for a month and documented the IP address after each change.

What did analysis findings tell them? Mobile proxies are not a panacea. A single cell tower provides a limited set of IP addresses. Facebook knows that these IP addresses are coming from a single cell tower. So it can link accounts with no problem. Especially when there are 10-20 accounts within a single cell tower that start running ads in one day from a new location.

CPARIP


Like it? Share with your friends!
0 Comments
Affiliate - Our assessment
Verticals
Min. sum
Site
An affiliate program from the direct advertiser Mostbet.com. They accept gambling and betting traffic worldwide. CPA on popular GEO is $20-50, Revshare - from 30% to 70%. They share apps and deeplinks upon request. They also offer a large selection of proxies.
$50 pay
фото
фото
фото
фото
фото
A CPA network that has been on the market since 2013. They have over 1500 offers and offer dynamic bids. Key GEOs: CIS, Europe, and LatAm, Africa. They also have a loyalty program with bonuses for leads.
$50 pay
фото
фото
фото
фото
фото
Affiliate network in the iGaming vertical. They work only with direct advertisers, and the lion's share of offers are presented exclusively. Huffson has individual conditions, own platform, detailed statistics, PWA applications, and custom promo.
$100 pay
фото
фото
фото
фото
фото
фото
фото
фото
фото
V.Partners review
It’s a direct advertiser of the popular European casino “Vulkan Vegas” established back in 2016. They operate in the gambling vertical within CPA, RevShare, and Hybrid partnership models.
€100 pay
фото
фото
фото
фото
фото
фото
It's a direct advertiser of the “GG.bet” brand. It's a multi-affiliate program, where they combine casino, betting, and cybersports which allows you to make money in different areas simultaneously. Established in 2016. They operate within CPA, RS, and Hybrid partnership models. RevShare is up to 60%.
$20 pay
фото
фото
фото
фото
фото
фото