funsec mailing list archives

Re: But Facebook are not spammers [was: And Facebook sells user data, too ...]


From: Rich Kulawiec <rsk () gsp org>
Date: Sun, 23 May 2010 17:39:19 -0400

On Sat, May 22, 2010 at 02:27:57AM +0300, Gadi Evron wrote:
> Facebook does not spam.

You're wrong.  I have spam-in-hand.  Case closed. [1]

Now...why they do it, how they do it, whether there is an opt-out
mechanism, why they forge mail from other domains without permission,
etc., are all interesting questions, but the answers to those questions
have absolutely no bearing on whether it's spam or not.  We could
also discuss what measure of culpability the marks handing over access
to their address books bear for this, and certainly that's non-zero --
but since the spam comes from Facebook's deployed mechanism via
Facebook's domains on Facebook's servers on Facebook's network,
it's clearly Facebook's spam. [2]

As to the proper definition of spam (unsolicited bulk email): it's served
us very well for a long time.  It's proved itself to be a more-than-worthy
replacement for earlier extant terminology such as "mass mail abuse".
During that time, I've seen many assertions that it needs modification.
Those assertions, without exception, come from two types of sources:

        1. Spammers and their associates/enablers
        2. Well-meaning but insufficiently-experienced people

In the case of (1), this is so common that we have developed
a phrase to encapsulate it: "Spam is that which we do not do".
Vernon Schryver has accumulated a sizable list of these attempted
redefinitions (with contributions from a number of folks, including
me) and posted them here:

        http://www.rhyolite.com/anti-spam/that-which-we-dont.html

I trust it's obvious why those engaged in spam or in supporting it
would very much like to redefine spam as that which they do not do.
Such attempts are of course uniformly rejected, as they must be.

In the case of (2), I find that these come from people who haven't worked
in the field long enough to develop a full understanding of just what
UBE means -- and just as importantly, what it doesn't mean.  For instance,
UBE does not imply "has a non-zero-length message body"; as we all know,
null spam is still spam.  Nor does it imply forgery.  Nor does it matter
whether there is an opt-out mechanism or not.  Nor does it matter
whether it is "certified".  (This one is especially laughable given that
certifiers are often paid by spammers to assert that their spam isn't spam.)
Nor does it {insert much MUCH longer discussion here, much of which has
taken place on spam-l and other similar places over the past few decades}.

Is it possible that one day a better operational definition will come
along?  Sure.  After all, this has already happened once.  Perhaps someone
equipped with both breadth and depth of experience in the field will manage
to craft a sufficiently-compelling argument that persuades the working
community that whatever-it-is they have in mind really is superior.
But it's pretty unlikely that this will happen merely because someone
doesn't understand the current definition or doesn't like it or thinks
it's too old.

---Rsk

[1] And I'm hardly the only one.  We've discussed this among some of
the more experienced people working in the anti-spam field and it seems
that many of us have a generous cross-section of spam from an assortment
of so-called "social networks".  I often refer to them as the "privacy
destruction industry" because as far as I can tell, their business models
are based on a combination of con jobs, deception, data harvesting and
brokering, privacy invasion, and abuse.  Certainly anyone who has been
paying attention during even just the last month knows that this montage
describes Facebook beautifully.

[2] There are a few other things worth noting here: of course, Johnny
Socialite is perfectly capable of sending out his own mail messages
from his own account using his own mail server and saying "I just joined
<blah> and you should too".  There is thus no reason whatsoever for such a
mechanism to exist -- *except* to send spam, and to harvest address books
so that the data can be accumulated and sold to anyone with cash-in-hand
-- including other spammers, some of whom find social graph information
quite useful.