funsec mailing list archives
Re: But Facebook are not spammers [was: And Facebook sells user data, too ...]
From: Rich Kulawiec <rsk () gsp org>
Date: Sun, 23 May 2010 17:39:19 -0400
On Sat, May 22, 2010 at 02:27:57AM +0300, Gadi Evron wrote:
> Facebook does not spam.
You're wrong. I have spam-in-hand. Case closed. [1]

Now...why they do it, how they do it, whether there is an opt-out mechanism, why they forge mail from other domains without permission, etc., are all interesting questions, but the answers to those questions have absolutely no bearing on whether it's spam or not. We could also discuss what measure of culpability the marks handing over access to their address books bear for this, and certainly that's non-zero -- but since the spam comes from Facebook's deployed mechanism via Facebook's domains on Facebook's servers on Facebook's network, it's clearly Facebook's spam. [2]

As to the proper definition of spam (unsolicited bulk email): it's served us very well for a long time. It's proved itself to be a more-than-worthy replacement for earlier extant terminology such as "mass mail abuse". During that time, I've seen many assertions that it needs modification. Those assertions, without exception, come from two types of sources:

1. Spammers and their associates/enablers
2. Well-meaning but insufficiently-experienced people

In the case of (1), this is so common that we have developed a phrase to encapsulate it: "Spam is that which we do not do". Vernon Schryver has accumulated a sizable list of these attempted redefinitions (with contributions from a number of folks, including me) and posted them here:

http://www.rhyolite.com/anti-spam/that-which-we-dont.html

I trust it's obvious why those engaged in spam or in supporting it would very much like to redefine spam as that which they do not do. Such attempts are of course uniformly rejected, as they must be.

In case of (2), I find that these come from people who haven't worked in the field long enough to develop a full understanding of just what UBE means -- and just as importantly, what it doesn't mean. For instance, UBE does not imply "has a non-zero-length message body"; as we all know, null spam is still spam. Nor does it imply forgery. Nor does it matter whether there is an opt-out mechanism or not. Nor does it matter whether it is "certified". (This one is especially laughable given that certifiers are often paid by spammers to assert that their spam isn't spam.) Nor does it {insert much MUCH longer discussion here, much of which has taken place on spam-l and other similar places over the past few decades}.

Is it possible that one day a better operational definition will come along? Sure. After all, this has already happened once. Perhaps someone equipped with both breadth and depth of experience in the field will manage to craft a sufficiently-compelling argument that persuades the working community that whatever-it-is they have in mind really is superior. But it's pretty unlikely that this will happen merely because someone doesn't understand the current definition or doesn't like it or thinks it's too old.

---Rsk

[1] And I'm hardly the only one. We've discussed this among some of the more experienced people working in the anti-spam field and it seems that many of us have a generous cross-section of spam from an assortment of so-called "social networks". I often refer to them as the "privacy destruction industry" because as far as I can tell, their business models are based on a combination of con jobs, deception, data harvesting and brokering, privacy invasion, and abuse. Certainly anyone who has been paying attention during even just the last month knows that this montage describes Facebook beautifully.

[2] There are a few other things worth noting here: of course, Johnny Socialite is perfectly capable of sending out his own mail messages from his own account using his own mail server and saying "I just joined <blah> and you should too".
There is thus no reason whatsoever for such a mechanism to exist -- *except* to send spam, and to harvest address books so that the data can be accumulated and sold to anyone with cash-in-hand -- including other spammers, some of whom find social graph information quite useful.