funsec mailing list archives
Re: But Facebook are not spammers - here's a screenshot
From: Rich Kulawiec <rsk () gsp org>
Date: Sat, 5 Jun 2010 14:02:00 -0400
On Mon, May 24, 2010 at 01:32:56AM +0300, Gadi Evron wrote:
> Attached is a screenshot of what a Facebook invite screen looks like.
> Tell me how this is spam, please? Be specific, so that we can discuss
> specifics.

<shrug> Screenshots have no relevance whatsoever. All that matters is whether or not Facebook is sending unsolicited bulk email. They are clearly sending email. They are clearly sending it in bulk. [1] [2] They are clearly sending it to recipients who never solicited it (including recipients who could not have solicited it, including recipients who are not users and recipients who have never existed).

Everything else might be of peripheral interest, regarding the "how" and "why" and "what" and "who", but whatever the answers to these questions are, they do not alter in any way the fact that Facebook sends UBE, aka spam, from Facebook's spam generation mechanism on Facebook's domains on Facebook's servers on Facebook's network(s): it's therefore Facebook's spam. They're as responsible for it as they are for any other network traffic they emit.

For example: suppose one of their web servers went bonkers and launched a DoS attack on another host somewhere. Their traffic: their responsibility. Of course in that hypothetical DoS case we might be able to presume that such an event was the result of a mistake, or a malfunction, or perhaps even an intruder. However, in *this* case it is obvious to all that this spam-generation mechanism, including the social engineering front-end, was carefully engineered not just to send spam but to evade blame for doing so via forgery: it is of course dishonest and fraudulent of Facebook to emit mail putatively from domains that have not explicitly authorized Facebook to emit mail on their behalf.

None of this should surprise anyone who has been paying attention to Facebook's history, including that of its sleazy founder. Everyone knows (or darn well should know) that Facebook's "users" are not its users at all: they are merely the product.

The entire operation is a social engineering scam designed to convince them to voluntarily provide their attention (which is a saleable commodity) and their private information (also a saleable commodity) to the REAL users of Facebook, who are those paying for these items. Just as obvious is that Facebook will sell either to anyone with sufficient cash-in-hand. Almost as obvious is that little, if anything, stops Facebook's employees from making their own deals. (Surely no one who has been paying attention will make the fanciful leap of imagination required to assume that there are any kind of internal access controls, audit capability, or anything else that might prevent this.) And only slightly less obvious than that is that their ongoing parade of massive security holes offers plentiful opportunities for third parties to avail themselves of substantial portions of that information and make *their* own deals.

Perhaps one of these vectors explains how some spamtrap addresses only disclosed to Facebook via the very spamming mechanism we're discussing here have subsequently received spam from other sources. Either Facebook sold the data, or a Facebook employee sold the data, or someone who stole it sold the data. It's unknowable which, of course, but these experiments do provide an existence proof that a data disclosure path exists between Facebook and other spammers. Cue Captain Renault, who is shocked, shocked by this development.

Given all this, spam may well be one of the *least* abusive things that Facebook does. But the inarguable fact remains that they do it.

---Rsk

[1] The measurement point for "bulk" is not any one recipient's mailbox, nor any one mail server, nor any one network. It's "across the entire Internet". Thus it doesn't matter whether 172,163 messages are sent from one server to another; or 86,162 messages are sent from 86,162 servers to one; or 8,792,112 messages are sent from 371,325 servers to 571,912 other servers, or any other combination.

Now, granted, if all such messages are directed to one host or to one address, we generally call such an N->1 event "mailbombing", but that's really just an edge case of spam that happens to have its own name. Note as well that highly distributed spamming operations weren't really extant until this decade, when they became possible thanks to the rise of the zombies and thanks to the willingness of corrupt hosters to provide services to prolific snowshoe operations.

[2] We can distinguish this from ordinary mail traffic by noting, as Vernon often reminds us, that ordinary mail traffic initiated by ordinary users (including mailing list traffic) isn't bulk: that is, messages are individually composed by one user to send to another user (or more than one user, either by directly addressing them or submitting them to a mailing list). [Side note: of course, all traffic on a properly-operating mailing list is solicited via completion of a COI process anyway.]

Contrast the non-bulk nature of this ordinary mail traffic with that emitted by Facebook: all messages are derived from a template which looks something like this:

    I set up a Facebook profile where I can post my pictures, videos and
    events and I want to add you as a friend so you can see it.

    First, you need to join Facebook!

    Once you join, you can also create your own profile.

It is completely obvious to everyone that this is bulk traffic.
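Added example (editor's illustration, not code from the post or from any list member): footnote [2] separates template-derived mail from individually composed mail, and footnote [1] insists that "bulk" is counted across every origin pooled together rather than per sender or per mailbox. The Python below turns both observations into a detection sketch: each body is reduced to a template skeleton by replacing the slots a mail merge fills in (addresses, links, numbers, capitalised names) with placeholders, the skeleton is hashed, and messages are clustered by that hash regardless of who sent them. The sample messages, sender addresses and placeholder regexes are all constructed for the example; the three template instances follow the wording quoted in the footnote.

```python
"""Template-derived bulk mail detection (constructed example)."""
import hashlib
import re
from collections import defaultdict

# Constructed sample messages: (envelope sender, body). Not real mail.
# The first three are instances of the invitation template quoted in the
# post, each with a different inviter and recipient substituted in; the
# last two are individually composed, the way ordinary user-to-user mail is.
MESSAGES = [
    ("alice@example.org",
     "Hi Bob, I set up a Facebook profile where I can post my pictures, "
     "videos and events and I want to add you as a friend so you can see it. "
     "First, you need to join Facebook! Once you join, you can also create "
     "your own profile. Alice"),
    ("carol@example.com",
     "Hi Dave, I set up a Facebook profile where I can post my pictures, "
     "videos and events and I want to add you as a friend so you can see it. "
     "First, you need to join Facebook! Once you join, you can also create "
     "your own profile. Carol"),
    ("erin@example.net",
     "Hi Frank, I set up a Facebook profile where I can post my pictures, "
     "videos and events and I want to add you as a friend so you can see it. "
     "First, you need to join Facebook! Once you join, you can also create "
     "your own profile. Erin"),
    ("grace@example.org",
     "Bob, are we still on for lunch on Thursday? I booked the table for 12:30."),
    ("heidi@example.com",
     "Could you send me the slides from yesterday's meeting when you get a "
     "chance? Thanks, Heidi"),
]

# Crude placeholder patterns for the fields a mail merge substitutes.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(r"https?://\S+")
NUM_RE = re.compile(r"\d+")
NAME_RE = re.compile(r"\b[A-Z][a-z]+\b")   # any capitalised word, names included
WS_RE = re.compile(r"\s+")


def skeleton(body: str) -> str:
    """Strip the per-recipient variable fields out of a message body.

    Mail-merged bulk mail differs between copies only in the slots the
    template fills in (names, addresses, numbers, links). Replacing those
    with fixed placeholders leaves the template itself, which is identical
    for every copy. Hand-written mail has no such shared skeleton.
    """
    text = EMAIL_RE.sub("<email>", body)
    text = URL_RE.sub("<url>", text)
    text = NUM_RE.sub("<num>", text)
    text = NAME_RE.sub("<name>", text)
    return WS_RE.sub(" ", text).strip().lower()


def fingerprint(body: str) -> str:
    """Short stable identifier for a message's template skeleton."""
    return hashlib.sha256(skeleton(body).encode()).hexdigest()[:16]


def bulk_clusters(messages, min_copies: int = 2) -> dict:
    """Group messages by template fingerprint, pooled across all senders.

    Counting is done over the whole stream, not per sender or per
    recipient: the measurement point for "bulk" is the aggregate, so copies
    arriving from many different origins still count towards one cluster.
    Returns {fingerprint: sorted list of senders} for clusters holding at
    least `min_copies` messages.
    """
    clusters = defaultdict(list)
    for sender, body in messages:
        clusters[fingerprint(body)].append(sender)
    return {fp: sorted(senders) for fp, senders in clusters.items()
            if len(senders) >= min_copies}


if __name__ == "__main__":
    for fp, senders in bulk_clusters(MESSAGES).items():
        print(f"template {fp}: {len(senders)} copies from {len(set(senders))} origins")
```

Run as a script it reports one cluster of three copies from three distinct origins; the two hand-written messages produce unique skeletons and are not reported. The capitalised-word rule is deliberately blunt (it also masks sentence-initial words), which is harmless here because the masking is applied identically to every copy; a production filter would use a proper name/address extractor and a near-duplicate hash rather than an exact one.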