funsec mailing list archives

Re: But Facebook are not spammers - here's a screenshot


From: Rich Kulawiec <rsk () gsp org>
Date: Sat, 5 Jun 2010 14:02:00 -0400

On Mon, May 24, 2010 at 01:32:56AM +0300, Gadi Evron wrote:
> Attached is a screenshot of what a Facebook invite screen looks
> like. Tell me how this is spam, please? Be specific, so that we can
> discuss specifics.

<shrug> Screenshots have no relevance whatsoever.  All that matters
is whether or not Facebook is sending unsolicited bulk email.

They are clearly sending email.

They are clearly sending it in bulk. [1] [2]

They are clearly sending it to recipients who never solicited it
(including recipients who could not have solicited it, including
recipients who are not users and recipients who have never existed).

Everything else might be of peripheral interest, regarding the "how"
and "why" and "what" and "who", but whatever the answers to these
questions are, they do not alter in any way the fact that Facebook
sends UBE, aka spam, from Facebook's spam generation mechanism on
Facebook's domains on Facebook's servers on Facebook's network(s):
it's therefore Facebook's spam.  They're as responsible for it as
they are for any other network traffic they emit.  For example:
suppose one of their web servers went bonkers and launched a DoS attack
on another host somewhere.  Their traffic: their responsibility.

Of course in that hypothetical DoS case we might be able to presume
that such an event was the result of a mistake, or a malfunction, or
perhaps even an intruder.  However, in *this* case it is obvious to all
that this spam-generation mechanism, including the social engineering
front-end, was carefully engineered not just to send spam but to evade
blame for doing so via forgery: it is of course dishonest and fraudulent
of Facebook to emit mail putatively from domains that have not explicitly
authorized Facebook to emit mail on their behalf.

None of this should surprise anyone who has been paying attention to
Facebook's history, including that of its sleazy founder.  Everyone knows
(or darn well should know) that Facebook's "users" are not its users
at all: they are merely the product.  The entire operation is a social
engineering scam designed to convince them to voluntarily provide their
attention (which is a saleable commodity) and their private information
(also a saleable commodity) to the REAL users of Facebook, who are
those paying for these items.  Just as obvious is that Facebook will
sell either to anyone with sufficient cash-in-hand.

Almost as obvious is that little, if anything, stops Facebook's employees
from making their own deals.  (Surely no one who has been paying attention
will make the fanciful leap of imagination required to assume that there
are any kind of internal access controls, audit capability, or anything
else that might prevent this.)  And only slightly less obvious than that
is that their ongoing parade of massive security holes offers plentiful
opportunities for third parties to avail themselves of substantial
portions of that information and make *their* own deals.

Perhaps one of these vectors explains how some spamtrap addresses only
disclosed to Facebook via the very spamming mechanism we're discussing
here have subsequently received spam from other sources.  Either Facebook
sold the data, or a Facebook employee sold the data, or someone who
stole it sold the data.  It's unknowable which, of course, but these
experiments do provide an existence proof that a data disclosure path
exists between Facebook and other spammers.  Cue Captain Renault, who
is shocked, shocked by this development.

Given all this, spam may well be one of the *least* abusive things that
Facebook does.  But the inarguable fact remains that they do it.

---Rsk

[1] The measurement point for "bulk" is not any one recipient's mailbox,
nor any one mail server, nor any one network.  It's "across the entire
Internet".  Thus it doesn't matter whether 172,163 messages are sent
from one server to another; or 86,162 messages are sent from 86,162
servers to one; or 8,792,112 messages are sent from 371,325 servers to
571,912 other servers, or any other combination.  Now, granted, if all
such messages are directed to one host or to one address, we generally
call such an N->1 event "mailbombing", but that's really just an edge
case of spam that happens to have its own name.  Note as well that
highly distributed spamming operations weren't really extant until
this decade, when they became possible thanks to the rise of the
zombies and thanks to the willingness of corrupt hosters to provide
services to prolific snowshoe operations.

[2] We can distinguish this from ordinary mail traffic by noting,
as Vernon often reminds us, that ordinary mail traffic initiated by
ordinary users (including mailing list traffic) isn't bulk: that is,
messages are individually composed by one user to send to another user
(or more than one user, either by directly addressing them or submitting
them to a mailing list).  [Side note: of course, all traffic on a
properly-operating mailing list is solicited via completion of a COI
process anyway.]  Contrast the non-bulk nature of this ordinary mail
traffic with that emitted by Facebook: all messages are derived from a
template which looks something like this:

        I set up a Facebook profile where I can post my pictures,
        videos and events and I want to add you as a friend so you
        can see it. First, you need to join Facebook! Once you join,
        you can also create your own profile.

It is completely obvious to everyone that this is bulk traffic.
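A small demonstration of the template test in [2], added here as an example and not part of the original post: the constructed messages below are three invites filled in from the template above (only the names differ) and two individually composed notes. Word-shingle similarity groups the template-derived messages together while the hand-written ones stay alone; the names, the 4-word shingle size and the 0.6 threshold are assumptions.

```python
import re

# Constructed sample traffic (not real mail): three invites stamped out of the
# same template with different names, interleaved with two hand-written notes.
TEMPLATE = ("I set up a Facebook profile where I can post my pictures, videos and "
            "events and I want to add you as a friend so you can see it. First, you "
            "need to join Facebook! Once you join, you can also create your own profile.")

def invite(recipient, sender):
    return "Hi %s, %s here. %s" % (recipient, sender, TEMPLATE)

MESSAGES = [
    invite("Bob", "Alice"),
    "Hi Carol, are we still on for lunch Thursday? I moved the meeting to 2pm, let me know.",
    invite("Dana", "Erik"),
    invite("Gus", "Fatima"),
    "The patch for the list server is attached; please review the mailman config "
    "change before Friday and reply on the list.",
]

def shingles(text, n=4):
    """Set of lowercase n-word shingles; names and punctuation are just more words."""
    words = re.findall(r"[a-z']+", text.lower())
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}

def jaccard(a, b):
    """Overlap of two shingle sets, 0.0 (unrelated) to 1.0 (identical wording)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def cluster_templates(messages, threshold=0.6):
    """Greedy grouping: a message joins the first cluster whose representative
    shares at least `threshold` of its shingles, otherwise it starts a new one.
    Template-derived messages differ in a handful of shingles around the
    substituted fields, so they land together; individually composed mail
    shares almost nothing and stays alone."""
    clusters = []  # list of (representative shingle set, [message indices])
    for idx, text in enumerate(messages):
        sh = shingles(text)
        for rep, members in clusters:
            if jaccard(rep, sh) >= threshold:
                members.append(idx)
                break
        else:
            clusters.append((sh, [idx]))
    return [members for _, members in clusters]

def bulk_groups(messages, threshold=0.6, min_size=2):
    """Only clusters with several members count as bulk (template-derived) traffic."""
    return [g for g in cluster_templates(messages, threshold) if len(g) >= min_size]
```

Running `bulk_groups(MESSAGES)` reports the three invites as one bulk group and leaves the two hand-written notes ungrouped.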

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.