funsec mailing list archives

Re: "Zuck" mail?


From: Rich Kulawiec <rsk () gsp org>
Date: Thu, 6 Jan 2011 16:38:55 -0500

On Wed, Dec 29, 2010 at 11:38:54PM +0000, Paul Vixie wrote:
> what advice -- useful, pertinent, realistic advice -- can we give to facebook?

As other folks have noted here:

1. Do not create an account until/unless confirmation email is acted on.
Set a sunset date for that (a week?).  Track IP addresses which are trying
to create accounts; peer carefully at that subset which keep trying to
create accounts whose confirmation email messages are never acted on.
Make sure confirmation email messages include a negative as well as
a positive option.  Again, track IP addresses and scrutinize those
which keep trying to create accounts that get NAK'd.

2. Stop harvesting "address books", spamming everyone and everything
in them, and forging the [alleged] address of the sender into that spam.

3. Use the Spamhaus DROP list, inbound and outbound, on all network
traffic.

4. Pay attention to 5xx SMTP responses and stop banging away constantly
at addresses that don't exist any more.

5. Having done the above, notably 1 and 2, lead by example.  That is:
stand up in front of the community, explain why these things are necessary
not just for FB but for all sites, and challenge others to bring
their operations up to the same standard.

None of this is a panacea of course; there are still a ton of issues
with FB and every other social networking site.  But everything above
is quite easy for anyone of even modest abilities.  Given that FB
has essentially unlimited funds, I presume that they employ some people
who have way more than that.

---rsk
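Added illustration (not code from the post, the list, or Facebook) of the confirm-before-create flow in item 1: a signup produces only a pending record with a confirm and a reject ("negative option") token, records not acted on within the sunset period are dropped, and the requesting IP is counted each time its signups go unconfirmed or get NAK'd. The class names, the 3-strike threshold and the sample addresses are constructed for the example.

```python
"""
Confirm-before-create signup flow with sunset expiry and per-IP abuse tracking.
Added example, not Facebook's code and not code from the funsec thread.
All names, thresholds and sample data below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import secrets

SUNSET = timedelta(days=7)      # the "a week?" sunset from the post
SUSPICIOUS_THRESHOLD = 3        # constructed: unconfirmed + NAK'd signups per IP before we flag it


@dataclass
class PendingSignup:
    email: str
    source_ip: str
    requested_at: datetime
    confirm_token: str
    reject_token: str           # the "negative option" carried in the confirmation mail


@dataclass
class SignupRegistry:
    pending: dict = field(default_factory=dict)          # confirm_token -> PendingSignup
    reject_index: dict = field(default_factory=dict)     # reject_token -> confirm_token
    accounts: set = field(default_factory=set)           # only confirmed addresses land here
    unconfirmed_by_ip: defaultdict = field(default_factory=lambda: defaultdict(int))
    nakd_by_ip: defaultdict = field(default_factory=lambda: defaultdict(int))

    def request(self, email, source_ip, now):
        """Record a signup request. No account exists yet, only a pending record."""
        ct, rt = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.pending[ct] = PendingSignup(email, source_ip, now, ct, rt)
        self.reject_index[rt] = ct
        return ct, rt

    def confirm(self, confirm_token, now):
        """Positive option: create the account, but only inside the sunset window."""
        rec = self.pending.get(confirm_token)
        if rec is None or now - rec.requested_at > SUNSET:
            return False
        self._drop(rec)
        self.accounts.add(rec.email)
        return True

    def reject(self, reject_token):
        """Negative option: the recipient says 'not me'; count it against the requesting IP."""
        ct = self.reject_index.get(reject_token)
        if ct is None:
            return False
        rec = self.pending[ct]
        self._drop(rec)
        self.nakd_by_ip[rec.source_ip] += 1
        return True

    def expire(self, now):
        """Sunset pass: drop pending records past SUNSET and count each against its IP."""
        expired = [r for r in self.pending.values() if now - r.requested_at > SUNSET]
        for rec in expired:
            self._drop(rec)
            self.unconfirmed_by_ip[rec.source_ip] += 1
        return len(expired)

    def suspicious_ips(self):
        """IPs whose dead or NAK'd signups reach the threshold: (ip, unconfirmed, nakd)."""
        out = []
        for ip in sorted(set(self.unconfirmed_by_ip) | set(self.nakd_by_ip)):
            u, n = self.unconfirmed_by_ip[ip], self.nakd_by_ip[ip]
            if u + n >= SUSPICIOUS_THRESHOLD:
                out.append((ip, u, n))
        return out

    def _drop(self, rec):
        del self.pending[rec.confirm_token]
        del self.reject_index[rec.reject_token]


def demo():
    """Constructed scenario: one real user, one bulk creator, one late confirmation."""
    reg = SignupRegistry()
    t0 = datetime(2011, 1, 6, 16, 38)
    ct, _ = reg.request("alice@example.com", "198.51.100.7", t0)
    reg.confirm(ct, t0 + timedelta(hours=1))                 # confirmed promptly
    for i in range(5):                                       # five signups never acted on
        reg.request(f"bot{i}@example.net", "203.0.113.9", t0)
    _, rt = reg.request("victim@example.org", "203.0.113.9", t0)
    reg.reject(rt)                                           # recipient uses the negative option
    late_ct, _ = reg.request("late@example.net", "192.0.2.44", t0)
    late_ok = reg.confirm(late_ct, t0 + SUNSET + timedelta(days=1))  # too late, refused
    expired = reg.expire(t0 + SUNSET + timedelta(seconds=1))
    return {"accounts": sorted(reg.accounts), "late_confirm": late_ok,
            "expired": expired, "suspicious": reg.suspicious_ips()}


if __name__ == "__main__":
    print(demo())
```

The registry only ever creates an account from `confirm()`, so unconfirmed requests never become accounts that can be spammed from; the per-IP counters give the reviewer the "subset which keep trying" that the post says to peer at.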
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.