funsec mailing list archives
Re: "Zuck" mail?
From: Rich Kulawiec <rsk () gsp org>
Date: Thu, 6 Jan 2011 16:38:55 -0500
On Wed, Dec 29, 2010 at 11:38:54PM +0000, Paul Vixie wrote:
> what advice -- useful, pertinent, realistic advice -- can we give to facebook?
As other folks have noted here:

1. Do not create an account until/unless confirmation email is acted on. Set a sunset date for that (a week?). Track IP addresses which are trying to create accounts; peer carefully at that subset which keep trying to create accounts whose confirmation email messages are never acted on. Make sure confirmation email messages include a negative as well as a positive option. Again, track IP addresses and scrutinize those which keep trying to create accounts that get NAK'd.

2. Stop harvesting "address books", spamming everyone and everything in them, and forging the [alleged] address of the sender into that spam.

3. Use the Spamhaus DROP list, inbound and outbound, on all network traffic.

4. Pay attention to 5xx SMTP responses and stop banging away constantly at addresses that don't exist any more.

5. Having done the above, notably 1 and 2, lead by example. That is: stand up in front of the community, explain why these things are necessary not just for FB but for all sites, and challenge others to bring their operations up to the same standard.

None of this is a panacea of course; there are still a ton of issues with FB and every other social networking site. But everything above is quite easy for anyone of even modest abilities. Given that FB has essentially unlimited funds, I presume that they employ some people who have way more than that.

---rsk

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
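A worked sketch of item 1 above (no account until the confirmation mail is acted on, a sunset for unconfirmed requests, a positive and a negative option in the mail, and per-IP tracking of sources whose requests keep expiring or getting NAK'd) together with item 4 (treating a 5xx SMTP reply as a signal to stop mailing that address). This is an added example, not code from the post or from Facebook; the one-week sunset, the flagging threshold of five, and the addresses and IPs used are assumptions.

```python
"""Sign-up hygiene sketch: pending requests, sunset, NAK option, per-IP tracking,
and 5xx suppression.  Added example; thresholds and names are assumptions."""
import secrets
from dataclasses import dataclass, field

SUNSET_SECONDS = 7 * 24 * 3600  # assumption: the post's "a week?" as the sunset
ABUSE_THRESHOLD = 5             # assumption: flag an IP after this many dead/NAK'd requests


@dataclass
class Pending:
    email: str
    ip: str
    created: float          # seconds since epoch when the request was made
    confirm_token: str      # positive option in the confirmation mail
    reject_token: str       # negative option ("I did not request this")


@dataclass
class SignupRegistry:
    pending: dict = field(default_factory=dict)            # token -> Pending (both tokens map to it)
    accounts: set = field(default_factory=set)             # emails that became real accounts
    unconfirmed_by_ip: dict = field(default_factory=dict)  # ip -> requests that hit the sunset
    nakd_by_ip: dict = field(default_factory=dict)         # ip -> requests explicitly rejected
    suppressed: set = field(default_factory=set)           # addresses that answered 5xx

    def request(self, email, ip, now):
        """Record a sign-up request.  No account exists until confirm() succeeds."""
        if email in self.suppressed:
            return None  # item 4: a permanent SMTP failure was seen; do not mail again
        p = Pending(email, ip, now, secrets.token_urlsafe(16), secrets.token_urlsafe(16))
        self.pending[p.confirm_token] = p
        self.pending[p.reject_token] = p
        return p

    def _drop(self, p):
        self.pending.pop(p.confirm_token, None)
        self.pending.pop(p.reject_token, None)

    def confirm(self, token, now):
        """Positive option acted on: create the account, unless the request has sunset."""
        p = self.pending.get(token)
        if p is None or token != p.confirm_token:
            return False  # unknown token, or the reject token used on the confirm URL
        if now - p.created > SUNSET_SECONDS:
            self.expire(now)  # too late; charge it to the IP like any other dead request
            return False
        self._drop(p)
        self.accounts.add(p.email)
        return True

    def reject(self, token):
        """Negative option acted on: drop the request and count a NAK against the IP."""
        p = self.pending.get(token)
        if p is None or token != p.reject_token:
            return False
        self._drop(p)
        self.nakd_by_ip[p.ip] = self.nakd_by_ip.get(p.ip, 0) + 1
        return True

    def expire(self, now):
        """Sunset sweep: discard requests never acted on and charge each to its source IP."""
        stale = {id(p): p for p in self.pending.values() if now - p.created > SUNSET_SECONDS}
        for p in stale.values():
            self._drop(p)
            self.unconfirmed_by_ip[p.ip] = self.unconfirmed_by_ip.get(p.ip, 0) + 1
        return len(stale)

    def smtp_response(self, email, code):
        """Item 4: on a 5xx reply, suppress the address and drop any pending request for it."""
        if 500 <= code <= 599:
            self.suppressed.add(email)
            for q in {id(q): q for q in self.pending.values() if q.email == email}.values():
                self._drop(q)

    def suspicious_ips(self):
        """IPs whose dead (sunset) plus NAK'd request count reaches the threshold."""
        ips = set(self.unconfirmed_by_ip) | set(self.nakd_by_ip)
        return sorted(ip for ip in ips
                      if self.unconfirmed_by_ip.get(ip, 0) + self.nakd_by_ip.get(ip, 0) >= ABUSE_THRESHOLD)
```

The registry is deliberately in-memory and single-process; in a real deployment the same state would live in a datastore and `expire()` would run on a schedule, but the decisions (no account before confirmation, reject tokens distinct from confirm tokens, counting both expiries and NAKs per IP, honouring 5xx) are what the post asks for.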