funsec mailing list archives

Re: Google's "Shared Endorsements"


From: Rich Kulawiec <rsk () gsp org>
Date: Sat, 26 Oct 2013 10:12:15 -0400

On Tue, Oct 22, 2013 at 06:11:46PM +0200, Daniël W. Crompton wrote:
[...] I'm unsure if a blanket statement such as "spammer-originated,
abusive, invasive" applies here.

It does, in the sense that yes, that's where those originated.  That
doesn't mean that you're using them for the same reasons, only that's
where they started.  Let me explain.

Spammers used/use them for three reasons: first, to identify spamtraps.
This is highly useful intelligence, although they don't always use it
wisely.

Second, they track the N-tuple that caused the message to be read by
someone foolish enough to use an HTML-enabled mail client.  That N-tuple
might include (originating IP, message version, addressees, putative
sender, spam batch) or other information.  This in turn allows them to
narrowly target the particular recipient and to broadly assess the
effectiveness of any particular spam batch.

Third, they harvest metadata like the IP address from which the
link was fetched as well as browser/mail client information.  This is
useful for the same reasons as point two (above) but it also provides
useful data for phishing and other attacks -- whether they use it
themselves or just accrue it and sell it to others.  (Consider all
the useful geolocation information contained in such databases.)

Not all of this is always accurate, of course; but it doesn't need to be.
Spammers work on a volume, volume, volume basis.  So even if some of
this is wrong or outdated, mishandled or corrupted, that really doesn't
mean much.  There's always another spam run tomorrow, and another chance
to acquire more data, and eventually, over a long enough time span
with enough runs, they'll get what they want.

I consider all of this highly abusive.  Others don't, primarily spammers
and their supporters, who have all kinds of spurious rationales for
invading the privacy and attacking the security of their victims.
But I do recognize that it's commonplace -- which I find very sad,
as the collective "we" really shouldn't tolerate this nonsense.

And this is one of many reasons why I don't use an HTML-enabled
mail client and recommend the same course of action to others.
I'm certain that the same people who do all this stuff are constantly
developing ever-more-sophisticated ways to attack Internet users,
because well, that's what they do.  (See, for example, the spammers
at LinkedIn, who are now doing it overtly.)  I don't blame them:
I blame us, because we haven't found the collective will to put a
stop to it -- which we could, in a day/week/month, if we acted together
and stuck to it.

---rsk
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
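
Added example (not part of the original message): a Python audit of an HTML mail body that lists the remote resources a rendering client would fetch automatically, which is the fetch that exposes the reader's IP address and client details as described in the message above. The sample message, host names, parameter names and the 16-character token heuristic are constructed assumptions.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed sample message (not from the thread); hosts and token are made up.
SAMPLE = """\
From: news@example.com
To: alice@example.org
Subject: Offer
Content-Type: text/html; charset=utf-8

<html><body><p>Hello</p>
<img src="https://img.example.com/logo.png" width="120" height="40">
<img src="http://t.example.net/o.gif?b=batch17&amp;r=9f8a7c6b5d4e3f2a1b0c" width="1" height="1">
<img src="cid:part1@example.com">
</body></html>
"""

# Attributes that HTML mail clients commonly fetch on render (assumed list).
AUTO_FETCH = {("img", "src"), ("link", "href"), ("iframe", "src"), ("body", "background")}
TOKEN = re.compile(r"^[A-Za-z0-9_-]{16,}$")  # heuristic: long opaque value

class RemoteRefs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for t, name in AUTO_FETCH:
            url = a.get(name) if tag == t else None
            if url and urlsplit(url).scheme in ("http", "https"):
                self.refs.append((a, url))  # cid: and data: parts are local, skipped

def audit(raw):
    """Return one finding per remote resource the message would auto-fetch."""
    msg = message_from_string(raw)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        p = RemoteRefs()
        p.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        for a, url in p.refs:
            u = urlsplit(url)
            tokens = [k for k, v in parse_qsl(u.query) if TOKEN.match(v)]
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            findings.append({"host": u.hostname, "tiny": tiny, "token_params": tokens})
    return findings
```

Every finding is a request that leaks metadata on render; a 1x1 image carrying a long opaque parameter is the pattern most likely to be a per-recipient tracker.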

