Wednesday, 27 June 2012

Have you got anything without Spam?

Facebook decided yesterday that what everyone really needs is an @facebook email address, while the rest of the world were of a different mind. I remember when Facebook started offering email addresses and I declined then, as I decided that one more address to add to the two I already have is the last thing I want. I was a bit annoyed, therefore, to find that I now have one that can be hidden but not removed from my profile, like an embarrassing ink-stain on the pocket of a formal shirt. It is slightly amusing that anyone who has not claimed a for their profile page now has "pseudo-random-number"

Normally I would not be too worried about Facebook springing changes like this without notice, as they have done numerous times in the past. My main concern this time, however, is that emails can be sent from anywhere to this address and they appear identical to Facebook messages, yet there is no spam filter nor anti-virus. Previously you would at least need to be logged in to the account from which you are sending the message, making it hard, though not impossible, to spoof. It would appear that it is only possible to send emails from addresses that are already known by Facebook (doesn't this cripple email somewhat?) but with 900 million Facebook users it wouldn't be too difficult to forge addresses from the numerous spam mailing lists that are doing the rounds.

I have already checked that it is possible to send emails with attachments and links - still an effective way to spread trojans - although I haven't tried to send carefully crafted JavaScript that makes you a 'Fan' of Justin Bieber as soon as you open it (I sincerely hope this is not possible). Maybe Facebook has thought about this but I cannot find anything on the help system. Perhaps it was mentioned in the press release they forgot to send.