At some point in the recent past, a weary anti-spammer, tired of explaining to people proposing their own Final Ultimate Solution to the Spam Problem (FUSSP) why their proposal wouldn't work, drew up a form letter outlining the major objections to their scheme, whatever it might be. Whoever wrote this was obviously very familiar with FUSSPs in all their forms.
Today, Facebook announced their intention to release a new messaging service with an email component, Facebook Messages. Some optimists are already hailing Facebook Messages as a FUSSP. Are they right?
At this stage, it's probably too early to say for certain, because most of us don't know in detail how Facebook Messages will work. I can make a few observations, however.
The first observation is that Facebook Messages isn't designed primarily as a FUSSP. Its real purpose is to allow Mark Zuckerberg's monstrous progeny to reach its oily tentacles into another part of your life, increasing your dependence and opening up new seams of personal data for Facebook to exploit. Any spam-fighting properties it may have are strictly secondary to that objective.
The second is that Facebook is actually better placed than many to create a FUSSP, simply because they don't mind throwing existing practice out of the window. One of the commonest objections to FUSSPs, as given in the form letter, is that they require the reinvention or modification of SMTP in some way. If we can just make this small change to the way SMTP works, says the FUSSP inventor, we can end spam forever. With SMTP software deployed across millions of machines, that 'small change' simply isn't going to happen. But Facebook isn't trying to patch SMTP or anything else: it's building its own messaging platform. Facebook Messages will send and receive via SMTP, but it's not primarily an SMTP service. That gives the designers more latitude.
So, if Facebook Messages doesn't have to play by the existing rules, does that mean that you won't be able to spam someone using Facebook Messages? To answer this, we have to turn to what Facebook have actually told us about Messages. The announcement in the Facebook blog has this to say.
With new Messages, your Inbox will only contain messages from your friends and their friends. All other messages will go into an Other folder where you can look at them separately. If someone you know isn't on Facebook, that person's email will initially go into the Other folder. You can easily move that conversation into the Inbox, and all the future conversations with that friend will show up there.
Reading between the lines, that's a description of an extreme whitelist. Your Inbox will only contain messages from your Facebook friends, plus people who you specifically select. Everything else lands in your Other folder.
The Other folder will contain messages that arrive via SMTP, which means that as soon as your Facebook email address leaks, your Other folder will fill with spam. Your Facebook email address will leak. Your friend's computer will get a virus that scans their address book. Or, given that your email will match your Facebook username, the spammers can just make a list of all known Facebook user pages and turn it into a list of addresses to spam. I don't even have a Facebook email address yet, and already the spammers know where to find me.
So your Other folder is full of spam. That's cool. You don't have to look at it. Of course, if you don't look at it, you'll never see that email from someone you really want to talk to but who you haven't whitelisted yet. So most people will want to look at their Other folder from time to time, which means wading through the spam, just as they would in any other mail system. Great.
How about the Inbox - can you ever get any spam in there? After all, the Inbox is reserved for people who are actually your friends on Facebook. It's not just a whitelist; it's a whitelist that is backed by Facebook's user authentication. Bulletproof, no?
Well, no. There are several routes that a spammer can use to get spam into your Inbox.
First is via good old SMTP. Remember that Facebook allows you to move messages from your spam-filled Other folder to your Inbox, effectively whitelisting the sender. Messages coming from outside Facebook are coming via SMTP, which means that they're unauthenticated. You've told Facebook that it's OK to accept messages from a certain email address - but spammers can put anything they want in the 'From' line. If they can generate an email address that you've whitelisted, their message is going in your Inbox. Remember that virus that scans address books? When the spammer finds a Facebook email address in an address book, they just hit it with every other address in the list. Chances are something will go through. Or they just send a message with your own address in the 'From' line, knowing that lots of people whitelist their own mail addresses. And so on. If you whitelist any SMTP sender, you are opening yourself up to spam in your Inbox.
What about spam originating from within Facebook? That's possible too. Remember that Messages will deliver not just mail from your Friends, but also from Friends of Friends. You may be very careful about who you accept as a Friend, but I'll guarantee that not all your Friends are so scrupulous. Lots of Facebook users have a 'collect the set' attitude to adding Friends. The more Friends they have, the happier they feel. So all a spammer needs to do is make a fake Facebook account, upload a profile picture of a hot babe and start sending out friend requests. Some are bound to get accepted. Moreover, the odds are that the people who accept the requests will have truly huge Friend lists. Every one of their Friends can then be targeted with spam that will go straight into their Inbox. Holy spam bonanza, Batman.
But at least your real Friends won't spam you, right? Wrong again. Remember why we have so much spam at the moment? Remember the gazillion hijacked PCs that spend their days spewing crap because someone was tricked into clicking on an executable attachment or Microsoft didn't patch a zero-day exploit in time? Those PCs won't magically stop getting compromised when Facebook Messages launches, but instead of spam relays, they'll be loaded with keyloggers and other specialized software designed to steal Facebook passwords. If that doesn't work, there's always phishing. Or Firesheep. Your Facebook Friends will get their passwords stolen. You will get spam from them.
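The three routes above (a spoofed From line matching an SMTP whitelist entry, a fake account reaching Friends of Friends, and a compromised real Friend) can be checked against a toy model of the routing rules the blog post describes. The following is an added example, not Facebook's code or anything derived from it: the graph, the addresses and the accounts are constructed, and the `require_auth` switch is an assumed mitigation (refusing to honour an SMTP whitelist match unless the message passed some origin check such as SPF or DKIM), which the post does not mention. It also computes how many Inboxes a single fake account reaches once one collector accepts its friend request, going slightly beyond the text by working the friend-of-friend expansion out over a whole graph.

```python
"""Toy model of the Inbox / Other routing described in the post (added example).

Everything here is an assumption for illustration: the Facebook service is
modelled as 'facebook' (sender was logged in to an account) or 'smtp' (sender
is outside and the From line is an unauthenticated string).
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Message:
    sender: str                 # the From line; for SMTP this is whatever the sender typed
    via: str                    # "facebook" or "smtp"
    auth_verified: bool = False  # assumed SPF/DKIM-style origin check result (not in the post)


@dataclass
class Account:
    address: str
    whitelist: set = field(default_factory=set)  # SMTP senders the user dragged into the Inbox


def build_graph(edges):
    """Symmetric friend graph from (a, b) pairs; friendship is mutual on Facebook."""
    graph = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return dict(graph)


def trusted_senders(graph, user):
    """Friends plus Friends of Friends: the set whose Facebook-originated mail reaches the Inbox."""
    friends = graph.get(user, set())
    fof = set()
    for f in friends:
        fof |= graph.get(f, set())
    return (friends | fof) - {user}


def route(msg, account, graph, require_auth=False):
    """Return 'Inbox' or 'Other' for one message according to the post's rules."""
    if msg.via == "facebook":
        # A compromised Friend's session is indistinguishable from the Friend here.
        return "Inbox" if msg.sender in trusted_senders(graph, account.address) else "Other"
    if msg.sender in account.whitelist:
        # The post's point: an SMTP From line proves nothing, so a whitelist
        # match alone lets a spoofed sender straight in. The assumed mitigation
        # is to require a verified origin before honouring the whitelist.
        if require_auth and not msg.auth_verified:
            return "Other"
        return "Inbox"
    return "Other"


def inbox_reach(graph, sender):
    """Accounts whose Inbox accepts Facebook-originated mail from `sender`."""
    return {u for u in graph if sender in trusted_senders(graph, u)}


# Constructed sample graph: bob is the 'collect the set' user who accepts the fake account.
EDGES = [
    ("alice", "bob"), ("alice", "carol"),
    ("bob", "dave"), ("bob", "erin"), ("bob", "frank"),
    ("carol", "gina"),
    ("spammer", "bob"),   # the fake account's one accepted friend request
]


def demo():
    graph = build_graph(EDGES)
    alice = Account("alice", whitelist={"bob@example.com"})  # constructed address
    return {
        "fake_account_reach": sorted(inbox_reach(graph, "spammer")),
        "fake_to_alice": route(Message("spammer", "facebook"), alice, graph),
        "fake_to_carol": route(Message("spammer", "facebook"), alice.__class__("carol"), graph),
        "spoofed_smtp": route(Message("bob@example.com", "smtp"), alice, graph),
        "spoofed_smtp_with_auth_check": route(Message("bob@example.com", "smtp"), alice, graph, require_auth=True),
        "genuine_smtp_with_auth_check": route(Message("bob@example.com", "smtp", auth_verified=True), alice, graph, require_auth=True),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things the model makes concrete. First, the fake account is accepted by one user but its mail is trusted by five Inboxes, because every Friend of that user counts it as a Friend of a Friend. Second, the SMTP whitelist is only as strong as the origin check behind it: the same spoofed From line is accepted when the whitelist is matched on the bare address and rejected once an authenticated-origin requirement is added, while a message that genuinely passes the check still gets through. Nothing in the model helps against a real Friend whose account has been taken over, which is exactly the post's last point.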
Unless Facebook have some remarkable tricks up their sleeve or the system works very differently from the way that their blog post suggests, Facebook Messages is very quickly going to become what we computer security professionals describe as 'spammy as hell'.
One more thing: Facebook Messages is also being touted as a Gmail killer. It isn't, and it isn't designed to be. Facebook's own description makes it sound as if it's what you'd get if an email client and an instant messaging program drank too much really cheap tequila and ended up having a drunken one-night stand. The result is a partly crippled compromise with the worst features of each parent. People who need useful features like Cc: fields or Subject: lines are still going to be using email and traditional email clients. And that means that email spam isn't going away any time soon.