Facebook’s phishing clean-up: A tad heavy-handed?


[Image: Is Facebook using the right tools for e-mail security? Original image credit: jurek d via Flickr.]

In poker, you never touch anyone else’s cards. Why? Because they’re not your cards. Likewise, when you sit down at a restaurant and there’s a tip on the table from the previous patron, you don’t touch it. Simple reason: It’s not your money.


I had a similar reaction this morning when Facebook reached its fingers into my inbox and deleted two messages without asking me. Granted, they were both phishing messages -- malicious spam, essentially -- from today’s attack. For many unsuspecting people, the mere presence of these messages would constitute a security threat, so Facebook’s eradicate-first-ask-questions-last approach is understandable. Nuke the virus before it causes more damage. But still, those messages had already been in my mailbox for hours. I had opened and examined them. They were my mail.

It’s true that I had a professional interest in retaining copies of the messages, since I’d written about them earlier. And it’s also true that most people probably wouldn’t mind having toxic spam removed without their permission. Who would want to keep it?

Still, it’s the principle. Facebook has made a policy of deleting e-mail it deems malicious, even after I’ve received, opened and read it. They get to decide when it’s appropriate to do that, not me. And while it’s clear that they’re taking these actions to protect users, they’re also protecting themselves, which means there’s a subjective element to this. And as is well-known, people don’t always agree with the decisions Facebook makes about content policing.

Hypothetical: What if I get suckered into a phishing scam and have my identity stolen? Do you think I’d want to have a copy of the original Facebook e-mail, including the text it contained and the time of receipt?

On the other side, this rather blunt nuclear option also catches some innocent fish. I sent several messages to myself that contained the phrase ‘’ in various contexts, including this one:

This message and all the others that mentioned ‘’ were rejected by Facebook’s mail system:


Again, no reason to fault Facebook for trying to protect its users. But I’m not sure mentioning the name of the bad site should drop the red hammer of doom on my messages, especially if they’re warnings. If the same principle were applied to Twitter, none of the hundreds of messages warning about the spread of the virus would’ve gotten out.

The detection and prevention of spam and scams should ideally happen before the mail gets to users, not after. But if Facebook gets hit by another worm, maybe they can add a warning band (like the one above) to iffy messages or even move them to a spam folder like Gmail or Hotmail might. That way, instead of the evidence disappearing without a trace, users could learn what malicious e-mail looks like -- the better to avoid getting burned next time.

-- David Sarno