This past September, Concordia University in Montreal took the step of banning Facebook access in libraries and study halls for its 40,000 students. The problem: a growing overload on University networks from email spam generated by spammers who were using student social network contacts as targets for their spam, coupled with increased exposure to hacking and phishing attacks.

Is targeting email addresses from social networks a new frontier for spammers?

"Spam has gone to Web 2.0 with social networking," said David Poellhuber, president and CEO of ZEROSPAM, a global provider of outsourced IT security services that include email filtering, high-availability DNS service, remote monitoring, and advanced email hosting. "By focusing on social networks, spammers have found that they can be even more targeted and pervasive with their emails than they can with traditional spam."

Social networks are ideal targets for spammers because the spammers gain access to a fresh group of users who are mostly tech-savvy young people. Although the targeted audience that the spammer selects might be a smaller group of people than he would spam traditionally, the spam utilizing contact lists from social networks is likely to result in more clicks.

"With Facebook and MySpace alone, we're still looking at a potential spamming target of 170 million social network account users," said ZEROSPAM's Poellhuber. "Spammers have found a way to adapt new technology for messaging, and they are also adapting Web 2.0. They have actually found a way to "defeat" this new technology and are writing new rogue and robot applications every day."

The Mechanics of Social Network Spamming
Here is how social network spamming works:

A spammer can create a phony social network profile and then send an invitation to an individual user, who responds by accepting - and then proceeds to receive spam - or the spammer can be phishing, where via an email message he gains a user's trust, user ID and password to the user's social network profile - and then gains access to the user's social network profile.

A second exposure point for social networks occurs because social networks are largely participated in by a young age group, such as university students and recent university alumni. Many younger people do not have the same security and privacy concerns as older adults.

"Fighting spam originating from social network contact lists is a tough challenge to address," said David Poellhuber. "This is because social networks are extraordinarily popular. A university taking the step of banning access to social networks on campus might be the best way to incite a riot. On the other hand, the education of young people on social network "best practices" that lessen the exposure to unwanted spam might be very effective."

Best Prevention Practices
One step social network users can take is to carefully evaluate their circle of social network friends. "The danger with many of these social network contact lists is volume," said Poellhuber. "After all, can one person really continuously manage 500 or 600 social network friends?"

A second key element of social network user education is sensitization to privacy. Social networks have tools that can be used to keep user information private, or to not show the entirety of a user profile to others on the network. While most young people shy away from using these privacy tools and resources, there is hope that more will use them as they gain awareness of the risks of availing their personal profiles to just anyone.

A third practice involves keeping your personal email address in a "safe" spot if you use social or professional networks. Integrating your email with a social network, or readily exposing your email address on your profile, invites spammers.

A fourth practice is not to respond to email senders you do not know who may have come to you through general channels, or through your use of social networks. Users should not ever provide a credit card number, a social security number or any other private information in an email response-and they should never respond to an email that requests them to type in a URL (uniform resource locator).

Finally, corporate users who also participate in social or professional networks can usually find a set of security and privacy guidelines published by their IT or security departments. "Many corporate IT departments now sensitize online users to the pitfalls of social networks and the risk of spam generated from participation in these networks through education," said David Poellhuber. "For example, some users like to post their email addresses next to their names. Not only is this again an invitation to spammers, but it exposes far more users. This is never a good thing to do, and most corporate IT guidelines will discourage it."

Final Remarks
Even as social network user education heats up, it will still be up to social networks operations to beef up their security and to network managers in businesses and organizations to control incoming email to their networks-and to screen out spam, prevent phishing and to keep their network perimeters clean.

Spam filtering techniques remain the same for social network-originated spam as they are for traditional spam. They include the use of heuristics, a rule set that scores each email message for the likelihood that it is spam, to virus detection, to "fingerprinting" technology that analyzes specific bit patterns that occur over and over again in messages, isolating any incoming bit patterns that do not conform. Network administrators simply have to realize that spammers continue to evolve their "cat and mouse" game with spam prevention technologies everyday-and that they have now opened up social networks as new avenues for spam.

The good news is that many social network spam prevention technologies are highly effective proactively. Nonetheless, there are also cases where the spam fighter must take a reactive role.

"There always are some limitations to be proactive in every case, but even in a reactive situation, we are making headway in our ability to respond quickly," said Poellhuber. "For example, if a spam comes in from Estonia at 10 a.m., we can be attacking and defeating it by 10:02 a.m."

The job is relentless. Poellhuber estimates that over 95 percent of today's email is spam - and that figure is not going down.

"Spam will be pervasive throughout applications, Websites, telephones, mobile devices and platforms, and spammers will invade every social network that they can," said Poellhuber, "But an effective combination of user education with the continued evolution of combative spam technology positions us with strong weapons for spam control."