An open vector? Notification emails are an invitation to malware.

Do you use email notifications on your various social networks to keep yourself abreast of things? New followers on Twitter? Comments on your Facebook pages or pictures? Sophos has recently announced that they’ve discovered at least one new malware threat that exploits just this kind of traffic:

“Be wary of emails claiming to be from Facebook, and saying that you have been tagged in a photograph,” Sophos’ senior technology consultant, Graham Cluley said in a blog post today.

“SophosLabs has intercepted a spammed-out email campaign, designed to infect recipients’ computers with malware.”

Cluley highlighted how to spot the malicious email notifications by a tell-tale sign, as Facebook is misspelled as “Faceboook”, with three “o”s.

The misspelling of the name is probably a means to get around your anti-spam software.

But the real concern is this: whenever you start blending potential vectors for malware – email plus Facebook, for example – you’re doubling the chances of chaos reigning. That either email or Facebook are vectors for viruses is a given. Putting the two together is a recipe for disaster.

Neither is Twitter immune from this same vector. I’ve been in the habit of using emails to notify me of new followers and direct messages for a while, but I’ve begun to rethink that habit. You only need a reasonably well-fashioned phishing email with a link to follow a person to hook a dupe. And I have to admit that, as careful as I’ve always been with security, this has been a blind spot that I’ve taken for granted.

But then, Twitter’s “notification system” is basically non-existent, isn’t it? You can be notified of incoming DM’s if you’re on the web version, but clients including Twitter’s own TweetDeck have to wait in line to be informed of DM’s. Half the reason I have email notifications turned on is specifically because TweetDeck makes a legitimate direct message conversation a near impossibility.

If DM traffic were given a more instantaneous, priority access to the API, it would go much farther towards ending email notifications. For me, anyway, and I suspect I am not alone. In fact, a separate section in the API dedicated to *just* notifications of the type normally sent via email would be great. Currently, the only notification system in place is for tracking other users’ activities.

While it is far from a flawless plan, social networking sites would do well to consider ways of making sure email notifications are entirely unnecessary: find a way to make communicating with the platform entirely internal.

By Tommy Belknap

Owner, developer, editor of DragonFlyEye.Net, Tom Belknap is also a freelance journalist for The 585 lifestyle magazine. He lives in the Rochester area with his wife and son.