mozilla/send

Report Function for Malicious Files

smrqdt opened this issue · 2 comments

I received some (kind of targeted) spam with a link to a ZIP file hosted on Firefox Send. The ZIP file contains some VBA-Script which probably doesn’t do any good if executed.

I clicked on it intending to report the file as malware to be removed, but I noticed there seems to be no such function. (I didn’t even find a mail address for that purpose; the legal text only contains a DMCA report address.)

Is there any good reason why Send doesn’t offer a simple “Report File” option like basically any other file sharing service?

fzzzy commented

Thank you for the report. We can't see the contents of what is sent via Send because it is encrypted. Send was deployed as a Test Pilot experiment in March of 2019, but hasn't been touched since then. We definitely should add Report File functionality.

Dmole commented

What could be done?

There is no way to verify a file is harmless before encryption that is not circumventable.

All current and future uploads from that IP could be blocked,
the report function could be abused in retaliation,
or disposable IPs could be used, and blacklisting Tor/VPN/etc. is not likely to work.

A verified email registration could be required to upload,
passing the identity tracing to email/domain/hosting providers,
and blacklisting those that don't cooperate,
but even with zen.spamhaus.org and DMARC/SPF/DKIM we have not solved spam, so that's unlikely to work.

Maybe use a trust tree system where emails/UUIDs are used to trust or report other accounts and if one has a bad score all sub accounts and the immediate linked parent account are banned or limited to only interact with their own group of up votes ... but that would rely on invasion of privacy (and if banning vs isolating more good people emails than not).

So maybe just treat it like the rest of the web; an unregulated wild west where users are responsible for their own digital hygiene.