Spam: Fighting the Machine



Spam is defined as "a canned meat product made mainly from ham."

Hm. Did you come here to read about ham?

Spam is also defined as "irrelevant or inappropriate messages sent on the Internet to a large number of recipients." That’s probably the definition we should discuss.

While spam is usually delivered via the Internet, it can also be distributed via traditional phone systems and cellular networks in the form of texts and phone calls.

Generally, spam refers to unsolicited:
  • Email
  • SMS messages (texts)
  • Social media messages
  • Phone calls

How do “they” get to me?

Several avenues are available for acquiring your contact information.
  • You gave them the information directly.
  • It is freely available on your social media profile.
  • It was leaked in a breach.
  • It was voluntarily shared by a 3rd party that you may or may not have authorized to sell/share your information.
But who are "they"?

Is it an individual person trolling me?

Most likely not. It’s usually one of two situations:
  • An actual spam bot/botnet run by people with dubious intent
  • An organization that wants you to buy their product/service
Bot - computer (likely part of a botnet) that is configured to perform a simple task repetitively over the Internet
Botnet - network of bots, usually very large in number

Some real-world information

  • A very relevant incident from just a few months ago – The River City Media spam list. This list contained over 1 billion contacts.
  • Twitter’s massive botnet – can be used to deliver spam
  • The Spamhaus Project – organization that fights spam delivery. They have taken heat in the past for their work.
  • Spam Nation” – Brian Krebs, a well-known security journalist, has documented and uncovered details about spam delivery networks. 

What can I do?

Before I list the options, let me point you to a great resource to use for monitoring your own accounts. This website - https://haveibeenpwned.com - is operated by a security professional named Troy Hunt, who lives in Australia and is well-known in the development security world. He’s also a Microsoft MVP and has authored/taught many development security courses.

Now for the options:

Option 1: Forward that message to me (or another trustworthy security professional friend of yours). I like examining and investigating these things, and I can help you put a stop to it as well. If it is a social media profile - go ahead and report the profile.

Option 2: Delete it and go on about your day.

Option 3: Click/Tap/Respond. This usually is the worst thing you can do in response to spam. You don’t know who it is or where it came from, so your curiosity is piqued. You want to know where it’ll take you. A saying about curiosity and felines comes to mind.

Additional resources:
https://haveibeenpwned.com
https://www.sophos.com/security-news-trends/best-practices/spam.aspx


Comments

Post a Comment

Popular posts from this blog

Cloud Services - Friend or Foe?

Image
The question has arisen many times in my profession, and my friends and family have even asked me:  "Is it safe to store this information in the cloud?"  To answer this question, we need to understand what the cloud is. Then we need to determine what kind of information you intend to store, and how important it is that the information remain private. The "cloud" - what does this nebulous term mean? Understanding the cloud Let's make sure we understand what the cloud is not . You're reading this article on a device such as a smartphone, personal computer, or tablet. Your device is not part of the cloud, but it is a client of a server that is part of the cloud. A word on client vs server Suppose you go to your neighbor's house and knock on the door, but no one answers. Your neighbor wasn't expecting anyone, and they don't let strangers in. On the other hand if you visit a restaurant, usually a host or hostess will greet you and
Read more

How someone tried to phish me

Image
A couple of weeks ago I received an email that looked like this. This email went straight to my spam folder which I check occasionally to make sure I don't miss anything important. This particular email appeared to have come from one of my relatives. Let's see what's inside the email. I have obfuscated the actual email address because it is the first and last name of a relative. So the email came from someone[at]kkfi[.]org. I don't recognize that domain, but a quick lookup tells me it belongs to a radio station. Checking the hyperlink in the email body, I found that only one Antivirus vendor has the link categorized as phishing. But one bad verdict was enough for me to not visit the link. You can see the verdict  here . So why did someone at a radio station try to phish me? Well, actually it's likely that it wasn't an individual at the radio station but someone else who abused their domain and/or mail server. Let's dig so
Read more

Google's "Smart Lock" and Android Autofill

Image
Have you ever heard of Google's " Smart Lock "? When I first discovered Smart Lock, it was just a feature of Android that allowed your device to remain unlocked as long as certain conditions were met - such as being at a specific location (say, at home), the front camera recognizing your face (you mean "Face ID" has been around for a long time? yes, and it never worked well and still doesn't work well, even on iPhone), your phone being on your body, or connected to a trusted device. Recently Google has added another piece of functionality to Smart Lock called Smart Lock for Passwords. I first noticed this inside the Netflix application probably one or two years ago when I was offered to automatically sign in because my login info at the time was saved in my Google Chrome password manager, but no other apps that I used regularly seemed to have this new functionality. Looking at the developer page for this feature, it makes sense as to why since it ap
Read more