Hold the phone: iMessage spam not all it's cracked up to be

Is Apple's iMessage the new favorite tool of spammers worldwide? A widely quoted recent article written by Wired's Robert McMillan suggests it is, even going so far as to claim that iMessage "is being taken over by spammers."

Largely based on an interview with security analyst Tom Landesman, McMillan states that, thanks to a few enterprising fraudsters who have figured out a way to take advantage of Apple's networks, iMessage accounts for some 30 percent of all mobile spam, and that the company's efforts at stemming the onslaught of unwanted messages are moving too slowly to catch up with the spammers.

But is the problem really that dire? A closer look at the numbers suggests that the iMessage spampocalypse may be a ways off yet.

A very real problem

Let's start with the bad news: iMessage spam is a real thing. Although I haven't personally fallen victim to it, Macworld editors Dan Frakes and Dan Moren have each seen the emoji-laden marketing pitches, as has Daring Fireball's John Gruber. A quick Twitter search turns up a smattering of other reports, which also appear on a number of Apple-related forums.

This is, sadly, hardly a surprise. Like lighting a fire, spamming requires three ingredients: a network that lends itself to abuse, a large list of users, and low cost--all features that iMessage offers in spades.

Sending automated messages from a Mac without any user intervention is a surprisingly easy operation: all it requires is a single line of AppleScript. There are entirely legitimate uses for this feature; for example, I routinely use iMessage on my iMac to send notifications to my iPhone and iPad when our servers at work go down. It's an inexpensive--and very effective--way of avoiding having to wake up in the morning to an inbox full of complaints from angry customers who couldn't access our services overnight.

In the wrong hands, however, the ability to indiscriminately send virtually unlimited messages can spell disaster, particularly when you couple it with the fact that, unlike traditional SMS messages, iMessage is completely free. One simply has to build a script capable of reading through a list of numbers and email addresses and then blast out messages to them one by one. And Apple makes this extra easy by conveniently disclosing whether a particular number or address is, in fact, capable of receiving iMessages.

Hold the, uh, phone

That's a far cry, however, from claiming that nearly a third of all mobile spam is generated through iMessage.

We reached out to Cloudmark, the company Mr. Landesman works for. Cloudmark's focus is spam research and prevention--particularly in the mobile world, where the company manages the global spam reporting system run by the GSMA, an industry association with deep ties to the mobile market.

In an email conversation via Cloudmark's public relations department, Landesman provided some additional insight into the numbers behind the Wired article.

For starters, the information that Cloudmark provided Wired was specifically limited to the United States for the months of June, July, and August of 2014. This is important, because the U.S. is one of Apple's largest markets; if the numbers were reported on a global scale, it's entirely possible that the percentage of spam attributable to iMessage could change significantly--and, perhaps, be less sensational.

More importantly, the data was, according to Landesman, based not on all spam, but on unwanted messages reported to the GSMA's Spam Reporting Services (SRS for short), a tool that allows users to forward spam to a special short-code phone number. This biases the data in a way that makes it hard to use in determining the seriousness of iMessage's spam problem--after all, there is no way to tell whether iPhone users are more or less likely to report problematic messages than users of other platforms. Considering the fact that study after study has confirmed that those who call Apple's ecosystem home tend to be more engaged with their devices, this is a very real possibility.

Soft numbers are hard to understand

The biggest problem with the numbers in Wired's article, however, is that percentages are relative. Without knowing the figure they're based on, it's impossible to say exactly what scale they represent.

Luckily, Landesman was kind enough to share an order-of-magnitude idea of the volume of spam messages that Cloudmark monitors, explaining that he estimates "that we've seen several million iMessage SMS spam messages a month in the United States."

By comparison, during Apple's last annual shareholders meeting, CEO Tim Cook stated that the company handles several billion iMessage communications every day--presumably more than the 2 billion per day he reported in 2013. A rough, back-of-the-envelope calculation, then, puts iMessage's monthly traffic at around 100 billion messages.

That means that the worst possible interpretation of Landesman's estimate pins the amount of spam at 1 percent of the overall traffic. That's assuming that "several million messages" translates into "just shy of one billion," however; a more common-sense approach of, say, 10 million spam messages a month would translate into a 0.01 percent spam ratio.

All things considered, then, it's at best premature to claim that iMessage is "being overrun by spammers." While the problem is definitely real, the numbers that would support this kind of statement are simply not there.

In the meantime, if you're concerned about unwanted messages, you can simply limit iMessage to only work with people on your contact list, and report spam directly to Apple.


Stories by Marco Tabini
