View Full Version : iMessage Spam? [Update - Totally Easy to Spam]




klaxamazoo
Feb 17, 2012, 01:19 PM
Now that iMessage is available for desktops it would be pretty easy for someone to set up a robo-spammer to just send junk mail type messages to everyone.

Does iMessage do anything to make it so that only people on your Contacts list can message you?



super tomtendo
Feb 17, 2012, 01:23 PM
Now that iMessage is available for desktops it would be pretty easy for someone to set up a robo-spammer to just send junk mail type messages to everyone.

Does iMessage do anything to make it so that only people on your Contacts list can message you?

Well, you need the person's Apple ID... and what would stop them from doing it on iDevices? It wouldn't just be a computer thing.

qCzar
Feb 17, 2012, 01:30 PM
Well, you need the person's Apple ID... and what would stop them from doing it on iDevices? It wouldn't just be a computer thing.

Nope, you can register any e-mail with iMessage. In fact I have multiple e-mails registered. iDevices aren't allowing it on a scale the OP is stating. Klax is thinking like Spam E-mails/Texts. It's hard on iOS because you need iMessage to send a message; with OS X it's probable that one can send iMessages with Automator.

At least, that's my take.

super tomtendo
Feb 17, 2012, 01:34 PM
Nope, you can register any e-mail with iMessage. In fact I have multiple e-mails registered. iDevices aren't allowing it on a scale the OP is stating. Klax is thinking like Spam E-mails/Texts. It's hard on iOS because you need iMessage to send a message; with OS X it's probable that one can send iMessages with Automator.

At least, that's my take.

But in order to send a message, you need to have the email/APPLE ID of the person.

klaxamazoo
Feb 17, 2012, 01:42 PM
But in order to send a message, you need to have the email/APPLE ID of the person.

That is just like how you need my e-mail address to send me spam and the vast majority of e-mails that go out are spam.

i.e. if your AppleID is anything resembling a name or a word, you are getting Spammed.

The difference between iMessage for iOS is that iOS is relatively locked-down and you would probably have to jail-break just to start abusing iMessage. On OSX, you don't need to jail-break. You just need Automator or Applescript. It doesn't really matter if you have a list of real Apple IDs, you can just Spam Everything because the cost and overhead are low while the pay-off, i.e. Notifications and Pop-Ups on All iOS and OSX devices, is significantly larger than an e-mail that gets filtered by Google's Spam filter.

Someone could also run a bunch of OS 10.8 virtual computers on just one computer using VMWare. Then they could really take advantage of scale.

The question is. Other than someone needing to guess my Apple ID or phone number, what is protecting my phone and computer from iMessage Spam?

super tomtendo
Feb 17, 2012, 01:45 PM
The question is. Other than someone needing to guess my Apple ID or phone number, what is protecting my phone and computer from iMessage Spam?

I would say yourself? Spam emails are from websites that you signed up with. Right? How else can someone get your emails? I hardly get any spam on my GMAIL account cause I only use it for legit websites.

klaxamazoo
Feb 17, 2012, 02:03 PM
I would say yourself? Spam emails are from websites that you signed up with. Right? How else can someone get your emails? I hardly get any spam on my GMAIL account cause I only use it for legit websites.

You don't get it because GMail has an amazing Spam filter. You don't have to sign up for anything, just have a "normal" e-mail address and your e-mail address will receive Spam even if GMail filters it for you.

That and "hardly" any spam is different from having your iPhone, iPad and computer all go off at the same time with someone's Spam message. Gmail spam is easy to ignore, phone spam is harder.

Also, they don't need your Apple ID, iMessage can send to phone numbers too:

One problem we noticed was that sending an iMessage to an iPhone's phone number meant the message didn't appear on the Mac – and vice versa – sending an iMessage to the email address didn't appear on the iPhone…

http://gourmetpixel.com/blog_wordpress/?p=85

While I, personally, might not be able to get a specific individual's Apple ID, I sure as hell could come up with a few ten thousand legitimate ones just by using existing Spam e-mail lists, stripping the @... and replacing it with standards such as @gmail, @me, @mac, @hotmail, etc.

Once again. What is protecting my iMessage account other than obscurity of my Apple ID?

----------

Right now, if someone wants to send a text message from my phone they have to pay for the text message service and are relatively traceable. That is gone with iMessage for OS X. Little Cost overhead and lots of exposure i.e. your phone actively alerting you to the message, your iPad alerting you, and your computer alerting you all at the same time and all with a pop-up window.

It is annoying enough when I get the occasional text message spam, I can't imagine how annoying it would be if it was on the same level as e-mail spam.

----------

http://reviews.cnet.com/8301-19512_7-20102542-233/how-to-block-text-message-spam-on-your-iphone-at-t/

I wonder if iMessage completes messages sent to:
yourmobilenumber@txt.att.ne

Now they don't need your Apple ID. Just a list of the block of phone numbers that AT&T has.



The article did have good information on how to block those annoying e-mail spams I was getting though.

klaxamazoo
Feb 17, 2012, 02:51 PM
I just tested it. You don't need anyone's Apple ID, you can send messages to just a phone number and it is incredibly easy to get a list of valid phone numbers. More so than valid e-mail addresses since phone numbers follow a specific pattern.


So pretty much, there is nothing to stop iMessage Spam.

klaxamazoo
Feb 18, 2012, 12:00 AM
Unfortunately, it was really, really easy to make a Spam program.

To test it out I wrote a quick program to cycle through a block of numbers that were allocated to Cingular back in the day, mixed in a little Automator to reduce coding time and got back about a 1 in 25 success rate. The iMessage message sent confirmation lets you know when you have a good number.

This is pretty bad if someone as poor at coding as I am can make their own Spambot in less than an hour.

I hope Apple either puts a good Spam filter in or makes it so that you can block messages from people that aren't on your contacts list.

rorschach
Feb 18, 2012, 02:22 AM
How is this any different from before? iChat could (can) send messages to people's phone numbers as texts.

http://i.imgur.com/96xCU.jpg

jayhawk11
Feb 18, 2012, 03:13 AM
How is this any different from before? iChat could (can) send messages to people's phone numbers as texts.

Image (http://i.imgur.com/96xCU.jpg)

Exactly. Much ado about nothing.

klaxamazoo
Feb 18, 2012, 08:59 AM
How is this any different from before? iChat could (can) send messages to people's phone numbers as texts.

Image (http://i.imgur.com/96xCU.jpg)

I tested it on my SL computer. It works but not as well as Spam using iMessage.

1) iChat is missing the confirmation which lets you know when you have a confirmed iMessage account and automatically add that phone number to a verified spam list. The verified spam list is nice because it saves time, i.e. you can run through a few ten thousand numbers, collect the verified ones and target just those in the future.

2) The provider, AOLtxt, lets the Target block messages coming from a specific user

3) The cell phone provider includes a message telling the Target how to STOP all AOL text messages. iMessage has none of that. A Target cannot stop iMessages from coming in.



iChat SMS spam was not an issue because Targets had a way to stop it. iMessage targets have NO way to stop the Spam.



iMessage is way more conducive to sending Spam with.
1) You get confirmations letting you know when you have a valid Target
2) These confirmations can be readily stripped and collected
3) There is, currently, no way for the Target to stop it
4) You can send out a large number of messages at once by messaging 10 - 50 Targets at a time
5) The messages will pop up on more devices all at the same time in a manner that is way more intrusive than e-mail.


iMessage is a spammer's wet dream.


I filed a bug report, hopefully Apple will give the users some control over who they receive messages from just like they did for the AOLtxt.

tkermit
Feb 18, 2012, 09:14 AM
iMessage is a spammer's wet dream.

Except that Apple has complete control over the accounts of iMessage users including potential spammers, so they could just disable spam accounts as soon as they find out about them.

klaxamazoo
Feb 18, 2012, 09:29 AM
Except that Apple has complete control over the accounts of iMessage users including potential spammers, so they could just disable spam accounts as soon as they find out about them.

A) You are assuming Apple finds them before you are spammed

B) And the Spammers can just as easily make new ones. It isn't hard to make an Apple ID, all you need is an e-mail address

C) 10,000 messages sent out last night tells me that Apple isn't even looking at this point.



Actually, as qCzar pointed out, iMessage can be tied to your e-mail account. The Spammer doesn't even need an Apple ID.
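
Added example, not part of the thread and not any poster's or Apple's code: a service-side check for the traffic pattern discussed above (one sender fanning out to a contiguous block of phone numbers with roughly a 1 in 25 hit rate), run over a constructed delivery log. The log format, sender names, numbers and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

def build_sample_log():
    """Constructed delivery log: (sender, recipient_number, recipient_registered)."""
    log = []
    # Hypothetical bulk sender walking a contiguous number block, ~1 in 25 registered.
    for i in range(200):
        log.append(("bulk@example.com", 5550100000 + i, i % 25 == 0))
    # Hypothetical ordinary user: a few known recipients, all registered.
    for number in (5550171234, 5550189876, 5550171234, 5550142223):
        log.append(("alice@example.com", number, True))
    return log

def score_senders(log, min_recipients=50, max_hit_rate=0.2, min_adjacent=0.5):
    """Flag senders whose recipients look enumerated rather than known.

    Thresholds are illustrative assumptions, not values from any real service.
    """
    seen = defaultdict(dict)  # sender -> {recipient_number: registered}
    for sender, number, registered in log:
        seen[sender][number] = registered

    flagged = {}
    for sender, recipients in seen.items():
        count = len(recipients)
        if count < min_recipients:
            continue  # too little fan-out to judge
        hit_rate = sum(recipients.values()) / count
        numbers = sorted(recipients)
        # Share of recipients whose number is exactly one above the previous one.
        pairs = zip(numbers, numbers[1:])
        adjacent = sum(b - a == 1 for a, b in pairs) / max(count - 1, 1)
        reasons = []
        if hit_rate <= max_hit_rate:
            reasons.append("low_hit_rate")
        if adjacent >= min_adjacent:
            reasons.append("sequential_numbers")
        if reasons:
            flagged[sender] = {"recipients": count, "hit_rate": hit_rate,
                               "adjacent": adjacent, "reasons": reasons}
    return flagged

if __name__ == "__main__":
    for sender, detail in score_senders(build_sample_log()).items():
        print(sender, detail)
```

A sender with wide fan-out to registered, non-adjacent recipients is not flagged, so the two signals separate enumeration from ordinary high-volume use in this sample.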

haravikk
Feb 18, 2012, 01:40 PM
This is pretty worrying, all it requires is for iMessages to have an option controlling who you receive iMessages from, e.g - Everyone, Friends + Address Book, Friends Only.

Dead simple, and would be especially good if this applied across all devices, and with syncing it could even occur before it reached your device.

This should really be combined with notifications of when someone has added you so you can deny the request or allow + add to friends and/or address book.

Redemption.Man
Mar 21, 2012, 05:56 PM
I was thinking about iMessage spam when I found a way to annoy my friends via iMessage. Just wrote this blog post about it: http://redemptionman.com/2012/02/07/imessage-spam/

With iMessage working on jailbroken devices it is only a matter of time before someone starts off iMessage spam.