iMessage Spam? [Update - Totally Easy to Spam]

Discussion in 'OS X Mountain Lion (10.8)' started by klaxamazoo, Feb 17, 2012.

  1. klaxamazoo, Feb 17, 2012
    Last edited: Feb 17, 2012

    klaxamazoo macrumors 6502

    Sep 8, 2006
    Now that iMessage is available for desktops it would be pretty easy for someone to set up a robo-spammer to just send junk mail type messages to everyone.

    Does iMessage do anything to make it so that only people on your Contacts list can message you?
  2. super tomtendo macrumors 6502a

    Aug 29, 2009
    Well, you need the person's Apple ID... and what would stop them from doing it on iDevices? It wouldn't just be a computer thing.
  3. qCzar macrumors regular

    Feb 27, 2011
    SFBA, CA
    Nope, you can register any e-mail with iMessage. In fact I have multiple e-mails registered. iDevices aren't allowing it on a scale the OP is stating. Klax is thinking like Spam E-mails/Texts. It's hard on iOS because you need iMessage to send a message; with OS X it's probable that one can send iMessages with Automator.

    At least, that's my take.
  4. super tomtendo macrumors 6502a

    Aug 29, 2009
    But in order to send a message, you need to have the email/APPLE ID of the person.
  5. klaxamazoo thread starter macrumors 6502

    Sep 8, 2006
    That is just like how you need my e-mail address to send me spam and the vast majority of e-mails that go out are spam.

    i.e. if your AppleID is anything resembling a name or a word, you are getting Spammed.

    The difference between iMessage for iOS is that iOS is relatively locked-down and you would probably have to jailbreak just to start abusing iMessage. On OS X, you don't need to jailbreak. You just need Automator or AppleScript. It doesn't really matter if you have a list of real Apple IDs, you can just Spam Everything because the cost and overhead are low while the pay-off, i.e. Notifications and Pop-Ups on All iOS and OS X devices, is significantly larger than an e-mail that gets filtered by Google's Spam filter.

    Someone could also run a bunch of OS 10.8 virtual computers on just one computer using VMWare. Then they could really take advantage of scale.

    The question is: other than someone needing to guess my Apple ID or phone number, what is protecting my phone and computer from iMessage Spam?
  6. super tomtendo macrumors 6502a

    Aug 29, 2009
    I would say yourself? Spam emails are from websites that you signed up with. Right? How else can someone get your emails? I hardly get any spam on my GMAIL account cause I only use it for legit websites.
  7. klaxamazoo thread starter macrumors 6502

    Sep 8, 2006
    You don't get it because GMail has an amazing Spam filter. You don't have to sign up for anything, just have a "normal" e-mail address and your e-mail address will receive Spam even if GMail filters it for you.

    That and "hardly" any spam is different from having your iPhone, iPad and computer all go off at the same time with someone's Spam message. Gmail spam is easy to ignore, phone spam is harder.

    Also, they don't need your Apple ID, iMessage can send to phone numbers too:

    One problem we noticed was that sending an iMessage to an iPhone's phone number meant the message didn’t appear on the Mac – and vice versa – sending an iMessage to the email address didn’t appear on the iPhone…

    While I, personally, might not be able to get a specific individual's Apple ID, I sure as hell could come up with a few ten thousand legitimate ones just by using existing Spam e-mail lists, stripping the @... and replacing it with standards such as @gmail, @me, @mac, @hotmail, etc.

    Once again. What is protecting my iMessage account other than obscurity of my Apple ID?


    Right now, if someone wants to send a text message from my phone they have to pay for the text message service and are relatively traceable. That is gone with iMessage for OS X. Little Cost overhead and lots of exposure i.e. your phone actively alerting you to the message, your iPad alerting you, and your computer alerting you all at the same time and all with a pop-up window.

    It is annoying enough when I get the occasional text message spam, I can't imagine how annoying it would be if it was on the same level as e-mail spam.


    I wonder if iMessage completes messages sent to:

    Now they don't need your Apple ID. Just a list of the block of phone numbers that AT&T has.

    The article did have good information on how to block those annoying e-mail spams I was getting though.
  8. klaxamazoo thread starter macrumors 6502

    Sep 8, 2006
    Confirmed - Don't need anyone's Apple ID

    I just tested it. You don't need anyone's Apple ID, you can send messages to just a phone number and it is incredibly easy to get a list of valid phone numbers. More so than valid e-mail addresses since phone numbers follow a specific pattern.

    So pretty much, there is nothing to stop iMessage Spam.
  9. klaxamazoo thread starter macrumors 6502

    Sep 8, 2006
    Unfortunately, it was really, really easy to make a Spam program.

    To test it out I wrote a quick program to cycle through a block of numbers that were allocated to Cingular back in the day, mixed in a little Automator to reduce coding time and got back about a 1 in 25 success rate. The iMessage message sent confirmation lets you know when you have a good number.

    This is pretty bad if someone as poor at coding as I am can make their own Spambot in less than an hour.

    I hope Apple either puts a good Spam filter in or makes it so that you can block messages from people that aren't on your contacts list.
  10. rorschach macrumors 68020


    Jul 27, 2003
    How is this any different from before? iChat could (can) send messages to people's phone numbers as texts.

  11. jayhawk11 macrumors 6502a


    Oct 19, 2007
    Exactly. Much ado about nothing.
  12. klaxamazoo thread starter macrumors 6502

    Sep 8, 2006
    I tested it on my SL computer. It works but not as well as Spam using iMessage.

    1) iChat is missing the confirmation which lets you know when you have a confirmed iMessage account and automatically add that phone number to a verified spam list. The verified spam list is nice because it saves time, i.e. you can run through a few ten thousand numbers, collect the verified ones and target just those in the future.

    2) The provider, AOLtxt, lets the Target block messages coming from a specific user.

    3) The cell phone provider includes a message telling the Target how to STOP all AOL text messages. iMessage has none of that. A Target cannot stop iMessages from coming in.

    iChat SMS spam was not an issue because Targets had a way to stop it. iMessage targets have NO way to stop the Spam.

    iMessage is way more conducive to sending Spam with.
    1) You get confirmations letting you know when you have a valid Target
    2) These confirmations can be readily stripped and collected
    3) There is, currently, no way for the Target to stop it
    4) You can send out a large number of messages at once by messaging 10 - 50 Targets at a time
    5) The messages will pop up on more devices all at the same time in a manner that is way more intrusive than e-mail.

    iMessage is a spammer's wet dream.

    I filed a bug report, hopefully Apple will give the users some control over who they receive messages from just like they did for the AOLtxt.
  13. tkermit macrumors 68040


    Feb 20, 2004
    Except that Apple has complete control over the accounts of iMessage users including potential spammers, so they could just disable spam accounts as soon as they find out about them.
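
Added example, not part of the thread and not Apple's code: a service-side sketch of how a provider could "find out about" the behaviour described in posts 9 and 12, where a sender walks a block of numbers and only about 1 in 25 is confirmed. The log format, function names, thresholds and sample data are all assumptions made for illustration.

```python
from collections import defaultdict

def build_sample_log():
    """Constructed send log: (sender, recipient, delivery_confirmed)."""
    log = []
    # Constructed bulk sender: walks one contiguous number block and gets
    # a confirmation for about 1 in 25 recipients.
    for i in range(100):
        log.append(("bulk@example.com", f"+1555010{i:04d}", i % 25 == 0))
    # Constructed ordinary user: a few scattered contacts, all confirmed.
    for number in ("+15557774321", "+15552220198", "+15559036650"):
        log.append(("alice@example.com", number, True))
    return log

def score_senders(log, min_recipients=20, max_hit_rate=0.2, min_seq_ratio=0.5):
    """Flag senders that reach many recipients with few confirmations, or
    whose recipient numbers are mostly consecutive. Thresholds are assumed."""
    per_sender = defaultdict(dict)
    for sender, recipient, confirmed in log:
        per_sender[sender][recipient] = confirmed  # de-duplicate recipients
    report = {}
    for sender, rcpts in per_sender.items():
        hit_rate = sum(rcpts.values()) / len(rcpts)
        # Only "+<digits>" phone recipients take part in the sequence check;
        # e-mail style recipients are skipped here.
        nums = sorted(int(r[1:]) for r in rcpts if r[1:].isdigit())
        steps = sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1)
        seq_ratio = steps / (len(nums) - 1) if len(nums) > 1 else 0.0
        flagged = len(rcpts) >= min_recipients and (
            hit_rate <= max_hit_rate or seq_ratio >= min_seq_ratio)
        report[sender] = {"recipients": len(rcpts), "hit_rate": hit_rate,
                          "seq_ratio": seq_ratio, "flagged": flagged}
    return report

if __name__ == "__main__":
    for sender, row in score_senders(build_sample_log()).items():
        print(sender, row)
```

The minimum-recipient floor keeps a user who messages a handful of contacts from being flagged on ratio alone.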
  14. klaxamazoo, Feb 18, 2012
    Last edited: Feb 18, 2012

    klaxamazoo thread starter macrumors 6502

    Sep 8, 2006
    A) You are assuming Apple finds them before you are spammed.

    B) And the Spammers can just as easily make new ones. It isn't hard to make an Apple ID, all you need is an e-mail address.

    C) 10,000 messages sent out last night tells me that Apple isn't even looking at this point.

    Actually, as qCzar pointed out, iMessage can be tied to your e-mail account. The Spammer doesn't even need an Apple ID.
  15. haravikk macrumors 65816

    May 1, 2005
    This is pretty worrying, all it requires is for iMessages to have an option controlling who you receive iMessages from, e.g - Everyone, Friends + Address Book, Friends Only.

    Dead simple, and would be especially good if this applied across all devices, and with syncing it could even occur before it reached your device.

    This should really be combined with notifications of when someone has added you so you can deny the request or allow + add to friends and/or address book.
  16. Redemption.Man macrumors newbie

    Mar 21, 2012
    I was thinking about iMessage spam when I found a way to annoy my friends via iMessage. Just wrote this blog post about it:

    With iMessage working on jailbroken devices it is only a matter of time before someone starts off iMessage spam.
