SPAM & Phishing

Related Phishing Variation Articles:

  1. Vishing
  2. SMiShing
  3. Spy-Phishing
  4. Pharming
  5. Watering Hole Attacks
  6. SPAM

Spam, aka those annoying, unsolicited emails that seem to always end up in your inbox, is the basic “food” of phishing. Why? Because it’s cheap and easy to send spam and needs a very low rate of clicks to reap rewards.

 A Brief History of Spam

 Spam is one of the oldest forms of online abuse; in fact, the first message considered “spam” was sent on May 3, 1978, when the internet was still called ARPAnet. A computer salesman named Gary Thuerk sent an unsolicited email to hundreds of users announcing an upcoming sales event. The reaction was swift and largely negative, but the genie was out of the bottle.

 As the internet developed and grew, so did spam; by 1994 it had spread to the Usenet bulletin boards and then to email. That same year it officially earned its moniker “spam” – the name was inspired both by the cheap food in a can and the Monty Python skit where Vikings chant “Spam” over and over every time the word is mentioned.

Security Awareness

By 2003 it was such a problem that the first anti-spam legislation, called the CAN-SPAM Act, was signed into law by President George W. Bush. In spite of a slew of prosecutions in the following years, including a $900,000 fine against Jumpstart Technologies, spam has continued unabated – most spam senders operate in the shady dark web and rarely get caught or prosecuted.

How Spam Works

It’s essentially very easy to send out spam. All you need is an email program, a bunch of addresses, and a link for people to click. But a handful of email addresses and a regular email program will unlikely be enough to really reap the rewards; many consumer email programs will limit the number you can send in a day in order to prevent this kind of abuse.

But spam is all about volume: The more you send, the more money you will potentially make. A joint study by UC San Diego and UC Berkeley found that 1 out of every 12,500,000 emails will result in a click, or less than 0.00001 percent. But since there are over 200 billion spam emails sent every year it’s estimated that a spammer can earn about $3.5 million dollars annually even with these low odds.

Where Do They Get the Emails?

Spammers and scammers have many methods, both legit and unsavory, to get addresses. Currently, there are hundreds of companies that advertise online promising to give you working email addresses from consumers who have “opted in” (i.e. agreed to receive email solicitations); however, most of these companies operate outside of the U.S. and outside of the law.

Then there is the black market, where a personal email address can fetch up to $100 in Russia, one of the main sources of spam. More common are data breaches, where email accounts are leaked and shared or traded with other spam gangs.

Other methods involve scouring the internet and scraping emails from websites and forms, or a tactic in which spammers send millions of random emails to giant sites like Google, Hotmail, or AOL, collecting the names that don’t bounce back. Sometimes they’ll even set up phony web forms offering free iPads or the like, with users unwittingly opting-in for a spam attack.

How Do They Send Spam Emails?

Once they’ve got their hands on millions of email addresses, the dirty work begins. But they don’t write and press send on every single email, they have their bots do it. A bot is essentially a compromised computer (someone who clicked on a link they shouldn’t have) that is connected to thousands of other bots around the world.

Like something out of the Matrix, these bots form a network (or botnet), and band together to spew their spam. This makes it harder to shut them down and easier for the true sender to hide their identity. Most of the time, the owners of these computer-turned-bots don’t even know they’ve been compromised until they receive hundreds of bounce-backs or they are blacklisted by their ISP.

Defensive Measures Against Spam

Because of the sheer volume of spam hogging bandwidth and flooding inboxes, companies, governments, and ISPs are constantly devising methods to prevent it from being sent and/or received. As mentioned earlier, there are blacklists created by companies like SpamCop and SpamHaus. These blacklists are often used by large corporations and ISPs to filter out the junk; however, it sometimes blocks legitimate messages or unwitting bots.

Then there are spam filters, which can block out certain spammy words or phrases (“cheap Viagra” anyone?) There are many companies that sell filtering programs, and most email programs have a default setting that can be customized for the user; flagged emails can be sent into their own spam folder. Some companies and providers also offer permission filters, where an email from an unknown source must first be approved by the recipient. Spam filters can also block malicious attachments, preventing them from ever reaching a user’s inbox.

Countermeasures by Spammers

But just when you think you’ve got the spammers beat, they seem to come up with another way to slip past the safeguards. In the beginning, they started replacing letters with numbers (“ch3ap V1@gra” anyone?) or generating random letters to appear at the end of each subject line, which can confuse some filters to think it’s from a real person.

Hackers, spammers, and phishers are continually developing and using other spam-disguising techniques and sharing them with other thieves. These include putting the sales pitch in an image so the filter won’t catch any trigger words, and some have found a way to use Google Translate, URL shorteners, and compromised WordPress blogs to circumvent being blacklisted. Another popular trick is to use homographs, meaning characters that look the same (like a capital “I” and lowercase “l”) to spoof real website URLs; often letters from another alphabet like Cyrillic or Greek are substituted as well.

One of the newest threats is a variation on the brute force attack, where spammers try as many combinations of something until it clicks. They used to do it primarily with email addresses and passwords, but now they are attempting to exploit vulnerabilities in subdomains of legit company websites to send spam. For example, they will try millions of different subdomains (,, etc.) until one of them allows mail to be sent. This increases their legitimacy in the eyes of both the filter and the recipient, making them more likely to be opened.

In other words, fighting spam is a constant battle and it takes a continually evolving variety of tools and resources to do so. Last but not least, it requires vigilance on the part of the recipient, aka “you.”

How to Fight Spam

Perhaps the most important rule when it comes to any suspected spam in your inbox is do NOT click the links! The most obvious ones to spot are offers for cheap pharmaceuticals, which account for 81% of spam. If you need medication, buy it from a reputable source!

Next, flag the email (you can click on an email to flag it without compromising your computer) as junk or spam – most filters will then learn/adjust to block any further attempts from that recipient. You should also alert your IT person/department if you have one.

TIP: Do NOT click the “Unsubscribe” button on any obvious spam email, as this is another trick they use to hack you – yes, they are that clever!

If you want to go a step further, you can copy the headers and report it to a site like SpamCop, who will then put it on a blacklist.

Another good idea is to keep your email address as private as possible. If you have to put it on a website, don’t write it as a hyperlink (as spammers can harvest it) – instead write it out. A popular method is: youremail [at] yourisp [dot] com.

If you open your mailbox and find it filled with hundreds of emails bouncing back that you never sent, your address has either been spoofed or your account has been hacked. When this happens, change your password immediately and contact IT. (Your IT department can prevent this from happening by creating an SPF record which limits the domains that can send emails on your behalf.) You may want or need to create a temporary filter, but eventually these emails will subside.

If you accidentally clicked on a link or suspect you have been hacked, take the computer offline and once again contact your IT department immediately.

InfoSec is Here to Help

While it’s one thing to read an article about spam (and congratulations for doing so), the truth is you and your company are likely still vulnerable. The best way to test your spam-savviness is by setting up a free account at InfoSec:

On the site are training modules, videos, articles, and even simulators that can send out fake spam emails to your co-workers. However, instead of leading them to cheap Cialis or the like, anyone that clicks on the link will be diverted to the InfoSec website, where they will watch a short video informing them that they have been spammed.

We hope these tools will help you “can” spam for good and keep your inbox, your computer, and your company safe.



Be Safe

Section Guide


View more articles from Stephen

Infosec IQ awareness and training empowers your employees with the knowledge and skills to stay cybersecure at work and at home. Teach employees to outsmart cyberthreats with over 2,000 awareness resources and phishing simulations.

Section Guide


View more articles from Stephen