Spim - spam over instant messaging - has been forecast to become the next big problem, according to an article at Wired.
People have been issuing dire warnings about huge growth in this area for a while now, and we have yet to see the problem materialize. Part of the reason is that e-mail is a fairly standard way for people to be contacted: in order to sign up for many things, one must enter an e-mail address. There are many places on the web that have our e-mail addresses, and only recently have they started obfuscating them so that bots have a harder time harvesting them off of the pages.
Instant message account names, on the other hand, are usually only given out to friends, so they are harder for bots to come by. That said, there are plenty of places on the web where accounts can be harvested if people have posted them in their profiles on discussion boards or on their own web pages - but that is still only a fraction of all users.
Not to mention that IM clients have settings to only accept messages from people you know (those already on your buddy list). There are workarounds to that - programs that users download that carry trojans, which then send messages as that user to everyone on their buddy list - but that requires promiscuous net usage (downloading and running programs you don't necessarily trust), which not everyone partakes in, whereas nearly everyone uses e-mail.
I personally am on a Mac (OS X 10.3.3) and use iChat. Even people who are on my buddy list and want to message me sometimes have problems (usually, if there is a problem, it is because they are on a Windows non-AOL client using the AIM protocol, and when I am offline it shows me as online on their system - so their client is doing something incorrectly).
As it is, it will be interesting to watch how this changes over time and what solutions come along to remedy whatever issues we see. Existing solutions for e-mail and/or blogs (such as SpamAssassin) might not work for IM, since the messages are so much shorter: a Bayesian filter scores a message on the tokens it contains, and a message of a few words offers far less evidence than a full e-mail, so both the training corpus and each individual verdict end up thinner than the method needs to classify confidently.
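To make the short-message problem concrete, here is a small multinomial naive Bayes token classifier of the kind SpamAssassin's Bayesian component uses. This is an added example written for this page, not code from the original post or from SpamAssassin; the training lines and the messages it scores are constructed for the example, and the 0.9 confidence threshold is an assumption. Full-length lines land near 0 or 1, while a one-word message never moves far from the prior and an unseen word gives no evidence at all.

```python
import math
from collections import Counter

# Constructed training data for this example, not messages from the original
# post: a handful of short, IM-length lines labelled spim and ham.
SPIM = [
    "free ringtones click here now",
    "click here for free pics",
    "hot singles in your area click now",
    "win a free ipod click here",
]
HAM = [
    "hey are you coming to lunch",
    "did you finish the report",
    "call me when you get home",
    "see you at the game tonight",
]


def tokenize(message):
    """Whitespace tokenizer; a real filter would also split on punctuation."""
    return message.lower().split()


class NaiveBayes:
    """Multinomial naive Bayes with Laplace (add-alpha) smoothing."""

    def __init__(self, spam, ham, alpha=1.0):
        self.alpha = alpha
        self.spam_counts = Counter(t for m in spam for t in tokenize(m))
        self.ham_counts = Counter(t for m in ham for t in tokenize(m))
        self.spam_total = sum(self.spam_counts.values())
        self.ham_total = sum(self.ham_counts.values())
        self.vocab_size = len(set(self.spam_counts) | set(self.ham_counts))
        n = len(spam) + len(ham)
        self.log_prior_spam = math.log(len(spam) / n)
        self.log_prior_ham = math.log(len(ham) / n)

    def _log_likelihood(self, tokens, counts, total):
        # Each token contributes log P(token | class); a token never seen in
        # this class gets the smoothed floor alpha / (total + alpha * V).
        denom = total + self.alpha * self.vocab_size
        return sum(math.log((counts[t] + self.alpha) / denom) for t in tokens)

    def log_odds(self, message):
        """log P(spam|msg) - log P(ham|msg); its magnitude is the evidence gathered."""
        tokens = tokenize(message)
        ls = self.log_prior_spam + self._log_likelihood(tokens, self.spam_counts, self.spam_total)
        lh = self.log_prior_ham + self._log_likelihood(tokens, self.ham_counts, self.ham_total)
        return ls - lh

    def spam_probability(self, message):
        """P(spam | message), from the log-odds via the logistic function."""
        return 1.0 / (1.0 + math.exp(-self.log_odds(message)))


def verdicts(classifier, messages, threshold=0.9):
    """Return {message: (probability, decided)}. A message counts as decided
    only when the score is confident either way (assumed threshold 0.9),
    which a message of one or two words rarely reaches."""
    out = {}
    for m in messages:
        p = classifier.spam_probability(m)
        out[m] = (p, p >= threshold or p <= 1 - threshold)
    return out


if __name__ == "__main__":
    clf = NaiveBayes(SPIM, HAM)
    for msg, (p, decided) in verdicts(clf, [
        "free ringtones click here now",   # full-length spim: strong evidence
        "are you coming to lunch",         # full-length ham: strong evidence
        "click",                           # one-word spim: weak evidence
        "yo",                              # unseen word: no evidence at all
    ]).items():
        print(f"{p:.3f} {'decided' if decided else 'undecided':9} {msg!r}")
```

With the constructed corpus both classes have the same token total, so a message made only of unseen words scores exactly the prior (0.5); "click", the strongest single spim token here, only reaches 5/6, below the threshold. Each extra token multiplies the odds, which is why the five-word lines are decided and the one-word line is not.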
One way potential spimmers can find users is a brute force dictionary attack. A bot generates user names by first taking a list of common first names (Eric, Bob, Sally, Bertha, Mike, etc.), sending to each, and recording which ones work. It then appends things to the end of them - usually series of numbers - and eventually it could even generate random strings and append those.
This is a time-intensive task - each extra digit of suffix multiplies the candidate list by ten - and so the yield might not justify the hours it would take to build and run.
Spammers/spimmers generally have a lot of time/resources on their hands though.
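The enumeration described above, as an added example that is not part of the original post and does not talk to any real IM service: a candidate generator that walks the name list, then every numeric suffix, against a stand-in directory that records who asked for what. The directory, the base names and the detection thresholds (50 lookups, 5% hit rate) are constructed assumptions for the example. It shows both the attacker's cost (the candidate count grows tenfold per suffix digit) and the check a service operator would want: a client whose lookups almost all miss is enumerating, not chatting.

```python
import itertools
from collections import defaultdict

# Constructed directory of existing screen names for this example; these are
# made up and not real accounts on any service.
DIRECTORY = {"eric", "bob", "bob42", "sally1999", "mike7", "bertha"}

# The seed list of common names the post describes.
BASE_NAMES = ["eric", "bob", "sally", "bertha", "mike"]


def candidate_names(base_names, max_digits=2):
    """Yield candidates in the order the post describes: bare names first,
    then each name with every numeric suffix of 1..max_digits digits."""
    for name in base_names:
        yield name
    for ndigits in range(1, max_digits + 1):
        for name in base_names:
            for digits in itertools.product("0123456789", repeat=ndigits):
                yield name + "".join(digits)


def candidate_count(n_names, max_digits):
    """Size of the search space: n * (1 + 10 + 100 + ... + 10**max_digits)."""
    return n_names * sum(10 ** k for k in range(max_digits + 1))


class Directory:
    """Stand-in for the service's name lookup. It answers 'does this name
    exist?' and, like a real service should, logs hits and misses per client."""

    def __init__(self, existing):
        self.existing = set(existing)
        self.lookups = defaultdict(lambda: [0, 0])  # client -> [hits, misses]

    def exists(self, client, name):
        hit = name in self.existing
        self.lookups[client][0 if hit else 1] += 1
        return hit


def harvest(directory, client, base_names, max_digits=2, budget=None):
    """Run the dictionary attack against the stand-in directory.
    Returns (names found, lookups spent); budget caps the lookups."""
    found, tried = [], 0
    for name in candidate_names(base_names, max_digits):
        if budget is not None and tried >= budget:
            break
        tried += 1
        if directory.exists(client, name):
            found.append(name)
    return found, tried


def looks_like_enumeration(directory, client, min_lookups=50, max_hit_rate=0.05):
    """Detection rule (assumed thresholds): a client that has made many
    lookups and almost all of them failed is guessing names, not messaging
    friends. A real user looks up people who exist."""
    hits, misses = directory.lookups[client]
    total = hits + misses
    return total >= min_lookups and hits / total <= max_hit_rate


if __name__ == "__main__":
    d = Directory(DIRECTORY)
    found, tried = harvest(d, "bot", BASE_NAMES, max_digits=2)
    print(f"bot tried {tried} names, found {found}")
    d.exists("alice", "eric")      # an ordinary user looking up a friend
    d.exists("alice", "bob")
    print("bot flagged:", looks_like_enumeration(d, "bot"))
    print("alice flagged:", looks_like_enumeration(d, "alice"))
```

Two digits of suffix over five names already costs 555 lookups for five hits, and "sally1999" is never reached because it sits in the four-digit space (55,555 candidates for the same five names). That asymmetry is the post's point about time: the hit rate collapses as suffixes lengthen, which is exactly the signal the miss-ratio check keys on.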
Posted by Eric at March 26, 2004 10:33 AM