
OWASP Automated Threat (OAT-017) Spamming

Spamming – Malicious or questionable information addition that appears in public or private content, databases or user messages.

What is Spamming?


Malicious content can include malware, IFRAME distribution, photographs and videos, advertisements, referrer spam and tracking/surveillance code. The content might be less overtly malicious but be an attempt to cause mischief, undertake search engine optimization (SEO) or to dilute/hide other posts.

The mass abuse of broken form-to-email and form-to-SMS functions to send messages to unintended recipients is not included in this threat event, or any other in this ontology, since those are considered to be the exploitation of implementation flaws alone.

Spamming is also known by terms such as blog spam, bulletin board spam, clickbait, comment spam, content spam, content spoofing, fake news, form spam, forum spam, guestbook spam, referrer spam, review spam, spambot and SEO spam.

The Symptoms of Spamming


OWASP, a worldwide not-for-profit charitable organization focused on improving the security of software, notes that there are several possible symptoms of spamming. These include:

  1. Increase in the rejection rate of user-generated content by moderation processes

  2. A higher rate of complaints from users about spam content

  3. High appearance of typically fraudulent keywords in user-generated content (e.g., celebrity names, insurance, Viagra)

  4. High hyperlink density

  5. Inclusion of hyperlinks to web hosts that redirect, or with low reputation, or that host malicious content directly

  6. Requests from source IP addresses, devices or fingerprints that appear on spam lists
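The symptoms above are all measurable on each submission, so a moderation queue can score them before content is published. The following scorer is an added example and not code from OWASP or from this page: it checks a submission for suspect keywords, hyperlink density, links to low-reputation or redirecting hosts, and a source IP or device fingerprint on a spam list, then maps the total to accept/review/reject. The keyword list, host lists, the 198.51.100.0/24 network, the fingerprint IDs, the weights and the thresholds are all constructed for illustration; a real deployment would load them from threat intelligence feeds and tune the weights against its own moderation data.

```python
"""Heuristic spam scorer for user-generated content (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed example data (assumptions): in production these come from
# reputation feeds, spam lists and the site's own moderation history.
SUSPECT_KEYWORDS = {"viagra", "insurance", "casino", "free money"}
LOW_REPUTATION_HOSTS = {"cheap-pills.example", "redirect.example"}
URL_SHORTENERS = {"bit.ly", "tinyurl.com"}            # opaque redirects
SPAM_LISTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
SPAM_LISTED_FINGERPRINTS = {"fp-9f2c"}
LINK_DENSITY_THRESHOLD = 0.2                          # links / (links + words)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
WORD_RE = re.compile(r"[A-Za-z0-9']+")


@dataclass
class Submission:
    text: str
    source_ip: str
    fingerprint: str


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)

    @property
    def action(self) -> str:
        """Map the score to a moderation decision (thresholds are assumptions)."""
        if self.score >= 6:
            return "reject"
        if self.score >= 3:
            return "review"
        return "accept"


def link_hosts(text: str) -> list:
    """Lower-cased hostnames of every http(s) URL in the text."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def hyperlink_density(text: str) -> float:
    """Share of tokens that are links, counting words outside the URLs only."""
    links = URL_RE.findall(text)
    words = WORD_RE.findall(URL_RE.sub(" ", text))
    total = len(links) + len(words)
    return len(links) / total if total else 0.0


def score_submission(sub: Submission) -> Verdict:
    v = Verdict(score=0)
    lowered = sub.text.lower()
    for kw in sorted(SUSPECT_KEYWORDS):            # symptom 3: suspect keywords
        if kw in lowered:
            v.score += 2
            v.reasons.append(f"keyword:{kw}")
    density = hyperlink_density(sub.text)          # symptom 4: link density
    if density >= LINK_DENSITY_THRESHOLD:
        v.score += 3
        v.reasons.append(f"link_density:{density:.2f}")
    for host in link_hosts(sub.text):              # symptom 5: bad link targets
        if host in LOW_REPUTATION_HOSTS or host in URL_SHORTENERS:
            v.score += 3
            v.reasons.append(f"bad_host:{host}")
    ip = ipaddress.ip_address(sub.source_ip)       # symptom 6: listed IP/device
    if any(ip in net for net in SPAM_LISTED_NETWORKS):
        v.score += 4
        v.reasons.append(f"listed_ip:{sub.source_ip}")
    if sub.fingerprint in SPAM_LISTED_FINGERPRINTS:
        v.score += 4
        v.reasons.append(f"listed_fingerprint:{sub.fingerprint}")
    return v


# Constructed sample submissions: one legitimate comment, one blatant spam
# post, one borderline post that should land in the review queue.
SAMPLES = [
    Submission("Great article, thanks for the detailed write-up on session tokens.",
               "203.0.113.7", "fp-1a2b"),
    Submission("Cheap viagra http://cheap-pills.example/buy and more http://bit.ly/x1",
               "198.51.100.23", "fp-9f2c"),
    Submission("Check out http://tinyurl.com/abc for insurance quotes",
               "203.0.113.9", "fp-3c4d"),
]

if __name__ == "__main__":
    for s in SAMPLES:
        v = score_submission(s)
        print(f"{v.action:7} score={v.score:2} {v.reasons} :: {s.text[:40]}")
```

The scorer is deliberately additive so that every reason survives in the verdict; a moderator reviewing the queue sees why a post was held, and the weights can be tuned per symptom without touching the detection code. Link density is computed over words outside the URLs so that a post consisting only of links does not hide behind the words inside its own URLs.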

Sectors Targeted by Spamming


Spamming attacks are aimed at a variety of sectors including entertainment, retail and social networking industries.

OWASP describes spamming as malicious or unwanted information that appears in public or private content, databases or user messages.

OWASP says the data commonly misused in spamming attacks includes authentication credentials, payment cardholder data and other financial data, medical data and other personal data, intellectual property and other business data, and public information.

Ways to Prevent Spamming Security Threat


OWASP suggests several possible countermeasures for organizations to address the threat of spamming. These include:

  1. Consider randomizing the content and URLs of content, linking these changes to an individual user’s session, verifying the changes at each request, and restricting any identified automated usage.

  2. Define test cases for spamming that confirm the application detects or prevents users attempting to spam its content/data.

  3. Identify and restrict access from IP addresses known to belong to vulnerability scanners, web crawlers or cloud providers engaged in spamming websites.

  4. Participate in ecommerce threat intelligence exchanges and contribute any relevant attack data to sector-wide sharing systems.
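Countermeasure 1 is the least obvious of the four, so here is one way to implement it, as an added example that is not OWASP's or this page's own code. The idea: every time the comment form is rendered for a session, the server issues a nonce and derives the real input names from an HMAC over the session ID, the nonce and the logical field name, so a script that hard-codes `comment` as the field name, replays a captured form, or reuses a form scraped under a different session fails verification. A hidden honeypot field with an equally random name and a minimum fill time catch scripts that fill every input they see or submit instantly. The class name `FormGuard`, the field names, the in-memory nonce store, the injectable clock and the session IDs in `demo()` are assumptions for illustration; a real deployment keeps the pending nonces in its session store and the key in a secrets manager.

```python
"""Session-bound randomized form fields (added example)."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600        # seconds a rendered form stays valid (assumption)
MIN_FILL_SECONDS = 2    # humans need at least this long to type (assumption)


class FormGuard:
    def __init__(self, secret: bytes, clock=time.time):
        self.secret = secret
        self.clock = clock              # injectable so tests can control time
        self.issued = {}                # session_id -> set of unconsumed nonces

    def _mac(self, *parts: str) -> str:
        return hmac.new(self.secret, "|".join(parts).encode(),
                        hashlib.sha256).hexdigest()

    def field_name(self, session_id: str, nonce: str, logical: str) -> str:
        """Per-session, per-render input name for a logical field."""
        return "f_" + self._mac("field", session_id, nonce, logical)[:16]

    def render(self, session_id: str) -> dict:
        """Values the template needs: a token plus the randomized field names."""
        nonce = secrets.token_hex(16)
        issued_at = str(int(self.clock()))
        token = ".".join([nonce, issued_at,
                          self._mac("token", session_id, nonce, issued_at)])
        self.issued.setdefault(session_id, set()).add(nonce)
        return {"token": token,
                "fields": {"comment": self.field_name(session_id, nonce, "comment"),
                           "honeypot": self.field_name(session_id, nonce, "honeypot")}}

    def verify(self, session_id: str, posted: dict):
        """Return (True, comment) for a plausible human, else (False, reason)."""
        try:
            nonce, issued_at, mac = posted.get("token", "").split(".")
        except ValueError:
            return False, "malformed token"
        if not hmac.compare_digest(mac, self._mac("token", session_id, nonce, issued_at)):
            return False, "token not bound to this session"
        pending = self.issued.get(session_id, set())
        if nonce not in pending:
            return False, "token replayed or never issued"
        pending.discard(nonce)                       # one submission per render
        age = self.clock() - int(issued_at)          # issued_at is MAC-protected
        if age > TOKEN_TTL:
            return False, "token expired"
        if age < MIN_FILL_SECONDS:
            return False, "submitted too fast"
        comment_field = self.field_name(session_id, nonce, "comment")
        if comment_field not in posted:
            return False, "expected field names missing"
        if posted.get(self.field_name(session_id, nonce, "honeypot")):
            return False, "honeypot filled"
        return True, posted[comment_field]


def demo() -> dict:
    """Run one human and several scripted submissions through the guard."""
    now = [1_700_000_000.0]
    guard = FormGuard(b"demo-secret-key", clock=lambda: now[0])
    results = {}
    # Legitimate user: renders the form, types for 5 seconds, submits once.
    form = guard.render("sess-alice")
    now[0] += 5
    post = {"token": form["token"], form["fields"]["comment"]: "Nice write-up."}
    results["legit"] = guard.verify("sess-alice", post)
    results["replay"] = guard.verify("sess-alice", post)        # same post again
    # Bot that scraped the form under one session and posts it from another.
    form = guard.render("sess-bot")
    now[0] += 5
    results["cross_session"] = guard.verify(
        "sess-other", {"token": form["token"], form["fields"]["comment"]: "buy now"})
    # Bot that fills every input it sees, including the hidden honeypot.
    form = guard.render("sess-bot2")
    now[0] += 5
    results["honeypot"] = guard.verify(
        "sess-bot2", {"token": form["token"], form["fields"]["comment"]: "spam",
                      form["fields"]["honeypot"]: "spam"})
    # Bot that submits in the same second the form was rendered.
    form = guard.render("sess-bot3")
    results["too_fast"] = guard.verify(
        "sess-bot3", {"token": form["token"], form["fields"]["comment"]: "spam"})
    # Script with hard-coded generic field names and no token at all.
    results["no_token"] = guard.verify("sess-bot4", {"comment": "spam"})
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14} -> {outcome}")
```

Any failed verification is the "identified automated usage" the countermeasure says to restrict: the handler can drop the post silently, raise the client's rate limit tier or feed the session to the bot mitigation layer. The caveat is that none of this stops a bot which fetches the page and parses the form on every submission; it raises the cost of the naive scripts that make up most volume, and the honeypot and fill-time checks are what catch the ones that do parse.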

These are the primary security checks against spamming attacks, but a few dedicated fraudsters will go to considerable lengths to sustain their spamming effort, often operating through privacy browsers, VPNs and proxy servers to obscure their identity, which limits what IP-based restrictions alone can achieve. The measures above help fight back against malicious users such as spammers without causing harm to your legitimate users.

Online businesses can also opt for a bot mitigation solution that blocks spamming attempts and other OWASP automated threats in real time without affecting legitimate visitors. Because it classifies the client rather than the content, bot mitigation can stop the automated submission itself, not just the spam that results from it.

These security measures help you build a stronger defense against spamming attacks targeting your public or private content, databases or user messages.