Over the weekend I received my first iMessage spam. Here’s a screenshot of the spam message:
After asking around at Cloudmark, lots of other people also received a similar spam message, so we decided to look in Cloudmark’s Spam Reporting Service (SRS) to see if we could quantify the scope of the attack.
The Spam Reporting Service provides a clearinghouse of reported spam messages for participating mobile operators. In North America, this includes AT&T, Bell Mobility, Sprint, T-Mobile and Verizon Wireless, and other carriers. Outside the US, it includes Telecom Personal, several major carriers in the UK, and other carriers around the world.
While most of the reports we receive today in SRS are for SMS spam messages, it happens to also receive iMessage spam messages, even though iMessage is really an example of over-the-top (OTT) messaging. This mixup isn’t surprising–the two types of messages both appear in the iOS app, and it’s possible to forward an iMessage spam to the 7726 (S-P-A-M) shortcode.
There isn’t any way to specifically categorize reported messages as iMessage vs SMS-delivered, but by analyzing the content and sender of this message along with recent SRS reports, we can come up with an estimate. The following graph counts SRS reports related to this particular spam attack (selling luxury goods) since the beginning of November.
You can see that the attack started around the beginning of November and really took off the weekend of Nov 22-24.
Others have pointed out that iMessage can be easily scripted to send messages to any phone number. Here are some references:
Given the relative ease of sending messages to potentially millions of recipients, Apple will need to take aggressive measures to prevent iMessage spam volumes from increasing further.