Episode 512 OOPSpam 2024 Spam Report With Onar Alili
Show Summary
The SDM Show podcast features Rob Cairns interviewing Onar Alili from OOPSpam about their 2024 spam report. The report analyzes 20 million spam samples, revealing SEO, political, and financial spam as top categories, with a significant portion targeting WordPress websites. They explored the rise of sophisticated spam tactics including the exploitation of AI, IoT devices, and crypto scams. They discussed the importance of multi-layered security solutions for websites, especially for small businesses often targeted due to lax security practices. OOPSpam utilizes data analysis and models, plus IP and email lists, to identify and filter spam, offering geo-restrictions and unlimited website plans. They also touched on emerging AI-driven threats such as voice scams, which is a growing and scary trend.
Show Transcript
Hey everybody, Rob Cairns here and today I’m here with my good friend Onar from OOPSpam. How are you today my friend?
Good Rob. How are you?
It’s good to have you back and uh today I thought we’d dive into this 2024 annual spam report that your company puts out. I don’t think I’ve seen one out there as detailed as this. Most people usually put them out about year in review viruses, domains, CMSs, but you guys being a spam company have focused on spam. Um, how long did this report take your team to put together?
Oh, first thanks for having me. And so we picked um 20 million samples, random samples. And then we try to look through them. We try to make sure that they’re randomized and so it’s a fair distribution across different tools and stuff. Then we look into it, see what we can extract, what kind of information, valuable information we can extract that will be valuable for people.
And one of the things, you know, that came out glaring on this report is SEO spam’s number one, right? Political spam was number two. And then the third one was financial spam. But it’s interesting there was no Pharmacare spam at the top of the three, which is kind of a bit of a shift, don’t you think?
The pharmacy.
Yeah.
Uh I think uh I think this kind of spams are covered on the health medical and medicine and kind of uh so they are within that category.
Yeah. So and the other thing I would say is you know before we even dive in more is this is one of the things why site owners really got to watch their websites and care about stuff like this because what these spammers are doing is using their website for their benefit to gain traffic to where they need it to be. Right. So
yeah
And I’m sure we’ve seen an increase in political spam with all the political unrest in the US these days as I like to call it. So and we all know in the political realm if you play the PPC game it’s harder to do ads these days. Facebook has all kinds of convoluted rules around political ads. So does Google both for Canada and US by the way. Um and it becomes a nightmare. So I think political activists are finding uh more and more ways and one of the ways to support a cliff man.
Yeah, that’s very true. And that was surprising to me too because sometimes uh well in traditional sense we always imagine spam as something like you try to sell or do um attempts to link or phishing attack. But in this uh political spam uh I noticed that they don’t have necessarily goal to sell anything but they are more spread the information like if they have a certain goal that say they want to let you know about certain things Trump did it or Biden did it for example from USA and they will just pass it as information so there’s no link there’s no selling it’s just plain information passed in a contact form or the review systems or a comment. So it was kind of interesting to see this kind of different kind of spam that’s uh if you are for example rely on oh if there’s a link in my review then I will think it’s a spam but it’s not like that anyway it’s basically pure information and yeah
yeah and then the other thing that came really glaring in this report which didn’t again didn’t surprise me I think you and I were talking before we went there and I said as somebody who knows the space really well none of these numbers kind of shocked me if you know what I mean and I’ve read it a couple times
69% of all spam targets WordPress websites. Well, it’s about right, because to be fair, WordPress occupies right now as of this recording about 43 to 44% of the market. So if I’m a spammer or a hacker or a security looking for vulnerability, I’m going to target what occupies most of the market and that’s WordPress. So that kind of goes hand in hand, wouldn’t you say?
Yeah, totally agree. That’s why we mentioned in the report that uh we I mean it comes from their popularity and same goes with the forms, goes to form builders. We have a bunch of form builders they attacked but not because they are like vulnerable but because they are more popular.
Y
so yeah so yeah it’s the same thing
and I think
I notic ahead keep going.
Uh so for example u like as we know I think I saw someone recently wrote article about um comparison between um data between WordPress usage and Elementor users and how many of the uh WordPress users are Elementor users too and so I know for example it’s also reflected in our reports that many of the contact form, third most spammed uh form builder is Elementor form uh that’s because it’s just simply more popular not because of more vulnerable
y and the other thing I would suggest is is
you go to the contact form and that’s where I was going to go. The number one is Contact Form 7 and one of the reasons I believe for that is first of all it’s free, right? So a lot of people use it as a de facto. If you go to the WordPress repository it’s one of the top five most installed um contact forms and to be fair and I’m going to be really hard on Contact Form 7, they’ve had more security vulnerabilities in the last two years than any other contact form out there. Right. So it all kinds of lines up hand in hand. Wouldn’t you agree at that point?
True. Yeah. Um contact uh 7 is I would say one of the most popular right plugins.
Yeah.
And it is uh much simpler. Uh I don’t know how much they like you mentioned that they get uh and they have a lot of vulnerabilities and I don’t know much about their what’s going on how much vulnerability they get every year. But I know that the popularity and they’re much more simpler, beginner friendly. I would say maybe that’s why people use it most and uh and that’s why they get spam more too.
Yeah, I know. I’m generally fortunately the contact form I use is not on the list by the way.
I’m um a WS Form user which is Mark Westguard’s product and Mark is a friend. So, disclaimer.
Oh, yeah. I know Mark. He’s a great guy.
Yeah. And he’s been on the show numerous times and he actually takes stuff like that pretty seriously. One of the things I would say to any listener and I don’t care what form product you’re using and using your guys product as well. The other thing I would implement honestly on a contact form is Cloudflare Turnstile. Like without even thinking about it, it’s free. If your form product doesn’t support Cloudflare Turnstile, well, then find another form product because that alone will cut your form spam down. I have political sites and I was talking to you about that for the show and one of them we instituted Cloudflare Turnstile and they went from couple thousand spam contact form a week to one. So like anybody who’s not educated should go educate because Cloudflare doesn’t charge for that service. So get on that. Do you think things like Cloudflare Turnstile are better to protect form spam than the old CAPTCHAs or do you have any feeling around that?
Um I think there’s a few factors. Uh but Turnstile is, it’s great. I like Turnstile in terms of it’s more accessible compared to CAPTCHA and I guess reCAPTCHA has invisible mode which also accessible. So Turnstile and similar CAPTCHA solutions they are great for automated bots.
Yep.
And Turnstile has bigger I guess bigger networks and compared to CAPTCHA and I think uh so I think they use a IP reputation too which is CAPTCHA. Yeah. So reCAPTCHA doesn’t use it, they just track users behavior and based on that determines if it’s bot or not. Uh so yeah we uh we recommend this uh our customers to use Turnstile when they’re needed because our solution uh OOPSpam is basically more bots plus, both agent bots and manual spam and more abuse if you are targeted and stuff, but Turnstile is great, works great for automated bots, you know, dumb bots uh like bots goes to your website just try to fill your form and submit. It works great for this kind of um attacks.
What you’re saying is what we really need is a multi-layered solution, right, to protect spam properly. Like it’s not a drop in one thing and that fixes all. You need the layers to help you out here.
Yeah. I’ve seen like cases where uh especially with the WooCommerce uh they get different kind of spam and abuse and I’ve seen like okay someone reach out to us they say hey we installed, we have uh Wordfence, we have Turnstile and just nothing stopping this and stuff. Then I look at the data and usually people they give us temporary password, username so we can have a close look and really appreciate when customer do that because we actually we can look at the data in real time to see what’s going on and then we see that okay this uh IPs are never being used for spam ever, it’s from places like DigitalOcean where it’s much better reputation. They have better reputation and they use good IPs but they still like able to get around it and it uses clean IPs and they run uh sophisticated, usually they uses like vulnerability or some kind of I would say vulnerability by design. It’s not necessarily vulnerability but you don’t expect for example someone use REST API to submit uh like no one use a REST API to purchase something, right? It’s more too technical
so but they do that uh and that’s why Turnstile here, there’s no interface Turnstile can scan, it can look, there’s no way for it to do it. So that’s where we come in and we look at the data then plugged into that hook and try to minimize that damage
Yeah, and then I thought we jump on into origin countries. So, this one surprised me a little bit. I would have thought Russia’s numbers would have been higher and you know when we look at this report like really the US and China are accounting for about call it 58%, that’s like a majority of it, and then it’s kind of like everybody else. And just knowing, I’m surprised Russia’s numbers aren’t higher knowing what comes out of Russia, knowing there’s a lot of insecure servers in Russia, knowing the makeup of the land. Um it’s interesting that’s not higher because in the hacking world a lot of hack attempts came out of Russia. So it’s just but the spam isn’t. So it’s just a little fascinating when you ask
I think there are also strange that they they know that too people in Russia.
So what they do they start using like American companies, data centers companies. And uh VPS are so cheap now. You can buy it for $2. And in some of them in Europe, you can buy it for uh one f something like that. Very cheap. You can buy VPS servers and you can so they for reason they know that people trust and usually like you mentioned Turnstile or Cloudflare in general. So what people do, people just block entire Russia, they block entire China, but they let United States, the USA IP is open. So people there knows that too. So they go to data centers, buy VPS, and then spam forms there. That’s what I think what’s going on. I believe
I do too. Um let’s go to on the most spam forms. I’m kind of breaking this down if it’s okay because it’s really fascinating and people you know you you and I live in this world but a lot of people and especially business owners don’t. So
45% of people that sign up or spam is caused by sign up. That doesn’t surprise me. 35% is a contact form. Yes, I get way too much contact form spam. And then e-commerce and reviews are kind of after that. None of those numbers surprise me. And I think what this is pointing at is guys, you got to lock down your sign up and contact forms, right? Like
Yeah. Yeah. Certainly. Sign up uh sign up also very easy to spam. It’s basically, it’s different kind of attack from contact form.
Y
uh it’s a general categories but signup form is basic because you’re usually just one uh field uh two field like email password and maybe confirm your password uh if company doesn’t want to collect more they ask your name and stuff but uh sign up form yeah it just us fill lots of they create lots of Gmail like most of maybe we should have mentioned that too but like Gmail accounts are most used in spam and there’s no validation. There’s no way with Google to check if this Gmail account, no reliable way I should say, that this Gmail account exists for example. So there’s no way for you when someone sign up you can check oh is this uh Gmail account exist or not. Of course you can do double opt-in and options like that, confirm your email and stuff. This usually helps. But uh problem is that people who spam or bots who spam they don’t really care about your confirm your email part. What they do is they just register on your sign up form, registration form, and your system sends them email.
Yeah.
Or sends the email. So that’s what they care. They want to fill someone’s inbox or they want to damage your email provider reputation email deliverability service reputation. and stuff.
Oh yeah.
And that’s the biggest thing like you know and then you go on and you and this is something really that business owners should really pay attention to and I hear it all the time. I have a small website. I run a small store. Why should I care about security and spam? Who cares? Nobody’s going to attack me. And my argument would be as a security guy, yes, they’re going to attack you because most spammers and hackers know that small websites tend not to do the things they’re supposed to do. So that makes them more of a target and they say, “Well, what’s it going to do if I’m attacked?” Well, you guys do a really good job in your report of outlining that. And it starts with uh damaged domain reputation, check. Customer distrust, check. Operation strain, overload, slowing down your website, check. And possible financial loss, check. So, where I’m going with this is small business owners, you need to pay attention if to anything in this report, not the percentages, not the numbers, not anything, those four things, and say this is why I need to do something with my website.
Yeah, especially with the e-commerce uh like with contact form, if you get spam, let’s say, okay, I’m fine with that. I’ll ignore just his emails, right? Maybe you are really patient person then, but when it comes to e-commerce it’s a direct financial damage to your business because and on multiple front too and when someone like we had a customer u reach out to us hey um uh so they getting like every day they’re getting like maybe 400 fake orders and they reach out to us hey I have issue and I’m using this solution stuff. So they like they get in. So they had like total 40,000 fake orders and what that means that each time they get fake orders that the fake order changes the status to failed order because payment couldn’t process. What happens each time, so 40,000 times the system send email to these people, they all had a high bounce because email bounce back, the email doesn’t exist. And then each time they use their stolen credit cards as bots. And what happens is that you send requests to your credit card processor and they receive 40,000 from your account. Then they say, “Okay, maybe we should shut down or shadow ban your account or your business consider high risk all of a sudden and you can’t sell anymore basically and you have to look for other providers.”
Yeah. Yeah. I agree. And just without getting into the rest and we’re going to put a link to report in the show notes because I think Everybody needs to go read it. Um, looking forward, looking ahead, not looking forward to 2025 and we’re already there at the time of this recording. The first thing you talk about is AI is going to is being increased uh the usage. What a shock. Not if anybody’s listened to this show, I’ve been touting for a long time AI is one of the best benefits to business, but it’s also giving the hackers, the spammers, and all the nefarious people a real edge in attacking others, right? So, it’s becoming
a bit of a problem. And uh you mentioned phishing, AI-driven phishing emails. Well, I’m going to tell you
the biggest thing and Tim Nash and I, if you know Tim, Tim’s a regular contributor to the show and we’ve talked about numerous times that in phishing emails, the language is actually really good right now. Graphics is really good and you can thank AI for that cuz all these people are doing is taking their emails and instead of the crappy English we’ve all seen, they’re dumping them in AI and it’s fixing all the spelling and here you go. Right.
So, it’s a problem right now.
It is uh I mean it’s already problem and it’s going to become more and more problem and at started like more advanced and I’ve seen like this is not a spam, in general abuse. Uh we’ve seen like uh voice um spam, voice abuse where they call for example vulnerable group of people in communities and they with their like family members voices and stuff and they try to get them give them money or they impersonate some government officials. I know personally someone who grandparents were attacked like that and a lots of money were taken from their uh retirement account and this is all used AI and they disappear very quickly too because all digital and they just move on to the next target.
So it’s very so it’s very important to and I think FBI recently published new guidelines that you should have a secret um password what they call with your uh with your family so when calls you
You know I’ve been touting that for over 20 years now. Um
yeah
I you I did um in a time in my career I did a lot of education in schools and then in teaching kids and parents how to be safe online and I’ve been touting for a long time that a family needs to come up with a phrase or a password before anything. So that’s um it’s just that the tools because of AI getting easier for the spammers but the the scams have been out there for a long long time so so to speak
Right, yeah, they definitely do get in a more sophisticated and even like what we see in the data and text based spam uh they are much better, they’re written better and it’s hard to know. So what we do is that we try to like train another model, basically fight AI with AI. So we train another model based on the what we see spam and try to combat that and also IP and email reputation help but IP is so not reliable in terms of spam. So many people use VPN just for uh I mean I’ve seen so many people who go to website and it’s stuck on a CAPTCHA, keep turning and turning, they don’t let them in and they have no way to go into the website to read it or even let the website owner know that hey I cannot access your website unless that person goes to Facebook finds that person or LinkedIn or among alternative channels. So it’s very important to think that when you implement any spam or any solutions that you are not going to limit uh VPN users and stuff. So that’s why IPs are not that reliable
and emails are like emails anyone can generate emails and is so easy to generate
Right, so true, and then the second thing you talk about it’s exploitation of IoT devices and I kind of want to talk about that because IoT devices are inherently insecure to start with. I mean I don’t know an IoT manufacturer that updates their devices on a regular basis from a security perspective. So we’re talking everything from the Amazon ELA, I won’t say the word, I’ll set them off again, to the Google minis to the Ring doorbells to you name it. I don’t know any where the security is being updated on a regular basis and that alone makes them a target for everything under the sun. So one of the recommendations I’ve actually made is if your router supports a separate subnet, your IoT devices should go on a separate subnet, not your main network at home. What do you think about IoT devices?
Yep. Uh I think it was uh 2018 I was working on IoT devices when I was doing my masters. So we were building IoT devices and so we were reading a lot and we had different companies we worked with and different device companies who developed different chips for um hardware for the IoT devices and they had uh like almost none of them had any authentication and even they had authentication it was very insecure authentication simply because by design they are so small, they’re limited uh memory in it and they cannot run sophisticated authentication or encryption uh in it and I don’t know how it’s changed now but uh but they are in general as you mentioned they are by design of like vulnerable and uh that’s one of the reports I mentioned it how USA is number one where spam comes from, the devices, IoT devices are vulnerable. Many like countries have right from China and China is attack hackers. They go to the devices they just infect the devices and you never know because everything works. So you never suspect anything is but all comes from your network and all a sudden your IP get blocked and you wonder why I cannot enter this website or I cannot commit this uh contact form or submit this.
It’s true and and people don’t realize um and that’s what happens. And then the third one and we’re and there’s a couple others but we’re going to stop. But third one is crypto scam and is crypto uh spam. And what I’ll say is crypto scams are growing everywhere. I mean the spam is on forums, it’s on social media, it’s absolutely everywhere. And it and I take a different view with crypto and it’s folks crypto is an unregulated currency. and the word unregulated and I know in Ontario I have a good friend who’s a director of public relations for the Ontario Securities Commission. So they’re the ones who look after investment companies and stuff like that. And in this province, we’ve actually implemented laws to curtail some of the crypto thing as I call it. But I would be really really careful with something that’s not regulated. It’s like play at your own risk and
Yeah.
And If we started being careful, we would shut this down like left, right, and center. What do you think about crypto and crypto scams and spams?
But you say uh crypto in spam uh they are mostly, most if not all of them are basically trying to help you to recover your stolen cryptocurrency wallet. So basically lots of people now get messages, hey if you lost your wallet, we can help to recover it. Um, I’m assuming they have their own goal to steal your wallet.
10 a day and I don’t have a wallet. So, there you go.
Yeah, that’s safest. If you don’t have it, you are safe.
That is true.
Um, so we’ve talked a little bit about the report. Uh, how does OOPSpam help mitigate what’s in this?
It’s all uh data analysis and we have like as I mentioned we have our own model. Basically we have uh and this been around before all the AI hype and we had since 2017 we had our own model and we keep adding data on it and improving it based on the content uh spam content and we also have large subset of IPs and emails and all different categories. So you know you have contact form and WooCommerce are different for example, they get different targeted spam, so we use different list of block IPs for them and stuff. So it’s all uh content, IP and email and we also let people like filter their geo restrict their
so we don’t so there is like restricting your entire website so no one can enter from and we only lets them restrict can just see and all the all the information what we do and how we do it.
Yeah. And the best place to get a hold of you I take it is on LinkedIn these days. Is that
Yes. I think LinkedIn is the best just search on Ali and there.
Yeah.
Onar, thanks for coming on and talking about the report. I wish OOPSpam a great 2025 and as always we hope to have you back soon to talk more about the world of spam. Have a great day, my friend.
Thanks so much. Yeah, thanks so much Rob having me and I really appreciate talking to you and it was fun.
Thank you. Bye-bye.