5 Ways to Fight Instant Messaging Spam

Written by Ed Fisher on April 20, 2011

No matter what the technology, someone is going to try to abuse it to send you messages touting their wares, or trying to convince you to click their links, or to help them move millions of dollars belonging to their deceased client out of the country. I got one just the other day over instant messaging, which prompted this post.

This message is from no one I have ever heard of, uses poor spelling (which may be typical of many IMs), provides a targeted link (that’s my actual IM screen name I lined out), and promises money. This one message has all the hallmarks of a phishing attack, but since it came across in an instant message rather than an email, it is called SPIM.

IM Spam, sometimes called SPIM, seems to come and go in phases, but can be just as annoying, and as potentially dangerous, as any other kind of Spam. SPIM can manifest itself as messages that pop up just like any other IM from one of your contacts, or it can first appear as a request to add a contact. The ones we want to make sure our users are aware of are the ones that include links, like the one above.

In addition to warning our users about IM spam, there are some proactive measures you can take to reduce the amount of IM spam hitting your messaging client.

  1. Don’t publish your IM screen name(s) on websites. Use a service like Plugoo if you want to let visitors of your website or blog contact you by IM. It’s like a contact form for instant messaging, and is free.
  2. Each of the major instant messaging services offers settings to restrict access to your account. Log on to each service, and configure the privacy settings for your account to be more restrictive. Don’t list yourself in the service’s online directory, and restrict access to other information.
  3. If you get a request to add a user to your contact list from someone you don’t recognise, check out their profile before accepting their request to make sure you really know them.
  4. If you use Pidgin, my favourite instant messaging client, there is a plugin called BotSentry. When someone who is not on your contact list tries to message you, BotSentry can challenge them with a question that they must answer before their message will get through to you. The question can simply be a barrier to bots, or it can be something only your acquaintances would know if you also want to keep out human spammers. You can get the plugin from http://sourceforge.net/projects/pidgin-bs/, and it is equally effective on all messaging protocols.
  5. Corporations should use an internal instant messaging program that secures their internal communications, and a PIC gateway to interface with public services if desired. These gateways can perform anti-x functions as well as protect against information leakage.
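
The challenge-question gate described in tip 4 can be sketched as a small state machine. This is an added example, not BotSentry's code or anything from the original post: the class name, the attempt limit, the release of the held message after a correct answer, and all screen names and messages are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class ChallengeGate:
    contacts: set            # screen names already on the contact list
    question: str            # challenge sent to unknown senders
    answer: str              # expected reply (compared case-insensitively)
    max_attempts: int = 3    # assumption: wrong answers allowed before ignoring sender
    verified: set = field(default_factory=set)
    blocked: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)   # sender -> [held message, wrong answers]
    outbox: list = field(default_factory=list)    # (recipient, text) automatic replies

    def receive(self, sender, text):
        """Return the messages that should reach the user's chat window."""
        if sender in self.contacts or sender in self.verified:
            return [text]
        if sender in self.blocked:
            return []
        if sender not in self.pending:
            # First contact from a stranger: hold the message, send the challenge.
            self.pending[sender] = [text, 0]
            self.outbox.append((sender, self.question))
            return []
        held = self.pending[sender]
        if text.strip().casefold() == self.answer.casefold():
            self.verified.add(sender)
            del self.pending[sender]
            return [held[0]]          # release the message that was being held
        held[1] += 1
        if held[1] >= self.max_attempts:
            self.blocked.add(sender)  # stop processing this sender entirely
            del self.pending[sender]
        return []

def demo():
    # Constructed screen names and messages, for illustration only.
    gate = ChallengeGate({"alice"}, "What city do we both work in?", "Leeds")
    shown = []
    for sender, text in [
        ("alice", "lunch?"),
        ("spimbot42", "u won $$$ click http://example.invalid/x"),
        ("spimbot42", "u won $$$ click http://example.invalid/x"),
        ("bob_new", "Hi, it's Bob from the Leeds office"),
        ("bob_new", " leeds "),
        ("bob_new", "Are you free tomorrow?"),
    ]:
        shown += [(sender, m) for m in gate.receive(sender, text)]
    return shown, gate.outbox
```

The challenge is sent only once per unknown sender, so a bot that keeps repeating its message never triggers a stream of automatic replies.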

Remember, sharing information and raising awareness with your users is one of the best ways to defend your own network against attacks. So share some knowledge with other readers. What are some other ways you prevent IM Spam, or SPIM?

About Ed Fisher

An InfoTech professional, aficionado of capsaicin, and Coffea canephora (but not together), I’ve been getting my geek on full-time since 1993, and have worked with information technology in some capacity since 1986. Stated simply, if you need to get information securely from a to b, I’m your guy. I’m like "The Transporter," but for data, and without the car. And with a little more hair.

Comments

Sam Smith April 25, 2011

I thought that with Skype and Facebook the good old IM is dead but since spimmers are targeting it, it must be not that dead yet. Thanks for the link to BotSentry – whenever I use ICQ (which isn’t very often though), I use Pidgin and I do get spim. I didn’t know about the plugin and I will start using it.

Luke Ian April 26, 2011

I used to publish my Skype, Gtalk, and YM IM IDs to my blogs and websites for my clients to easily reach me. I even put them on my Facebook personal and business pages.

AND then the spammers came in, constantly bugging me with their “His” and “Hellos”.

Plugoo really helped me cut down IM spam.

Aside from Plugoo, you can also use MeeboMe, Geesee, Habla, Zoho Chat, Google Chatback, and Gabbly.

Ed Fisher April 26, 2011

Sam, glad I could show you something cool.
Luke, I wasn’t aware those other services existed. Thanks for the info. I just switched to Google Chatback!
Ed