Hold the phone: iMessage spam not all it's cracked up to be

Is Apple's iMessage the new favorite tool of spammers worldwide? A widely quoted recent article written by Wired's Robert McMillan suggests it is, even going so far as to claim that iMessage "is being taken over by spammers."

Largely based on an interview with security analyst Tom Landesman, McMillan states that, thanks to a few enterprising fraudsters who have figured out a way to take advantage of Apple's networks, iMessage accounts for some 30 percent of all mobile spam, and that the company's efforts at stemming the onslaught of unwanted messages are moving too slowly to catch up with the spammers.

But is the problem really that dire? A closer look at the numbers suggests that the iMessage spampocalypse may be a ways off yet.

A very real problem

Let's start with the bad news: iMessage spam is a real thing. Although I haven't personally fallen victim to it, Macworld editors Dan Frakes and Dan Moren have each seen the emoji-laden marketing pitches, as has Daring Fireball's John Gruber. A quick Twitter search turns up a smattering of other reports, which also appear on a number of Apple-related forums.

This is, sadly, hardly a surprise. Like lighting a fire, spamming requires three ingredients: a network that lends itself to abuse, a large list of users, and low cost--all features that iMessage offers in spades.

Sending automated messages from a Mac without any user intervention is a surprisingly easy operation: all it requires is a single line of AppleScript. There are entirely legitimate uses for this feature; for example, I routinely use iMessage on my iMac to send notifications to my iPhone and iPad when our servers at work go down. It's an inexpensive--and very effective--way of avoiding having to wake up in the morning to an inbox full of complaints from angry customers who couldn't access our services overnight.

In the wrong hands, however, the ability to indiscriminately send virtually unlimited messages can spell disaster, particularly when you couple it with the fact that, unlike traditional SMS messages, iMessage is completely free. One simply has to build a script capable of reading through a list of numbers and email addresses and then blast out messages to them one by one. And Apple makes this extra easy by conveniently disclosing whether a particular number or address is, in fact, capable of receiving iMessages.

Hold the, uh, phone

That's a far cry, however, from claiming that nearly a third of all mobile spam is generated through iMessage.

We reached out to Cloudmark, the company Mr. Landesman works for. Cloudmark's focus is spam research and prevention--particularly in the mobile world, where the company manages the global spam reporting system run by the GSMA, an industry association with deep ties to the mobile market.

In an email conversation via Cloudmark's public relations department, Landesman provided some additional insight into the numbers behind the Wired article.

For starters, the information that Cloudmark provided Wired was specifically limited to the United States for the months of June, July, and August of 2014. This is important, because the U.S. is one of Apple's largest markets; if the numbers were reported on a global scale, it's entirely possible that the percentage of spam attributable to iMessage could change significantly--and, perhaps, be less sensational.

More importantly, the data was, according to Landesman, based not on all spam, but on unwanted messages reported to the GSMA's Spam Reporting Services (SRS for short), a tool that allows users to forward spam to a special short-code phone number. This biases the data in a way that makes it hard to use in determining the seriousness of iMessage's spam problem--after all, there is no way to tell whether iPhone users are more or less likely to report problematic messages than users of other platforms. Considering the fact that study after study has confirmed that those who call Apple's ecosystem home tend to be more engaged with their devices, this is a very real possibility.

Soft numbers are hard to understand

The biggest problem with the numbers in Wired's article, however, is that percentages are relative. Without knowing the figure they're based on, it's impossible to say exactly what scale they represent.

Luckily, Landesman was kind enough to share an order-of-magnitude idea of the volume of spam messages that Cloudmark monitors, explaining that he estimates "that we've seen several million iMessage SMS spam messages a month in the United States."

By comparison, during the company's last annual shareholders meeting, CEO Tim Cook stated that Apple handles several billion iMessage communications every day--presumably more than the 2 billion per day he reported in 2013. A rough, back-of-the-envelope calculation, then, puts iMessage's monthly traffic at around 100 billion messages.

That means that the worst possible interpretation of Landesman's estimate pins the amount of spam at 1 percent of the overall traffic. That's assuming that "several million messages" translates into "just shy of one billion," however; a more common-sense approach of, say, 10 million spam messages a month would translate into a 0.01 percent spam ratio.

All things considered, then, it's at best premature to claim that iMessage is "being overrun by spammers." While the problem is definitely real, the numbers that would support this kind of statement are simply not there.

In the meantime, if you're concerned about unwanted messages, you can simply limit iMessage to only work with people on your contact list, and report spam directly to Apple.