Is it Spam?

Spam: The Security Threat You Easily Forget

About this time last year, I spoke at a Cybersecurity conference in Krakow. I was asked during a video interview to identify security threats that I believed were most pressing. (Ignore the suit...)

Yes, I said spam.

Not DDoS? Not ransomware? Not breach of personal data? Not IoT? Are you daft, Dave?


My thinking has not changed a full year later.

Spam is a criminal infrastructure enabler

Spam may have been merely annoying, unsolicited messages in your inbox at one time, but that was a millennia ago. The average spam volume reported to the Cisco Talos Email and Web Reputation Center for September 2017 was 367 billion. To date in October, volume is up fifteen percent. Due to the near ubiquitous adoption of reputation block lists, you see very few of these. Be thankful that most spam is not delivered, because spam is the preferred delivery infrastructure for phishing, ransomware or malware, and many other threats.

Spam is also more pervasive today than ever, affecting not only your email experience but texting and social media as well. Social spam infrastructures are now allegedly used to influence or control political expression.

You've perhaps been lulled into complacency about spam because you don't see it. The ubiquity of reputation block lists is the reason average every user isn't inundated with spam, and the reason why security professionals don't spend all of their waking hours remediating infected devices of co-workers, friends or family.

The Strategic Asset Value of Spam Networks

Today, spam infrastructures are as important a weapon in the cyber attacker arsenal as nuclear submarines are to warfare. Spam infrastructures have similar operational properties to submarine fleets:

Operational stealth is "the ability to operate in a medium generally unfavourable to counter-detecting sensors". Spam networks operate below the "sea surface" as a highly geographically distributed armada of compromised devices and servers that can be engaged in cyber attacks through a command infrastructure.  A spam network is also like a submarine force in the respect that it can operate in a location- and numbers-independent fashion: the bots that use fast flux techniques to provide the underlay network for a spam infrastructure such as Avalanche exhibit this uncertainty of presence.  

Operational Survivability is the ability to operate in hostile environments. Infected devices (bots) that support spam infrastructures operate malware that may defeat, modify or remove security measures and dismantle communications between the bots and their "Force Commander" (in bot-speak, command-control or C2).

Operational Endurance is the ability to sustain operations for long periods of time without support. Spam infrastructures employ domain generation algorithms, fast flux, and persistent bot recruitment to sustain availability. They also typically infect devices on a scale that requires global or multi-jurisdictional cooperation to contain or dismantle. 


The most frightening strategic asset value of a submarine is its ability to bring considerable lethal force to bear on targets. Increasingly, cyber attackers are employing spam infrastructures to deliver ransomware or to censor or influence political expression.  These, too, are "lethal", in the context of being extremely dangerous attacks, capable of causing serious harm or damage.

Spam is no longer unsolicited communications or content. It is a prolific threat that we must monitor, report, and learn to better mitigate.  I'm cautiously optimistic that projects like our Domain Abuse Activity Reporting at ICANN will help diverse communities to understand and respond to defang spam. 

Is it Spam (Scam)? IRS Tax Scams Are Year-round Threats

What once was a seasonal phishing or phone call scam is now a year-round threat. Criminals are not only more aggressive with tax scam email or phone calls than ever, but they’ve contrived scams that claim victims before, during, and after what we traditionally consider tax preparation time in the US.

What is IRS Tax Scam?

IRS Tax Scam calls are impersonation scams that lure a target into speaking with a scammer who impersonates an IRS agent. The scammer often threatens a tax filer with legal action, arrest, deportation, or seizure of assets for delinquent taxes or fines.

Two forms of IRS tax scam phone calls dominate, and both use phone numbers assigned from Internet telephony servers. Robocalls are automated voice calls that leave you a voicemail message with a callback number or induce you to speak to an IRS agent. Boiler room calls are live callers (and you often hear other “agents” fielding calls in the background). Boiler room calls are usually aggressive and the caller will try to keep you on the phone. The goal of both forms is the same: the scammers try to convince you to pay a fine (IR-2016-14, Feb. 2, 2016) but they may try to obtain your personal information and identity, too. In credit card form of payment scams, the scammer may be actively purchasing products online using your credit card.

If you should receive a call that claims to be from the IRS, keep in mind that

  • Legitimate IRS agents will not demand immediate payments or insist that you pay by a certain payment method.
  • Legitimate IRS agents won’t threaten you or verbally abuse you.

Impersonation scams use all forms of correspondence that the IRS uses, so your best security “posture” is to control the conversation: call the 800-829-1040 hotline.You can check to determine whether correspondence you received was legitimately from the IRS.

If you receive a suspicious call:

  • If you have caller ID, save the number.
  • If you receive a robocall, save the callback number if given.
  • If you receive a boiler room call, don’t panic and do not disclose any information. Instead, ask the caller for a Federal badge number and a call back number.
  • End the phone call.
  • Call the IRS at 800-829-1040 and ask for assistance regarding an IRS tax scam, or
  • Report to the IRS via email to with Subject: IRS Phone Scam. Include the caller ID and any callback number you are provided. If you can, provide a description of the conversation. Focus on the aspects of the call that are relevant to the scam.
  • If you believe you’ve been a victim and have disclosed personal identity information, visit to complete forms appropriate to the type of scam you are reporting, including Form 14039Identify Theft Affidavit or contact the IRS for help at 800-908-4490. You should definitely report the incident to the Treasury Inspector General for Tax Administration (use the IRS Impersonation Scam Reporting page) as well.

Tax scammers use email, fax, phone or even the postal service, and the IRS Report Phishing page explains how to report scams for all these attack vectors.

Consider blocking the calling number to avoid receiving future calls from this number. The FTC’s Blocking Unwanted Calls describes several ways to block calls.

You can also visit or Call Control without fee or account to report a spam call or to check whether a phone number is listed as abusive. TrueCNAM (login required) or NoMoRobo offer blocking services for fee.

Sample report of extortion telephone number

IRS Tax Scams may become as ubiquitous and nuisance-full as the 419/Nigerian Advance fee scam. Your best defense against scams of these kinds?

Know the scam.
Recognize the scam.
Don’t provide any information.

Report the scam to help prevent others from falling victim.