June 23 is World Anti-SPAM Day. On this occasion, this post highlights the most important current developments in the field.

Nowadays, most people are familiar with what SPAM is, and many encounter it regularly in their everyday lives. IT and information security teams are constantly working to keep up with new trends and attacker tactics. In this context, it is particularly important to focus on raising SPAM awareness to avoid becoming a victim.

 

What kind of threats does the presence of SPAM pose?

SPAM messages are not just annoying – one of the most common goals of these emails is to deceive users. SPAM emails can contain malicious attachments or links. With a single click, viruses, trojans, or spyware can be introduced into the system, and ransomware can encrypt data on the computer or across the network. As such, it becomes clear that one of today’s most serious threats – ransomware – can also be propagated through SPAM.

A high volume of SPAM emails can also flood inboxes and slow down mail servers, potentially disrupting email communication. This can negatively impact business continuity.

If a company’s system is vulnerable to being exploited for sending SPAM (e.g., due to a poorly secured SMTP server), its domain or IP address can end up on a blacklist, causing outgoing emails to be blocked by other organizations. This poses not only reputational damage but also significant operational and compliance risks.

Another growing threat is attackers bypassing SPAM filters altogether. Relying solely on SPAM filters for protection can be a dangerous misconception. Many attacks begin with threat actors exploiting services like Google Calendar by sending seemingly harmless meeting invitations – especially when the invited attendees appear familiar or legitimate. Embedded in these invitations, as seen in recent examples, are links that lead to Google Forms or Google Drawings. These links often prompt users to click another disguised link, typically presented as a reCaptcha or a support button.

Since these invitations originate from a legitimate Google service, they can bypass traditional SPAM filters. As a result, phishing attacks launched through Google Calendar appear entirely legitimate and are virtually indistinguishable from any other genuine calendar invitation.[1] This is a textbook example of a false sense of security.

One increasingly common tactic today is known as “SPAM bombing,” which operates as follows: threat actors flood the target’s inbox with SPAM emails under the guise of various activities, often as part of social engineering campaigns.

The flood overwhelms the victim’s email inbox and provides cover for more malicious actions. The attacker uses a legitimate mass email campaign tool to inundate the victim with SPAM, then impersonates a “helpful” IT support agent in an attempt to carry out phishing.

This type of attack illustrates both how threat actors misuse legitimate products for malicious purposes and how they continue to innovate within the realm of social engineering.[2]

Consider the following scenario: an attacker obtains someone’s email address – whether personal or work-related – and signs it up for numerous newsletters and mailing lists. This instantly creates noise and chaos in the inbox. From that point on, the victim is left to sift through the clutter, while the “help” conveniently comes from the attacker posing as a trusted source.

Attackers also use email bombing to distract security teams, overload logging systems, conceal malicious emails among benign ones, and even trigger rate-limiting mechanisms in security tools. These tactics can reduce the effectiveness of detection and response systems.
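A minimal detection for the sign-up flood described above, as an added example that is not part of the original post: it alerts when one mailbox receives a burst of mail from many unrelated sender domains. The event format, thresholds and addresses are assumptions, and the log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values; adjust them to the normal volume of your mailboxes.
WINDOW = timedelta(minutes=10)
MIN_MESSAGES = 30
MIN_SENDER_DOMAINS = 20

def detect_email_bombing(events):
    """events: (timestamp, recipient, sender_domain) tuples sorted by time.
    Returns {recipient: timestamp at which the burst threshold was crossed}."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, rcpt, domain in events:
        window = recent[rcpt]
        window.append((ts, domain))
        # Drop messages that have aged out of the sliding window.
        while window and ts - window[0][0] > WINDOW:
            window.popleft()
        if rcpt in alerts:
            continue
        # Many distinct domains separates a sign-up flood from one noisy sender.
        domains = {d for _, d in window}
        if len(window) >= MIN_MESSAGES and len(domains) >= MIN_SENDER_DOMAINS:
            alerts[rcpt] = ts
    return alerts

def sample_events():
    """Constructed gateway log: one normal mailbox and one flooded mailbox."""
    start = datetime(2025, 6, 23, 9, 0, 0)
    events = []
    for i in range(5):   # alice: 5 messages from 2 domains over 40 minutes
        events.append((start + timedelta(minutes=10 * i),
                       "alice@example.com", f"partner{i % 2}.example"))
    for i in range(40):  # bob: 40 confirmations from 40 domains in 4 minutes
        events.append((start + timedelta(seconds=6 * i),
                       "bob@example.com", f"newsletter{i}.example"))
    return sorted(events, key=lambda e: e[0])

if __name__ == "__main__":
    for rcpt, ts in detect_email_bombing(sample_events()).items():
        print(f"possible email bombing of {rcpt} at {ts.isoformat()}")
```

An alert of this kind is a cue to warn the mailbox owner that unsolicited "IT support" contact may follow.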

To carry out such attacks, threat actors often use email addresses stolen from compromised systems or purchased on the Darknet. It is worth reflecting on how often we hear news of incidents in which thousands – or even millions – of email addresses have been leaked. Once exposed, these email addresses are very likely to become targets of these types of attacks.

Nowadays, Artificial Intelligence can no longer be left out of the conversation, as it is increasingly being leveraged successfully in this domain as well. A recent article sheds light on this, revealing that cybersecurity researchers have uncovered an AI-powered platform called AkiraBot, which is being used to spam website chats, comment sections, and contact forms in order to promote questionable SEO services such as Akira and ServicewrapGO.

“AkiraBot has targeted more than 400,000 websites and successfully spammed at least 80,000 websites since September 2024,” reported SentinelOne researchers Alex Delamotte and Jim Walter in a statement shared with The Hacker News.

The bot specifically targets contact forms and chat widgets on small to medium-sized business websites. It uses OpenAI’s large language models (LLMs) to generate personalized outreach messages that align with the target website’s purpose. What makes this Python-based tool particularly alarming is its capability to craft content sophisticated enough to bypass traditional SPAM filters.

This is a clear example of how attackers are innovating – not only in terms of technology, but also in their use of legitimate tools for malicious purposes. The involvement of generative AI in SPAM campaigns represents a significant evolution in threat actor tactics, further highlighting the need for advanced defenses and continuous awareness.[3]

The list of threats is not exhaustive; however, it highlights just how diverse and multifaceted these risks can be. It clearly demonstrates that relying solely on a SPAM filter is not sufficient for effective protection.

 

SPAM statistics

In Q1 2025, not only were 92% of all emails classified as SPAM, but 67% of those were categorized as malicious. The United States is the leading source of spam emails, generating 57% of all SPAM sent and receiving 75% of malicious emails.[4]

There are several websites that provide detailed insights into the global volume of circulating emails, the level of involvement by different countries in the distribution of SPAM, and what percentage of emails are considered malicious. Browsing through these statistics is highly recommended, especially for placing the issue into context in awareness materials.

As with any statistics, figures can vary depending on the source. However, the trends are clear and unmistakable. One thing we cannot afford is to ignore them.

 

How to protect yourself from SPAM as a private individual

Create a minimum of two email accounts. Keep your current email address for regular correspondence with friends, family, and trusted merchants. Create a new, free email account (Gmail or Outlook.com) and use it for less essential stuff, like ads, newsletters, and promotions that you can scroll through when you feel like it (or ignore completely).[5] Alternatively, you can create a random, unique email address that hides your identity while the sent and received emails still land in your primary personal inbox.

Only share your email address on websites or platforms where it is genuinely necessary. It’s also a good practice to use a password manager, as these applications typically store your registration details, including passwords and the associated email address. Take some time – perhaps during a long train trip – to review your stored registrations. If you come across accounts that are no longer needed, visit those websites and delete the registrations.

Doing so helps reduce the risk of your email address ending up on a leaked list – possibly one sold on the Darknet – during a data breach.

Never respond to emails that appear to be SPAM, and do not click the “unsubscribe” link in suspicious emails – this only confirms that your email address is active, making it more valuable to attackers. Avoid opening attachments or clicking links from unknown senders.

Wherever possible, use Multi-Factor Authentication (MFA), and make sure SPAM filtering is enabled in your email account. Many providers have this enabled by default, but it’s still worth verifying.

Periodically, it’s a good idea to check whether your email address has been exposed in a data breach. Publicly available and free tools can help with this – one reliable option is https://haveibeenpwned.com/.

Last but not least, always stay aware and maintain a healthy level of suspicion. Make cautious behavior a routine habit – this way, even if a SPAM message does make it through despite your precautions, you’ll know how to handle it calmly and safely.

 

How to Protect Your Organization Against SPAM

As an organization, the first step is to assess which legal and regulatory requirements apply regarding SPAM protection. These must be considered from a compliance perspective as well.

Regardless of whether such regulations or standards directly apply, it is strongly recommended to implement SPF, DKIM, and DMARC settings. These email authentication protocols are designed to prevent others from sending fraudulent emails on behalf of your organization. SPF (Sender Policy Framework) authenticates which mail servers are authorized to send email on behalf of your domain. DKIM (DomainKeys Identified Mail) uses a digital signature to validate the integrity of the message and that it hasn’t been altered during transit. DMARC (Domain-based Message Authentication, Reporting and Conformance) sets policies for what should happen if SPF or DKIM checks fail and provides reporting to administrators. The primary goal of these configurations is to prevent SPAM and phishing attacks that impersonate your domain name, ensuring trust in communications coming from your organization.

Use an email security gateway that filters SPAM, viruses, and phishing attempts; runs attachments in a sandbox; and analyzes links using URL rewriting and time-of-click protection.

Increase user awareness – and even test employees – to prevent real-life incidents. Raising awareness is, relatively speaking, the cheapest preventive measure; any reactive incident management process will be more expensive. During awareness training, it is always useful to use examples that bring the issue closer to employees.

Establish a secure email architecture, meaning the internal SMTP relay should not be freely usable. Implement allowlists, mail filtering, and logging of email traffic.

For SaaS providers, request proper SPAM filtering configurations and ensure that related log files are managed appropriately with alerts in case of incidents.

While not strictly part of SPAM protection, it is also essential to enforce Multi-Factor Authentication (MFA) everywhere and to limit the number of administrators. This is crucial, because if a SPAM message still causes unexpected damage, these limitations will help contain its impact.

Establishing effective vulnerability management is of critical importance, as malicious attachments or code hidden in SPAM messages are less likely to achieve their goal if they cannot exploit known vulnerabilities.

If we are dealing with an email sent by another organization, we can verify its authenticity. It is essential to be familiar with the tools that can be used in such cases. For instance, https://mxtoolbox.com/spf.aspx and https://www.kitterman.com/spf/validate.html help carry out proper SPF, DKIM, and DMARC checks.

Learning how to use these tools is recommended, as they can support both preventive and reactive actions in the future.

 

Summary

Many people believe that SPAM is an outdated issue and doesn’t require much attention anymore, due to the advancements in antivirus and SPAM filtering solutions. However, this is a flawed mindset, as one thing remains constant everywhere – including in cybersecurity – and that is change.

Therefore, it is essential to stay updated on the latest trends and build our defense strategies in alignment with the evolving risks. If you need assistance in developing appropriate protection, don’t hesitate to contact our experts!

 

[1] Resource: https://www.bleepingcomputer.com/news/security/ongoing-phishing-attack-abuses-google-calendar-to-bypass-spam-filters/

[2] Resource: https://www.darkreading.com/cyberattacks-data-breaches/threat-actors-spam-bombing-malicious-motives

[3] Resource: https://thehackernews.com/2025/04/akirabot-targets-420000-sites-with.html

[4] Resource: https://www.helpnetsecurity.com/2025/05/01/cybercriminals-email-attacks/

[5] Resource: https://www.zdnet.com/home-and-office/work-life/drowning-in-spam-stop-giving-out-your-email-address-do-this-instead/

Author

Baranya Zsolt

SENIOR INFORMATION SECURITY AUDITOR
