How I Combat Malicious Spam for My Website
Dealing with spam is challenging, but it is possible to lower it and reduce its effects.
This reference story was originally published at digitalmehmet.com.
At the end of June 2024, while my family was grieving the loss of two close relatives, my publications on this platform hit rock bottom. It felt like everything was crumbling from all angles. One weekend at the end of June I was utterly exhausted by a relentless flood of thousands of emails and Slack messages: writers were frustrated that their stories had been delayed for over 20 days, and others were anxiously waiting for their boost.
Spam accounts cloning my profile were destroying my reputation on this platform, and spam on my own website was delaying my work. I knew I needed to do something about both. The first was Medium's responsibility, and the second was mine. Spam might sound trivial, but in reality it can be very stressful and can lead to burnout if it is not handled well and in time. My website received thousands of spam submissions, which crowded out the essential work of processing writer registrations.
In that moment of chaos, I decided to meditate. It was during this long, introspective session that my higher self whispered the most obvious solution: reach out to my collaborators and ask for support. These people gave me breathing space and allowed me to deal with the spam issues in a timely way.
In this story, I will share a short case study illustrating my approach to handling spam, using a sample phishing email as an example. My goal is to give you an actionable plan, explained in simple terms that anyone can understand.
Case Study: Analyzing a Phishing Email
Here is a screen capture of what spam looks like on my website, which is open to the public. It arrived through the writer registration form, which writers usually reach via a referral from Medium and the other writing platforms where I announced it. Until I started my publications on Medium, my website never received any spam; this year the volume grew by more than 5000%.
I used my subscription-based spam-handling software, which analyzed thousands of emails and produced a report. Below I summarize how the tool classified this email, based on the two entries shown in the screen capture.
"First Name" placeholder: The unfilled placeholder suggests that the email was part of a bulk phishing run in which the attacker did not personalize the content for each recipient; the template's merge field was never replaced with a real name.
"Ticket: SENDING 1,0068 BTC": The mention of Bitcoin (BTC) is a common lure in phishing scams, promising a cryptocurrency transfer. The unusual number formatting (1,0068 BTC) could be an error, a decimal comma from a non-English locale, or a deliberate variation to slip past keyword filters.
Suspicious link: The link provided (https://out.carrotquest.io/...) goes through a redirect service, so its true destination cannot be read from the URL itself, a clear red flag. Hovering over a link shows where it points at first glance, but a redirector still hides the final target, so treat such links as untrusted.
Email address: The sender's address (hatty2001@murahpanel.com) comes from an unfamiliar domain, unlikely to be associated with any legitimate service.
IP address (104.244.79.50): The tool reports this address as often linked to spam or malicious activity, which warrants further investigation.
Potential Threats
The software reported threats in multiple categories, but these three were the critical ones for me. I will cover the others in another article.
Phishing: The email most likely aims to trick you into clicking the link, leading to a fake login page designed to steal your credentials, or to an automatic download of malicious software. The links in such emails are often very close to the real ones. For example, a legitimate address such as myaccount.google.com can be imitated with lookalikes such as myaccount.googlle.com or myaccount.gooogle.com (illustrative examples, not real sites).
Malware: The link could direct you to a site that installs malware or ransomware on your device. Never click on such links.
Scam: The mention of Bitcoin may be a ploy to exploit people interested in cryptocurrency, promising something valuable in exchange for sensitive information or payments. A typical variant invites the user to connect their hardware (cold) wallet and type in the seed phrase. Once that is done, the battle is lost, and so are the funds.
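The two link warnings above (the redirect service that hides the real destination, and lookalike domains that sit one or two typos away from a real one) can be checked mechanically before anyone hovers over anything. The following Python is an added example written for this page; it is not the author's spam-handling software. The trusted-domain list, the redirector list, and the sample message body are all constructed for the example.

```python
"""Triage the links in a suspicious email: flag redirectors and lookalike domains.

Added example. TRUSTED_HOSTS, REDIRECTOR_HOSTS and SAMPLE_BODY are constructed
assumptions for the demonstration, not data from the original post.
"""
import re
from urllib.parse import urlparse, parse_qs, unquote

# Hostnames that legitimate mail to this site is expected to link to (assumption).
TRUSTED_HOSTS = {"myaccount.google.com", "digitalmehmet.com", "medium.com"}

# Tracking/redirect services whose links hide the real destination (assumption;
# the post only names out.carrotquest.io).
REDIRECTOR_HOSTS = {"out.carrotquest.io"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; 1 or 2 between hostnames means a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def closest_trusted(host: str):
    """Return (trusted_host, distance) for the trusted hostname nearest to host."""
    return min(((t, levenshtein(host, t)) for t in TRUSTED_HOSTS), key=lambda x: x[1])


def triage_url(url: str) -> dict:
    """Classify one URL as 'trusted', 'redirector', 'lookalike' or 'unknown'."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    result = {"url": url, "host": host, "verdict": "unknown", "note": ""}
    if host in TRUSTED_HOSTS:
        result["verdict"] = "trusted"
        return result
    if host in REDIRECTOR_HOSTS:
        result["verdict"] = "redirector"
        # Some redirectors carry the target in a query parameter; surface it when present.
        params = parse_qs(p.query)
        for key in ("url", "u", "target", "redirect"):
            if key in params:
                result["note"] = "destination=" + unquote(params[key][0])
                break
        if not result["note"]:
            result["note"] = "destination hidden; resolve it in a sandbox, not by clicking"
        return result
    trusted, dist = closest_trusted(host)
    if 0 < dist <= 2:
        result["verdict"] = "lookalike"
        result["note"] = f"{dist} edit(s) away from {trusted}"
    return result


def triage_email_body(body: str) -> list:
    """Extract every URL from a message body and triage each one, in order."""
    return [triage_url(u.rstrip(".,)")) for u in URL_RE.findall(body)]


# Constructed sample body modelled on the phishing mail described in the post.
SAMPLE_BODY = """Hello First Name,
Ticket: SENDING 1,0068 BTC. Confirm here: https://out.carrotquest.io/r?id=abc123
Or sign in at https://myaccount.googlle.com/login to release the funds.
Our help centre: https://myaccount.google.com/help
"""

if __name__ == "__main__":
    for r in triage_email_body(SAMPLE_BODY):
        print(f"{r['verdict']:<10} {r['host']:<28} {r['note']}")
```

The edit-distance check catches the doubled-letter and extra-letter tricks mentioned above; it will not catch homoglyphs in other scripts (for example a Cyrillic letter standing in for a Latin one), which need a separate Unicode-confusables check.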
Protective Actions
The tool listed immediate steps to lower spam and its impact, noting that this thorough approach would help me mitigate the risk and protect my website from further attacks.
Do not click the link: You may hover over links to see where they point, but do not interact with the link or any attachments in the email.
Mark as Spam: Report the email as spam/phishing in your email client.
Block the Sender: Block the email address to prevent further messages from this source.
Check for vulnerabilities: Start with the padlock in the browser's address bar, which shows that the site uses an encrypted HTTPS (TLS, formerly SSL) connection with a valid certificate. Keep in mind that the padlock only proves the connection is encrypted, not that the site is legitimate; phishing pages use HTTPS too. Then make sure your own website is secure, with no unauthorized changes, using a security plugin or service to scan it.
Update all software: Keep your website's core software, plugins, and themes up to date to prevent exploitation of known vulnerabilities. The same goes for the CMS, the underlying technical stack and libraries, and the operating system (Windows or macOS updates), since newly discovered vulnerabilities are fixed through these updates.
Enable two-factor authentication (2FA): Use 2FA for all admin accounts to protect against unauthorized access. Prefer an authenticator app over SMS codes, as SMS messages can be intercepted.
Report the IP Address: Report the suspicious IP address to a cybersecurity service or your hosting provider for further action.
Contact Law Enforcement: If you believe you are being targeted, report the incident to local law enforcement or a cybercrime agency, providing all relevant details.
Inform Your Hosting Provider: Notify your hosting provider about the incident so they can help secure your website and investigate any potential breaches.
Verify the IP Address: Use tools like ipinfo.io or abuseipdb.com to check the reputation and details of the IP address.
Review the filtered emails to ensure no sensitive information is compromised.
Secure your website by updating software, scanning for malware, and enabling 2FA.
Educate yourself and your team on recognizing and responding to phishing attempts to prevent future incidents.
Understanding Tor Exit Nodes: What Is a Tor Exit Node?
The IP address I searched was associated with a Tor exit node. Here's what that means and what you can do about it:
Tor Network: Tor (The Onion Router) is a privacy-focused network that routes internet traffic through multiple servers (or nodes) to anonymize the userās identity and location.
Exit Node: The exit node is the final node in the Tor network through which the userās traffic exits before reaching its destination. This is the IP address that websites and services see as the source of the traffic.
What are the implications of Tor Exit Nodes?
Users who use the Tor network often seek to anonymize their online activity, including both legitimate uses (e.g., privacy protection, circumventing censorship) and potentially malicious activities (e.g., hiding the origin of an attack).
The abuse-database notice for this address clarifies that neither the owner of the exit node nor its service provider is responsible for actions taken by users of the Tor network. In other words, if you see suspicious activity from a Tor exit node, the person operating the node is merely relaying someone else's traffic and is not the attacker.
What Can You Do About It?
Monitor for Suspicious Activity: Log any repeated or suspicious activities originating from this or similar IP addresses and analyze patterns for targeted attacks.
Block or Allow Access: Depending on your website's mission, you can block traffic from known Tor exit nodes or allow access while monitoring closely.
Report and Investigate: Report suspicious activity to law enforcement or consult with a cybersecurity expert for appropriate defenses and response strategies.
Addressing Spoofing or Misuse
It was possible that attackers were using my websiteās name or URL in phishing emails to add credibility to their scam. This is known as spoofing, where legitimate sites or brands are mimicked to deceive recipients.
What are the tips to protect our website and users?
To protect your website and users, start by running a comprehensive security scan, ensuring everything is up to date, and regularly reviewing logs for unusual activity. Investigate how your URL is being used by checking referral logs and contact forms for misuse. If you suspect spoofing, contact your hosting provider immediately and consider implementing DMARC, together with SPF and DKIM, so that receiving mail servers can reject messages that falsely claim to come from your domain.
How Do I Use My Hosting Service Provider, WordPress.com, to Increase Security, Lower Spam, and Reduce the Risks of Scams
WordPress.com offers a variety of tools and resources designed to protect your website from spam, spoofing, phishing, and other malicious activities. Hereās a detailed overview of what WordPress.com provides to help secure your site:
Spam Protection: Akismet Anti-Spam
Akismet is a powerful anti-spam plugin built into WordPress.com that automatically filters out spam comments on your posts and pages. Akismet checks comments and contact form submissions against its global database of known spam, preventing malicious content from being published on your site. Akismet is automatically enabled on all WordPress.com websites. You can adjust its settings or review filtered comments through the WordPress dashboard under "Plugins" > "Akismet Anti-Spam."
Security Features: Jetpack Security
Jetpack is a comprehensive security plugin available on WordPress.com that offers a suite of tools, including malware scanning, brute-force attack protection, and downtime monitoring. Jetpack is included in WordPress.com plans. Jetpack regularly scans your site for malware and notifies you of any detected issues. The Brute Force Attack Protection feature blocks suspicious login attempts to prevent unauthorized access to your site. Jetpack alerts you if your site goes offline, allowing you to respond quickly. You can activate and configure it through the dashboard under "Jetpack" > "Settings."
HTTPS/SSL Encryption: Free SSL Certificate
WordPress.com provides a free TLS/SSL certificate for all sites, so that data transmitted between your site and its visitors is encrypted. Encryption in transit protects visitors from man-in-the-middle attacks and assures them that their connection is private; on its own it does not protect the site's content from being compromised, which is what the scanning and update features above are for. HTTPS is automatically enabled for all WordPress.com sites, indicated by the "https://" in your site's URL.
Domain Protection: DMARC, DKIM, and SPF
WordPress.com supports the setup of the email authentication protocols SPF, DKIM, and DMARC. SPF lists the servers allowed to send mail for your domain, DKIM adds a cryptographic signature to outgoing messages, and DMARC tells receiving servers what to do when those checks fail and where to send reports. Together they help prevent email spoofing. If you are using a custom domain, you configure these as DNS TXT records wherever your domain's DNS is managed, typically your domain registrar. WordPress.com provides detailed guidance in its support documentation.
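Setting these records up is only half the job; a weak record (an SPF ending in "?all", a DMARC policy of p=none with no reporting address) gives the impression of protection without stopping anything. As an added example for this section and the spoofing advice above, not WordPress.com's tooling or the author's, the following Python evaluates the three records once you have pasted them in as strings, so it runs offline. The sample "weak" and "hardened" record sets are constructed; the DKIM key-length check is a heuristic on the length of the base64 public key.

```python
"""Evaluate a domain's SPF, DKIM and DMARC TXT records for common weaknesses.

Added example. Records are passed in as strings (as copied from your DNS
manager or from `dig TXT`). WEAK and HARDENED below are constructed samples.
"""
import re

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def evaluate_spf(txt):
    """Return a list of findings for an SPF record; an empty list means no problems."""
    if txt is None:
        return ["SPF: no record; receivers cannot tell which servers may send as you"]
    if not txt.startswith("v=spf1"):
        return ["SPF: record does not start with v=spf1"]
    findings = []
    terms = txt.split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism; unlisted senders are not rejected")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF: '+all' authorises the whole internet to send as you")
        elif qualifier == "?":
            findings.append("SPF: '?all' is neutral; prefer '~all' or '-all'")
    # Each of these mechanisms costs a DNS lookup; RFC 7208 caps the total at 10.
    lookups = sum(1 for t in terms if re.split(r"[:=/]", t)[0].lstrip("+-~?") in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10 (permerror)")
    return findings


def parse_tags(txt):
    """Parse the 'k=v; k=v' tag list used by DKIM and DMARC records."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def evaluate_dkim(txt):
    """Findings for a DKIM selector record (selector._domainkey.<domain>)."""
    if txt is None:
        return ["DKIM: no selector record; outbound mail is unsigned"]
    tags = parse_tags(txt)
    findings = []
    if not tags.get("p"):
        findings.append("DKIM: empty public key (p=); the selector is revoked")
    elif tags.get("k", "rsa") == "rsa" and len(tags["p"]) < 300:
        # Heuristic: a 1024-bit RSA key encodes to ~216 base64 chars, 2048-bit to ~392.
        findings.append("DKIM: RSA key looks shorter than 2048 bits")
    return findings


def evaluate_dmarc(txt):
    """Findings for the _dmarc.<domain> record."""
    if txt is None:
        return ["DMARC: no record; spoofed mail is delivered and you receive no reports"]
    tags = parse_tags(txt)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("DMARC: record must start with v=DMARC1")
    policy = tags.get("p")
    if policy == "none":
        findings.append("DMARC: p=none only monitors; move to quarantine or reject once SPF/DKIM align")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you will never see aggregate reports")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: policy is applied to only {pct}% of failing mail")
    return findings


def evaluate_domain(spf, dkim, dmarc):
    """Run all three checks and return the findings per record type."""
    return {"spf": evaluate_spf(spf), "dkim": evaluate_dkim(dkim), "dmarc": evaluate_dmarc(dmarc)}


# Constructed samples: a weak configuration beside a corrected one.
WEAK = {
    "spf": "v=spf1 include:_spf.example.net ?all",
    "dkim": None,
    "dmarc": "v=DMARC1; p=none",
}
HARDENED = {
    "spf": "v=spf1 include:_spf.example.net -all",
    "dkim": "v=DKIM1; k=rsa; p=" + "A" * 392,
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
}

if __name__ == "__main__":
    for name, records in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, evaluate_domain(**records))
```

Start with p=none and a rua= address, watch the aggregate reports for a few weeks to confirm your own mail passes, then move to quarantine and finally reject; jumping straight to reject is how legitimate newsletters get bounced.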
Phishing and Malware Protection: Automatic Updates
WordPress.com automatically handles all updates to your site's core software, themes, and plugins, ensuring you always have the latest security patches. Updates are applied automatically, but you can check for the latest version via the dashboard under "Updates."
User Management: Two-Factor Authentication (2FA)
WordPress.com supports two-factor authentication (2FA), adding an extra layer of security to your login process by requiring a second form of identification in addition to your password. Enable 2FA through your account settings on WordPress.com by navigating to "Account Settings" > "Security" > "Two-Step Authentication."
Reporting and Mitigating Issues: Support and Reporting Tools
WordPress.com offers several support options, including live chat, email support, and extensive documentation, to help you manage security issues. If you suspect that your site has been targeted by phishing or other malicious activities, you can report it to WordPress.com's support team for assistance. Access support through the WordPress.com dashboard by clicking "Help" or visiting the WordPress.com Support page.
Resources, Documentation, and Education
WordPress.com provides a comprehensive security guide that covers best practices for securing your site. Access the guide through the WordPress.com Security Documentation. The WordPress.com blog and forums are valuable resources where you can learn about the latest security trends, plugin recommendations, and best practices. Regularly check the WordPress.com blog and participate in community forums to stay informed about new security threats and solutions.
Key Takeaways and Action Steps for Website Owners
Enable Akismet and Jetpack for spam and security protection.
Verify that your site uses HTTPS/SSL for secure connections.
Consider setting up DMARC, DKIM, and SPF for domain protection.
Enable Two-Factor Authentication on your account.
Regularly monitor your site using Jetpack's tools and your own vigilance.
Educate yourself on the latest security practices through WordPress.comās resources.
Report any suspicious activity to WordPress.com support immediately.
By leveraging these tools and resources, you can significantly enhance your websiteās security and protect it from potential threats.
How to Obtain Evidence for Reporting and Law Enforcement
From the two examples above, findings for the first spam email (screen capture in the original post).
Findings for the second spam email, which came from a different IP (screen capture in the original post).
Detailed geographic information with coordinates (screen capture in the original post).
Sample IP abuse reports (screen capture in the original post).
Whois IP report (screen capture in the original post).
CleanTalk blacklist report: https://s1.cleantalk.org/blacklists/192.42.116.211
Conclusions: Protecting Your Websiteās Reputation
Your websiteās reputation is crucial, and attackers leveraging your domain for phishing can damage your credibility and harm your users. By taking these steps, you can better protect your site and maintain trust with your audience.
When you suspect that your website or email account has been targeted by malicious actors, gathering evidence is crucial for reporting the incident and seeking assistance from law enforcement or cybersecurity professionals. Hereās how you can systematically collect the necessary information:
The first step in gathering evidence is to analyze the full email headers of any suspicious emails. Email headers contain critical information such as the IP address of the server that handed the message to your mail provider, the servers the email passed through (the Received lines), the authentication results (SPF, DKIM, DMARC), and the actual sending domain, which often differs from the display name. This data can help trace the origin of the email. Keep in mind that only the Received lines added by your own provider's servers can be trusted; earlier ones were written by the sender's systems and can be forged.
Most email clients, such as Gmail, Outlook, and Yahoo, allow you to view full email headers ("Show original" or similar). You can also use online tools like MxToolbox to analyze the headers for any discrepancies or red flags.
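To show what header analysis yields in practice, here is an added Python example (not the author's tooling and not the analysis software mentioned earlier) that parses a constructed message. The hostnames, addresses and IPs in it are invented, and the set of "our" mail hosts is an assumption. It walks the Received chain from the newest hop backwards and reports the IP that connected to our own mail server, the only hop we can vouch for; it also pulls out the SPF/DKIM/DMARC results and compares the From, Reply-To and Return-Path domains, since a mismatch between them is typical of spoofed mail.

```python
"""Extract the facts that matter from a suspicious email's full headers.

Added example. RAW is a constructed message; OUR_MAIL_HOSTS is an assumption
naming the receiving side's own mail servers.
"""
import re
from email import message_from_string
from email.message import Message

# Received lines added by these hosts are trusted (assumption for the example).
OUR_MAIL_HOSTS = {"mx.digitalmehmet.example"}

IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(pass|fail|softfail|none|neutral|temperror|permerror)", re.I)

# Constructed headers: newest Received line first, as in a real message.
RAW = """\
Received: from mx.digitalmehmet.example (localhost [127.0.0.1])
    by mx.digitalmehmet.example with ESMTP id 1; Sat, 29 Jun 2024 10:00:02 +0000
Received: from mail.murahpanel.example (mail.murahpanel.example [203.0.113.45])
    by mx.digitalmehmet.example with ESMTPS id 2; Sat, 29 Jun 2024 10:00:01 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
    by mail.murahpanel.example with SMTP id 3; Sat, 29 Jun 2024 09:59:59 +0000
Authentication-Results: mx.digitalmehmet.example; spf=fail smtp.mailfrom=murahpanel.example;
    dkim=none; dmarc=fail header.from=digitalmehmet.example
From: "Writer Registration" <noreply@digitalmehmet.example>
Reply-To: hatty2001@murahpanel.example
Return-Path: <bounce@murahpanel.example>
Subject: Ticket: SENDING 1,0068 BTC

Hello First Name, ...
"""


def received_chain(msg: Message) -> list:
    """Return the Received hops oldest-first as (from_host, from_ip, by_host)."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):  # stored newest-first
        text = " ".join(hdr.split())                   # unfold the header
        m_from = re.search(r"from (\S+)", text)
        m_by = re.search(r"by (\S+)", text)
        from_part = text.split(" by ")[0]              # IP belongs to the 'from' side
        m_ip = IP_RE.search(from_part)
        hops.append((m_from.group(1) if m_from else "?",
                     m_ip.group(1) if m_ip else None,
                     m_by.group(1) if m_by else "?"))
    return hops


def origin_ip(hops: list):
    """Newest hop backwards: the first hop recorded by one of our hosts from an
    outside host gives the IP that actually connected to us. Anything earlier
    was written by the sender's systems and may be forged."""
    for from_host, ip, by_host in reversed(hops):
        if by_host in OUR_MAIL_HOSTS and from_host not in OUR_MAIL_HOSTS \
                and ip and not ip.startswith("127."):
            return ip
    return None


def auth_results(msg: Message) -> dict:
    """Collect spf/dkim/dmarc verdicts from Authentication-Results."""
    text = " ".join(msg.get_all("Authentication-Results", []))
    return {k.lower(): v.lower() for k, v in AUTH_RE.findall(text)}


def sender_mismatch(msg: Message) -> dict:
    """Compare the visible From: domain with Reply-To and Return-Path domains."""
    def domain(addr):
        return addr.split("@")[-1].strip("<> ").lower() if addr and "@" in addr else None
    domains = {
        "from": domain(msg.get("From")),
        "reply_to": domain(msg.get("Reply-To")),
        "return_path": domain(msg.get("Return-Path")),
    }
    domains["mismatch"] = len({d for d in domains.values() if d}) > 1
    return domains


def analyse(raw: str) -> dict:
    """Full report for one raw message."""
    msg = message_from_string(raw)
    hops = received_chain(msg)
    return {"hops": hops, "origin_ip": origin_ip(hops),
            "auth": auth_results(msg), "sender": sender_mismatch(msg)}


if __name__ == "__main__":
    for key, value in analyse(RAW).items():
        print(f"{key}: {value}")
```

The IP worth reporting is the one in origin_ip (203.0.113.45 in the sample), not the earlier 198.51.100.7, which appears only in a Received line the sender's own server wrote.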
If you identify an IP address associated with suspicious activity, such as the one from a phishing email or suspicious login attempt, use IP lookup tools to gather more information. Services like ipinfo.io or AbuseIPDB allow you to check the IPās geolocation, reputation, and any reported abuses linked to that address.
If the IP is linked to a Tor exit node, it indicates that the attacker was anonymizing their traffic; the address you see belongs to the exit node, not to the attacker's own machine. While this makes tracing more difficult, the activity can still be reported to cybersecurity services for further investigation, and the pattern of requests from that node is still useful evidence.
Your websiteās server logs are a valuable source of information, as they record all requests made to your site. By examining these logs, you can identify patterns or anomalies that suggest an attempted breach or abuse.
Access your websiteās cPanel or use log analysis tools provided by your hosting service. You can also use third-party tools like AWStats or Webalizer to analyze these logs for suspicious activity.
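Reading server logs by hand does not scale once a form is getting thousands of submissions, and the Tor section above left open the question of whether to block or merely watch an exit node. The following Python is an added example, not the author's setup or any hosting provider's tool: it parses access-log lines in the common "combined" format, counts form POSTs per IP inside a sliding time window, and returns a block/watch/ok decision. The log lines, the form path, the thresholds, and the Tor exit list are all constructed for the example (the real exit list is published by the Tor Project and should be fetched fresh).

```python
"""Spot abusive form submitters in an access log and decide what to do with them.

Added example. SAMPLE_LOG, FORM_PATH, the thresholds and TOR_EXITS are
constructed assumptions for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

TOR_EXITS = {"192.0.2.77"}             # stand-in for the Tor Project's exit list (assumption)
FORM_PATH = "/writer-registration/"    # the endpoint being spammed (assumption)
BURST_THRESHOLD = 5                    # form POSTs from one IP within the window
WINDOW_SECONDS = 600

# Constructed log: a scripted burst from a Tor exit, one human submission, one browsing visitor.
SAMPLE_LOG = """\
192.0.2.77 - - [29/Jun/2024:10:00:01 +0000] "POST /writer-registration/ HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.77 - - [29/Jun/2024:10:00:03 +0000] "POST /writer-registration/ HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.77 - - [29/Jun/2024:10:00:05 +0000] "POST /writer-registration/ HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.77 - - [29/Jun/2024:10:00:07 +0000] "POST /writer-registration/ HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.77 - - [29/Jun/2024:10:00:09 +0000] "POST /writer-registration/ HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.77 - - [29/Jun/2024:10:00:11 +0000] "POST /writer-registration/ HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.9 - - [29/Jun/2024:10:02:30 +0000] "POST /writer-registration/ HTTP/1.1" 302 0 "https://digitalmehmet.com/writer-registration/" "Mozilla/5.0 (Windows NT 10.0) Firefox/127.0"
203.0.113.8 - - [29/Jun/2024:10:03:00 +0000] "GET /writer-registration/ HTTP/1.1" 200 8192 "https://medium.com/" "Mozilla/5.0 (Macintosh) Safari/605.1"
203.0.113.8 - - [29/Jun/2024:10:03:04 +0000] "GET /favicon.ico HTTP/1.1" 200 1150 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"
"""


def parse_log(text: str) -> list:
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["ts"] = datetime.strptime(row["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rows.append(row)
    return rows


def form_bursts(rows: list) -> dict:
    """Map ip -> the largest number of form POSTs inside any WINDOW_SECONDS window."""
    by_ip = defaultdict(list)
    for r in rows:
        if r["method"] == "POST" and r["path"] == FORM_PATH:
            by_ip[r["ip"]].append(r["ts"])
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):           # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > WINDOW_SECONDS:
                start += 1
            best = max(best, end - start + 1)
        bursts[ip] = best
    return bursts


def classify(rows: list) -> dict:
    """Return ip -> (verdict, reason). Blocking is driven by behaviour; being a
    Tor exit on its own only earns closer monitoring, so legitimate privacy
    users are not cut off."""
    verdicts = {}
    bursts = form_bursts(rows)
    for ip in {r["ip"] for r in rows}:
        count = bursts.get(ip, 0)
        is_tor = ip in TOR_EXITS
        if count >= BURST_THRESHOLD:
            reason = f"{count} form POSTs within {WINDOW_SECONDS}s" + (" via Tor exit" if is_tor else "")
            verdicts[ip] = ("block", reason)
        elif is_tor or count > 0:
            verdicts[ip] = ("watch", "Tor exit" if is_tor else f"{count} form POST(s)")
        else:
            verdicts[ip] = ("ok", "")
    return verdicts


if __name__ == "__main__":
    for ip, (verdict, reason) in sorted(classify(parse_log(SAMPLE_LOG)).items()):
        print(f"{verdict:<6} {ip:<14} {reason}")
```

If your site's mission requires blocking Tor outright, change the second branch to return "block"; the structure keeps that a one-line policy decision rather than something buried in the parsing.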
If a phishing email contains links, you should analyze these URLs to determine if they lead to malicious sites. Tools like VirusTotal, PhishTank, and Google Safe Browsing can help you check whether a domain is flagged for hosting malware or phishing content.
Conduct a WHOIS search to find out who owns the suspicious domain. Tools like WHOIS.net or ICANN Lookup provide detailed domain registration information, which can be useful for reporting the domain to authorities or identifying patterns across multiple attacks.
Take screenshots of any suspicious emails, URLs, and browser warnings as visual evidence. This is particularly useful for documenting the exact appearance of a phishing attempt or fake website before it's taken down.
Keep a detailed log of the incident, including the time and date of each suspicious activity, the actions you took, and any interactions with your hosting provider or law enforcement. This documentation can support your case when reporting the incident.
Once you've gathered sufficient evidence, report the incident to your local law enforcement agency, particularly if it involves serious threats like financial fraud or data breaches. You can also report the incident to your national cybersecurity center (e.g., CISA in the US, NCSC in the UK).
Many countries have dedicated platforms for reporting cybercrime. For example, in the United States, you can report to the FBIās Internet Crime Complaint Center (IC3). Additionally, organizations like Europol and Interpol have mechanisms for reporting and investigating cross-border cybercrimes.
By systematically gathering this evidence and involving the appropriate authorities, you can help not only protect yourself but also contribute to broader efforts to combat cybercrime. The more detailed and accurate your evidence, the more likely it is that law enforcement can take meaningful action against the perpetrators.
Key Takeaways for All Stakeholders:
For Website Owners: Regularly update software, use 2FA, and stay vigilant against phishing attempts and other malicious activities.
For Medium Writers: Advocate for platform security improvements while taking personal steps to protect your content and identity.
For Readers and Users: Be cautious of phishing emails, especially those involving cryptocurrency, and report any suspicious activity.
By understanding and implementing these protective measures, we can collectively make the online space safer for everyone.
Thank you for reading my perspectives. I wish you a healthy and happy life.
Join me on Substack, where I offer experience-based content on health, content strategy, and technology topics to inform and inspire my readers.
Health and Wellness by Dr Mehmet Yildiz
Content Strategy, Development, & Marketing Insights
Technology Excellence and Leadership
I remember those days, Dr Yildiz. I am glad you handled it well. Thanks for the kind mention. It was a pleasure for me to help you in your difficult situation. It was so small compared to what you did for me. I am very grateful for your mentorship and ongoing support. I owe my success on Medium and Substack to you.
June 2024 was also an unforgettable month for me as part of your team. We faced massive challenges, but we handled them well as a team under your leadership. I felt awful about the stress you faced from multiple angles. Medium spamming and scamming were notorious. The way you fixed your website issues was exceptional. This is a very good case study anyone can learn from your articulation. I noticed that major spam came from European countries. Ironically those countries are so sensitive on this issue but some of their citizens spam other countries.