OAT-017 Spamming

This is an automated threat. To view all automated threats, please see the Automated Threat Category page. The OWASP Automated Threat Handbook - Wed Applications (, print), an output of the OWASP Automated Threats to Web Applications Project, provides a fuller guide to each threat, detection methods and countermeasures. The helps to correctly identify the automated threat.

OWASP Automated Threat (OAT) Identity Number
OAT-017

Threat Event Name
Spamming

Summary Defining Characteristics
Malicious or questionable information addition that appears in public or private content, databases or user messages.

Description
Malicious content can include malware, IFRAME distribution, photographs & videos, advertisements, referrer spam and tracking/surveillance code. The content might be less overtly malicious but be an attempt to cause mischief, undertake search engine optimisation (SEO) or to dilute/hide other posts.

The mass abuse of broken form-to-email and form-to-SMS functions to send messages to unintended recipients is not included in this threat event, or any other in this ontology, since those are considered to be the exploitation of implementation flaws alone.

For multiple use that distorts metrics, see OAT-016 Skewing instead.

Other Names and Examples
Blog spam; Bulletin board spam; Click-bait; Comment spam; Content spam; Content spoofing; Fake news; Form spam; Forum spam; Guestbook spam; Referrer spam; Review spam; SEO spam; Spam crawlers; Spam 2.0; Spambot; Twitter spam; Wiki spam

CAPEC Category / Attack Pattern IDs

 * 210 Abuse of Functionality

CWE Base / Class / Variant IDs

 * 506 Embedded Malicious Code
 * 799 Improper Control of Interaction Frequency
 * 837 Improper Enforcement of a Single, Unique Action

WASC Threat IDs

 * 21 Insufficient Anti-Automation
 * 42 Abuse of Functionality

OWASP Attack Category / Attack IDs

 * Abuse of Functionality