can canned spam spam?

Like life, everything in the IT world is a learning experience.  Earlier this week a medical IT client came to us with a problem.  The client was giving away free samples of their product to anyone who requested one.  It didn’t take long for the miscreants out there to write a program that requested the ‘free sample’ over and over.  After all, if it’s free, we want it, whether or not we need it, right?  We’ve done this for as long as we can remember, scouting out the free samples in the grocery store while standing on the front of the cart and being a nuisance to mom as she makes her rounds.  Back then the only spam we knew was the deliciously salty canned meat; now it’s unsolicited email, or in some people’s minds, email they just don’t want.  (But it’s free, how could they not want it!)  It can also be considered spam when a flood of bogus requests is sent through a commercial website’s form, though traditionally spam flows in the other direction, from the sender into the inbox.  That is what we had taking place: a bot spamming the form for free samples.

As I said, website security is generally a learning process.  When one security hole is patched up, the malicious find another, so as they learn to defeat us, we learn to protect ourselves.  I find that rules and regulations only make these sorts of people more inspired to break them because of the challenge, but when things are kept simple, such as requiring a second click on a link in an email to verify the address before the sample is sent, it becomes too tedious and not interesting.  Rather than going through the process of setting up a new email account, checking it, and clicking the link in each message, they’d just as soon forget it and move on to something easier, or more fun.  So the rule stands: keep it simple, whether you’re building a secure application that holds patient records and must follow HIPAA compliance or a Medical CME.