I Built a Free Tool to Detect Scam/Spam/Phishing Emails

So, I built a tool to help users check whether or not an email is a scam/spam/phishing email.

Simply forward your suspicious emails to [email protected] and get a reply within 1 minute.
Our system analyses the content and context and generates a report, all for free.

Hope this helps users with elderly parents and less tech savvy users.

Check out isthisspam.org if you want to know more about us.

Comments

  • +6

    Seems you did a very good job, but sending emails to your email address (instead of an automated online content scanner tool) is a bit of a drawback.

    • +2

      Hi, thank you for your feedback :)
      The whole point of the tool is to make it easy for users to simply forward the email to an email address, with no login and no BS.

      The primary audience is your less tech savvy users like parents who get scam emails so they could simply forward the email to our mailbox. We do not use this data for any purpose, marketing or otherwise. All other content scanners are hard to use or require you to create an account, which I hated, hence built this tool.

    • +4

      MAJOR drawback

      Potential vector to be scammed if you forward legit emails.

      • -4

        Don't think I understand your point. You think forwarding your emails to a legit service will increase your chances of being scammed?

        • +6

          How do I know your service is legit? The Nigerian Prince also said he was legit.

          • @tenpercent: Fair point. That's something no one can make you trust as I am someone on the internet, just like the scammer.

            I realise you are making a point around trust but how would we be able to hack into your emails even if we got your 'legit email'?

            First point is, we only recommend you forward any suspicious emails. Think your elderly getting emails for 10k lucky draws. This will reduce the chance of us getting legit emails.

            Also, we have enterprise plans and can provide you resources to "build your own" is this spam like instances should you require.

            • +4

              @ultrondev: Firstly: I can see where yr coming from and having a FWD option seems most frictionless.

              Yet @tenpercent's perfectly adroit point is: people could be forwarding potentially legit mail, with potentially sensitive personal info in it.

              Not at all claiming yr a scammer, yet if you were, this would be a great way to collect such data for identity theft.

              • +2

                @nessism: 100% a valid point. I'll do more work around building trust.

              • +4

                @nessism: Also, if something is "free", then YOU are the product ;)

                Great way of collecting valid email address and customer details to be sold directly to data brokers ….

                It's also a self-fulfilling prophecy, ie - collect personal details > sell to brokers > collect more personal details from more spam emails being generated from the sale :/

                • +2

                  @7ekn00: Not always. I hope you realise most of the software industry runs on Open Source products with millions of Dev hours spent for free. I realise companies have now ruined trust forever, however I will do everything in my capacity to maintain trust in my service. I have my family and friends using this so this is a personal project for me too.
                  Also we do make money via our enterprise customers which helps keep this free, hopefully forever.

                  Feedback like yours is valuable and I really appreciate your feedback. Please feel free to DM me and I can organise a session with you walking you through my mission and the backend of this service.

  • +5

    Browser extension for forum posts coming soon?

    ..or was this a failed test?

    • Not sure I understand your question, could you please reiterate?
      We have a browser extension in the works so the whole email check process could be automated with no manual email forwards required.

      • We have a browser extension in the works so the whole email check process could be automated with no manual email forwards required

        So would this browser extension automatically "scan" every email?

        • Nope. There will be a button to click, once they click on it it will run the scan and show the result. Over time I'm hoping to do it entirely on the user's device for complete privacy, but I think we are about 6 months away from being able to do that, technology wise.

          • @ultrondev: How would running it entirely on the user's device work? Would the extension have its own phishing specific LLM somehow? Or would you leverage the user's OS's own AI?

            • +1

              @kiitos: You'd have a copy of a fine tuned LLM downloaded onto the user's browser, along with our other checking mechanisms. I think models right now are too big for this purpose but over time this will go down.
              Unless there's a new massive feature, we won't need to communicate with the extension ever so this would solve the problem of any data being sent to the internet via this extension.

      • could you please reiterate

        Browser extension for forum posts coming soon?

        ..or was this a failed test?

        • Lol thanks for that!
          As you know an extension is in the works, so sign up if you want to!

  • +1

    If I spoof the from address, will it send a reply ?

    • Not too sure, give it a go! I've been having fun doing various testings with my friends.

  • This sounds like a fun way to get scammed, ironically.

    Soon-to-be-victim:

    Is this legit email from my bank a scam?

    Your-scam-checking-service:

    cha-ching

    Now-victim:

    Hi Ozbargain, it's me Pam and I've been scammed… again!

    • Whilst I appreciate your feedback, this does not seem true.

      I realise you are making a point around trust but how would we be able to hack into your emails even if we got your 'legit email'?

      Maybe I won't be able to convince you to trust you here but happy to have a talk around my mission and the business case so we can get you as a user perhaps?

    • +1

      This was my first thought.
      Also OP, what's your name? Or reg business number?

      • +2

        Hi, My name is Puskar and I run another small business called Ultron Developments.
        https://ultrondevelopments.com.au/
        We specialise in AI and Microsoft 365 solutions hence this was a natural extension.

  • +2

    In your Privacy Policy you state:

    1. Data Security

    We implement industry-standard security measures to protect your information from unauthorized access, loss, or misuse. However, no data transmission over the internet can be guaranteed as completely secure.

    Can you be more specific about what industry you are referring to, and what specific security measures are used?

    The Privacy Policy doesn't mention anything about data storage or retention. Do you or a third party store emails that have been sent to the service and if so for what length of time and for what purpose?

    • +1

      The data harvesting industry

    • Hi, as I built this, this was just an idea and the privacy policy was a boilerplate I got. I use Office 365 in Australia to facilitate the service for now so standard Microsoft 365 retention policy applies.
      However, the platform does not use this mailbox data for any other purposes than to provide you with this free email reports.

  • +5

    So you are forwarding emails (that have been forwarded to you) to chatgpt and/or Gemini and asking if it's a scam.
    I'd consider this service a scam and a privacy nightmare.

    • Hi mate, thanks for the feedback, I have plans to move to a self hosted LLM but the costs seem to be astronomical. I use Gemini/OpenAI all the time so I trust them more than you I guess. However, our enterprise plans enable self hosting options.

  • +1

    I can't find any information about who owns or runs isthisspam.org.

    An ICANN lookup of the domain yielded "DATA REDACTED" for all identifying fields (Name, Organization, Mailing Address).

    The only information I can tell is that you are in Western Australia (or at least specified that in the registration).

    Can you tell me more about who is behind isthisspam.org?

    • Sure, happy to have a chat if you prefer, I am based in WA, and run a small business, Ultron Developments. The intent behind this is to help users provide a seamless way to protect themselves from scams. The service is free because it's subsidised by enterprise plans, hope that helps.
      Shoot me a DM if you'd like to see the behind the scenes of the tool or learn more about who I am :)

  • +1

    I tried to upload this thread to see if it was a scam or just spam.

    • I think it classifies as Community Service and a bit of marketing but I see your point too.

      • +1

        It doesn't pass the test with me.

        • What would make this tool pass the test with you? I'd really appreciate your feedback

          • +4

            @ultrondev: By not contradicting yourself.
            On your website here:
            https://ultrondevelopments.com.au/isthisspam
            You say

            Privacy First – Your email content is never stored, ensuring complete confidentiality.

            Yet on the isthisspam website you say

            Data is sent to Google and OpenAI services for analysis,

            Both google and OpenAI store data indefinitely.

            Therefore if a semi-literate bogan can poke holes in your policy, what else is either wrong or untrue?

            • @Bruceflix: Both Google and OpenAI on their enterprise plans say explicitly that they do not use this data to train their AI and have a deletion window of 30 days, which I believe I need to reflect in the privacy policy.
              Will update the website to reflect any potential red flags as I want this service to be as trustworthy as possible.

              Thanks for that, really appreciate your feedback. This is very valuable 😄

  • +6

    Yes we all want our parents forwarding their private emails to a random guy who could replace legit links with actual phishing ones, great idea.

    • Lol wut? Have you even tried the service? Btw I am doing some more work in the website around building trust, so stay tuned.

  • +7

    So if your service says an email is legit and it turns out to be a scam do you have insurance for the impending lawsuit?

    • -1

      Thanks for that, hadn't thought of that yet, but to think of it, do Google or Microsoft get sued when they classify emails as spam? I'll need to look into this and maybe get insurances.

      • +2

        Difference is, Microsoft and Google aren't commercial services where their only offering is determining whether something is a scam. A mistake by your service (chatgpt) could potentially cost the client thousands/millions.

        Your liability insurance is going to see the free service disappear quickly. If not abandon the whole project.

        • Thanks for the feedback, that looks like something I can fix in T&Cs as I want to keep this paid service free. However will discuss with insurance providers tomorrow :)

          • +4

            @ultrondev: Your T&C don't trump Australian Consumer Law but I shouldn't have to remind you of that.

            • @Bruceflix: Of course! I'll look into this a bit more and maybe speak with insurance agent so this doesn't go out of hand.

  • +1

    Make sure you read info on the web site as the data is NOT secure as per the following info on the web site:
    File Uploads & API Use: When you upload files, they are processed using third-party APIs, including Gemini and ChatGPT. These files may be sent to their respective servers for analysis and processing.

    • Hi, yes we use ChatGPT and Google Gemini for file processing so we will need to trust them for the time being with the content. However from someone who's in the tech scene for a while, I would trust them as I would my mail provider.

      • I absolutely disagree with this. I don't trust anyone with my email and certainly not Google. Remember, this is a company that dropped the motto "Don't be evil."…

        • Whilst I understand your point of view, I feel like you might be in the minority. If you use the internet, you are trusting these mega corps.
          Hope you stay tuned so we can get you as a user, we are building a fully on device version of this product.

  • +1

    I won’t use your service, however I back your initiative. All the negative Nellies will just help build your product into something more robust and allow you to enhance services over time. Imagine Gates, Jobs, even the Canva cofounders stopped their ideas and visions on the first attempt of something because of naysayers? Just remember my comment when you hit your first billion.

    • Thank you, the feedback here is quite valuable. I have some good notes from here today, will come back again with some updates soon.

  • +1

    It sort of makes sense, but doesn't as well.

    The problem is that if you know about this service, you're also probably tech savvy enough to spot scam emails.

    If you're prone to scam emails, then you probably aren't tech savvy enough to use this service.

    Otherwise, as others mention I would never recommend this service to my parents due to the fact you could be scamming them or harvesting their personal details. You'd need a proper brand name and to build a lot of reputation first, and that's a circular problem.

    Lastly it's problematic because there's no clear sign of how you make money. At some point if this was successful you'd want to start injecting ads, selling personal data or similar to make money. Not something I'd want in a service.

    • Thank you for your feedback, much appreciated.
      I am working on making some robust changes, mainly around trust, which hopefully will make it easy for users to trust us.
      Also, I never intend to make money from this service and want to subsidize this with our enterprise plans.

  • +2

    Lol everyone always loves to shoot down anyone who tries to do anything innovative. Question why and they will have a never ending list of justifications. I’m just glad that you are providing a useful service :)

    • Thank you for your kind words 🙏
      I don't mind the comments, any feedback is good :)

    • +1

      I don't think that most comments are designed to shoot down anything. They are all first impressions comments and the potential roadblocks that may affect the success of such a service. Most are reasonable - you are being asked to forward your emails to someone you don't know and they promise to perform a service for free. It is clear that offering such a service would have had a development cost associated as well as ongoing operating costs. Questions about funding and suspicions about data being harvested are only natural as the standard modus operandi for most online services comes with a lot of strings attached.

      If the service does become popular and sees a major uptake, the cost of providing it may sky rocket and at that point something has to happen. Of course, there is also the security aspect. It will be a high profile target for black hat hackers. Good security isn't easy or cheap.

      • 100% agreed on the first one.

        On the second however, my operating costs are quite low, which made me explore this service in the first place as the costs can be easily subsidized by the enterprise plans.
        Our attack vector is low as we are simply providing information back to the user via email however we will improve the features as we go.
        More often than not, good security is common sense and cheap, look at how much 2FA as a practice changed the world of cyber security or Let's Encrypt as a company with not much cost involved.

        • +1

          subsidized by the enterprise plans

          I sincerely wish you good luck with that. Getting a real enterprise contract (especially on what is meant to be a security related product that could potentially handle sensitive information) is not going to be easy. You might have more luck with small to medium size businesses.

          good security is common sense and cheap

          The thing about common sense is that it is not so common after all. What seems obvious to one person has not even crossed the mind of another.

          look at how much 2FA as a practice changed the world of cyber security

          2FA (especially the most common implementations), just like the password rules requiring mixed case, digits & special characters that came before, are a small step that provide a warm blanket for management types. It isn't real security.

          or Let's Encrypt as a company with not much cost involved

          They've done a great deal of good for transferring information with encryption, but again, this isn't a security solution.

          Real security requires ongoing management and monitoring. It requires multiple barriers. What was thought to be bullet proof on Friday might be exploited over the weekend. If a target is valuable enough for a determined black hat, slapping a bit of encryption on information in transit is not going to stop them.

          However, I say go for it! Be prepared for a fair amount of scrutiny and turn that to your advantage. The earlier you get that feedback, the better your chances of steering the ship in the right direction.

          • @peteru: Thank you for your kind words!!
            Yes enterprise plans are hard to get and maintain but we do self hosted versions of the product and we already have some pretty good use cases where our product excels over that of GSuite or Microsoft and I can confidently say this is the worst our product will ever be.

            The feedback here and the passion has already made some of my future vision more cohesive and I will keep investing and innovating :) Stay tuned for some good updates.

            • @ultrondev: Just had a quick look around the web site. There is no IRL contact information, no ABN or anything that would identify any responsible individual behind the website. A whois query shows a cloaked Cloudflare registration with all details redacted. Web site uses Cloudflare DNS redirects / CDN to hide the real server origin. MX points at outlook.com.

              All those things would be red flags for me.

              • @peteru: Thanks for all this, I'm updating the website this Arvo!!

  • +2

    First off, props for your initiative.

    It's great that you're having a go at it, but also seem quite naive about the whole thing.

    I think all of the above comments have already highlighted all the main issues with your system, especially along the lines of trust and security.

    But as someone in the industry, I can see 2 major flaws in your system.

    • You're using a 3rd party (outlook) email provider for your emails, this means you are restricted by Microsoft's own spam filtering system. If someone forwards you an obvious spam email, MS will block it before it even reaches you, in some cases, they will blacklist the sender thinking they are a possible spammer as well, would you want this to happen to the people you are trying to protect?

    • Forwarding an email will sanitize the email of its original vital information, such as originating server, which spam filtering services use to determine if it's a suspicious email. All that you're left with is just a copy of the email's body, there is only so much you can do with that.

    • Thank you for the kind words.

      1. To expand on the technology for this purpose, I am using O365 with explicit instructions on this mailbox so that no email is sent to junk.
        Also there is an enterprise version whereby we can plug into the org mail server securely which will remove this issue by default

      2. Spam filtering services normally work by using this exact method. But during my testing and experience they miss out on context. Our system reads the entire email in HTML format, hence can see hidden links and has contextual awareness. Think of people being phished for info or chatted up to ask for money down the line, all this info is on the forwarded email, which in turn will help people from being scammed.
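
The two technical points in the exchange above (an inline forward loses the original routing headers, while the HTML body still shows links whose visible text and target differ), as an added example that is not part of the thread and not the service's code. Every hostname, address and message is constructed, and forward-as-attachment is included as an assumption about how the original headers could be kept.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the message as the recipient's own mail server stored it.
ORIGINAL = """\
Received: from mail.sender.example ([203.0.113.7]) by mx.recipient.example
Authentication-Results: mx.recipient.example; spf=fail smtp.mailfrom=bank.example
From: Your Bank <support@bank.example>
Content-Type: text/html; charset="utf-8"

<p>Log in at <a href="http://login.lookalike.example/v">https://www.bank.example/login</a></p>
"""
# Constructed: headers stamped on the hop from the forwarder to the checking mailbox.
HOP = """\
Received: from mail.recipient.example ([198.51.100.9]) by mx.checker.example
Authentication-Results: mx.checker.example; spf=pass smtp.mailfrom=recipient.example
From: parent@recipient.example
"""
# The same report sent two ways: body copied inline, or original attached as message/rfc822.
INLINE = HOP + 'Content-Type: text/html; charset="utf-8"\n\n' + ORIGINAL.split("\n\n", 1)[1]
ATTACHED = (HOP + 'Content-Type: multipart/mixed; boundary="b1"\n\n'
            "--b1\nContent-Type: text/plain\n\nIs this a scam?\n"
            "--b1\nContent-Type: message/rfc822\n\n" + ORIGINAL + "\n--b1--\n")

def parse(raw):
    return message_from_string(raw, policy=policy.default)

def spf_results(msg):
    """SPF verdicts from this message's own top-level Authentication-Results headers."""
    headers = msg.get_all("Authentication-Results", [])
    return [v for h in headers for v in re.findall(r"\bspf=(\w+)", str(h))]

def attached_original(msg):
    """Message inside a message/rfc822 part, or None when the forward was inline."""
    parts = [p for p in msg.walk() if p.get_content_type() == "message/rfc822"]
    return parts[0].get_payload(0) if parts else None

class LinkAudit(HTMLParser):  # collects (href, visible text) for each <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), ""
    def handle_data(self, data):
        self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href:
            self.links.append((self._href, self._text.strip()))
            self._href = None

def mismatched_links(msg):
    """Links whose visible text names one host while the href points at another."""
    body = msg.get_body(preferencelist=("html",))
    audit = LinkAudit()
    audit.feed(body.get_content() if body is not None else "")
    bad = []
    for href, text in audit.links:
        shown = urlparse(text if "://" in text else "//" + text).hostname
        if shown and "." in shown and " " not in shown and shown != urlparse(href).hostname:
            bad.append((text, href))
    return bad
```

For the inline forward the only SPF verdict left is the forwarder's own `pass`; the original `fail` is recoverable only from the attached copy, and an `Authentication-Results` header is worth trusting only when it was stamped by a server the analyst controls.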

  • Thank you for your feedback and encouragement, I have updated the website with some more info.
    Some things in the works:
    1. I finally got some budget to self host the models so no more dependency on OpenAI or Google. This will take maybe a week to complete.
    2. An about us Page for this project to put a face to the product.
    3. Made the Chrome extension a priority, hopefully should be ready in a couple of months and maybe a third party audit too for more trust.

    I'll update you as we make these changes. In the meantime, feel free to DM me if you have any queries

  • Hello all, a bit of an update, I've updated the core now to use Microsoft 365 servers in Australia, with stronger data protections and have ditched OpenAI or Gemini by Google.
    The website has been updated with some crucial info, hope to get your feedback on it :)

    https://isthisspam.org/
