- August 16, 2023: New Grading & Finding Behavior sections.
- May 8, 2020: Updated risk vector description.
⇤ Compromised Systems Risk Category
The Spam Propagation risk vector is composed of spambots, where a device on a company’s network is unsolicitedly sending commercial or bulk email (spam). If spam originates from email addresses or devices within a company’s network, this is an indication of an infection.
If a company offers a bulk email-sending service, such as a digital marketing company that sends marketing material on behalf of their customers, they are excluded from this risk vector. These companies are identified with a “Bulk Email Sender” label on their company overview page.
See data collection methods or the criteria for classifying findings as Spam Propagation.
Risks
- Damage to a company’s reputation.
- Abuses company resources.
- Legitimate email from the company may be flagged as spam and will not reach its intended recipient.
- Increases the risk of additional malware entering organizational systems.
Grading
Compromised Systems risk vectors are graded in the same manner. They are weighted evenly across the risk category and have a lifetime of 180 days.
Remediation
Review Spam Propagation findings and track down infections.
- Conduct a thorough security review of the machine (malware & antivirus sweep).
- Review services used on the machine, harden firewall rules.
- Improve employee computer safety training (phishing, installing unapproved software).
Finding Behavior
User-requested refreshes are not available for Compromised Systems risk vectors.
As the negatively impacting finding gets older, you will gradually get points back.