The Spam Omelette #15

Welcome to a new issue of the Spam Omelette, BitDefender

Week in review: February 18 – 25

Spam Omelette

1. EMAIL  ranks first, again

This week, the word e-mail has been spotted in three flavors, namely Email, E-Mail and Mail. Spelled as EMAIL,
the word has been identified by the BitDefender spam researchers in unsolicited
messages promoting natural weight loss products alleged to perform miracles in
a short period of time. The message features a simple mail template with no
additional images or links. Users are advised to sign up for a trial by sending
a message to an included mail address.

A closer look on the message revealed that this type of spam is not
promoting any service or goods, but is rather used by its authors to create
massive databases with users’ mail addresses and private data which would then
become available for purchase on the underground market.


Other variations of
the word have been identified in both Nigerian scam letters (especially spelled
as E-MAIL) and shady loan offerings,
where the word appears spelled as MAIL.


First thing first: the Nigerian scam, the old but goldie confidence
trick tells the lacrimogenous story of a freshly-passed away Nigerian authority
that had designate the recipient as the only heir of his tremendous fortune. In
order to gain recipients’ confidence, the spammer even includes links to
miscellaneous electronic newspapers that had written about the incident.
However, a closer look on the message reveals that the mentioned publication
( links to a free blog built on the platform.


As for the fund
offering, the link to the webpage links to a script that only abuses Google ads
on a specific page, after which the user is redirected to yet another message
announcing the termination of the campaign.

makes it back into the top

Ranking second in our
weekly top, the word PLEASE has been spotted in messages promoting Canadian
Pharmacy drugs. The template includes images too, as well as a link to a
website, which users are advised to access if the images are blocked on privacy

The template also
includes a footnote with an unsubscribe link, although it has been forged and
won’t really remove users from the spam database, but rather validate their
addresses for future campaigns.

Please 8


to get your air tickets

The word click has been spotted in unsolicited email messages allegedly
asking for air-ticket purchase confirmations. The message template is clean and
simple with two images and a link to be followed if the email client refuses to
display the images. These campaigns are carried by independent parties using
the Hydra Online advertisement network.

Click Spam

4. German
words UND and SIE make an aggressive comeback

Although German spam witnessed a tremendous downturn during the past
week, this week’s spam map still reveals German-origin words, especially UND (translation: and) and SIE (translation: you
respectfully). These two terms are found in identical proportions, but they
failed to surface in any screenshot. The reason for this is the fact that they
are contained in dummy text inserted in the Canadian Pharmacy template we
talked about in PLEASE. Given the fact that the Canadian Pharmacy campaign
heavily relies on images, spammers have added HTML comments with lots of German
text in order to trick spam filters. Since it is commented (ignored by the
email client), the user won’t see the text when opened with a specialized

German Spam

5. Information: How to waste your money playing
online poker

Ranking last in our weekly top, the word INFORMATION has been detected
in messages promoting offerings coming from miscellaneous online casinos.
Unlike PokerSavvy, the new campaign does not rely on online marketing
companies, but rather on mailing lists purchased on the underground market. As
usually, the unsubscribe link is invalid, thus disallowing users to remove
themselves from the spam database.


Information Spam

What’s new in the spam landscape?

  • German
    terms are still visible on the spam map, although they are invisible to the
    end-user. They are used as ballast texts for tricking antispam filters;
  • Product
    spam has witnessed a downwards spiral as the Valentine’s Day was left behind.

About the author


Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.