The Spam Omelette #5

Welcome to our fifth report on spam messages for the week that ended November 23. Before proceeding any further, please make sure that you are familiar with our spam testing methodology and map generation. This week

Spam omelette Map


1. The EMAIL message has it all

This week’s favorite word in spam messages is “EMAIL”. It has been detected spelled both as “email” and “E-mail”, but they both point to the same thing, after all. Spelled as “Email”, the word is frequently encountered in Brazilian spam messages advertising telephony and Internet services.


The other instance of the word, spelled as “e-mail”, has been detected mostly in messages impersonating Hallmark e-cards. Basically, the spammer perfectly imitates a legitimate message allegedly sent by the greeting card company. All the links included in the message direct users to an infected webpage that automatically triggers a drive-by download. The downloaded binary file is an executable application that installs an IRC bot on the host computer. The bot would immediately add the infected computer to the Srizbi botnet, a network of rogue computers that is mostly responsible for sending fake, infected e-cards.

Hallmark spam


2. CLICK here for extra product spam

Product spam witnessed a significant decrease over the last two weeks, but it is on the rise again, as we are getting closer to the Christmas shopping spree. Deeper analysis revealed that the word “Click” comes in spam messages advertising Rolex

Spam example



3. Come visit us, PLEASE

Ranking third on our weekly spam top, the word “please” has been identified mostly in messages associated with the Canadian Pharmacy business. Although the image accompanying the message is unchanged from the previous campaigns, this week’s spam wave mentions the recipient’s address and even provides a forged link to unsubscribe. This small tweak adds extra legitimacy to a message known as spam.

 Please Spam



4. NEW Year, new spam

The word “new” ranks fourth in this week’s spam top. BitDefender analysts identified a single type of message abusing the word. This spam campaign advertises luxury replicas ranging from designer bags to watches and jewelry.

New year Spam


here and here.

Fake “unsubscribe” links attached to spam messages have become a standard in the spam industry. This kind of link not only makes the message look legitimate (it usually impersonates a newsletter sent by a respectable company), but also helps spammers validate which mail addresses in their databases are actually in use. Unsubscribing from a spam list would also tip off the spammer that the end-user has limited security knowledge and might be a potential target for subsequent spam / malware attacks.

Unsubscribe spam

Deeper analysis revealed that some e-mails in this type of campaign would often include multiple unsubscribe links. Please note that clicking on any of these links would actually enroll you in other spam campaigns, and you might even receive malicious
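
As an added illustration (not part of the original report), a mail filter can check a message statically for the unsubscribe-link traits described above: more than one unsubscribe link, links hosted away from the sender's domain, and the recipient's address carried inside the link. The sample message, the host names and the names LinkCollector and unsubscribe_findings are constructed for this example, and the address-in-URL check is an assumption about how such links confirm a live mailbox.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample message (not from the report); hosts use reserved TLDs.
SAMPLE = (b"From: Newsletter <news@shop.example>\r\n"
          b"To: user@mail.example\r\n"
          b"Content-Type: text/html; charset=utf-8\r\n\r\n"
          b'<p>Deals <a href="http://shop.example/sale">here</a></p>'
          b'<a href="http://list-a.invalid/unsubscribe?e=user%40mail.example">opt out</a> '
          b'<a href="http://list-b.invalid/r.php?id=7">Unsubscribe</a>')

class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def unsubscribe_findings(raw: bytes) -> dict:
    """Report unsubscribe-link traits of a raw message; no URL is ever fetched."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2].lower()
    rcpt = parseaddr(str(msg["To"] or ""))[1].lower()
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    # A link counts if "unsubscribe" appears in its URL or in its visible text.
    unsub = [h for h, t in collector.links if "unsubscribe" in f"{h} {t}".lower()]
    hosts = {(urlsplit(h).hostname or "").lower() for h in unsub}
    off = sorted(h for h in hosts if h and h != sender and not h.endswith("." + sender))
    return {"unsubscribe_links": len(unsub),
            "multiple_links": len(unsub) > 1,
            "off_domain_hosts": off,  # hosts unrelated to the From: domain
            "address_in_url": any(bool(rcpt) and rcpt in unquote(h).lower() for h in unsub)}
```

Legitimate newsletters also use third-party unsubscribe hosts, so these fields are scoring signals for a filter rather than a verdict on their own.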

What’s new in the spam landscape?


Given the fact that winter holidays are only one month ahead, product spam is on the rise. BitDefender expects new spam waves advertising the perfect Christmas gift, along with other security threats. The Srizbi botnet has already started sending forged Christmas e-cards (please note that our spam map already registered the word “card”), which point unwary users to malicious binary files.

About the author


Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.