The Spam Omelette #62

Welcome to this week

Week in Review: June 30 – July 7 2010


Spam Omelette Map

1. UNITED, but not as in the USA

The previous week’s analysis revealed the presence of the word UNITED as top term in spam. Strangely enough, it was not accompanied by the other keyword that could make any sense of it: States. A closer look into the honey pot showed that UNITED was used in a different context, namely a medicine spam campaign based on lots of text and a centered image.


Image spam with “junk” text to bypass Bayesian filters

This massive spam wave contains messages of approximately 12 kilobytes, each of them having identical or extremely similar templates. And, if you’re wondering where you’re getting this kind of spam from, then you should know that the Rustock botnet is hard at work and a single infected computer – maybe your neighbor’s or even yours – can send about 25,000 such messages per hour.

Spam Wave

Most of the spam subjects look alike

2. CLICK for instant credits, survey money and pirated Photoshop®

The word CLICK has been our no.1 champ for quite a while. It seems the good old days make a comeback with it ranking second – mostly because of the wide range of campaigns that abuse this word. Just as expected, the largest spam campaign featuring the word CLICK tries to push Canadian Pharmacy knockoff Viagra sold via a daisy-chain of Russia-based websites.

Click Spam

Viagra spam in its purest simplicity

Unlike the Canadian Pharmacy spam campaign described above, these templates are only made of a text link and a picture link leading to one of the Canadian Pharmacy website clones hosted in Russia. However, these links come with a twist: as the unwary users visit the link, their e-mail address is passed to the web browser as a GET parameter and validated against a human-operated e-mail address database. In this way, spammers will know that your address is in use and that you’re naïve enough to open spam mail.
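The address-validation trick described above can be spotted on the receiving side by checking whether any link parameter carries the recipient's own address. The following is an added example, not code from the original article: the sample message, the `.example` hosts and the function names are constructed for illustration, and it goes slightly beyond the text by also matching hex, Base64 and hashed forms of the address.

```python
import base64, hashlib, re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def address_forms(address):
    """Map each form in which a link might carry the recipient address to a label."""
    plain = address.strip().lower()
    raw = plain.encode()
    return {
        plain: "plain",
        raw.hex(): "hex",
        hashlib.md5(raw).hexdigest(): "md5",
        hashlib.sha1(raw).hexdigest(): "sha1",
        base64.b64encode(raw).decode().rstrip("=").lower(): "base64",
        base64.urlsafe_b64encode(raw).decode().rstrip("=").lower(): "base64",
    }

def _norm(value):
    # Compare case-insensitively and ignore Base64 padding.
    return value.strip().rstrip("=").lower()

def find_tagged_links(body, recipient):
    """Return (url, parameter, encoding) for each link parameter that identifies the recipient."""
    forms = address_forms(recipient)
    hits = []
    # HTML bodies write '&' as '&amp;' inside href attributes.
    for url in URL_RE.findall(body.replace("&amp;", "&")):
        for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            if _norm(value) in forms:
                hits.append((url, key, forms[_norm(value)]))
    return hits

def strip_tags(url, recipient):
    """Rebuild the URL without the parameters that identify the recipient."""
    forms = address_forms(recipient)
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if _norm(v) not in forms]
    return urlunsplit(parts._replace(query=urlencode(kept)))

# Constructed sample body: two tagged links and one untagged link.
SAMPLE_BODY = """\
Click here: http://pharm.example/offer?id=77&e=alice%40example.com
<a href="http://shop.example/go?u=YWxpY2VAZXhhbXBsZS5jb20=&amp;c=9">Click</a>
Newsletter: http://news.example/view?issue=62
"""

if __name__ == "__main__":
    for hit in find_tagged_links(SAMPLE_BODY, "alice@example.com"):
        print(hit)
```

A match on any of these forms is a strong signal for a mail filter, and `strip_tags` gives an analyst a version of the link that can be inspected without confirming the address to the sender.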

The second spam wave involving the word CLICK is an aggressive invitation to purchase “heavily discounted” (read pirated) versions of popular software, including Adobe® CS5 Master Collection, which is discounted from $2599 to just $179.

Click Spam 2

Heavily discounted software has never looked more suspicious

Well, if you’d like to know the magic behind this type of discounts, then here’s the deal:

  1. You’re buying a trial version of the products listed in the offer + an illegal key generated with a keygen application;
  2. You’re buying a genuine license key which has been stolen from a legitimate buyer’s Trojanized computer. As soon as the entitled user detects that he can’t get updates or use the product, he’ll have the license revoked and renewed. Be warned: you won’t be able to get any refund.

The third significant campaign involving the word CLICK is an old-fashioned scam aimed at luring users into purchasing the secret “Get-Rich” recipe: make loads of money without even blinking. It sounds too good to be true, right? It surely is.

Click Spam 3

Click-monkeys needed for some nice Adsense abuse

3. Be the FIRST in the Russian Brides Scam

The word FIRST ranks third in this week’s issue of the Spam Omelette. It is mostly encountered in an odd breed of spam using ASCII art to render the message. ASCII art spam is impossible to detect using traditional approaches in anti-spam technologies, so it is more likely to hit the user’s inbox.


First Spam

ASCII-art: old but not forgotten

In order for the message to appear as legit as possible in the e-mail client, the spammers have included a readable first line of text, reading “Love at first sight”. The message also includes two links that take users to websites with various profiles: Canadian Pharmacy, Acai Berry pills and online dating.

Mini Spam

4. Get your useless UNIVERSITY degree now!

In the context of unemployment reaching alarming heights, spammers have re-initiated their fake diploma offensive. If you’d rather skip the hard work during college and have a diploma delivered via snail mail, then you’d better think twice: you’ll only get a worthless piece of paper in exchange for a 4-figure sum of $$. The fine print clearly states that it’s non-accredited, but it would at least look uber-cool in a frame on your wall.

University degree

Forged university degrees to go with a forged message

5. Numb and NUMBER

The word NUMBER concludes this week’s spam top and has been mostly identified in messages promoting yet-another-advance-fee-fraud scheme with a twist of ID theft. Shortly put, the submissive banker from [insert country here] has a fortune too many and would like to wire it to you. You will, however, need to offer him the necessary contact details – basically every piece of your personal data – and deposit a trivial sum of money – say $50K – as “processing fees”. Sounds pretty convincing, eh?

Number Spam

A 411 by any other name…

About the author


Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.