The Spam Omelette #63

Remember those newsletter spam messages? Keep


If you happen to have just joined our newsletter, please do have a look at our testing methodology and spam map generation procedures before reading any further.

Week in review: November 29 – October 6

Spam omelette 63

1. Canadian “Newsletters” (NEWSLETTER = 5.12%)

For about one year now, newsletter-like spam messages have been the favorite method of packaging unsolicited mail. This week’s number one word in the BitDefender spam top is NEWSLETTER, and it is mostly found in bulk mail advertising Canadian Pharmacy pills, among others. The most interesting spam wave abusing the above-mentioned word advertises a fully-fledged spam service including mail servers, a 12-million mail address database AND the HTML templates to conveniently spam out the so-called “newsletters”.

Newsletter spam

The all-in-one spam service

2. Click, click, you’re infected (CLICK = 2.95%)

The word CLICK comes in second this week with nearly 3% of the top words used in spam. Not only  is it a prominent member of the Spam Omelette, but it is also associated with a spam wave that’s, well, pretty unfriendly, to say the least. This is one of the few spam waves that come bundled with malware disguised as harmless e-cards. In order to trick users into running it, the file comes with a double extension (.gif.exe), so if the operating system is set not to display known extensions, you’ll only see the file named card.gif. Inside the package, there’s Backdoor.Zapchast.PI which will give full control over the infected machine to a remote attacker.

click Spam

Yet another Welcome to the botnet greeting card.


3. The polite conman (PLEASE = 2.76%)

Ranking third in this week’s spam top, PLEASE accounts for 2.76 percent of the most frequently used words in unsolicited messages. The largest spam wave abusing the word is a classical Nigerian scam relocated in Hong Kong for extra credibility. Unlike other attempts of this kind, the scammers behind the spam run don’t expect to rip you off, but rather build a nice e-mail address database of persons who are naïve enough to reply to this kind of messages.

Please Spam

How about some easy money?


4. Subscribe again to spam (SUBSCRIBE = 2.70%)

This week’s fourth contender rises up to almost half of the first runner’s number of occurrences. It is mostly encountered in bulk mail advertising Canadian Pharmacy products. This specific spam wave uses a newsletter-like template with a central image and multiple footer links, a classic approach for Canadian Pharmacy and the like. This Canadian Pharmacy clone is hosted in Russia, but prior to taking the user to the landing page the site performs a number of redirects and also adds the victim’s e-mail address to a “spam-me-more” database.

The newsletter that lets you do anything but unsubscribe

5. BUY cheap knock-off pills (BUY = 2.19%)

The word BUY concludes this week’s spam survey and it is mostly related to medicine spam and replica accessories, such as bags and watches. If you’re on the look-out for prescription-based drugs or for a premium present for your significant other, then you’d better look somewhere else, or else you’ll end up with no merchandise or money on your credit card.

Buy Spam

Plenty of pills to choose from. Some of them are illegal, others are simply dangerous.

About the author


Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.