The Spam Omelette #15

25 February 2009
Welcome to a new issue of the Spam Omelette, BitDefender's weekly report on spam trends and techniques. If you joined our newsletter later, please have a look at our testing methodology and spam map generation procedures before proceeding with today's article.

Week in review: February 18 - 25


1. EMAIL ranks first, again

This week, the word e-mail has been spotted in three flavors, namely Email, E-Mail and Mail. Spelled as EMAIL, the word has been identified by the BitDefender spam researchers in unsolicited messages promoting natural weight loss products alleged to perform miracles in a short period of time. The message features a simple mail template with no additional images or links. Users are advised to sign up for a trial by sending a message to an included mail address.

A closer look at the message revealed that this type of spam is not promoting any service or goods, but is rather used by its authors to build massive databases of users' mail addresses and private data, which would then become available for purchase on the underground market.


Other variations of the word have been identified in both Nigerian scam letters (especially spelled as E-MAIL) and shady loan offerings, where the word appears spelled as MAIL.


First things first: the Nigerian scam, the old-but-gold confidence trick, tells the tear-jerking story of a recently deceased Nigerian authority who had designated the recipient as the only heir to his tremendous fortune. In order to gain the recipient's confidence, the spammer even includes links to miscellaneous electronic newspapers that had written about the incident. However, a closer look at the message reveals that the mentioned publication (punchtoweb.com) links to a free blog built on the Wordpress.com platform.


As for the fund offering, the link in the message points to a script that only abuses Google ads on a specific page, after which the user is redirected to yet another message announcing the termination of the campaign.

2. PLEASE makes it back into the top

Ranking second in our weekly top, the word PLEASE has been spotted in messages promoting Canadian Pharmacy drugs. The template includes images, as well as a link to a website that users are advised to access if the images are blocked for privacy reasons.

The template also includes a footnote with an unsubscribe link, although it is forged: it won't really remove users from the spam database, but rather validates their addresses for future campaigns.


3. CLICK to get your air tickets

The word click has been spotted in unsolicited email messages allegedly asking for air-ticket purchase confirmations. The message template is clean and simple, with two images and a link to be followed if the email client refuses to display the images. These campaigns are carried out by independent parties using the Hydra Online advertisement network.


4. German words UND and SIE make an aggressive comeback

Although German spam witnessed a tremendous downturn during the past week, this week's spam map still reveals German-origin words, especially UND (translation: and) and SIE (translation: you, in the polite form). These two terms are found in identical proportions, but they failed to surface in any screenshot. The reason is that they are contained in dummy text inserted in the Canadian Pharmacy template we talked about under PLEASE. Given that the Canadian Pharmacy campaign relies heavily on images, spammers have added HTML comments with lots of German text in order to trick spam filters. Since the text is commented out (and therefore ignored by the email client), the user won't see it when the message is opened with a specialized client.
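A filter-side check for the comment-padding trick described above, as an added example that is not BitDefender's code: it counts the words hidden in HTML comments against the words a client actually renders, and flags image-led messages where the hidden text dominates. The class and function names, the thresholds and the sample messages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

class BallastScanner(HTMLParser):
    """Separates text a mail client renders from text hidden in HTML comments."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.visible, self.hidden, self.images = [], [], 0
        self._skip = 0  # depth inside <script>/<style>, never rendered as text

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images += 1
        elif tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.visible.extend(data.split())

    def handle_comment(self, data):
        self.hidden.extend(data.split())

def comment_ballast(html, min_hidden_words=20, ratio=3.0):
    """Return counts plus a flag for image-led mail padded with comment text."""
    s = BallastScanner()
    s.feed(html)
    s.close()
    hidden, visible = len(s.hidden), len(s.visible)
    # Assumed heuristic: at least one image, and far more hidden than shown text.
    flagged = (s.images > 0 and hidden >= min_hidden_words
               and hidden >= ratio * max(visible, 1))
    return {"images": s.images, "visible_words": visible,
            "hidden_words": hidden, "flagged": flagged}

# Constructed samples (not taken from the campaign described above).
PADDING = "und sie " * 30
SPAM_LIKE = ('<html><body><a href="http://shop.example/"><img src="cid:offer"></a>'
             "<p>Please click here if images are blocked.</p>"
             "<!-- " + PADDING + "--></body></html>")
NEWSLETTER = ("<html><body><!-- header --><img src='logo.png'>"
              "<p>" + "Our weekly report covers spam trends. " * 5 + "</p></body></html>")

if __name__ == "__main__":
    print(comment_ballast(SPAM_LIKE))
    print(comment_ballast(NEWSLETTER))
```

A word-frequency map built from the raw message source counts the comment text, while a map built from `visible_words` only reflects what the recipient reads.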


5. Information: How to waste your money playing online poker

Ranking last in our weekly top, the word INFORMATION has been detected in messages promoting offerings coming from miscellaneous online casinos. Unlike PokerSavvy, the new campaign does not rely on online marketing companies, but rather on mailing lists purchased on the underground market. As usual, the unsubscribe link is invalid, thus preventing users from removing themselves from the spam database.

 


What's new in the spam landscape?

  • German terms are still visible on the spam map, although they are invisible to the end-user. They are used as ballast text to trick antispam filters;
  • Product spam has witnessed a downward spiral as Valentine's Day was left behind.



Bogdan never trusts anything until it is disassembled into small pieces and carefully inspected. The passion for writing and the almost obsessive attention to details are some of his greatest qualities and, at the same time, some of his greatest flaws.

Comments:

patricia said on Mar-1-2009 18:21

It won't let me turn on my anti virus program

Bogdan Botezatu said on Mar-2-2009 17:21

And why do you think your antivirus stopped working?
