The Spam Omelette #17
Week in review: March 4-11
1. EMAIL listed as number one for six weeks
The undisputed leader in the spam world, the word EMAIL managed to score a six-week record as the top term used in unsolicited messages. The BitDefender spam researchers identified the term in two spam campaigns, namely a batch of messages sent by Canadian Pharmacy, as well as a smaller campaign in the Nigerian scam family.
The first series of messages started showing up on March 7, and spammers seem to have been extremely active since then. Moreover, these unsolicited messages feature generic subjects meant to trick the user into opening the message. On a side note, the sender's address is always displayed as identical to the recipient's.
The second spam wave featuring the word EMAIL is a simple Nigerian scam with a taste of social engineering. The message allegedly informs the recipient that they are required to pick up a bank draft, but that they would have to provide the scammer with some "minor" details, such as their full name, home address and personal phone number.
These pieces of information can be used by an attacker to successfully carry out other 411 scams, or even to steal the victim's identity.
2. PLEASE bring in new spamming techniques
Ranking second in our top, the word PLEASE has been identified in yet another spam batch sent by Canadian Pharmacy, one of the most active spammers this month. The word appears in the message footer - more to the point, in the forged disclaimer mentioning that the respective message comes from a legitimate organization (in this case, the about.com portal).
The main point of attraction is not the blocked image, but rather the link placed under it. Spammers seem to be shifting away from image-based unsolicited messages, as spam filters are getting more and more efficient at sorting this type of email.
3. DIE / DER / UND used as background noise
Although the above-mentioned words managed once again to show up on the spam map, a closer look at the analyzed spam stock revealed that they do not show up in the message body itself. Instead, just as we announced a couple of weeks ago, they come from commented German text inserted in the email template. Commented text is neither displayed by the email client / browser nor processed by the HTML parser. It is usually inserted by programmers in between lines of code for documentation purposes only, but this is also a good method of bypassing image-based spam filters.
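The two traits described so far, a sender address identical to the recipient's and filler words hidden in HTML comments, can both be checked mechanically. The following Python sketch is an added example, not BitDefender's filter logic; the sample message, the `analyze` function and the 0.5 ratio threshold are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

class CommentSplitter(HTMLParser):
    """Collect rendered words and HTML-comment words separately."""
    def __init__(self):
        super().__init__()
        self.visible, self.hidden = [], []

    def handle_data(self, data):      # text a mail client would render
        self.visible.extend(data.split())

    def handle_comment(self, data):   # text inside <!-- ... -->, never rendered
        self.hidden.extend(data.split())

def analyze(raw_message, max_hidden_ratio=0.5):
    """Return header and comment-noise signals for one raw message.
    max_hidden_ratio is an assumed threshold, not a value from the article."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    parser = CommentSplitter()
    parser.feed(msg.get_payload())
    parser.close()
    total = len(parser.visible) + len(parser.hidden)
    ratio = len(parser.hidden) / total if total else 0.0
    return {
        "self_addressed": bool(sender) and sender == rcpt,
        "visible_words": parser.visible,   # tally word statistics on these only
        "hidden_words": parser.hidden,
        "comment_noise": ratio > max_hidden_ratio,
    }

# Constructed sample message (not taken from a real campaign).
SAMPLE = """\
From: "Offers" <user@example.com>
To: user@example.com
Subject: Part-time job
Content-Type: text/html

<html><body>
<!-- die Katze und der Hund und die Maus und der Vogel -->
<a href="http://shop.example/">Click here</a>
<!-- der Tag und die Nacht -->
<img src="http://shop.example/pills.png">
</body></html>
"""

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Counting word frequencies on `visible_words` alone keeps commented filler such as DIE / DER / UND out of the statistics, while the size of `hidden_words` relative to the rendered text serves as a signal in its own right.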
4. CLICK here for a job, get medicine spam instead
Ranking fourth in this week's spam top, the word CLICK has been identified by the BitDefender antispam researchers mostly in unsolicited mails coming from the Canadian Pharmacy business.
Disguised as a part-time job proposition, the message would display nothing but an image depicting the Canadian Pharmacy logo along with the pills it sells. Interestingly enough, spammers seem to exploit the precarious situation of the US economy and build on users' curiosity to convince them to open such messages.
5. UNSUBSCRIBE here to terminate your inbox
This week's spam top has been dominated by Canadian Pharmacy's messages. The greatest spammer in the world sends messages with forged unsubscribe links that allegedly allow users to remove their addresses from the mailing list. However, as tests prove, right after unsubscribing, these messages not only fail to cease, but are sent more often and in larger amounts.
If you have already made it onto such a mailing list and would rather keep your address than terminate it, don't use the unsubscribe link. Instead, you might consider purchasing and deploying a security solution with antispam filters.
What's new in the spam landscape?
- Canadian Pharmacy accounts for the lion's share of sent spam. Although their default mail template has remained unchanged, spammers have increased the list of sentences to be used as subjects. From "Stick to Plan B. Pills preventing pregnancy" to the mysterious "See him, he may help", spammers exploit users' curiosity in order to make them open the message.
- PokerSavvy, the online gambling agency that was once the most important source of spam, is now taking a break. Given the fact that they are promoted by Bronto.com, an online marketing agency, the financial crisis might have forced them to adjust their advertising budget quite a bit.