
Attachments and Blank Messages Assist Spam Spike

Samir Patil
June 15th, 2009
Tags: Endpoint Protection (AntiVirus), Security, Spam, Spam, Security Response

Over the past few weeks we’ve observed an increase in spam emails carrying attachments of various file types, such as jpg, jpeg, png, zip, and rtf. Attachment spam volumes slowly crept upward between May 1 and June 13, 2009.

Image spam falls mainly in the health spam category, usually with an embedded jpeg, jpg, or png image promoting ED pills. We’ve observed a spike in spam carrying rich text format (.rtf) attachments between the last week of May 2009 and the early days of June 2009. The email has a blank message body with an attached .rtf file of approximately 360 bytes. This file contains online pharmacy promotional messages and a URL that leads users to an online pharmacy store. These emails use random subject lines that are usually obfuscated, misspelled, or even meaningless.

Various subject lines observed in these spam emails are as follows:

Subject: Woman strrips after wolf whistle
Subject: Teacher Suspended For offering Extra credit Foor Wendy's Cups
Subject: When Dogs Are Musles
Subject: Coach Stops Runawway Horse by Biting Ear
Subject: Japanese Pop Queen's Mom In Fighht With Feds
Subject: Study Finkds Mormons Weigh More
Subject: Some sort off scary animated-real video (WMV)
Subject: Hollywood Pgigeons Being Put On The Pill
Subject: Maan Gets Lost Ring Back for Second Time
Subject: Sky's the limit as rich Chinese bauys ticket to space

Below is an example of .rtf attachment spam:

We’ve also observed spam samples containing malicious attachments, in which the email poses as a delivery failure notification from a reputable money transfer/parcel service and includes an attachment that is purportedly a copy of an invoice. In this pathetic effort to spread malicious code, the spammer requests that recipients print out the attached invoice, which is actually an executable (.exe) file.

Along with spam carrying attachments, we’ve observed an increase in “blank body” spam messages. Such spam campaigns are run by spammers in an attempt to find valid/existing email addresses at a certain domain (also called a directory harvest attack, or “DHA”). This particular spam sample has a blank message body with a blank subject line, and no URLs or attachments. The “From” header is spoofed.

Below are some examples of the spoofed “From” header seen in a DHA attack:

From: uqmmblyhqnq@[removed].com
From: tennent@[removed].co.nz
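
The three message shapes described in this post (a blank body with a tiny .rtf attachment, an executable attachment, and a blank-body, blank-subject probe) can be checked mechanically at a mail gateway. The Python below is an added example, not Symantec's detection logic; the 1024-byte cut-off, the flag names, and the sample messages are assumptions constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

SMALL_RTF_MAX = 1024  # assumed cut-off; the post reports .rtf files of roughly 360 bytes

def classify(raw: bytes) -> set:
    """Return which of the traits described in the post a raw message exhibits."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    blank_body = body is None or not body.get_content().strip()
    blank_subject = not (msg["Subject"] or "").strip()
    attachments = list(msg.iter_attachments())
    flags = set()
    for att in attachments:
        ext = os.path.splitext((att.get_filename() or "").lower())[1]
        size = len(att.get_payload(decode=True) or b"")
        if ext == ".rtf" and blank_body and size <= SMALL_RTF_MAX:
            flags.add("blank-body-small-rtf")
        if ext == ".exe":  # flagged whatever the message claims the file is
            flags.add("executable-attachment")
    if blank_body and blank_subject and not attachments:
        flags.add("possible-dha-probe")
    return flags

def build(subject, body, attachment=None) -> bytes:
    """Construct a sample message (constructed test data, not a captured sample)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.org"
    if subject:
        m["Subject"] = subject
    m.set_content(body or "\n")  # a lone newline stands in for a blank body
    if attachment:
        name, data = attachment
        m.add_attachment(data, maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_bytes()

SAMPLES = {  # all constructed; only the first subject line is taken from the post
    "rtf": build("Study Finkds Mormons Weigh More", "",
                 ("offer.rtf", b"{\\rtf1 " + b"x" * 350 + b"}")),
    "exe": build("Delivery failure", "Please print the attached invoice.",
                 ("invoice.exe", b"MZ" + b"\0" * 64)),
    "dha": build("", ""),
    "ham": build("Lunch?", "Are you free at noon?"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, sorted(classify(raw)))
```

A single blank-body, blank-subject message is weak evidence on its own; in practice the DHA flag is most useful when counted per sending host alongside the rate of rejected recipients.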

As always, Symantec advises that email users avoid opening attachments from unexpected and unsolicited emails, and fight against such attacks with up-to-date virus definitions.

Message Edited by Trevor Mack on 06-16-2009 02:04 AM
