
Glued Body Spam Attacks

Updated: 29 Jun 2009
Amanda Grady

Spam messages with empty bodies are often associated with “directory harvest attacks,” a spamming technique in which email servers are bombarded with thousands of emails in the hope of discovering which addresses are valid. Alternatively, the call to action may be contained entirely in the subject line (as is described here). In recent weeks Symantec has been observing a different type of blank-body spam attack.

In these attacks, when the message arrives on the end-user’s machine, the “subject,” “from” line, “to” line, and “body” are all completely blank. If the full message headers are examined, a typical pharmaceutical spam advertisement can be seen in the message headers, along with the content headers from the data stage of the SMTP conversation, as shown below.

This may occur when the MIME headers lack the line break or whitespace that helps email clients interpret the different parts of the message and display it to the user—hence the term “glued body,” since the body is glued to the headers. This may be a deliberate attempt to bypass spam filtering in the hope that a later server or email client may somehow be able to parse the message and display it correctly.
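One way a mail filter could flag the condition described above, as an added example that is not part of the original post: it splits a raw message at the first empty line and reports when From, To, Subject and the body are all blank while content headers or loose text sit in the header block. The sample messages, host names and the `looks_glued` heuristic are constructed assumptions, not Symantec's detection logic.

```python
import re

# RFC 5322 field name: printable ASCII except ':', followed by a colon.
FIELD_RE = re.compile(r"^[!-9;-~]+:")
VISIBLE = ("from", "to", "subject")   # what the mail client shows the user

def analyse(raw: str) -> dict:
    """Split at the first empty line and classify every header-block line."""
    head, sep, body = raw.replace("\r\n", "\n").partition("\n\n")
    fields, stray = {}, []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t"):
            continue                      # folded continuation of the previous field
        if FIELD_RE.match(line):
            name, _, value = line.partition(":")
            fields[name.lower()] = value.strip()
        elif line:
            stray.append(line)            # text sitting where a header should be
    return {
        "has_separator": bool(sep),
        "body_empty": not body.strip(),
        "missing": [h for h in VISIBLE if not fields.get(h)],
        "content_headers": sorted(f for f in fields if f.startswith("content-")),
        "stray": stray,
    }

def looks_glued(raw: str) -> bool:
    """Heuristic (assumption): blank to the user, yet content sits in the headers."""
    r = analyse(raw)
    blank_to_user = r["body_empty"] and r["missing"] == list(VISIBLE)
    return blank_to_user and bool(r["stray"] or r["content_headers"])

# Constructed samples (not captured traffic).
GLUED = (
    "Received: from host.example ([192.0.2.10]) by mx.example.net;\r\n"
    "\tMon, 29 Jun 2009 10:00:00 +0000\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n"
    "Content-Transfer-Encoding: 7bit\r\n"
    "Constructed advertisement text goes here\r\n"
)
EMPTY_BODY = (   # ordinary empty-body mail: headers intact, nothing glued
    "From: a@example.org\r\nTo: b@example.net\r\n"
    "Subject: call to action in the subject\r\n\r\n"
)

if __name__ == "__main__":
    for name, msg in (("glued", GLUED), ("empty-body", EMPTY_BODY)):
        print(name, looks_glued(msg), analyse(msg))
```

The second sample shows why an empty body alone is not enough to flag a message: the headers are intact, so it is classified as ordinary empty-body mail rather than a glued one.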
 
Thousands of zombie or spambot-infected machines around the world are known to be the source of these messages. Over the past 10 days, Symantec has observed at least 100,000 of these messages being sent per day, not including messages dropped at connection time from known infected machines.

The bad news for spammers is that even if their message does get through anti-spam filters, a lot of people will not see the advertisement—definitely reducing the click-through rates and thereby the profit.

Message Edited by Trevor Mack on 05-05-2009 11:39 AM