Spammers are recycling their old spamming methods after more than two years. Symantec reported an .mp3 version of pump-and-dump stock spam back in October 2007.

In this recent spam attack, a small .mp3 file promoting a meds domain is attached to the email messages. These email messages contain no subject line or message body. The .mp3 file is a five-second message recorded in a female voice and promotes a particular meds domain. The file is approximately 11 KB in size and recorded at a 16 kbps bit rate. The voice is heavily distorted with background noise. The domain name described in the file is a recently registered domain in China.

Some of the random filenames used are as follows:

milksoppy.mp3
enwomb.mp3
realiser.mp3
escort.mp3
recarboniser.mp3
unlights.mp3
scathing.mp3
byproduct.mp3
lewes.mp3
micrometers.mp3
trowelled.mp3

Spammers use various versions of the Thunderbird user-agent and spoofed "From" headers.

User-Agent: Thunderbird 2.0.0.19 (Windows/20081209)
User-Agent: Thunderbird 2.0.0.21 (Windows/20090302)
User-Agent: Thunderbird 2.0.0.9 (Windows/20071031)
User-Agent: Thunderbird 2.0.0.22 (Macintosh/20090605)

Our analysis shows that the majority of these spam messages originated from Europe (81.5%), followed by South America (8.3%). Asia and North America each contributed just over 3%.

As of now, no malicious threats have been observed in this spam attack. However, Symantec recommends that users suppress any curiosity about this .mp3 file: definitely do not open it. Also, delete all suspicious/unsolicited email messages containing attachments.
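The traits described above (no subject, no body, a single small .mp3 attachment, a Thunderbird 2.0.0.x User-Agent) can be combined into a mail-filter heuristic. The following Python is an added example, not Symantec's detection logic; the size ceiling, the scoring rule, the function names and both sample messages are assumptions constructed for illustration.

```python
import re
from email.message import EmailMessage

MAX_MP3_BYTES = 32 * 1024  # assumption: generous ceiling above the ~11 KB file
TB2_UA = re.compile(r"Thunderbird 2\.0\.0\.\d+ \((Windows|Macintosh)/\d{8}\)")

def mp3_spam_traits(msg):
    """Return which traits described in the post this message shows."""
    traits, body, attachments = [], "", []
    if not (msg.get("Subject") or "").strip():
        traits.append("empty-subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name, data = part.get_filename(), part.get_payload(decode=True) or b""
        if name:
            attachments.append((name.lower(), len(data)))
        elif part.get_content_maintype() == "text":
            body += data.decode("utf-8", "replace")
    if not body.strip():
        traits.append("empty-body")
    if (len(attachments) == 1 and attachments[0][0].endswith(".mp3")
            and attachments[0][1] <= MAX_MP3_BYTES):
        traits.append("lone-small-mp3")
    if TB2_UA.fullmatch((msg.get("User-Agent") or "").strip()):
        traits.append("thunderbird-2-ua")
    return traits

def is_suspect(msg):
    # The User-Agent is also sent by legitimate users; it is supporting evidence only.
    t = set(mp3_spam_traits(msg))
    return {"empty-body", "lone-small-mp3"} <= t and len(t) >= 3

def build_sample(subject, body, filename, size, user_agent):
    """Constructed test message (not captured spam)."""
    m = EmailMessage()
    m["User-Agent"] = user_agent
    if subject:
        m["Subject"] = subject
    if body:
        m.set_content(body)
    m.add_attachment(b"\x00" * size, maintype="audio", subtype="mpeg", filename=filename)
    return m

SPAM_LIKE = build_sample("", "", "enwomb.mp3", 11 * 1024, "Thunderbird 2.0.0.19 (Windows/20081209)")
LEGIT = build_sample("Rehearsal take 3", "Recording attached.", "take3.mp3", 200 * 1024, "Thunderbird 2.0.0.21 (Windows/20090302)")

if __name__ == "__main__":
    for label, m in (("spam-like", SPAM_LIKE), ("legit", LEGIT)):
        print(label, mp3_spam_traits(m), is_suspect(m))
```

The legitimate sample shares the Thunderbird User-Agent but is not flagged, because the header alone does not distinguish spam from ordinary mail.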