In recent months, we have observed different types of legitimate newsletter templates used in pharmacy spam attacks. In order to get users to open these email messages, spammers need to ensure that the subject line (entry point) is always enticing and that the content looks legitimate. So much so that a user may open these emails right away without confirming the sender information. We start with "discount special" subject lines. These lines are constructed using different combinations of words such as pharmacy, men, health, dear, and sale. These words are usually followed with some discount value (always more than 70 percent). The latest inclusion to the list is one that ends with a country name such as United States, Bulgaria, or Columbia. We have provided some examples of subject lines made with these words (the positions of the words change): Dear [email address] [date and time with time zone] 80% 0FF on [pharmaceutical company]. RE: Pharmacy Online Sale 82% OFF! SALE 73% OFF on [pharmaceutical company]! RE: UK Pharmacy Online Sale 80% OFF! Dear [email address] 78% 0FF on [pharmaceutical company] ! Dear [email address] 82% 0FF on Pharmacy. USA Discount 70% OFF on [pharmaceutical company]! RE: Pharmacy Online Sale 83% OFF! united states Re: Order status bulgaria Re: Order status colombia Spammers also depend on day-to-day utilized subject lines. These are normal lines that the users receive during their daily routine and may not bother to inspect the sender information. However, spammers will also go for sensational subject lines (similar lines have also been associated with virus attacks in the past): India began a 3rd WW! Hot! 100 Jackson's fans died Bill Gates made his virus! Is Kobe Bryant a rapist? Presidental shame! Jolie leaved children! Breathtaking spec-ops videos Spammers spoof the sending address with a random email or a user’s own email address. Even if a subject line looks normal, or sometimes a bit attractive (discount-related or sensational), we recommend that users should always examine the sender's address before opening unsolicited email.