Security Response

The Unexpected – A Spin-Off of the "Tricky New Spam Tactic"

Created: 08 Feb 2007 08:00:00 GMT • Updated: 23 Jan 2014 18:52:45 GMT
Kelly Conley

I just received a legitimate e-newsletter from a science gadget company. I'm reading along about robotic arms and hands and the use of these objects in operating rooms. I'm immersed in this email. It's pretty interesting stuff. To imagine the steps that we've made with science and technology in the past 50 years or less is truly mind-boggling. Then I get to the end. Or not.

There it is. A URL. Why is it there and where does it lead? It must have something to do with scientific gadgets. Does it take me back to the main Web site? Does it take me to another reference of robotic use in operating rooms? It isn’t the opt-out, because that URL is just above this one.

I click and it doesn't take me anywhere that I would have guessed. In fact, it is not related to science or technology at all. The URL takes me to an adult-related meds site. What is the correlation? Is there supposed to be one between readers of science newsletters and Viagra? I have no idea what the connection is, if any, but it is starting to feel familiar. Random URL at the bottom of a legitimate e-newsletter. Ring any bells? It does for me. I suddenly realize that while I thought I was reading a legitimate newsletter, I was actually reading a hijacked newsletter; one that had been turned into spam.

This is a new spin on a tricky spam tactic that I discussed in a blog in December. Spammers had found a way to take a legitimate-looking email ad and embed an image for an ad of their own. When you looked at the opened email, you saw the spam ad followed by a replica of the real ad. In this new technique, instead of an image, spammers are inserting a URL at the bottom of a legitimate newsletter.

The other obvious difference is that with the original incarnation of this technique the headers had looked authentic. This acted to assure the readers that the message was coming from a legitimate source. What we are seeing now is that the headers look randomized and, therefore, not legitimate. With this technique, there is nothing about the headers that would encourage an average reader to open and view the email. From the headers alone, most people would have no idea that there was a newsletter inside. Which makes me wonder, why do it?

While the previous technique was pretty sneaky, this one is a step back in sophistication. The headers do not look legitimate and the tiny URL at the bottom of the newsletter may be easily overlooked. One possible reason for this tactical change is that the spammer is banking on anti-spam filters creating false positives on these messages. This isn’t the case for us. We can still block this variant without false positive risk. What will they think of next? Whatever it is, we’ll be ready.
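The two traits described above (a stray URL appended after the newsletter's own links, and a sender that does not match the newsletter) can be checked mechanically. The following is an added example, not code from the original post or from any Symantec product; the heuristic, the function names, and all `.example` domains and message text are constructed assumptions.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def site(host):
    # Crude stand-in for the registrable domain: the last two labels.
    # Assumption: a production filter would use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_newsletter(raw):
    """Flag a single-part text message whose last URL and sender do not
    belong to the site that the rest of the message links to."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # assumption: not multipart, not encoded
    sites = [site(urlsplit(u).hostname or "") for u in URL_RE.findall(body)]
    earlier = sites[:-1]
    dominant = Counter(earlier).most_common(1)[0][0] if earlier else None
    sender = site(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    return {
        "dominant_site": dominant,
        "trailing_site": sites[-1] if sites else None,
        # Last link points somewhere none of the earlier links do.
        "trailing_foreign": bool(earlier) and sites[-1] not in earlier,
        # From: domain differs from the site the newsletter links to.
        "sender_mismatch": dominant is not None and sender != dominant,
    }

# Constructed sample: newsletter text with one extra URL after the opt-out.
HIJACKED = """\
From: qzx81 <qzx81@mail.example.org>
Subject: hvtr kk

Robotic arms in the operating room: http://www.gadgets.example/robots
More articles: http://www.gadgets.example/archive
Unsubscribe: http://lists.gadgets.example/optout

http://pills.example.net/
"""

# Constructed sample: the same newsletter as the publisher would send it.
CLEAN = """\
From: Gadget News <news@gadgets.example>
Subject: Robots in the operating room

Robotic arms in the operating room: http://www.gadgets.example/robots
Unsubscribe: http://lists.gadgets.example/optout
"""

if __name__ == "__main__":
    print(check_newsletter(HIJACKED))
    print(check_newsletter(CLEAN))
```

Either signal alone is weak, since legitimate newsletters link to third parties and use mailing services; the combination is what matches the pattern in this post.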