Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts tagged with Messaging Gateway
Showing posts in English
Eric Park | 03 Mar 2011 20:34:12 GMT

In this blog published in January, we followed-up on the spam volume saga as the Rustock botnet returned to action on January 10. At the time, it looked like the holidays were over for spammers. Did the prediction hold up?

Yes, as it turns out. Over the following six weeks, the global spam volume has remained more or less flat. Towards the end of February however, it is showing a bit of a decline.

A similar pattern can be seen for the global spam percentage:

Even though the spam volume has somewhat recovered, it is nowhere near what it was one year ago. This chart shows the global spam volume in the month of February in 2010 and 2011:

Suyog Sainkar | 03 Mar 2011 20:09:12 GMT

Spammers often use a variety of obfuscation methods in an attempt to bypass anti-spam filters. We did some follow up analysis on a recent dating spam attack in which the spammers made use of URLs in the message body with spaces inserted in between characters in the URL. Although this obfuscation technique has been much used in the past, it has not been as prevalent in recent times. This particular spam attack was active during the last week of January and lasted until the first week of February, 2011. Approximately 12,000 spam messages were observed in this attack.

The subject and message body in this spam attack were randomized in addition to the URL obfuscation.

Sample subject line variations observed in this attack are:

Subject: Svetlana Martyushova appeared in the chat

Subject: Tatyana Zhivkova - waiting on you

Subject: Kazak Avrora thinks...

Mathew Maniyara | 01 Mar 2011 14:13:39 GMT

On February 22, 2011, a massive 6.3 magnitude earthquake devastated the New Zealand city of Christchurch. As per the official reports, the death toll has reached 75—a number that may yet increase. Thousands of people in New Zealand have lost their homes and search operations are still in progress. Fraudsters, as usual, are taking advantage of this by sending spam mails that request donations. In January, phishers had used the same ploy of asking for fake donations for victims of the Serrana floods.


The phishing site spoofed the Red Cross website for New Zealand and requested help from end users. Firstly, the phishing site gave details of the earthquake, highlighting the extent of the damage in the city...

Samir_Patil | 23 Feb 2011 13:51:47 GMT

The Tunisian wave has captured the minds of people across the Middle East region. What is surprising to note is the creative use of the Internet in discussing such sensitive issues. The unrest in Tunisia has "tsunamied" into a mass movement straight at the heart of the Arab world. Egypt, with the ousting of President Hosni Mubarak, has become ground zero of this wave. But, as this movement gains momentum and spreads, there are many waiting to misuse this space—as demonstrated in the sample discussed below.

In this typical 419 scam message, the scammer masquerades as the erstwhile President Hosni Mubarak. A handsome proposal, considering the (bogus) bonanza of a 30% handling fee to be given to the one who cooperates in siphoning his booty out of Egypt. Further, because of the urgency of the situation, one is required to give "full contact information" as well...

Amanda Grady | 22 Feb 2011 19:38:38 GMT

With just over two months to go before the wedding of Prince William and Kate Middleton, it’s no surprise to find this significant event is being used to promote products. Emails advertising a replica of Princess Diana’s engagement ring were observed in the past few days, sent by well established spammers.

Although infected botnet machines are responsible for the vast majority of spam sent globally (77% at the end of 2010), these attacks do not fall in that category, and in fact the IP which is sending the spam is the same as the one hosting the domain which is linked to in the email. This domain has also been used in other spam campaigns, such as the long running Who’s Who social networking spam messages (see our May 2008 State of Spam report for similar attacks)....

Samir_Patil | 18 Feb 2011 14:47:28 GMT

In the United States, Presidents' Day is celebrated on the third Monday of February to honor two of America’s greatest presidents, Abraham Lincoln and George Washington. This year, Presidents' Day will be celebrated on February 21. Recently, Symantec has observed spam attacks leveraging Presidents' Day and has seen attempts to exploit the "groups" function of a social networking site.

The samples shown below are screenshots of one such group from a social networking website. The group is quite obviously trying to exploit the Presidents' Day event:

The group description “MEGA SPAM!... Spam YOUR A TOOL! on your messages” [sic] is an attempt to inspire group members to start...

Eric Park | 11 Feb 2011 12:21:34 GMT

The global spam volume, which has been the discussion topic for several months, appears to have finally stopped its decline. The month-over-month global spam volume was down in January again, but this was mostly due to the Rustock botnet shutdown, seen for the first 10 days of the year. We expect to see a month-over-month increase in spam volume in February, which will be a first since August 2010. Overall, spam made up 79.55% of all messages in January, compared with 81.69% in December.  

To find out more, click here the February 2011 State of Spam & Phishing Report, which highlights the following trends:

•    Conclusion of Spam Volume Saga
•    Turmoil in Egypt Shuts Down the Spammers
•    Scammers Seek Support for Serrana Flood Victims

Samir_Patil | 09 Feb 2011 15:47:32 GMT

The domain .РФ (.rf) is the internationalized domain name (IDN) for domains registered under the Russian Federation. The .rf top-level domain (TLD) became operational on May 13, 2010, and was officially opened up for public registration on November 11, 2010. The traditional country code top-level domain (ccTLD) for Russia is .ru. In recent times, we have been observing a considerable amount of spam emanating from the .ru TLD. With .rf domains becoming available for public use, spammers will now have a new lease of life.

Let's delve a little deeper into what TLD means to Russia. рф (Российская Федерация) is transliterated as “Rossiyskaya Federatsiya”, i.e. the Russian Federation. The domain has an ASCII representation of xn--p1ai, derived as punycode for use in the domain name system (DNS). It is intended for...

Samir_Patil | 07 Feb 2011 23:39:45 GMT

The most awaited tournament for cricket lovers, the ICC World Cup 2011, begins on February 19, 2011. The ICC World Cup is being played in the Indian subcontinent, and the country’s cricket-crazy population is all set to get hold of World Cup tickets in every possible way—all to witness and experience live international cricket in action. Since this is a hugely followed international sporting event across the world, Symantec has anticipated spam attacks and other Internet threats related to the event. As expected, we are observing World Cup spam in the Symantec Probe Network.

The spam message invites users to attend the final game of World Cup 2011 in Mumbai, India. The invite offers multiple executive club facilities such as a private table, a gourmet champagne brunch, and much more for 10 guests. This may sound like an attractive deal; however, it is simply bait for Internet users/cricket fans who are keen to be a part of the World Cup Final and experience the...

Shravan Shashikant | 02 Feb 2011 18:55:33 GMT

The events in Egypt over the past few days have captured the attention of people around the world. As history unravels in Egypt, there have been attempts to cut down on all communications. We’ve been tracking the spam output originating from Egypt in our systems over the past few days.

As also reported by Arbor networks, around 2:00 pm on January 27 we started noticing a fall in spam traffic from Egypt. When we look at a city-level breakdown, it appears that traffic from Cairo was affected immediately. Traffic from Giza seemed to continue for a few more hours, albeit at spotty levels, and eventually dropped off around midnight Pacific Time:

Since then, traffic from Egypt has been eerily silent...