Security Response
Showing posts tagged with Spam
Showing posts in English
Dermot Harnett | 08 Jan 2009 13:41:28 GMT | 0 comments

Happy New Year! At this time of year, personal and professional resolutions are often made. These resolutions are often broken within a few days, but it is clear that one resolution will not be broken in 2009. Spam levels are slowly creeping back up to their pre-McColo shutdown levels and spammers have come back fighting. You may remember that on November 11, 2008, McColo-hosted systems were shut down based on abuse complaints. As a result, spam volumes dropped dramatically across the world. However, recent statistics indicate that spam volumes have slowly crept back up to 80 percent of their pre-McColo shutdown levels.
In recent days, Symantec has also observed that spammers are continuing to piggyback on legitimate newsletters and using the reputation of major social networking sites to try and deliver spam messages into recipients’ inboxes. The social networking spam messages were carefully crafted to closely mimic the legitimate notification emails often...

Amanda Grady | 07 Jan 2009 19:20:24 GMT | 0 comments

Symantec has observed at least two major social networking sites being spoofed in spam attacks this week. The spam is likely hitching a ride on the back of a recent phishing scam, as discussed on our Norton Protection Blog. The spam emails appear to be official notifications from the social networking sites, with identical subject line formats. The headers of the messages, such as the message ID, the Received lines, and even the custom X-headers, have been carefully crafted to mimic a legitimate email as closely as possible.

The lure of the emails is the promise of a free mobile phone. There are two different attack vectors being used. In the first variation the user is invited to click directly on a link in the email. In some cases, a free blogging site is used as an intermediary to...

Dylan Morss | 20 Dec 2008 00:26:04 GMT | 0 comments

After the shutdown of McColo, which was aiding the distribution of about half of all spam on the internet globally, spam volumes dropped. However, since mid-November, spam volumes have been slowly inching their way back up as old botnets are being brought back online and potential new botnets are being created.

At this point, spam volumes have slowly crept back up to 80 percent of their pre-McColo shutdown levels (when reviewing daily averages).

The types of spam being seen in new attacks are similar to what was being sent around the Internet prior to the shutdown. The spam messages can be categorized into the following groups:

  • Replica watches
  • Generic pharmacy
  • Erectile dysfunction drugs
  • Weight loss
  • Software

The spam is being sent from various countries around the world and is...

Mayur Kulkarni | 18 Dec 2008 15:37:59 GMT | 0 comments

Spammers always try to come up with new tricks to bypass antispam filters. This time, they have shown an ability to partly (or sometimes completely) hide essential headers, taking header-based filters out of the picture. Except for the "Received" lines, we do not find any headers in the message.

Analyzing the samples, we see very few SMTP commands before the actual message. We think that spammers may be using a slamming technique, in which all of the SMTP commands necessary to transmit an email message to another mail server are fired off without waiting for the normal SMTP responses from the remote machine. Most of the time the remote server will end up accepting the message, although this clearly violates SMTP behavior as defined by the relevant Internet standards. Slamming is primarily done to send unsolicited emails as rapidly as possible or, in this case, possibly to hide all of the headers.
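A header-completeness check is one way a mail gateway can flag the messages described above. The following is an added example (not Symantec's code); it uses Python's standard email parser on constructed samples, treats From and Date as required (they are mandatory in RFC 5322), and flags a message that carries Received lines but none of the required originator headers.

```python
import email
from email import policy

# RFC 5322 makes From and Date mandatory; the others are expected on normal mail.
REQUIRED_HEADERS = ("From", "Date")
EXPECTED_HEADERS = ("Message-ID", "Subject", "To")

# Constructed sample: only Received lines survive, then straight into the body.
STRIPPED_SAMPLE = (
    b"Received: from mx.example.net ([192.0.2.10]) by mail.example.com;"
    b" Thu, 18 Dec 2008 10:00:00 +0000\r\n"
    b"Received: from [198.51.100.7] by mx.example.net;"
    b" Thu, 18 Dec 2008 09:59:58 +0000\r\n"
    b"\r\n"
    b"Cheap pills, click here\r\n"
)

# Constructed sample: a normally formed message for comparison.
NORMAL_SAMPLE = (
    b"Received: from mx.example.net ([192.0.2.10]) by mail.example.com;"
    b" Thu, 18 Dec 2008 10:00:00 +0000\r\n"
    b"From: alice@example.org\r\n"
    b"To: bob@example.com\r\n"
    b"Date: Thu, 18 Dec 2008 09:59:00 +0000\r\n"
    b"Message-ID: <20081218.1@example.org>\r\n"
    b"Subject: hello\r\n"
    b"\r\n"
    b"hi\r\n"
)

def header_gaps(raw: bytes) -> dict:
    """Count Received lines and list which required/expected headers are absent."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    present = {name.lower() for name in msg.keys()}
    return {
        "received": len(msg.get_all("Received", [])),
        "missing_required": [h for h in REQUIRED_HEADERS if h.lower() not in present],
        "missing_expected": [h for h in EXPECTED_HEADERS if h.lower() not in present],
    }

def is_header_stripped(raw: bytes) -> bool:
    """True when the message was relayed (has Received lines) yet lacks a mandatory header."""
    gaps = header_gaps(raw)
    return gaps["received"] > 0 and bool(gaps["missing_required"])
```

On a real gateway this check would feed a score alongside other signals rather than reject outright, since some legitimate but misconfigured senders also drop headers.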


Mayur Kulkarni | 18 Dec 2008 15:31:21 GMT | 0 comments

Like so many forms of donations today, contributions to cancer research and treatment can be made online. Unfortunately, any online business or charity can be targeted by phishing attacks against unsuspecting users. We have come across messages posing as though they have been sent from a legitimate cancer institute, but with spoofed URLs inside. These spoofed URLs redirect users to fake websites where online donations can supposedly be made. When a user enters their email address and password to make a payment, an error is shown and they are redirected to the legitimate site. This is common behavior in such attacks. The actual intention of these phishing websites is to harvest email addresses and steal confidential information.

Simple preventive measures such as manually typing legitimate URLs directly in the browser can be employed to make your...

Dermot Harnett | 11 Dec 2008 15:13:13 GMT | 0 comments

Webmail phishing was first reported earlier this year, but it has gained a higher profile in recent times. The call to action or general purpose of this attack is to obtain webmail credentials such as passwords and contact list email addresses. A number of different scenarios have been employed by webmail phishers to try and secure this information and have included:

Scenario 1

“We write to bring to your notice that we will be caring out some temporary maintenance on our service due to congestion in all email accounts and we are afraid that during this process email accounts of our customers will be deactivated; but just to avoid your email account from been deactivated and to enable your records remain in our database we advice you provide us with the below information or your email account will be suspended within 48 hours for security reasons.” (sic)

Scenario 2


Dermot Harnett | 09 Dec 2008 21:56:57 GMT | 0 comments

November 2008—what a month! A new U.S. president is elected and spam volumes drop significantly as a hosting company called McColo is shut down. While both these events were generally welcomed, the new President and the antispam community continue to face tough obstacles in the year ahead.

On November 11, 2008, McColo-hosted systems were shut down based on abuse complaints. As a result, spam volumes dropped dramatically across the world. The Symantec probe network saw a 65 percent drop in traffic when compared to the 24 hours before the shutdown. As November drew to a close, Symantec saw that spam volumes had various upward spikes and were again creeping upwards. These spikes indicate that a return to normal spam activity is in the works. As long as the profit motive behind spam continues to exist, spammers will regroup to drive new spam campaigns.

While the McColo shutdown may have brought some cheer to email users during this holiday season, spammers...

Mayur Kulkarni | 02 Dec 2008 17:20:03 GMT | 0 comments

India recently suffered a shocking terrorist attack, with hostage situations in Mumbai involving Indian nationals as well as tourists and travelers from all over the world. Updates on the terrorists’ activity are still being followed closely. Sadly, spammers would never want to miss the chance to capitalize on the fast-spreading news of this tragic incident, using the headlines for their fraudulent emails with product advertisements or malicious links/attachments. Symantec has come across spam messages showing news headlines regarding the Mumbai terror, but the content inside is completely unrelated and is advertising pills.


In the past, we have seen similar methods being used, where topical news headlines are used to lure recipients into opening unsolicited emails. Users are advised not to click on links found in such spam emails. Be wary of...

Amanda Grady | 28 Nov 2008 18:17:57 GMT | 0 comments

In recent weeks, Symantec has observed an increase in messages promoting online casinos, typically offering a cash bonus or VIP treatment. Leisure spam (defined as email attacks offering or advertising prizes, awards, or discounted leisure activities) has accounted for up to 10% of spam globally during early November.


As we reported in the March 2007 State of Spam report, these attacks are often translated into many different European languages in order to maximize the reach of the attack. The URLs are quickly changed from message to message, with a simple directory change for each European language–a French example is shown below. Spammers change the URLs frequently in order to try and stay ahead of URL-based anti-spam filters. Symantec uses more than 20 different filtering technologies in order to ensure comprehensive blocking of...

Mayur Kulkarni | 26 Nov 2008 21:15:22 GMT | 0 comments

You may have come across multilingual translations of your favorite book or a popular movie. It’s a surefire way to extend one’s work to a wider audience. The desire for an extra buck has driven spammers to adopt similar tactics for their campaigns. Recent messages observed offered a job that included relaying payments between banks. In return, the “recipient” is allowed to retain some percentage of the amount transferred. This is a type of scam that involves the illegal activity of money laundering.

Initial English language spam attacks were followed by an Italian version within a space of ten days. The nature of the spam source (source IPs from different geographical locations) indicated that this attack was carried out through spamming bots.

Sample headers in English:

Subject: Vacancy! –cB
Subject: New Proposal! –aAzs

Sample headers in Italian:

Subject: IL lavoro...