Security Response
Showing posts tagged with Spam
Showing posts in English
Dylan Morss | 20 Dec 2008 00:26:04 GMT | 0 comments

After the shutdown of McColo, which was aiding the distribution of about half of all spam on the internet globally, spam volumes dropped. However, since mid-November, spam volumes have been slowly inching their way back up as old botnets are being brought back online and potential new botnets are being created.

At this point, spam volumes have slowly crept back up to 80 percent of their pre-McColo shutdown levels (when reviewing daily averages):

 

 

The types of spam being seen in new attacks are similar to what was being sent around the Internet prior to the shutdown. The spam messages can be categorized into the following groups:

  • Replica watches
  • Generic pharmacy
  • Erectile dysfunction drugs
  • Weight loss
  • Software

The spam is being sent from various countries...

Mayur Kulkarni | 18 Dec 2008 15:37:59 GMT | 0 comments

Spammers always try to come up with new tricks to bypass antispam filters. This time, they have shown an ability to partly (or sometimes completely) hide essential headers, taking header-based filters out of the picture. Except for the "Received" lines, we do not find any headers in the message.

 

Analyzing the samples, we see very few SMTP commands before the actual message. We think that spammers may be using a slamming technique, in which all of the SMTP commands necessary to transmit an email message to another mail server are fired without waiting for the normal SMTP responses from the remote machine. Most of the time the remote server will end up accepting the message, although this clearly disobeys SMTP behavior as per various Internet standards. Slamming is primarily done to send unsolicited emails as rapidly as possible or, in this case, possibly to hide all of the headers.

 

...
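One way to spot slamming in a mail server's session log, as an added example that is not part of the original post: it flags any client command sent before the server's 220 greeting or before the reply to the previous command. The event tuples, hostnames and the `find_slamming` name are constructed for illustration, and the exemption for servers that advertise PIPELINING (RFC 2920) goes beyond what the post describes.

```python
# Constructed sample sessions: (seconds, side, line); "C" = client, "S" = server.
# Hostnames and addresses are placeholders, not taken from the post.
SLAMMED = [
    (0.00, "S", "220 mx.example.test ESMTP"),
    (0.01, "C", "HELO bot.example.test"),
    (0.01, "C", "MAIL FROM:<a@example.test>"),
    (0.01, "C", "RCPT TO:<b@example.test>"),
    (0.01, "C", "DATA"),
    (0.30, "S", "250 mx.example.test"),
    (0.31, "S", "250 OK"),
    (0.31, "S", "250 OK"),
    (0.32, "S", "354 End data with <CR><LF>.<CR><LF>"),
]
PIPELINED = [
    (0.00, "S", "220 mx.example.test ESMTP"),
    (0.01, "C", "EHLO mta.example.test"),
    (0.05, "S", "250-mx.example.test"),
    (0.05, "S", "250-PIPELINING"),
    (0.05, "S", "250 SIZE 10240000"),
    (0.06, "C", "MAIL FROM:<a@example.test>"),
    (0.06, "C", "RCPT TO:<b@example.test>"),
    (0.10, "S", "250 OK"),
    (0.10, "S", "250 OK"),
]


def find_slamming(events):
    """Return (time, command, reason) for each client command sent out of turn."""
    greeted = False     # server's 220 greeting seen?
    pipelining = False  # server advertised PIPELINING (RFC 2920)?
    pending = 0         # client commands still awaiting a final reply
    findings = []
    for ts, side, line in events:
        if side == "S":
            if line.upper().startswith(("250-PIPELINING", "250 PIPELINING")):
                pipelining = True
            if line[3:4] == "-":
                continue  # multi-line reply; the final line is still to come
            if not greeted and line.startswith("220"):
                greeted = True
            elif pending:
                pending -= 1
        else:
            if not greeted:
                findings.append((ts, line, "sent before 220 greeting"))
            elif pending and not pipelining:
                findings.append((ts, line, "sent before previous reply"))
            pending += 1
    return findings
```

The log is assumed to hold command lines only, in arrival order; message body lines after DATA would need separate handling.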

Mayur Kulkarni | 18 Dec 2008 15:31:21 GMT | 0 comments

Like so many forms of donations today, contributions to cancer research and treatment can be made online. Unfortunately, any online business or charity can be prone to phishing attacks against unsuspecting users. We have come across messages posing as though they have been sent from a legitimate cancer institute, but with spoofed URLs inside. These spoofed URLs redirect users to fake websites where online donations can be made. When a user enters their email address and password for making payments, an error is shown and they are redirected to the legitimate site. This is common behavior seen with such attacks. The actual intention of these phishing websites is to harvest email addresses and steal confidential information.

Simple preventive measures such as manually typing legitimate URLs directly in the browser can be employed to make your...

Dermot Harnett | 11 Dec 2008 15:13:13 GMT | 0 comments

Webmail phishing was first reported earlier this year, but it has gained a higher profile in recent times. The call to action or general purpose of this attack is to obtain webmail credentials such as passwords and contact list email addresses. A number of different scenarios have been employed by webmail phishers to try and secure this information and have included:

Scenario 1

“We write to bring to your notice that we will be caring out some temporary maintenance on our service due to congestion in all email accounts and we are afraid that during this process email accounts of our customers will be deactivated; but just to avoid your email account from been deactivated and to enable your records remain in our database we advice you provide us with the below information or your email account will be suspended within 48 hours for security reasons.” (sic)

Scenario 2

...

Dermot Harnett | 09 Dec 2008 21:56:57 GMT | 0 comments

November 2008—what a month! A new U.S. president is elected and spam volumes drop significantly as a hosting company called McColo is shut down. While both these events were generally welcomed, the new President and the antispam community continue to face tough obstacles in the year ahead.

On November 11, 2008, McColo-hosted systems were shut down based on abuse complaints. As a result, spam volumes dropped dramatically across the world. The Symantec probe network saw a 65 percent drop in traffic when compared to the 24 hours before the McColo.com shutdown. As November drew to a close, Symantec saw that spam volumes have had various upward spikes and are again creeping upwards. These spikes indicate that a return to normal spam activity is in the works. While the profit motive behind spam continues to exist, spammers will regroup to drive new spam campaigns.

While the McColo shutdown may have brought some cheer to email users during this holiday season, spammers...

Mayur Kulkarni | 02 Dec 2008 17:20:03 GMT | 0 comments

India recently suffered a shocking terrorist attack, with hostage situations in Mumbai involving Indian nationals as well as tourists and travelers from all over the world. Updates on the terrorists’ activity are still being followed closely. Sadly, spammers would never want to miss the chance to capitalize on the fast-spreading news of this tragic incident, using the headlines for their fraudulent emails with product advertisements or malicious links/attachments. Symantec has come across spam messages showing news headlines regarding the Mumbai terror, but the content inside is completely unrelated and is advertising pills.

 

In the past, we have seen similar methods being used, where topical news headlines are used to lure recipients into opening unsolicited emails. Users are advised not to click on links found in such spam emails. Be wary of...

Amanda Grady | 28 Nov 2008 18:17:57 GMT | 0 comments

In recent weeks, Symantec has observed an increase in messages promoting online casinos, typically offering a cash bonus or VIP treatment. Leisure spam (defined as email attacks offering or advertising prizes, awards, or discounted leisure activities) has accounted for up to 10% of spam globally during early November. 

 

As we reported in the March 2007 State of Spam report, these attacks are often translated into many different European languages in order to maximize the reach of the attack. The URLs are quickly changed from message to message, with a simple directory change for each European language–a French example is shown below. Spammers change the URLs frequently in order to try and stay ahead of URL-based anti-spam filters. Symantec uses more than 20 different filtering technologies in order to ensure comprehensive blocking of...

Mayur Kulkarni | 26 Nov 2008 21:15:22 GMT | 0 comments

You may have come across multilingual translations of your favorite book or a popular movie. It’s a surefire way to extend one’s work to a wider audience. The desire for an extra buck has driven spammers to adopt similar tactics for their campaigns. Recent messages observed offered a job that included relaying payments between banks. In return, the “recipient” is allowed to retain some percentage of the amount transferred. This is a type of scam which involves the illegal activity of money laundering.

 

Initial English language spam attacks were followed by an Italian version within a space of ten days. The nature of the spam source (source IPs from different geographical locations) indicated that this attack was carried out through spamming bots.

Sample headers in English:

Subject: Vacancy! –cB
Subject: New Proposal! –aAzs

Sample headers in Italian:

Subject...

Dylan Morss | 24 Nov 2008 23:45:04 GMT | 0 comments

Although spam levels remain at a relatively low volume following the takedown of the spam host McColo last week, there is some evidence that spammers are starting to prepare for a rally. Late last week we observed the spam volume spike as much as 150% in an hour-to-hour comparison, which is about a seven percent increase since McColo was shut down.

In addition to overall spam volumes, the percentage of spam messages containing the text/HTML content type MIME part jumped to 55% of all spam, indicating a change in the overall makeup of spam. Prior to the McColo takedown, the overall percentage of spam messages containing the text/HTML content type MIME part was over 55%, but after the takedown the average has been around 34%. This change indicates that a return to normal spam activity could be in the works.

When we took a closer look at the spam contained in the spikes, it was revealed that there was an increased use of HTML. The spam messages were typical “...

Dermot Harnett | 19 Nov 2008 17:21:14 GMT | 0 comments

January to March is traditionally the time when taxpayers in the U.S. become reacquainted with their tax advisers as the mid-April “tax day” deadline looms. Unfortunately, this period has also become a time when phishing directed towards the IRS becomes more prevalent. As reported in the Symantec State of Spam report for April 2008, spammers continued to attempt to disguise themselves as the IRS, dangling an offer of a tax refund to unwitting recipients.
 
Imagine our surprise when we observed a phishing attack using the IRS brand in November—nearly five months before the next deadline for individual taxpayers. This phishing email indicated that the recipient was eligible to receive a tax refund and directed them to a website where the refund would be processed. The fraudulent site, branded with the IRS logo, is being used as a collection tool for credit card and other personal information.

The spam attack could be trying to take advantage of...