Spam messages with empty bodies are often associated with “directory harvest attacks,” which is a spamming technique where email servers are bombarded with thousands of emails in the hope of discovering the valid ones; or it may be that the call to action is entirely contained in the subject line (as is described here). In recent weeks Symantec has been observing a different type of blank-body spam attack.
In these attacks, when the message arrives on the end-user’s machine, the “subject,” “from” line, “to” line, and “body” are all completely blank. If the full message headers are examined, a typical pharmaceutical spam advertisement can been seen in the message headers, along with the content headers from the data stage of the SMTP conversation, as shown below.
Symantec has observed at least two major social networking sites being spoofed in spam attacks this week. The spam is likely hitching a ride on the back of a recent phishing scam, as discussed on our Norton Protection Blog. The spam emails appear to be official notifications from the social networking sites, with identical subject line formats. The headers of the messages, such as message ID, received lines, and even the custom X-headers have been carefully crafted to closely mimic a legitimate email as closely as possible.
The lure of the emails is the promise of a free mobile phone. There are two different attack vectors being used. In the first variation the user is invited to click directly on a link in the email. In some cases, a free blogging site is used as an intermediary to...
In recent weeks, Symantec has observed an increase in messages promoting online casinos, typically offering a cash bonus or VIP treatment. Leisure spam (defined as email attacks offering or advertising prizes, awards, or discounted leisure activities) has accounted for up to 10% of spam globally during early November.
As we reported in the March 2007 State of Spam report, these attacks are often translated into many different European languages in order to maximize the reach of the attack. The URLs are quickly changed from message to message, with a simple directory change for each European language–a French example is shown below. Spammers change the URLs frequently in order to try and stay ahead of URL-based anti-spam filters. Symantec uses more than 20 different filtering technologies in order to...
