Spam Evolution: April 2008

Spam in mail traffic averaged 86.2% in April 2008. A low of 68.6% was recorded on 28 April, while a high of 93.9% occurred on 9 April. The share of graphical spam declined considerably in April compared to March and was only 13%.

In April the top five leading spam categories remained unchanged from the previous month:

1. Medications, health-related goods and services (16.4%)
2. Education (15.6%)
3. Fake designer watches (11.6%)
4. Travel and tourism (9.8%)
5. Computers and the Internet (4.3%)

The Medications, health-related goods and services category maintained its leading position. The lion’s share of spam in this category is English-language adverts for viagra, which is so popular because no prescription is required to buy it (viagra is classified as a prescription drug in a number of countries). In Russia, however, viagra is freely available at any drug store, so Russian-language adverts for it are rare.

An interesting new trend in April, therefore, was the appearance of Russian-language spam advertising viagra. The text of the message was translated from an English-language version. The site mentioned in the advertisement by the spammers included the caveat “Generic viagra for sale here”, which continued: “exact copy of the world’s most famous medication for male erectile dysfunction”. The fact that Russian consumers are only really attracted by low prices meant the mailing was short-lived.

A Russian-language advert for viagra. The body of the text is interspersed with full stops that break up the individual words.

As the school year draws to an end, spammers actively exploited the theme of school leaving exams and higher education entry exams, keeping the Education category in second place. Another popular theme was the option of avoiding entry exams altogether.

According to Russian legislation, the results of school-leaving exams are only valid for a year. Entering a higher educational institution after that period means the exams have to be passed once again. The advert above offers a way of avoiding repeat exams: a certificate with the required pass results can be obtained by simply signing up for a distance-learning course and paying a “fee”. Those interested in the offer are told to hurry and apply before June 10, 2008, and also to tell their friends.

Spam messages offering fake designer goods remained in third place. The sale of replica goods also took on an unexpected “political” slant. In the run up to the inauguration of Russia’s new president, spam messages started offering “A watch like Putin’s”. A cheap copy of the outgoing president’s chronometer was not the only thing on offer: lots of other goods of a similar “quality” were also available.

Translation:

More and more spam with offers to pay for goods and services via SMS messages sent to short numbers is appearing on the Russian Internet. Even if the spam message states that the SMS is free of charge, it doesn’t mean it actually is. There is also no guarantee that the user will get what he wanted and that his money won’t just end up lining the pocket of a cybercriminal.

Spammers continue to use Mail.ru logos to make their messages look more respectable. The message below deliberately promotes a dating service because it entails further communication and new contacts. These types of messages usually include an attractive photo, and only mention further down the page that you have to pay to communicate. The very fact that the service is not free should arouse suspicion.

Вам оставлено сообщение на мобильном портале Mail.ru, пользователем Для прочтения сообщения, отправьте смс со словом tt456734 на номер 4449 Услуга доступна для жителей РФ и граждан СНГ, стоимость услуги 0.3$ + НДС) Сообщение отправлено 26.04.2008 Спасибо за то, что Вы являетесь пользователем Mail.Ru. С уважением, администрация Mail.Ru (1518450363)

Translation:

Today, even the financial pyramid schemes that used to offer the opportunity of huge online earnings only send out information after receiving an SMS message. For the cost of an outgoing message (5 rubles, or about 20 cents) the user contributes to a business named MLM. It goes without saying that a spammer who promises the recipient “earnings” with no initial investment can hardly be trusted.

Translation:

On the eve of the 30th anniversary marking the first spam message sent via email, users were being offered equipment not only for sending spam but also to protect against it.

Sympathetic-sounding mass mailings with the theme “Tired of spam? Call us!!!” promoted nothing other than anti-spam and antivirus products from the German company Avira. It is unclear whether this was just another case of black PR, or the Russian representatives of Avira using unorthodox methods to advertise the services of Avira’s dealers in Russia.

In April, Russian-language spam promoting anti-virus products added to the usual English-language advertisements for very cheap software. The main difference was that the Russian-language spam was offering the programs for free.

Users should be particularly careful when downloading “antivirus” files from unknown sources, because they may turn out to be malicious programs.

If earlier spammers offered the option of unsubscribing from unsolicited mailings, the latest trick is the option of unsubscribing by phone. This method is hardly likely to eradicate spam, and if anything will ensure it continues: by phoning, a user is merely confirming an email account is active and ensures that the address remains in illegitimate mailing databases.

In order to bypass filtration systems, spammers are willing to modify texts to such an extent that they become unreadable. The flow of spam in April was marked by a wave of messages containing heavily disguised telephone numbers. As seen from the example below, the figures are interspersed with letters, which change from message to message. This method did not gain popularity, however, because only those really interested in the topic would be patient enough to work out the exact telephone number. By the end of the month the technique had already disappeared from the flow of spam.

Translation:

One new method of obfuscating text is to replace random letters in links with special UTF codes. Each letter in the UTF code corresponds to a certain set of symbols. When sending messages containing one and the same link, spammers replace different letters with codes in each individual message. Because spam filters work with the original message, they do not recognize the link and, subsequently, that the messages belong to the same mass mailing. A mail client then coverts the codes into the corresponding letters meaning the user never notices any of the changes made.

How the original message looks

The message that the recipient sees

Russian-language mailings advertising sites in the .tk domain zone, which belongs to Tokelau, have resumed. Spammers use this free registration zone to create a large number of duplicate pages, thus increasing the chances of evading anti-spam systems.

Two links that lead to the same Russian-language site selling DVDs of popular films which have been re-dubbed with humorous voiceovers.

April once again saw spammers sending pictures that contained text positioned at various angles (see below), which was meant to prevent such images from being detected.

In a variation of this technique, spammers also sent several mass mailings containing pictures with handwritten text in an attempt to bypass spam detectors.

An image with a handwritten message offering an SMS message service that allows the sender’s number to be masked, making the message look as though it is from another number.

In the first instance it is easy to read the text of the message, though the second picture may pose problems not only for spam filters but also those not used to reading handwriting.

With the approach of the summer holiday season, the amount of spam in mail traffic is declining, and the trend looks set to continue into the summer. However, the fact that spammers are continuing to search for new technologies that bypass anti-spam filters suggests that it will only be a seasonal decline. Moreover, the criminal element in spam is becoming more prevalent, which in turn attracts those who want to profit illegally and further contributes to the criminalization of spam. Unfortunately, the chances of spammers calling a “ceasefire” or “capitulating” in the war on spam are highly unlikely.

1. The amount of spam in mail traffic fell compared to March’s (https://securelist.com/spam-evolution-march-2008/36210/) figure and averaged 86.2%.
2. 0.76% of messages contained malicious files and links to infected web sites.
3. 1.3% of messages contained links to phishing sites.
4. The amount of spam containing graphical attachments fell considerably compared to March’s figure and accounted for just 13% of spam.
5. The amount of unsolicited mass mailings containing offers to pay for services via SMS messages increased.
6. Spammers used special codes to mask messages.
7. Spam containing links to advertising sites in the .tk domain zone resumed