Spam Report January 2010
1. January 2010 Report #37
Notable highlights from December 2009 include the shift in the region of spam message origin
and changes in the average size of spam messages. In recent months, APJ and South America
have been taking spam share away from the traditional leaders of North America and EMEA.
However, North America and EMEA together sent 57 percent of spam messages in December
2009, compared with 50 percent in November 2009.
With respect to the average size of the messages, the 2KB-5KB message size category increased
by 7 percentage points, while the 5KB-10KB message size category decreased by 6 percentage points in
December 2009. This change corresponds with a decrease in attachment spam. Attachment
spam averaged 4.48 percent in December 2009, compared with 5.28 percent in November
2009. With respect to all spam categories, health and product spam have increased, and now
account for 52 percent of all spam messages.
The following trends are highlighted in the January 2010 report:
Xmas Card, Loaded with Malware
Your Bank Has Declared Bankruptcy
Pills From Amazon?
December 2009: Spam Subject Line Analysis
“Dotted Quad” Spam Shows Sign of Eruption
Andy Lau Talks Chinese Invoice Spam
Dylan Morss, Executive Editor, Antispam Engineering
Eric Park, Editor, Antispam Engineering
Sagar Desai, PR contact, sagar_desai@symantec.com
2. Xmas Card, Loaded with Malware
Last month’s State of Spam Report highlighted top seasonal subject lines as the holidays approached.
Once again, Symantec researchers have monitored the typical holiday spam, ranging from replica
goods and online pharmacy products to Nigerian-type scams. It was interesting to see a spam
message pretending to be a holiday greeting card from a financial institution.
It is also important to note that this spam message can be easily changed into a phishing/fraud
message. This could be accomplished by making minor changes to the email message source.
3. Your Bank Has Declared Bankruptcy
Due to the current recession, the FDIC (Federal Deposit Insurance Corporation) has closed many
failed banks. By mid-December, 140 banks had been closed by the FDIC in 2009. Given the
amount of press coverage such news garners in the media, it is no surprise that spammers are
taking advantage of this trend for their benefit.
In the example above, spammers are claiming that the bank has declared bankruptcy. When
the user clicks on the provided link to “learn how to save money,” Trojan.Pidief tries to install
itself on the machine.
Symantec advises users to check reliable news outlets as well as the official FDIC website to
determine whether the banks indeed have been taken over by the government. As this example
shows, spammers continue to look for ways to increase the chances of their messages being
opened by users. Symantec expects such techniques to continue in 2010.
4. Pills from Amazon?
Spammers have been taking advantage of various “freeweb” services in an effort to bypass
filters. Some have used URL shortening services to mask the true destination URL while others
have abused a variety of social networking sites/tools by creating a profile that is really a spam
campaign.
While Symantec researchers have monitored spam which purported to be from Amazon, this
particular spam message was different in that the spammer actually created an account on the
retailer’s website. Then, the spammer sent the message via Amazon’s email system with its
links.
When users click on the link provided in the message, they are directed to the Amazon website.
5. December 2009: Spam Subject Line Analysis
In December 2009, the top ten subject lines used by spammers were dominated by a mixture
of Nigerian-type and online pharmacy spam. This correlates with the doubling of the “health”
category from 8 percent in November 2009 to 16 percent in December 2009. Meanwhile, NDR bounce
spam, which appeared on the previous month’s list, averaged 1.28 percent of all spam
(it accounted for 2.23 percent in November). Spam messages containing malware also fell,
averaging 0.32 percent of all spam messages (they accounted for 1.35 percent in November).
6. “Dotted Quad” Spam Shows Signs of Eruption
Symantec researchers are observing an unusually large increase in volume of spam containing
hijacked IPs. Furthermore, review of spam with hijacked IPs indicates that one specific attack
was responsible for this volume change.
Spam messages with hijacked IPs more than tripled in December 2009, compared with the volume
in November 2009. While this type of attack makes up a very small chunk of overall spam
messages, there were certain periods in December when “dotted quad” spam accounted for a
significant percentage. For example, such spam was over 25 percent of overall spam during
the hour of 6:00 am PST on December 24th.
Symantec researchers investigated such spikes and found consistency among the spam messages.
A particular spam attack leading users to online pharmacy sites was using hijacked IPs
in its campaign.
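The report describes “dotted quad” spam as messages whose links point at bare (hijacked) IP addresses rather than domain names, and measures it as a share of overall spam per hour. As an added example that is not part of the report, the following detector flags such URLs and computes that hourly share over a constructed sample; the sample messages and hosts are invented for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches http(s) URLs whose host is a bare IPv4 "dotted quad" such as
# http://192.0.2.44/path or http://198.51.100.7:8080/track. The negative
# lookahead stops a fifth label (e.g. 1.2.3.4.example) from matching.
DOTTED_QUAD_URL = re.compile(
    r"https?://(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?![\w.-])",
    re.IGNORECASE,
)


def has_dotted_quad_url(body: str) -> bool:
    """True if the message body links to a host written as a raw IPv4 address."""
    for match in DOTTED_QUAD_URL.finditer(body):
        # Reject things like 999.1.1.1 that only look like an address.
        if all(0 <= int(octet) <= 255 for octet in match.groups()):
            return True
    return False


def hourly_dotted_quad_share(messages):
    """Map each hour to the fraction of spam in that hour containing a
    dotted-quad URL. messages: iterable of (datetime, body) pairs."""
    total = defaultdict(int)
    hits = defaultdict(int)
    for ts, body in messages:
        hour = ts.replace(minute=0, second=0, microsecond=0)
        total[hour] += 1
        if has_dotted_quad_url(body):
            hits[hour] += 1
    return {hour: hits[hour] / total[hour] for hour in total}


# Constructed sample spam (not data from the report): four messages in the
# 6:00 hour, two with bare-IP links, and one message in the 7:00 hour with none.
SAMPLE = [
    (datetime(2009, 12, 24, 6, 5), "Cheap meds http://192.0.2.44/buy?ref=xmas"),
    (datetime(2009, 12, 24, 6, 12), "Visit http://pharmacy.example.com/deal"),
    (datetime(2009, 12, 24, 6, 30), "Your order http://198.51.100.7:8080/track"),
    (datetime(2009, 12, 24, 6, 59), "Greetings from http://cards.example.net"),
    (datetime(2009, 12, 24, 7, 10), "Version 10.2.3.4 is out: http://example.org/notes"),
]

if __name__ == "__main__":
    for hour, share in sorted(hourly_dotted_quad_share(SAMPLE).items()):
        print(hour.strftime("%Y-%m-%d %H:00"), f"{share:.0%}")
```

A threshold on the hourly share (the report cites an hour above 25 percent) is a simple way to turn this into an alert on an otherwise low-volume attack type.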
As always, users cannot be certain whether the medications are genuine, or whether they will
even be delivered in the first place. Worse, there is a high possibility that users who order through
these sites become victims of identity theft. Users are advised to consult with their doctors for
their health needs.
7. Andy Lau Talks Chinese Invoice Spam
While invoice spam makes up a large slice of Chinese spam, the message often contains a plain
text-based advertisement (although the text may be an image). In the example below, spammers
are leveraging a celebrity’s status by using Andy Lau’s image.
Users should not call a number featured in invoice spam, regardless of who appears to be speaking.
8. Checklist: Protecting your business, your employees and your customers
Do
Unsubscribe from legitimate mailings that you no longer want to receive. When signing up to receive mail, verify what additional items you are opting into at the same time. Deselect items you do not want to receive.
Be selective about the Web sites where you register your email address.
Avoid publishing your email address on the Internet. Consider alternate options; for example, use a separate address when signing up for mailing lists, get multiple addresses for multiple purposes, or look into disposable address services.
Report missed spam, following the directions provided by your mail administrators, if you have an option to do so.
Delete all spam.
Avoid clicking on suspicious links in email or IM messages, as these may be links to spoofed websites. We suggest typing web addresses directly into the browser rather than relying upon links within your messages.
Always be sure that your operating system is up to date with the latest updates, and employ a comprehensive security suite. For details on Symantec’s offerings of protection visit http://www.symantec.com.
Consider a reputable antispam solution to handle filtering across your entire organization, such as the Symantec Brightmail messaging security family of solutions.
Keep up to date on recent spam trends by visiting the Symantec State of Spam site.
Do Not
Open unknown email attachments. These attachments could infect your computer.
Reply to spam. Typically the sender’s email address is forged, and replying may only result
in more spam.
Fill out forms in messages that ask for personal or financial information or passwords. A reputable company is unlikely to ask for your personal details via email. When in doubt, contact the company in question via an independent, trusted mechanism, such as a verified telephone number, or a known Internet address that you type into a new browser window (do not click or cut and paste from a link in the message).
Buy products or services from spam messages.
Open spam messages.
Forward any virus warnings that you receive through email. These are often hoaxes.
9. Metrics Digest: Regions of Origin
Defined: Region of origin represents the percentage of spam messages reported coming from
certain regions and countries in the last 30 days.
10. Metrics Digest: URL TLD Distribution
Metrics Digest: Average Spam Message Size
Metrics Digest: Spam Attack Vectors
11. Metrics Digest: Global Spam Categories:
Internet: Email attacks specifically offering or advertising Internet or computer-related goods and services. Examples: web hosting, web design, spamware
Health: Email attacks offering or advertising health-related products and services. Examples: pharmaceuticals, medical treatments, herbal remedies
Leisure: Email attacks offering or advertising prizes, awards, or discounted leisure activities. Examples: vacation offers, online casinos
Products: Email attacks offering or advertising general goods and services. Examples: devices, investigation services, clothing, makeup
Financial: Email attacks that contain references or offers related to money, the stock market or other financial “opportunities.” Examples: investments, credit reports, real estate, loans
Fraud: Email attacks that appear to be from a well-known company, but are not. Also known as “brand spoofing” or “phishing,” these messages are often used to trick users into revealing personal information such as E-mail address, financial information and passwords. Examples: account notification, credit card verification, billing updates
419 spam: Named after the section of the Nigerian penal code dealing with fraud, this refers to spam email that typically alerts an end user that they are entitled to a sum of money, by way of a lottery, a retired government official, a new job or a wealthy person that has passed away. This is also sometimes referred to as advance fee fraud.
Political: Messages advertising a political candidate’s campaign, offers to donate money to a political party or political
Adult: Email attacks containing or referring to products or services intended for persons above the age of 18, often offensive or inappropriate. Examples: porn, personal ads, relationship advice