The email itself looks like a completely normal message from CNN.com and some of the links in the email also go to CNN. Right now there is a similar attack in progress, although this time MSNBC.com (NBC’s and MSN’s news site) is used to mask the attack. Spam has flowed in since around 11am on Tuesday. The sites, which the spam messages link to, are most likely hijacked ones and the site owners are probably not yet aware that their sites contain malicious code.

Firefox and Internet Explorer 7 now include filters to block sites like these. However, it normally takes several days before a hijacked site has been reported to these filters. Until then, no warning will be displayed when surfing to these sites.

Don’t hesitate to contact us if you have any suggestions for improvements or have a request for additional statistics that you think we should add. Please send an e-mail to support@spamdrain.net.

Please note that the accuracy statistics is based on the spam you report back to us when SpamDrain makes a mistake. If a spam message slips through to your inbox you must report it to us (go to Report after you’ve logged in) or else it won’t be included in the statistics.

F-secure also reports about these spam messages on their blog.

Some examples:
Oil prices starting to DROP
Obama endorses herbal supplements
Tim Russert’s six scandal exposed at funeral
Nokia unveils revolutionary new phone design
Britney found hanged in locker room
Britney lingerie shoot
Britney in drug scandal in saint tropez
Portugal regrets not bringing herbal supplements

Spammers hope that we are more interested in the Britneys latest adventure than how their own fantastic products can help us.

More interesting than discussing whether spam messages are blocked or not, is if this arrest will decrease the spam traffic in the world. One million computers are a lot of potential spam sources. On the other hand, the hijacked computers are most likely still hijacked and open for other hackers even though the persons arrested are the ones who control them. Hence they are the ones who know where the computers are located and how to send tasks for them to perform. Such a task could be sending a bunch of spam. In other words, it may be hard for other people to instantly take to same level of control over the botnet as the people now arrested used to have.

On the other hand, you may wonder if the arrested hackers are the only ones controlling the botnet. If not - it will most likely soon be up and running again as normal.

So will the spam traffic be reduced? We will certainly keep our eyes on our statistics for the next couple of weeks even though I suspect that this arrest will have little impact on the over all amount of spam being sent. I don’t know why but that’s a feeling I have. Spammers seem to find their way around most obstacles - except SpamDrain, that is…;-)

More information about the spam filtering service SpamDrain.

Clicking such a link is identical to manually entering a search query on Google and clicking the “I’m feeling lucky” button. Google will run the query and automatically redirect your web browser to the top most result matching that query. For a spammer this is quite easily exploited. All he needs to do is to construct a Google query which returns the spammer’s site at the top of the result. One way to achieve this is using Google’s inurl search operator. E.g. inurl:E87ABD4CB56 will only return pages which contain E87ABD4CB56 in the address. It shouldn’t be hard for the spammer to come up with something unique.

So why would a spammer do this? Well, some spam filters use addresses in e-mails to determine if they are spam or not. By using Google addresses, some spam filters could get confused because Google is usually a trusted site. For a spam filter which only cares about the host name in the addresses (i.e. www.google.com) this could be a problem. Other spam filters, which look at the entire address, shouldn’t be affected by this trick.

For those of you who aren’t familiar with the term, pump and dump refers to a specific type of stock fraud. Typically the spammer will acquire stock in a small company for a low price and then send out large amounts of spam messages trying to fool the recipients into investing in the company. In the message, the spammer will claim to have inside information about some new development within the company, something which will make the company’s stock go through the roof.

The information is of course nothing but lies. As soon as you and the other victims start to buy the stock and the price goes up the spammer will sell his shares for a profit. The stock price plummets and you will never be able to get back all of your money.

Today I got one of these pump and dump spam that looked really strange. Here’s the actual text of the message:

Don’;t let A=CGU pas+s, Gr;ab it Mon.da+y

A.SSET CAPI+TA,L GP I=NC.
ACG=U
$1.-15

ACG=U Ass.et Cap;it,al Gr;ou.p, In*c. wil=l fo*cus u=pon l+oca-ti=ng
and i-nvesti-n,g in sma.l,l, p*r-o=f-itable e+nte-r=pri=ses w*ith
pr+om+is.ing g,r,owth po.t;en+tia.l. The Co=m.pany i-ntend.s to in=ve.st
in co-mpa=n;ies in a wi.de ra.nge of c+at,e,g*ories, i.n-cl=uding
m;anu-fac.tu*ri*ng-, envi;ronm;e;n=ta-l cl,e*an-u*p, f*in+an.cial se-r.vice,s
and oth+er are=a=s, th+is co;mp-any is go,ing to e+x+plo*de.

ACG+U ACG+U A*CGU A+CGU A+CGU

Get on AC=GU f=irst thi,ng M-onda-y!

A*SSET CA-P;ITAL GP IN-C.
A+CGU
$1.1-5

H+URRY ca=ll y*our Br+oke;r Now !!!

Hug.e PR c=ampai.g;n unde.rw+a*y now and its ti;me for you
to get in now and ri,de thi*s wa.ve earl+y to pr-ofi*t.

for the removal of cancer, the recurrent nodules make their appearance in
the main scar or in the scars of stitches in its neighbourhood. In the
lower animals the grafting of cancer only succeeds in animals of the same
species for example, a cancer taken from a mouse will not grow in the
tissues of a rat, but only in a mouse of the same variety as that from
which the graft was taken. While cancer cannot be regarded as either
contagious or infectious, it is important to bear in mind the possibility
–
scatterling

While one could argue that anyone not getting suspicious about an e-mail like this one deserves getting ripped off, distorting the text like this is actually a quite common trick use by spammers to try to avoid getting blocked by filters.

The readable text at the end is meant to further confuse spam filters. The spammer usually pastes some text which has no relevance to the rest of the message in an attempt to lower the “spaminess” of the message. This particular text appears to have been copied from “Manual of Surgery
Volume First: General Surgery” by Alexis Thomson and Alexander Miles published in the early 20th century. The book is available online through Project Gutenberg.

Here’s the deciphered version of this message:

Don’t let ACGU pass, Grab it Monday

ASSET CAPITAL GP INC.
ACGU
$1.15

ACGU Asset Capital Group, Inc. will focus upon locating
and investing in small, profitable enterprises with
promising growth potential. The Company intends to invest
in companies in a wide range of categories, including
manufacturing, environmental cleanup, financial services
and other areas, this company is going to explode.

ACGU ACGU ACGU ACGU ACGU

Get on ACGU first thing Monday!

ASSET CAPITAL GP INC.
ACGU
$1.15

HURRY call your Broker Now !!!

Huge PR campaign underway now and its time for you
to get in now and ride this wave early to profit.

At least this spammer knows how to speak corporate bullshit!

By the way, this spam was no match for SpamDrain. SpamDrain vs. spammers: 1-0.

SpamDrain for domains provides domain level filtering for companies and individuals with their own domain and uses the same smart filtering as the current POP3 version. All e-mail is filtered before it reaches the domain’s original e-mail servers. This means that web mail and other services work as usual and no changes to the users’ e-mail program settings are required.

As of today the beta testing is finished and SpamDrain for domains is released for production use. To start using SpamDrain for domains, please click the link below and follow the instructions.

Sign up for a 30-day trial of SpamDrain for domains

Learn more about SpamDrain for domains