Thursday, March 22, 2012

Increase in Hit & Run Spam

During the past two weeks, Symantec has observed an increase in hit & run spam activities (also known as snowshoe spam) in its Global Intelligence Network. Hit & run spam messages have the following characteristics:

    Usually originates from IP ranges with neutral reputation
    Uses a large IP range to dilute the amount of spam sent from each IP address
    Contains features (such as Subject line, From line, and URLs) which change quickly
    URL is the call-to-action
    Often uses a large quantity of “throw-away” domains in a single spam campaign

In addition to the above, there were also hit & run messages promoting the following products or services:

    Auto warranty
    Satellite TV
    Learning a new language
    Floral products
    Auto loan
    Free credit reports
    Online dating service
    Work-at-home opportunities
    LASIK service

The spammer uses varying subject lines to offer the same type of product or service. For example, here is a list of sample subject lines offering a hair loss product:

Subject: Finally a hair solution that works for Women
Subject: Attention Women: Get fuller hair risk free
Subject: See the latest trick for thinning hair
Subject: Try the newest solution to regrow hair. Risk Free
Subject: See how celebs get fuller thicker hair
Subject: Attention Women: See the latest trick to restore hair

In addition, some spammers insert hyphens at random locations to further increase their chances of successfully delivering the spam message. Here is a list of sample subject lines offering home security:

Subject: [BRAND NAME REMOVED] De-aler $99 Install He-re to help Pro-tect You
Subject: [BRAND NAME REMOVED] monitored and Dea-ler installed
Subject: [BRAND NAME REMOVED] De-aler Installed se-curity sy-stem $99
Subject: [BRAND NAME REMOVED] De-aler Fr-ee Sys-tem Of-fer
Subject: [BRAND NAME REMOVED] Home Security is #1- Fr-ee Security Sy-stem!
Subject: [BRAND NAME REMOVED] is #1 This De-aler has a $99 Install
Subject: [BRAND NAME REMOVED] monitored se-curity from Top De-aler $99 install
Subject: [BRAND NAME REMOVED] can help pro-tect your home in 2012
Subject: [BRAND NAME REMOVED] Auth De-aler $99 install with Fr-ee S-ystem
Subject: [BRAND NAME REMOVED] De-aler $99 Of-fer Dont settle for le-ss
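On the filtering side, the hyphen trick can be undone before content rules run. The following is an added example, not code from the original post or from Symantec: it rejoins hyphen-split words when the result is a known word and flags subjects where several words were split. The `VOCAB` list, the function names, and the threshold of 2 are assumptions made for illustration.

```python
import re

# Constructed mini-vocabulary for this demo; a production filter would load
# a full dictionary or the keyword list its content rules already use.
VOCAB = {"dealer", "install", "installed", "here", "protect", "security",
         "system", "free", "offer", "less"}

# A run of letters broken by one or more single hyphens, e.g. "De-aler".
SPLIT_WORD = re.compile(r"\b[A-Za-z]+(?:-[A-Za-z]+)+\b")

def normalize_subject(subject, vocab=VOCAB):
    """Rejoin hyphen-split words; return (clean_subject, words_rejoined)."""
    rejoined = 0

    def rejoin(match):
        nonlocal rejoined
        joined = match.group(0).replace("-", "")
        if joined.lower() in vocab:      # rejoin only if the result is a known word
            rejoined += 1
            return joined
        return match.group(0)            # keep real compounds such as "work-at-home"

    return SPLIT_WORD.sub(rejoin, subject), rejoined

def is_hyphen_obfuscated(subject, threshold=2):
    """Flag subjects where several known words were split by hyphens."""
    return normalize_subject(subject)[1] >= threshold

# Subject lines quoted from the article above, plus one constructed benign line.
SAMPLES = [
    "[BRAND NAME REMOVED] De-aler $99 Install He-re to help Pro-tect You",
    "[BRAND NAME REMOVED] Home Security is #1- Fr-ee Security Sy-stem!",
    "[BRAND NAME REMOVED] De-aler $99 Of-fer Dont settle for le-ss",
    "Re: follow-up on the work-at-home policy",   # constructed, benign
]

if __name__ == "__main__":
    for s in SAMPLES:
        clean, n = normalize_subject(s)
        print(f"{n} rejoined | flagged={is_hyphen_obfuscated(s)} | {clean}")
```

The normalized subject can then be passed to existing keyword or fingerprint rules, so variants that differ only in hyphen placement collapse to the same text.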

While the presence of URLs is not the only condition for a message to qualify as hit & run spam, the chart below shows the percentage of spam messages containing a URL increasing during the past week:



By Eric Park