Saturday, November 15, 2008

Post McColo Spam - What do we see?

On the evening of November 11th, the McColo network was "de-peered" and lost access to the Internet. Since that time, those who have unfiltered spam sources are seeing a dramatic decrease in spam. At the UAB Spam Data Mine, on November 12th, November 13th, and November 14th, we had our three lightest spam days in the past year, with a three day daily average 65% below the previous 30 day daily average.

A shout out here to the guys at FireEye, who helped document why the Srizbi botnet was not able to come back online. Several people have said "I can't believe the criminals didn't have a backup plan coded into their bot!" Well, it turns out they did, as FireEye documented in their entry "100,000 Srizbi IPs detected in 24 hours". It turns out there were four unregistered domain names coded into the bots. When McColo's shutdown became imminent, someone (not sure right now if it was FireEye) registered the domains before the criminals could. As a result, FireEye is able to watch the Srizbi bots ATTEMPT to contact their backup, but since the criminals don't own those domains, the attempt fails, and the bots sit idle, wondering what to do next.

So what are the OTHER spammers doing in the meantime? Let's look at the spam we received on Thursday, November 13th at the UAB Spam Data Mine.

It's still primarily about pills. 56% of our spam falls into 6 spam groups, sorted not by botnet but by the "look and feel" of the spam: its email body, its subject lines, or its website hosting.

20% - My Canadian Pharmacy - Subjects = single word greeting
13% - Canadian Pharmacy - Subjects = price and quantity of pills
8% - Canadian Pharmacy - random mis-spelled words in body
6% - Canadian Pharmacy - MSN Featured Offers spam
6% - Penis Enlargement Patch
3% - Canadian Pharmacy - Hall of Shame

In addition to these there were six other Canadian Pharmacy spam groups, all tiny, a new "BigPRX" enlargement spam, and small campaigns for US Drugs and Canadian Health and Care Mall.

I'll share some details about all of them below.

Besides those, our other "large spam campaigns" are:

5% = Russian Chat Girlfriends and wives . . .
4% = call 1-305-390-0269 to get a diploma . . .

While no other spam groups comprised more than 1% of our spam on this day, I also wanted to note our two biggest malware items of the day:

United Postal Service tracking number malware . . .
Fake airline tickets malware . . .

The largest single campaign still spamming is for "My Canadian Pharmacy". The My Canadian Pharmacy campaign accounted for 20% of all of our spam on November 13th!

The spam messages only contain a URL. No message of any type.

The only domains in this group were:

The subjects are also extremely simple:


There are at least nine distinct spam templates that are sending us Canadian Pharmacy spam.

13% of our spam comes from Canadian Pharmacy Template H:

This campaign has spam subject lines which combine a pill name, a price, and a quantity of pills, randomly selected, like these:

$99.95 Viagra 100mg x 30 pills buy now
$129.95 Viagra 100mg x 60 pills price
buy now Viagra (Sildenafil) 100mg x 90 pills $159.95
Price for 50mg x 60 pills $2.00 per pill

The domain names in this group are:

The bodies of the emails follow the same template as the subjects . . . a random dose, quantity and price, followed by a URL, such as:

50mg x 60 pills US $ 2.00 Per Pill

8% of our spam comes from Canadian Pharmacy Template A:

In this email template, random words are mis-spelled throughout the email, but the basic message is the same:

If you are tired of ovërpaying for meds, and overpaying for visits to the Doctors -

If you need to get the prescriptiõn. fi|led without hassle and iinconvenience -

Here is your solution : the world's most trusted Ïnternett Önlinee Meds Stôre.

Carrying þopular meds at incredibly low príces, suchh as

- Magic Blue pill (from just $ 1) Via and Cia
- Soma (for your päin relïef) - from just $ 0.60
- Tramadol (for your pãin relief) - justt $ 2
- And thoûsands more differentt meds for all conditions

Recommendêd by Canadiann Health cãrè Professionals and by thousänds of satisfied cùstomers world wide

This template uses the domain names:

and the subject lines:

0nline Discount Pharmacy
A Licensed drug store, best meds online
Advantages of online pharmacies
Affordable Meds
Amazing and cheap online pharm
Best Pharmacy is dedicated to being your best resource for
buy cheap pharm drugs
Cheap Meds from USA
Compare and Save on Generic Meds ! Valium @ $25. Xanax
Convenient, discreet online pharmacy
Discount Internet Pharmacy - FREE Prescriptions Written
Drugs for confidents! Great offers
Find your medication in our internet Pharmacy
Forget the doctor, get meds online
Fw: Meds. Online, Valiu0m, Xana0x, Viagr0 and many more
Fwd: Get All Meds. Any Meds You Want Prescripts Written
Fwd: Order Anti-depressants, weight loss meds
Fwd: special meds for you
Internet Pharmacy - Cheap Prices
Licensed online pharmacy! Best prices
Look for 50% discounts on meds
Looking for Meds? Cheapest Pharm is Here
Meds approved by us approved doctors., Va|l|ium
New Internet Pharmacy
Offshore pharmacy, save huge on meds!
Online Pharmacy - Viagra, Xenical & More - Lowest
Online Pharmacy with all your prescription
Order Meds Direct NOW
Pharmacy - No doctor visits
Pharmacy - No prescription required
Save $$$ with our Internet Pharmacy
Save on Generic Meds! Xanax # $35. Valium
This low pricing on meds provided on our site.
Thousands of customers, meds online
Unbelievable Savings on Generic Meds!! Valium @ $25. Xanax
Verified You Ordered Meds
Want your love back?? Check it out
You can order Anti-depressants, weight loss meds,and pain

3% of emails were from Canadian Pharmacy Group B, which uses different email bodies that look like this:

What's your HALL of SHAME?

The fast way to solve your most embarassing aiments. Humiliating? Yes. Depressive? Yep. What to do? Visit our site for the most effective solution.

Top female problems and how to solve them.

If you ever been suffering from most known male problems and could not find a good soluion, or dont't like with your present results, visit our site to get the most up-to-date information on problems and the ways to treat them.

Make your way here & Save Today!

Domains in this group are:

Subjects in this group are:

10 secrets to good family night life.
7 intimate Relationship Problems and How to Solve Them
Dont let your tiny male problem grow into a disaster.
Dont turn your marriage into disaster, use male enhancers.
How to solve your everyday male problems
How to solve your marriage problems with enhancers.
If your wife became cold, light the fire in her again with female enhancers.
If your wife needs your attention, you can help her anytime.
IT is the modern, fastest and safest way to solve all your male problems.
Looking for ways to solve male, financial and family problems?
Secret to young-looking skin.
Solutions For Embarrassing Male Troubles.
Time to move to next level in your enhancing process.
Top males problems and ways to avoid and cure them.
You search for perfect xxxlife is over.

6% of our spam on November 13th was from spam templates which pretended to be an "MSN Featured Offer". There are actually several different spam sending patterns in this group, but each has this text in common:

About this mailing:
You are receiving this e-mail because you subscribed to MSN Featured Offers. Microsoft respects your privacy. If you do not wish to receive this MSN Featured Offers e-mail, please click the "Unsubscribe" link below. This will not unsubscribe you from e-mail communications from third-party advertisers that may appear in MSN Feature Offers. This shall not constitute an offer by MSN. MSN shall not be responsible or liable for the advertisers' content nor any of the goods or service advertised. Prices and item availability subject to change without notice.

©2008 Microsoft | Unsubscribe | More Newsletters | Privacy

Microsoft Corporation, One Microsoft Way, Redmond, WA 98052

Despite a group of "financially oriented" subject lines, most of these spam messages still redirect to Canadian Pharmacy.

More than 60 domain names are used by this group:

Three distinct subject groups are using this pattern, but all currently point to Canadian Pharmacy websites, including the financial group with subjects like:

/Accounts banker!/
/Annual credit/
/Bank report/
/Credit report/
/Economic report/

A second group of subjects has more than a hundred full sentence subjects, such as:

RE: A completely natural way to give up smoking.
RE: A new source of life power has been discovered!
RE: A pimple?two pimples?three pimples? They do not leave you? Repulse them!
RE: A pimply guy attracts negative attention? don?t be one of them!
RE: A portable mortar for any disease you might catch.
RE: A single pill may bring out the beast in her!
RE: A single pill raises the immunity a dozen times!
RE: Additional help in building body of your dream.
RE: Afraid of epilepsy? Seizures are not thread anymore.
RE: Almost all men after 40 suffer from it
RE: Amoxicillin. A word that scares bacterial infections.
RE: Annoyed by the new car of a friend? Take a debilitant and buy a better car!
RE: Are you afraid of traveling by plane? Try new reliable medicine!
RE: Bare no morning after headaches in the morning.
RE: Be sure to get enough Zinc for your organism work.
RE: Be the boss in the game. Control your ejaculation.
RE: Become a sophisticated perfume shell adore your talent!
RE: Bring your senses to new level using lubrication.
RE: You are growing bald? Here is the answer!
RE: You are the one to set up the rules for that game.
RE: You are young and strong but helpless in bed? There is a way out!
RE: You shouldn?t suffer when the remedy is available!
RE: You sweat all the time? Lose some weight!
RE: You would look awesome without those extra kilos!
RE: Youll appreciate the new antibiotic at its true value!
RE: Your doctor prescribed you a medicine but you dont know where to buy it?

A third group of subjects has two letters followed by a doctor's name, such as:

RE: bw.Doctor Nelson
RE: ja.Doctor Otto
RE: kc.Doctor Lyle
RE: kq.Doctor Emory
RE: kv.Doctor Josue
RE: lb.Doctor Darren
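The grouping used throughout this post (by subject template, body template and shared boilerplate rather than by botnet) can be reproduced over a mail feed with a handful of fingerprints. The Python below is an added example written for this page, not code from the UAB Spam Data Mine or the post's author. Its regexes are built from the samples quoted above: the Template H subjects and bodies, the URL-only My Canadian Pharmacy bodies, the MSN Featured Offers footer with its three subject sub-groups, the Hall of Shame body and the diploma phone number. The sample feed is constructed from those quoted lines, and `example.invalid` is a placeholder, not a real spam domain.

```python
import re
from collections import Counter

# Fingerprints for the campaign groups described in the post, built from the
# subject and body samples it quotes. Labels are the post's own group names.
TEMPLATE_H_SUBJECT = re.compile(r"\$\d+\.\d{2}|\b\d+mg x \d+ pills\b", re.I)
TEMPLATE_H_BODY = re.compile(r"^\s*\d+mg x \d+ pills US \$ ?\d+\.\d{2} Per Pill", re.I | re.M)
URL_ONLY_BODY = re.compile(r"^\s*https?://\S+\s*$")       # body is nothing but a URL
ONE_WORD_SUBJECT = re.compile(r"[A-Za-z]+[!.]?")          # "single word greeting"
MSN_FOOTER = re.compile(r"subscribed to MSN Featured Offers", re.I)
MSN_FINANCIAL = re.compile(r"^/.+/$")                     # /Bank report/
MSN_DOCTOR = re.compile(r"^RE: [a-z]{2}\.Doctor [A-Z][a-z]+$")  # RE: kc.Doctor Lyle
MSN_SENTENCE = re.compile(r"^RE: \S")
DIPLOMA_PHONE = re.compile(r"\b1-305-390-0269\b")


def classify(subject: str, body: str) -> str:
    """Assign one message to a campaign group. The first matching fingerprint
    wins, so the body-level checks come before the subject-only ones."""
    subject = subject.strip()
    if MSN_FOOTER.search(body):
        if MSN_FINANCIAL.match(subject):
            return "MSN Featured Offers / financial subjects"
        if MSN_DOCTOR.match(subject):
            return "MSN Featured Offers / doctor-name subjects"
        if MSN_SENTENCE.match(subject):
            return "MSN Featured Offers / sentence subjects"
        return "MSN Featured Offers / other"
    if TEMPLATE_H_SUBJECT.search(subject) or TEMPLATE_H_BODY.search(body):
        return "Canadian Pharmacy Template H"
    if "HALL of SHAME" in body:
        return "Canadian Pharmacy Group B (Hall of Shame)"
    if DIPLOMA_PHONE.search(subject + " " + body):
        return "diploma by phone"
    if URL_ONLY_BODY.match(body) and ONE_WORD_SUBJECT.fullmatch(subject):
        return "My Canadian Pharmacy"
    return "unclassified"


def campaign_shares(messages):
    """Percentage of the feed per group, the way the post reports its figures.
    Only meaningful over an unfiltered feed; a filtered inbox skews the shares."""
    counts = Counter(classify(subject, body) for subject, body in messages)
    total = sum(counts.values())
    return {label: round(100.0 * n / total, 1) for label, n in counts.most_common()}


# Constructed sample feed: subjects and bodies taken from the post's examples;
# the offer text in MSN_BODY is a stand-in and example.invalid is a placeholder.
MSN_BODY = ("(offer text)\n\nAbout this mailing:\nYou are receiving this e-mail because you "
            "subscribed to MSN Featured Offers. Microsoft respects your privacy.")
SAMPLE_MESSAGES = [
    ("Hello", "http://example.invalid/"),
    ("Hi", "http://example.invalid/"),
    ("$99.95 Viagra 100mg x 30 pills buy now",
     "50mg x 60 pills US $ 2.00 Per Pill\nhttp://example.invalid/"),
    ("Price for 50mg x 60 pills $2.00 per pill",
     "50mg x 60 pills US $ 2.00 Per Pill\nhttp://example.invalid/"),
    ("/Bank report/", MSN_BODY),
    ("RE: kc.Doctor Lyle", MSN_BODY),
    ("RE: Almost all men after 40 suffer from it", MSN_BODY),
    ("What's your HALL of SHAME?", "What's your HALL of SHAME?\n\nMake your way here & Save Today!"),
    ("call 1-305-390-0269 to get a diploma", "Call today."),
    ("Meeting notes", "Attached are the notes from today."),
]

if __name__ == "__main__":
    for label, pct in campaign_shares(SAMPLE_MESSAGES).items():
        print(f"{pct:5.1f}% - {label}")
```

Ordering matters: the MSN footer is checked first because the post notes that those messages carry financial-looking subjects yet still belong to the Canadian Pharmacy family, so a subject-only rule would mislabel them. Each fingerprint is deliberately narrow; a message that matches none stays "unclassified" rather than being forced into a group, which is what keeps the share figures honest.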

The Penis Enlargement Patch spam uses the following subject lines:

Amazing growth in just weeks
Bring her to seventh heaven
Don't settle for less than 9 inches
Easiest way to gain mass
Endorsed by healthcare professionals worldwide
Enlarge, Widen and Strengthen
Explode her mind with pleasure
Gaining inches the easy way
Grow thicker, harder and longer
Make her desire you
Make her moan with pleasure
Make your friends envious
Power up your package
Proven to enlarge and lengthen
Put on inches instantly
Re: Breakthrough formula for men
Re: don't wait to be huge
Re: Rock hard and huge
Re: watch her come over and over again
Sharon loved the results I got from this
The only formula for men that works
The secret to making her come
The truth behind 9 inches
The ultimate male package
What every woman wants from their man

The websites used by Penis Enlargement Patch are:

Like one of the Canadian Pharmacy groups, the email body uses randomly inserted mis-spellings to try to avoid spam filters. Here's an example:

A top team of British scientists and medical dõctors have wórked to deveIop the statee-of-the-art Peñis Enlargemeent Patch delivery system which automatically increases penis sizee up to 3-4 fulll inches.

The patches are the eàsieèst and most effectïve way to inçréase your penis size.

You won't have to take pills, get under the knifee to perform exþensivê and very painful surgêrÿ, use any pumps or other devices.

No one wïlll evér find out that you are using our product.

Just aåpply one patçh on your body and wear it for 3 dayss and you will startt noticing dramatic résults.

MiIlions of men are taking advantage of thiss rèvolutionary new produçt - Don't be Ieft bëhind!
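Both the Canadian Pharmacy Template A body and the Enlargement Patch body above use the same evasion: accented or look-alike characters and doubled letters inside otherwise ordinary words, so a filter looking for the plain phrase "Online Meds Store" or "Penis Enlargement Patch" never sees it. A defender can undo most of this before matching. The Python below is an added example written for this page, not code from the post's author or the UAB Spam Data Mine. It lower-cases the text, strips accents with Unicode NFKD, maps a small hand-picked set of look-alike symbols (the `LOOKALIKES` table is an assumption, not an exhaustive homoglyph list), squeezes doubled letters in both the text and the keyword so the two sides stay comparable, and falls back to a similarity ratio for single words so noise characters inserted into a word (Valiu0m, Xana0x) are still caught. The sample texts are taken from the spam quoted in this post.

```python
import difflib
import re
import unicodedata

# Look-alike characters that NFKD cannot reduce to a plain letter, plus the
# ASCII symbols spammers substitute for letters. Hand-picked for this example
# (an assumption, not an exhaustive homoglyph table).
LOOKALIKES = {
    "þ": "p", "ð": "d", "ø": "o", "æ": "ae", "ß": "ss", "ł": "l", "đ": "d",
    "|": "l", "1": "l", "!": "i", "0": "o", "@": "a", "$": "s", "3": "e", "5": "s",
}

# Keywords a defender might watch for, written the way a human would.
KEYWORDS = ["penis enlargement patch", "internet online meds store",
            "valium", "xanax", "viagra"]


def strip_accents(text: str) -> str:
    """Decompose accented letters (ö -> o + combining diaeresis) and drop the marks."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def letter_ratio(token: str) -> float:
    """Share of a token that is letters; used to leave prices and dosages alone."""
    return sum(ch.isalpha() for ch in token) / len(token) if token else 0.0


def canonicalize(text: str) -> str:
    """Reduce spam text (or a keyword) to a comparison form.

    Lower-case, strip accents, swap look-alike symbols inside word-like
    tokens, squeeze repeated letters (statee -> state, fulll -> ful) and
    collapse whitespace. Tokens that are mostly digits ($99.95, 100mg) are
    left untouched so prices and dosages are not mangled.
    """
    out = []
    for token in text.lower().split():
        token = strip_accents(token)
        if letter_ratio(token) > 0.5:
            token = "".join(LOOKALIKES.get(ch, ch) for ch in token)
            token = re.sub(r"([a-z])\1+", r"\1", token)
        out.append(token)
    return " ".join(out)


def find_keywords(text: str, keywords=KEYWORDS, fuzzy_cutoff: float = 0.8) -> list:
    """Return the keywords present in text once both sides are canonicalized.

    Multi-word keywords must appear as a substring. Single-word keywords also
    get a fuzzy pass so a noise character inserted into a word (Valiu0m,
    Xana0x) does not hide it; the cutoff is an assumption tuned on the samples.
    """
    canon = canonicalize(text)
    tokens = re.findall(r"[a-z]+", canon)
    hits = set()
    for kw in keywords:
        ckw = canonicalize(kw)
        if ckw in canon:
            hits.add(kw)
        elif " " not in ckw and any(
            difflib.SequenceMatcher(None, tok, ckw).ratio() >= fuzzy_cutoff
            for tok in tokens
        ):
            hits.add(kw)
    return sorted(hits)


# Samples taken from the spam bodies and subject lines quoted in the post.
TEMPLATE_A = (
    "If you need to get the prescriptiõn. fi|led without hassle and iinconvenience -\n"
    "Here is your solution : the world's most trusted Ïnternett Önlinee Meds Stôre."
)
PATCH_BODY = ("A top team of British scientists and medical dõctors have wórked to "
              "deveIop the statee-of-the-art Peñis Enlargemeent Patch delivery system")
NOISY_SUBJECT = "Fw: Meds. Online, Valiu0m, Xana0x, Viagr0 and many more"

if __name__ == "__main__":
    for sample in (TEMPLATE_A, PATCH_BODY, NOISY_SUBJECT):
        print(canonicalize(sample))
        print("  ->", find_keywords(sample))
```

The squeeze step is applied to the keyword as well as the text, so "pills" and the spammer's "pillss" both become "pils" and still compare equal; the canonical form is for comparison only, not for display. Capital I used in place of lowercase l (as in "deveIop" and "MiIlions") survives as a plain "i" after lower-casing, which is why the fuzzy pass, not the substitution table, is what catches those words.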
