BANGALORE, INDIA: Spammers continue to divide their Internet resources. International spam campaigns generally send the same type of email to everyone.
Partitioning Botnets
Pill spam and Rolex-watch spam campaigns usually have a distinct internal email structure that allows them to be grouped together.
Not every spam-originating IP address will send to everyone in the world, but the images and URLs that are used in those spam messages tend to be the same across domains and countries.
In February we observed spam campaigns that began to further partition their resources. Selected companies received spam messages whose HTML content contained one of hundreds of Chinese URLs that forwarded the browser to a hosted commerce website; meanwhile other companies received the same message and the same content but their URL list was limited to only a few dozen compromised web servers. Other extremely large companies didn’t see any evidence of those spam campaigns.
This partitioning seems to go beyond the trend of producing more local-language spam and exhibits behaviour that appears both to protect the botnets from suffering a single point of failure and to probe the limits of spam researchers and vet their email lists. Blacklist systems that rely on honey-pot spam addresses to gather data may be weakened, as may systems that require a certain threshold or signature distribution to trigger.
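The following sketch is an added example, not part of the original article. It shows why a per-URL sighting threshold can miss a partitioned campaign while a signature built from the shared email structure still fires. The threshold value, the tag-skeleton fingerprint and all sample messages are constructed assumptions.

```python
import hashlib
import re
from collections import Counter

THRESHOLD = 5  # assumed: sightings needed before a signature is listed

def structure_fingerprint(html):
    """Hash only the tag skeleton, so differing URLs and text do not matter."""
    tags = re.findall(r"<\s*(/?[a-zA-Z0-9]+)", html)
    return hashlib.sha256(" ".join(t.lower() for t in tags).encode()).hexdigest()[:12]

def extract_urls(html):
    return re.findall(r'href="([^"]+)"', html)

def triggered(messages, key_fn, threshold=THRESHOLD):
    """Return the keys seen in at least `threshold` distinct messages."""
    counts = Counter()
    for html in messages:
        for key in set(key_fn(html)):
            counts[key] += 1
    return {k for k, n in counts.items() if n >= threshold}

def build_sample():
    """Constructed corpus: one template, URL pool partitioned by recipient."""
    template = ('<html><body><p>{text}</p>'
                '<a href="{url}"><img src="w.gif"></a></body></html>')
    msgs = []
    # Partition 1: 12 recipients, each sees a different forwarding URL.
    for i in range(12):
        msgs.append(template.format(text=f"offer {i}", url=f"http://fwd{i}.example.net/"))
    # Partition 2: 8 recipients share a pool of 4 compromised hosts.
    for i in range(8):
        msgs.append(template.format(text=f"deal {i}", url=f"http://host{i % 4}.example.com/x"))
    # Unrelated legitimate mail with a different structure.
    msgs.append('<html><body><h1>Invoice</h1>'
                '<a href="http://billing.example.org/">pay</a></body></html>')
    return msgs

def compare(messages):
    """Return (URL signatures, structure signatures) that cross the threshold."""
    by_url = triggered(messages, extract_urls)
    by_structure = triggered(messages, lambda h: [structure_fingerprint(h)])
    return by_url, by_structure

if __name__ == "__main__":
    by_url, by_structure = compare(build_sample())
    print("URL signatures over threshold:", sorted(by_url))
    print("Structure signatures over threshold:", sorted(by_structure))
```

No single URL reaches the threshold because the pool is split across recipients, yet the 20 campaign messages collapse to one structural signature.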
Hosting companies that allow internal sites to be compromised tend to spread the pain around. Not only do the reputations of the host and the hacked sites suffer, but unmolested businesses and individuals who share those Internet resources can also be hurt. The need to preserve one’s web reputation reinforces the need for both a historical and a real-time threat intelligence perspective when choosing an ISP.
Keeping a ‘Watch’ on Holiday Spammers
On Valentine’s Day you might have been looking for a gift for that special someone, and spammers were looking for you to buy it from them.
This year replica-watch spam took over the number one spot for most persistent holiday spam. And not only was it number one, there were also days when the volume of replica-watch spam exceeded that of Delivery Status Notification bounce backs, briefly peaking at more than 20 percent of global volume. This is a difficult feat to achieve because it requires a spam campaign to be both large and accurate. After all, if a spammer’s email list is not accurate, then more bounce backs are likely to be seen in the wild.
Another surprising event shown in Figure 1 is the decrease in pill spam, which is usually a staple of any spam diet and something that we would expect to be particularly popular at this time of the year.
The spam strains are varieties we see commonly throughout the year; we considered them to be “associated” with gift-giving and love but not distinct enough to count as “Valentine’s Day” spam. Although we expected to see specific strains of spam pop up often for the Valentine’s holiday, we were disappointed. Valentine’s Day e-card spam was insignificant compared with what we saw during the Christmas or Thanksgiving holidays. Much of the e-card spam we did see still referenced Christmas, and when a significant strain of Valentine’s greetings finally appeared, February 14 had already passed.
Copyright © CyberMedia India Online Ltd. All rights reserved. Usage of content from web site is subject to Terms and Conditions.