Blue Coat Labs

Labs Blog

Health and Finance (The Spam Version of Death and Taxes)

Share this: 

Health and Finance (The Spam Version of Death and Taxes)

Chris Larsen

It's been a while since we've posted about good old spam (the non-malicious kind, although sometimes the lines blur), so I thought I'd share some findings from last weekend's honeypot traffic.


Recent Trends

First, we're seeing a *lot* of ".PW" domains involved in spam these days. In fact, unless you've got customers in Palau, you should probably consider blocking anything on their TLD (top-level domain).

Second, the top two spam categories continue to be Health (mostly weightloss-related, but also including pharma-spam), and Finance (mostly easy-loan sites, credit-score sites, and work-at-home scams). Which is at least a rough parallel to the old saying about the only two certainties in life being "death and taxes".


Breaking Chains

It's also been a while since we last blogged about WebPulse as a "second level spam filter", but there was a great example in this weekend's spam...

The subject line promised "Your NEW card is ready (activate Monday)". (Personally, I think it would have looked better if they'd added at least one exclamation mark in there, but I don't want to tell the spam professionals how to run their business.)

The body of the e-mail said "Your next Discover, Visa or American_Express card is waiting for instant approval."  (Of course, I wondered why they'd left Mastercard off the list, and why they thought American Express needed an underscore instead of a space, but that's just me being picky again. I'm sure the spammers have their reasons.)

The spam came from a junk/throwaway domain: (which doesn't even pretend to be a legitimate site, and a blank page doesn't make for an interesting screenshot, so I'm skipping that part).

This was also the target destination of the link in the spam. (To review Blue Coat's spam terminology, in this case, is serving as both the "L0" [source of the e-mail] and "L1" [link target] domain.)

Clicking the link relayed me through the "L2", "L3", and "L4" domains [relays] in succession, finally dumping me on the "LX" [actual destination] domain.


The L2 domain, [shady relay #1].com, has been in our DB since last month, courtesy of our "SpamNet Tracker" module (that's the Malnet Tracker in its spare time).

The L3 domain, [shady relay #2].com, was rated in the DB in September of last year (more recently, it's also on a server in the SpamNet Tracker's database).

The L4 domain, [shady relay #3].com, was not in the DB (it is now!), but this didn't matter, since any of our customers who choose to block the Spam and/or Scam/Questionable/Illegal categories wouldn't have made it this far, nor to the LX domain.


A Tougher Call

The interesting question, for me, is almost always the LX domain -- the ultimate destination site. Knowing that it's being fed traffic by a large spam ecosystem, should we also rate *it* as Spam, in addition to its normal category? In other words, if we want to play "guilt by association", how much "association" do we need to see before we can declare something as "guilty"?

In this case, had any customer clicks made it through the relay gantlet, they would have hit a Spam rating on this particular site, since we added that many months ago, in addition to its Financial Services rating. The site has been around for four or five years now, which is a point in its favor -- it isn't an obvious fly-by-night site. Yeah, maybe it just innocently signed up for a new "targeted e-mail campaign" featuring "qualified, opt-in, interested customers". How was it to know that its new e-mail campaign manager was actually an evil spammer?

(How about the fact that this isn't the first time we've encountered this site as part of a spam investigation? Yep, I think that does it for me -- so I left its Spam rating in place.)



P.S.  As a bonus, here's a shot of another spam from last weekend, featuring the most creative recent "spelling" I've seen of the all-time-classic-spam-word:

screenshot of creative spammer spelling of

Thunderbird is right.