Blue Coat Labs

Labs Blog

They Definitely Spammed the Wrong Guy

They Definitely Spammed the Wrong Guy

Chris Larsen

Last Friday (5/24), as I was packing for a trip, I took a quick look at the in-box for my Blue Coat e-mail account. There was one from a name I didn't recognize, with a subject line of "Successful Business". It was a spam:

screenshot of spam (initial view)

(It was interesting that they didn't have the person's name match the e-mail address more closely. Even if the e-mail content wasn't a dead giveaway, this by itself would have raised a yellow flag.)

Things got even more interesting when I began highlighting the spam URL, so I could check it out in our database, and accidentally dragged the mouse too far. Lo and behold, there was more to this spam than met the eye: a huge block of invisible white-on-white text, designed to confuse spam filters:

screenshot of spam (highlighting the hidden text)

(It actually went on for a lot longer than this, but this is enough to give you an idea of how it was constructed.)


Normally, spammers demonstrate a little more common sense than to send spam right to my Blue Coat e-mail. This is the equivalent of a bank robber mistaking a police station for a bank, and walking in to announce a hold-up.

However, I didn't get the satisfaction of personally flagging the target domain (, since WebPulse's SpamNet Tracker had already taken care of that for me.

Our logs showed two hits for, newly rolled out that day as the next domain in the on-going spam campaign. Both requests had been flagged as Suspicious in real-time, since the server hosting these sites had been identified over a week earlier (on 5/17, so this was a negative-seven-day block).


The current host IP address is, which is the fourth one we've seen used by this spam campaign.


Other recent domains used by this spammer include:


Which makes me wonder: If there's a better "home biz" than spamming, why doesn't this guy stop spamming, and just do that job instead? (Especially if he's dumb enough to spam Blue Coat directly...)