Spam Report January 2010

Upload: symantec-italia

Post on 12-May-2015

Category:

Technology


DESCRIPTION

The results of the Spam Report conducted by Symantec, updated to January 2010

TRANSCRIPT

Page 1: Spam Report January 2010

Notable highlights from December 2009 include the shift in the region of spam message origin and changes in the average size of spam messages. In recent months, APJ and South America have been taking spam share away from the traditional leaders of North America and EMEA. However, North America and EMEA together sent 57 percent of spam messages in December 2009, compared with 50 percent in November 2009. With respect to the average size of the messages, the 2kb-5kb message size category increased by 7 percentage points, while the 5kb-10kb message size category decreased by 6 percentage points in December 2009. This change corresponds with a decrease in attachment spam. Attachment spam averaged 4.48 percent in December 2009, compared with 5.28 percent in November 2009. With respect to all spam categories, health and product spam have increased, and now account for 52 percent of all spam messages. The following trends are highlighted in the January 2010 report:

Xmas Card, Loaded with Malware

Your Bank Has Declared Bankruptcy

Pills From Amazon?

December 2009: Spam Subject Line Analysis

“Dotted Quad” Spam Shows Signs of Eruption

Andy Lau Talks Chinese Invoice Spam

January 2010 Report #37

Dylan Morss Executive Editor Antispam Engineering

Eric Park Editor Antispam Engineering

Sagar Desai PR contact [email protected]

Xmas Card, Loaded with Malware

Last month’s State of Spam Report highlighted top seasonal subject lines as the holidays approached. Once again, Symantec researchers have monitored the typical holiday spam, ranging from replica goods and online pharmacy products to Nigerian-type scams. It was interesting to see a spam message pretending to be a holiday greeting card from a financial institution. It is also important to note that this spam message can be easily changed into a phishing/fraud message. This could be accomplished by making minor changes to the email message source.

Your Bank Has Declared Bankruptcy

Due to the current recession, the FDIC (Federal Deposit Insurance Corporation) has closed many failed banks. By mid-December, the FDIC had closed 140 banks in 2009. Given the amount of press coverage such news garners, it is no surprise that spammers are taking advantage of this trend for their benefit.

In the example above, spammers are claiming that the bank has declared bankruptcy. When the user clicks on the provided link to “learn how to save money,” Trojan.Pidief tries to install itself on the machine. Symantec advises users to check reliable news outlets as well as the official FDIC website to determine whether the banks indeed have been taken over by the government. As this example shows, spammers continue to look for ways to increase the chances of their messages being opened by users. Symantec expects such techniques to continue in 2010.

Pills from Amazon?

Spammers have been taking advantage of various “freeweb” services in an effort to bypass filters. Some have used URL shortening services to mask the true destination URL while others have abused a variety of social networking sites/tools by creating a profile that is really a spam campaign. While Symantec researchers have monitored spam which purported to be from Amazon, this particular spam message was different in that the spammer actually created an account on the retailer’s website. Then, the spammer sent the message via Amazon’s email system with its links. When users click on the link provided in the message, they are directed to the Amazon website.

December 2009: Spam Subject Line Analysis

In December 2009, the top ten subject lines used by spammers were dominated by a mixture of Nigerian-type and online pharmacy spam. This correlates with the doubling of the “health” category from 8 percent in November 2009 to 16 percent in December 2009. Meanwhile, NDR bounce spam, which appeared on the previous month’s list, averaged 1.28 percent of all spam (it accounted for 2.23 percent in November). Spam messages containing malware also fell, averaging 0.32 percent of all spam messages (they accounted for 1.35 percent in November).

“Dotted Quad” Spam Shows Signs of Eruption

Symantec researchers are observing an unusually large increase in the volume of spam containing hijacked IPs. Furthermore, review of spam with hijacked IPs indicates that one specific attack was responsible for this volume change.

Spam messages with hijacked IPs more than tripled in December 2009, compared with the volume in November 2009. While this type of attack makes up a very small chunk of overall spam messages, there were certain periods in December when “dotted quad” spam accounted for a significant percentage. For example, such spam was over 25 percent of overall spam during the hour of 6:00 am PST on December 24th.

Symantec researchers investigated such spikes and found consistency among the spam messages. A particular spam attack leading users to online pharmacy sites was using hijacked IPs in its campaign.

As always, users cannot be certain whether the medications are genuine, if they are even delivered in the first place. Worse, there is a high possibility that users who order through these sites become victims of identity theft. Users are advised to consult with their doctors for their health needs.
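The hourly share described above can be measured on a mail gateway's own traffic. The following Python sketch is an added example, not code from the Symantec report; it assumes that “dotted quad” spam means messages whose links use a raw IPv4 address as the host, and the sample messages (documentation IP ranges, example domains) are constructed.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def ip_literal_urls(body):
    """Return the URLs in body whose host is a raw IPv4 address."""
    hits = []
    for url in URL_RE.findall(body):
        try:
            host = urlsplit(url).hostname
            # Rejects names that merely start with digits, e.g.
            # 198.51.100.7.example.net, which is an ordinary hostname.
            ipaddress.IPv4Address((host or "").rstrip("."))
        except ValueError:
            continue
        hits.append(url)
    return hits

def hourly_share(messages):
    """Map each hour to the percentage of messages with an IP-literal link."""
    totals, flagged = defaultdict(int), defaultdict(int)
    for received, body in messages:
        hour = datetime.fromisoformat(received).strftime("%Y-%m-%d %H:00")
        totals[hour] += 1
        if ip_literal_urls(body):
            flagged[hour] += 1
    return {h: 100.0 * flagged[h] / totals[h] for h in totals}

# Constructed sample: (receive time, message body)
SAMPLE = [
    ("2009-12-24T06:05:00", "Cheap meds http://192.0.2.10/rx now"),
    ("2009-12-24T06:20:00", "Newsletter: http://news.example.com/issue/12"),
    ("2009-12-24T06:40:00", "See http://198.51.100.7.example.net/ for details"),
    ("2009-12-24T06:55:00", "Order at HTTP://203.0.113.5:8080/p?id=1"),
    ("2009-12-24T07:10:00", "Meeting notes attached, no links"),
]

if __name__ == "__main__":
    for hour, pct in sorted(hourly_share(SAMPLE).items()):
        print(f"{hour}  {pct:.1f}% of messages link to a raw IP")
```

A sudden rise in this percentage for a single hour is the kind of spike the report describes; the flagged URLs can then be compared across messages to see whether one campaign accounts for it.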

Andy Lau Talks Chinese Invoice Spam

While invoice spam makes up a large slice of Chinese spam, the message often contains a plain text-based advertisement (although the text may be an image). In the example below, spammers are leveraging a celebrity’s status by using Andy Lau’s image. Users should not call a number featured in invoice spam, regardless of who is speaking.

Checklist: Protecting your business, your employees and your customers

Do

Unsubscribe from legitimate mailings that you no longer want to receive. When signing up to receive mail, verify what additional items you are opting into at the same time. De-select items you do not want to receive.

Be selective about the Web sites where you register your email address.

Avoid publishing your email address on the Internet. Consider alternate options – for example, use a separate address when signing up for mailing lists, get multiple addresses for multiple purposes, or look into disposable address services.

Using directions provided by your mail administrators, report missed spam if you have an option to do so.

Delete all spam.

Avoid clicking on suspicious links in email or IM messages as these may be links to spoofed websites. We suggest typing web addresses directly into the browser rather than relying upon links within your messages.

Always be sure that your operating system is up-to-date with the latest updates, and employ a comprehensive security suite. For details on Symantec’s offerings of protection visit http://www.symantec.com.

Consider a reputable antispam solution to handle filtering across your entire organization such as Symantec Brightmail messaging security family of solutions.

Keep up to date on recent spam trends by visiting the Symantec State of Spam site which is located here.

Do Not

Open unknown email attachments. These attachments could infect your computer.

Reply to spam. Typically the sender’s email address is forged, and replying may only result in more spam.

Fill out forms in messages that ask for personal or financial information or passwords. A reputable company is unlikely to ask for your personal details via email. When in doubt, contact the company in question via an independent, trusted mechanism, such as a verified telephone number, or a known Internet address that you type into a new browser window (do not click or cut and paste from a link in the message).

Buy products or services from spam messages.

Open spam messages.

Forward any virus warnings that you receive through email. These are often hoaxes.

Metrics Digest: Regions of Origin

Defined: Region of origin represents the percentage of spam messages reported coming from certain regions and countries in the last 30 days.

Metrics Digest: URL TLD Distribution

Metrics Digest: Average Spam Message Size

Metrics Digest: Spam Attack Vectors

Metrics Digest: Global Spam Categories

Internet Email attacks: Specifically offering or advertising Internet or computer-related goods and services. Examples: web hosting, web design, spamware

Health Email attacks: Offering or advertising health-related products and services. Examples: pharmaceuticals, medical treatments, herbal remedies

Leisure Email attacks: Offering or advertising prizes, awards, or discounted leisure activities. Examples: vacation offers, online casinos

Products Email attacks: Offering or advertising general goods and services. Examples: devices, investigation services, clothing, makeup

Financial Email attacks: Contain references or offers related to money, the stock market or other financial “opportunities.” Examples: investments, credit reports, real estate, loans

Fraud Email attacks: Appear to be from a well-known company, but are not. Also known as “brand spoofing” or “phishing,” these messages are often used to trick users into revealing personal information such as email address, financial information and passwords. Examples: account notification, credit card verification, billing updates

419 spam Email attacks: Named after the section of the Nigerian penal code dealing with fraud, this refers to spam email that typically alerts an end user that they are entitled to a sum of money, by way of lottery, a retired government official, new job or a wealthy person who has passed away. This is also sometimes referred to as advance fee fraud.

Political Email attacks: Messages advertising a political candidate’s campaign, offers to donate money to a political party or political

Adult Email attacks: Containing or referring to products or services intended for persons above the age of 18, often offensive or inappropriate. Examples: porn, personal ads, relationship advice