Pharma, ISP spam invade inbox in May
Written by John P Mello Jr on June 8, 2010
My Internet Service Provider is very effective in blocking spam from my inbox. However, recently I noticed more junk mail sneaking through than is typically the case. So last month I decided to collect the pesky crap sneaking through my ISP’s filters. Here’s what I discovered.
An apparent tried and true technique for getting a subject line through a filter is to sprinkle numbers within words. So “From Canada to you” becomes “Fr4m C9nada to you” and “See huge discounts now” becomes “See hu2e discounts now.” The word medications is often misspelled “medication’s,” but that seems to be more an ignorant mistake than a devious tactic to breach anti-spam defenses. The mixed letters-numbers technique seems to be a favorite of pharmaceutical spammers.
What escapes me about the tack is that it actually makes identifying the junk easier for a user–even if spam filters appear to have trouble catching it. The numbers stick out in the subject’s words like a Goth at a young Christians convention so targets can send the electronic detritus to the trash without viewing its contents and without being tempted to click on the link in it.
The inside of the pharma spam messages is fairly simple. It consists of another mixed alpha-number phrase–“Canadian m36ication’s are cheaper,” for example, or “Sa1e4on your medication’s with us today”–a URL and several rows of letters and numbers. The URLs share one thing in common: the subdomain spaces.live.com. Although spaces.live.com belongs to Microsoft’s Live Spaces service, several sources on the Web note that the subdomain is just one stop in a series of redirects to a real spam site.
The letter-number dodge, by the way, was developed by spammers to fool signature-based filters. Those filters create signatures for spam messages from the text in them. The problem is, any change in text triggers a new signature. Spammers can keep one step ahead of the filters by automatically changing the text in each message. So a signature that identifies a message containing “m3dications” as spam won’t work on a message that uses “m7dications” in its text.
As with any automated scheme, patterns began to emerge that spam fighters could use to identify junk containing randomly generated characters, but spammers continually modify their methods, too, and have managed to stay ahead of the curve on their adversaries.
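An added example (not part of the original article) contrasting an exact-text signature with a structural check for digits spliced into words, run over subject lines quoted above plus constructed legitimate ones. The function names and the regex are illustrative assumptions; the check also flags legitimate tokens such as "k8s", so it belongs in a score, not a verdict.

```python
import hashlib
import re

# Subject lines quoted in the article.
SPAM_SUBJECTS = ["Fr4m C9nada to you", "See hu2e discounts now"]
# Constructed legitimate subjects that contain digits.
HAM_SUBJECTS = [
    "Your invoice 20100608 is ready",
    "Meeting moved to 3pm in room B2",
    "Win7 upgrade notes",
]

def signature(text):
    """Exact-text signature: any one-character change yields a new hash."""
    return hashlib.sha256(text.lower().encode("utf-8")).hexdigest()

# Letters, then one or more (digits + letters) groups: digits *inside* a word.
# Pure numbers ("20100608"), leading digits ("3pm") and trailing digits
# ("win7", "b2") do not match.
EMBEDDED_DIGITS = re.compile(r"^[a-z]+(?:\d+[a-z]+)+$")

def mangled_tokens(text):
    """Return tokens that look like words with digits spliced into them."""
    tokens = re.findall(r"[a-z0-9]+", text.lower())
    return [t for t in tokens if EMBEDDED_DIGITS.match(t)]

def skeleton(token):
    """Collapse each digit run to '?' so variants of one word compare equal."""
    return re.sub(r"\d+", "?", token.lower())

if __name__ == "__main__":
    # The article's pair: different signatures, identical skeleton.
    a, b = "m3dications", "m7dications"
    print("signatures equal:", signature(a) == signature(b))
    print("skeletons equal: ", skeleton(a) == skeleton(b), skeleton(a))
    for subject in SPAM_SUBJECTS + HAM_SUBJECTS:
        print(f"{subject!r:40} mangled={mangled_tokens(subject)}")
```
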
Another sortie launched on my inbox would have been insidious if it weren’t so incompetently handled. It involved inept phishers posing as personnel from my ISP. One message, for instance, had an address with my ISP’s domain on the “from:” line, but the “reply-to:” field had a mail2wold address. What’s more, the letter generator used to create the message apparently hiccupped in the middle of composing its malicious missive. “Please provide your details for our storage limit which is 10GB as set by your administrator immediately provide Your Dear [Web mail account] Subscriber,” it said.
Two other attacks that slid through my ISP’s defenses involved a phony support call. Both of the messages made the same addressing mistakes as the storage ploy. They used an address with my ISP’s domain in the originating address (one used the actual address of singer) and a foreign address in the reply field. The messages were a little better crafted than the storage ploy, but still contained fractured English and were transparently unofficial. Here’s what one said.
“There will be an upgrade in our system between May 25th to 2nd June 2010. Due to the anonymous registration of Webmail Account [ISP] and number of dormant accounts, we will be running this upgrade to determine the exact number of subscribers we have at present.
“Be instructed to login to your WEBMAIL.[ISP] email account to verify if your account is still valid and send immediately your login information’s [spammers have a lot of trouble with English plurals...] to enable us Verify [...as well as the use of verbs and uppercase letters] your account properly in other [sic] to keep your email account active so it will continue as normal.:
User ID
Password
Date of Birth
State
“Thanks for your attention to this request. Once again We apologize for any inconveniences. Warning!!! Account users that refuse to update His/her account within 24hrs of receiving this notifications will automatically have His/her account deactivated.”
While the substance of these attacks may be laughable, they’re serious business for their originators. It’s a business that, I believe, most of us can live without.






Thank you for the article. Same thing is going on in my junk box. {Pharmacy} “crap” neverending. Will try changing filters and keep a look at junk to see if this helps.