Popular Spammers’ Strategies and Tactics

by Dancho Danchev [Published on 14 Nov. 2007 / Last Updated on 14 Nov. 2007]

An assessment of several recent spam campaigns, demonstrating the key concepts spammers use, and providing concise strategic advice on how to undermine their current model.

During 2007, spammers worldwide demonstrated their adaptability to the ongoing efforts anti-spam vendors put into ensuring their customers enjoy a spam-free inbox. What strategies do spammers use to achieve this? What tactics do they use to obtain email addresses, verify their validity, reach as many recipients as possible in the shortest achievable time span, and make sure their campaigns remain virtually impossible to shut down?

In this article I am going to assess several different recent spam campaigns in order to demonstrate key concepts spammers use, and provide concise strategic advice on how to undermine their current model.

The Broken Direct Marketing Model Spammers Use

By the time I finish writing the first sentence of this article, hundreds of thousands of spam emails will have reached a great many mailboxes. Why is spam so successful at the bottom line? The truth is that it isn't, and, most interestingly, it doesn't have to be for spammers to keep doing it: the direct marketing model behind it is broken, spammers are simply not interested in admitting it, and their economics mean they don't need to. How is this possible? Rather simply: while some market participants are busy harvesting email addresses to sell on, others build the sending infrastructure, so that a run of several million messages reaches break-even even if only a handful of recipients actually buy something.

Some of the most recent spam cases illustrate what gaining a tactical advantage truly means. When anti-spam vendors finally managed to detect image-based spam, spammers simply switched to PDF attachments and, more innovative still, to MP3 pump-and-dump messages. According to a well known anti-spam vendor, in October alone approximately 15 million MP3 audio files were circulating across the globe. What is the next logical tactic? Video-based spam, where the only trade-off for the spammer is the cost of producing the video files efficiently. Moreover, the vulnerability-to-exploit-to-mass-mailing cycle isn't just getting shorter; it is also yet another indication that spammers, phishers and malware authors are consolidating and becoming more organized. Among the most recent examples of this consolidation is a PDF vulnerability currently being spammed on a mass scale, with its malicious payload pointing to a well known hosting provider of malicious software, the RBN.

Popular Spammers’ Tactics

Tactics are very different from strategies: they are the execution phase of a strategy, a distinction spammers have been aware of for a while. Let's discuss some popular spammers' tactics to reveal the techniques they use.

Redirectors/doorway pages

Redirectors and doorway pages use visual social engineering to help the spammer establish a trust relationship with the prospective customer, and they improve the odds of getting past the anti-spam filters in place, since the link in the message points at a reputable free host rather than at the spam domain itself. In most cases, accounts get registered at free web space providers such as Geocities, and a couple of lines of JavaScript on the otherwise empty page redirect the visitor to the actual spam domain. Let's illustrate this. All of the following Geocities pages were responding at the time of writing and acting as redirectors to recently spammed domains such as onlinemedcross.com, rxlovecaptain.com and pharmacysitetown.com:

  • geocities.com/RickieWood35
  • geocities.com/AdolphBarr30
  • geocities.com/BlakeBender94
  • geocities.com/JohnieWaller66
  • geocities.com/ChangWashington95
  • geocities.com/AvaMendoza19
  • geocities.com/KimberleyHebert77
  • geocities.com/TaylorSanchez69
  • geocities.com/FrankieCase81
  • geocities.com/ElliotPugh01
  • geocities.com/VernonCantrell39
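As an added example (this is not code from the original article), here is a small scanner for the redirector pattern described above. Given the body of a page fetched from a free-hosting account, it extracts the destinations of meta-refresh and JavaScript redirects and reports any destination outside the hosting provider's own domain as a doorway target. The HTML snippets are constructed for illustration; the destination domains are the ones named above, but which snippet belongs to which account is hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# JavaScript redirects of the shape seen on doorway pages:
#   location = "..."; window.location.href = "..."; location.replace("...")
JS_REDIRECT = re.compile(
    r"""\b(?:window|document|top|self|parent)?\.?\s*\blocation
        (?:\s*\.\s*href)?
        \s*(?:=|\.\s*(?:replace|assign)\s*\()
        \s*['"]([^'"]+)['"]""",
    re.IGNORECASE | re.VERBOSE,
)
META_URL = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.IGNORECASE)


class _RedirectScanner(HTMLParser):
    """Collects meta-refresh targets and redirect targets found in <script> bodies."""

    def __init__(self):
        super().__init__()
        self.targets = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_URL.search(a.get("content", ""))
            if m:
                self.targets.append(m.group(1))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands over the whole <script> body as one data chunk
        if self._in_script:
            self.targets.extend(JS_REDIRECT.findall(data))


def find_redirect_targets(html, hosting_domain):
    """Return redirect destinations that leave the free host (the doorway pattern)."""
    scanner = _RedirectScanner()
    scanner.feed(html)
    scanner.close()
    external = []
    for url in scanner.targets:
        host = (urlparse(url).hostname or "").lower()
        if host and host != hosting_domain and not host.endswith("." + hosting_domain):
            external.append(url)
    return external


def redirect_domains(pages, hosting_domain):
    """Map each page name to the sorted list of domains it redirects to."""
    return {
        name: sorted({urlparse(u).hostname for u in find_redirect_targets(body, hosting_domain)})
        for name, body in pages.items()
    }


# Constructed page bodies; the destination domains are those named in the article.
SAMPLE_PAGES = {
    "meta-refresh": (
        '<html><head><meta http-equiv="refresh" '
        'content="0;url=http://onlinemedcross.com/?aff=35"></head><body></body></html>'
    ),
    "js-href": (
        '<html><body><script type="text/javascript">\n'
        'window.location.href = "http://rxlovecaptain.com/index.php";\n'
        "</script></body></html>"
    ),
    "js-replace": "<html><body><script>location.replace('http://pharmacysitetown.com/')</script></body></html>",
    "benign": (
        '<html><body><script>var page = 1; document.getElementById("a").href = "about.html";</script>'
        '<a href="http://www.geocities.com/somebody/about.html">About</a></body></html>'
    ),
}

if __name__ == "__main__":
    for name, domains in redirect_domains(SAMPLE_PAGES, "geocities.com").items():
        print(f"{name:12} -> {domains or 'no external redirect'}")
```

A page whose only content is a redirect away from the host it lives on is the signature worth alerting on; the scanner deliberately ignores ordinary links so that a legitimate personal page linking to other sites is not flagged.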

How are spammers managing to register accounts at free web space providers in an efficient manner given the CAPTCHAs that are in place to ensure such automatic registrations become futile? By either adapting the CAPTCHA breaking process, or entirely outsourcing it as you’ll see later on in this article.

Rapid tactical warfare

From plain ASCII to TXT, XLS, FDF, RTF, PDF, image and now MP3 spam: these are all examples of rapid tactical warfare, constantly switching the distribution format in order to undermine the reactive response of anti-spam vendors, and to hide behind something no business can filter wholesale: file attachments.

Verification/confirmation of delivery

Of the several hundred thousand spam emails sent in a campaign, only a small percentage will be successfully delivered, and not only because they get filtered as spam: a lot of the addresses on a harvested list are spam poison, fake and non-existent addresses seeded on purpose. Spammers therefore became interested in confirming delivery, and even in verifying that the addresses to be spammed are real before sending, either with software tools such as the High Speed Verifier, or by tricking the recipient into confirming the address manually by asking him or her to "unsubscribe". Thinking they've unsubscribed, the end user has in fact confirmed that the address is valid, despite the bogus confirmation message that follows:

"Your unsubscribe request for email address 'example@example.com' has been successfully received. Please allow 24-48 hours for your email to be completely removed from the system."

The second most common tactic spammers use to confirm both that a message was opened and that the recipient's address is live is embedding remotely loaded images with a unique tracking ID per email, abusing the default remote image loading behaviour of the most popular email clients and webmail services.
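As an added example covering both verification tactics above (not code from the original article), the following parses an HTML message body, flags remote images that look like tracking beacons (tiny dimensions or a per-recipient token in the URL), flags "unsubscribe" links whose URL identifies the recipient, and shows what a client's "do not load remote images" setting achieves by stripping the beacons. The message body, hostnames (under the reserved .invalid TLD) and the token heuristic are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# A long opaque path segment or query value is what a per-recipient tracking ID looks like.
TOKEN = re.compile(r"^[A-Za-z0-9_\-]{16,}$")
REMOTE = ("http://", "https://")


class _MailScanner(HTMLParser):
    """Collects remote <img> sources and <a href> links together with their anchor text."""

    def __init__(self):
        super().__init__()
        self.images = []      # (src, width, height)
        self.links = []       # (href, anchor text)
        self._link = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img" and a.get("src", "").lower().startswith(REMOTE):
            self.images.append((a["src"], a.get("width", ""), a.get("height", "")))
        elif tag == "a" and "href" in a:
            self._link = [a["href"], ""]

    def handle_data(self, data):
        if self._link is not None:
            self._link[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._link is not None:
            self.links.append(tuple(self._link))
            self._link = None


def _scan(html):
    s = _MailScanner()
    s.feed(html)
    s.close()
    return s


def has_tracking_token(url):
    """True if the URL carries something that looks like a per-recipient identifier."""
    u = urlparse(url)
    parts = [seg.rsplit(".", 1)[0] for seg in u.path.split("/") if seg]  # drop .gif etc.
    for values in parse_qs(u.query).values():
        parts.extend(values)
    return any(TOKEN.match(p) for p in parts)


def find_beacons(html):
    """Remote images that are either tiny (1x1) or carry a tracking token."""
    beacons = []
    for src, w, h in _scan(html).images:
        tiny = w.strip() in ("0", "1") and h.strip() in ("0", "1")
        if tiny or has_tracking_token(src):
            beacons.append(src)
    return beacons


def find_confirmation_links(html):
    """'Unsubscribe' links whose URL identifies the recipient: clicking confirms the address."""
    return [
        href for href, text in _scan(html).links
        if re.search(r"unsubscribe|remove me|opt.?out", text, re.I) and has_tracking_token(href)
    ]


def strip_remote_images(html):
    """Equivalent of a mail client refusing to load remote images: no fetch, no confirmation."""
    return re.sub(r"<img\b[^>]*\bsrc\s*=\s*['\"]https?://[^>]*>", "", html, flags=re.I)


# Constructed message body; .invalid is a reserved TLD, so nothing here resolves.
SAMPLE_EMAIL = """<html><body>
<p>Dear customer, our prices are lower than ever!</p>
<img src="http://track.example.invalid/o/8f3a19c2d4e65b7a0f1c2d3e4f5a6b7c.gif" width="1" height="1">
<img src="http://cdn.example.invalid/logo.png" width="200" height="60">
<p><a href="http://track.example.invalid/u?id=8f3a19c2d4e65b7a0f1c2d3e4f5a6b7c">Unsubscribe</a>
from this list.</p>
<p><a href="http://shop.example.invalid/">Order now</a></p>
</body></html>"""

if __name__ == "__main__":
    print("beacons:", find_beacons(SAMPLE_EMAIL))
    print("confirmation links:", find_confirmation_links(SAMPLE_EMAIL))
    print("beacons after stripping:", find_beacons(strip_remote_images(SAMPLE_EMAIL)))
```

Stripping remote images neutralizes the beacon, but nothing in the message can neutralize the unsubscribe link: the only defence there is not clicking it for mail you never opted into.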

Popular Spammers’ Strategies

Strategies are the long-term objectives spammers set out to achieve over a period of time, whereas the tactics previously discussed usually get most of the media attention. It's the big picture this section tries to reveal.

Consolidation

Having already touched on the ongoing consolidation of spammers, phishers and malware authors, it's worth discussing why it is happening and how each of these market participants came to rely on the others to improve their effectiveness. The allure of being self-sufficient doesn't count for much given a spammer's results-oriented attitude. Spammers excel at harvesting and purchasing email addresses and at sending and successfully delivering the messages; phishers are masters of social engineering; and malware authors, or botnet masters in this case, provide the infrastructure for both the fast-fluxed spam and the scam sites in the form of infected hosts. We've been witnessing this consolidation for quite some time now, and some recent events illustrate the development of an underground ecosystem: spam that comes with embedded keyloggers, phishing emails that carry malware, and the rather ironic case of malware infected hosts inside Pfizer spamming Viagra emails.

Outsourcing

Outsourcing is still a buzzword, and the cost-effectiveness and low entry barriers that come with it have a great impact on a spammer's mindset. A recently exposed managed spamming appliance service is a great example of spammers outsourcing all their needs to a third-party service provider: the service takes care of supplying infected bots, templates for the spam emails and sites, and a fast-flux infrastructure so that the campaign lives longer and remains as untraceable as possible. Take for instance onlinemedcross.com, one of the domains behind the redirector URLs listed earlier. It is in a rather modest fast-flux right now, modest in the sense of slow updates compared to Storm Worm's fast-flux domains, for instance.


Image 1
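To make the difference between "modest" and Storm-style fast-flux concrete, here is an added example (not code from the original article) that profiles repeated DNS lookups of a domain: how many distinct addresses and distinct networks appear, how short the TTLs are, and how often the answer set changes. The observations are constructed (RFC 1918 and RFC 5737 addresses stand in for infected hosts), the /16 prefix is a cheap offline stand-in for an ASN lookup, and the thresholds in classify() are illustrative rather than anything the article specifies.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from statistics import mean


@dataclass(frozen=True)
class Lookup:
    """One A-record answer for the domain: observation time (s), TTL (s), answered IPs."""
    t: int
    ttl: int
    ips: tuple


def network_prefix(ip, bits=16):
    """Offline stand-in for an ASN lookup: the /16 the address falls in."""
    return str(ip_network(f"{ip}/{bits}", strict=False))


def flux_profile(lookups):
    """Summarize how the answer set for a domain behaves over repeated lookups."""
    ips = [ip for l in lookups for ip in l.ips]
    distinct = set(ips)
    changes = sum(1 for a, b in zip(lookups, lookups[1:]) if set(a.ips) != set(b.ips))
    return {
        "lookups": len(lookups),
        "distinct_ips": len(distinct),
        "distinct_prefixes": len({network_prefix(ip) for ip in distinct}),
        "mean_ttl": mean(l.ttl for l in lookups),
        "answer_changes": changes,
    }


def classify(profile):
    """Heuristic labels; thresholds are illustrative, not taken from the article."""
    if profile["answer_changes"] == 0:
        return "stable"
    if (profile["mean_ttl"] <= 600
            and profile["distinct_prefixes"] >= 5
            and profile["answer_changes"] >= profile["lookups"] // 2):
        return "fast-flux"
    if profile["distinct_prefixes"] >= 3:
        return "slow-flux"
    return "rotating-single-network"   # round-robin or CDN-like behaviour, not flux


# Constructed observations.
FAST_FLUX = [   # Storm-style: short TTL, every answer a fresh set of bots in unrelated networks
    Lookup(0,   300, ("10.11.4.2", "10.27.9.14", "10.33.1.77", "10.58.200.5")),
    Lookup(300, 300, ("10.27.9.14", "10.61.3.3", "10.72.8.19", "10.90.12.40")),
    Lookup(600, 300, ("10.5.66.1", "10.61.3.3", "10.101.7.7", "10.140.2.2")),
    Lookup(900, 300, ("10.19.0.8", "10.120.45.6", "10.150.3.3", "10.201.9.1")),
]
SLOW_FLUX = [   # the modest variety: hour-long TTLs, the set rotates only occasionally
    Lookup(0,     3600, ("10.44.2.9", "10.88.7.1")),
    Lookup(3600,  3600, ("10.44.2.9", "10.88.7.1")),
    Lookup(7200,  3600, ("10.44.2.9", "10.88.7.1")),
    Lookup(10800, 3600, ("10.88.7.1", "10.133.5.5")),
]
STABLE = [Lookup(t, 86400, ("192.0.2.10",)) for t in (0, 3600, 7200)]
ROUND_ROBIN = [  # low TTL but all answers inside one network: looks flux-like, is not
    Lookup(0,   60, ("198.51.100.10", "198.51.100.11")),
    Lookup(60,  60, ("198.51.100.11", "198.51.100.12")),
    Lookup(120, 60, ("198.51.100.12", "198.51.100.10")),
]

if __name__ == "__main__":
    for name, obs in [("FAST_FLUX", FAST_FLUX), ("SLOW_FLUX", SLOW_FLUX),
                      ("STABLE", STABLE), ("ROUND_ROBIN", ROUND_ROBIN)]:
        p = flux_profile(obs)
        print(f"{name:12} {classify(p):24} {p}")
```

The ROUND_ROBIN case is the caveat a practitioner needs: a short TTL alone is not evidence of flux, since load-balanced and CDN-fronted sites use short TTLs too. What sets a flux network apart is rotation across many unrelated networks, which is why network diversity, not TTL, carries most of the weight in the heuristic.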

Affiliation based models – let the others spam for you

Affiliation-based incentive models are a rather new development in the world of spam. Spammers rely on the fact that, given enough incentive, third parties will find their own ways of delivering the message to a large number of people, and will even go beyond email and start targeting instant messaging.

Conclusion and Recommendations for Undermining the Spammers’ Strategies

In a perfect world there are no malware infected computers, so spammers would have to go back to finding and abusing misconfigured SMTP servers, once their main resource and nowadays a scarce one. For the time being, spammers excel at the tactical level, and among the best long-term recommendations anti-spam vendors could follow is to become more innovative at filtering spam as it leaves an organization's network, compared to the current model of only filtering what comes in.
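As an added example of what outbound filtering looks like in practice (this is not from the original article), the following runs a simple detection over constructed flow records: an internal host that opens SMTP connections to dozens of distinct outside mail servers within a few minutes is almost certainly an infected machine sending spam direct-to-MX, since workstations only ever submit mail to the organization's own relay. It also emits the matching egress policy as iptables rules. The log format, addresses, relay list and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed flow-log format: "<epoch> <src-ip> -> <dst-ip>:<dport>"
FLOW = re.compile(
    r"^(?P<ts>\d+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)


def parse_flows(lines):
    for line in lines:
        m = FLOW.match(line.strip())
        if m:
            yield int(m["ts"]), m["src"], m["dst"], int(m["dport"])


def direct_to_mx_hosts(lines, sanctioned_relays, window=600, max_distinct_mx=20):
    """Internal hosts speaking TCP/25 to too many distinct servers within one window.

    The organization's own relays legitimately talk to many mail exchangers and are exempt;
    any other host doing so is treated as an infected machine spamming direct-to-MX.
    """
    seen = defaultdict(lambda: defaultdict(set))   # src -> window bucket -> {dst}
    for ts, src, dst, dport in parse_flows(lines):
        if dport != 25 or src in sanctioned_relays:
            continue
        seen[src][ts // window].add(dst)
    return sorted(src for src, buckets in seen.items()
                  if max(len(d) for d in buckets.values()) >= max_distinct_mx)


def egress_rules(client_net, sanctioned_relays, chain="FORWARD"):
    """iptables rules: clients may reach the sanctioned relays on TCP/25 and nothing else."""
    rules = [f"iptables -A {chain} -s {client_net} -p tcp --dport 25 -d {r} -j ACCEPT"
             for r in sanctioned_relays]
    rules.append(f"iptables -A {chain} -s {client_net} -p tcp --dport 25 -j LOG --log-prefix 'direct-to-mx: '")
    rules.append(f"iptables -A {chain} -s {client_net} -p tcp --dport 25 -j REJECT --reject-with tcp-reset")
    return rules


RELAYS = {"10.1.0.25"}   # the organization's sanctioned outbound relay (assumed)
BASE = 1195000200        # constructed start time, aligned to the 600 s window


def make_sample_log():
    """Constructed traffic: one bot spamming direct-to-MX, the relay, one normal workstation."""
    lines = []
    # infected workstation: 40 distinct outside MXs in six minutes
    lines += [f"{BASE + i * 9} 10.1.5.23 -> 203.0.113.{i + 1}:25" for i in range(40)]
    # the real relay legitimately talks to many MXs
    lines += [f"{BASE + i * 7} 10.1.0.25 -> 198.51.100.{i + 1}:25" for i in range(50)]
    # ordinary workstation: submits mail to the relay, browses the web
    lines += [f"{BASE + 100} 10.1.7.8 -> 10.1.0.25:25", f"{BASE + 130} 10.1.7.8 -> 192.0.2.80:80"]
    return lines


if __name__ == "__main__":
    log = make_sample_log()
    print("suspected bots:", direct_to_mx_hosts(log, RELAYS))
    print("\n".join(egress_rules("10.1.0.0/16", sorted(RELAYS))))
```

The detection and the policy complement each other: the REJECT rule stops an infected host from delivering anything direct-to-MX, and the LOG rule in front of it turns every blocked attempt into the evidence that identifies which machine to clean.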

The big picture doesn't look very favourable either, and from my perspective fighting spam on an international level is done the wrong way. It requires both pragmatic legislation and a self-regulating attitude on the part of the ISPs and countries responsible for sending the spam you receive. The current legislation model places the responsibility on the person sending the spam, an interesting exercise in itself given that the spam is sent from malware infected hosts on behalf of a hard to trace third party. And even if it is traced back, the spammer will quickly be replaced, thanks to the broken model we currently use for dealing with spam.

We all know that each country has a top 10 list of its most aggressive spamming ISPs, yet these very ISPs sell anti-spam services that, in some cases, may in fact be filtering the incoming spam sent by infected hosts on their own networks. Fight incoming spam or fight outgoing spam? It's all a matter of how pragmatic your solution to the problem is on a large scale, and of how much lobbying power you have.

The Author — Dancho Danchev

Dancho Danchev is an independent security consultant who has extensive experience with security practices such as penetration testing, malware, risk management and strategic security consultancy. Besides his active contributions to the scene, Dancho is also involved in business development, marketing research and PR activities for numerous organizations, both security and new media ones. He maintains a popular information security blog sharing real-time threat intelligence data with the rest of the world on a daily basis.