October 29, 2010

All Tricks & No Treat for Anti-Spam Engines


Spammers don't appear to be running out of tricks up their sleeves when it comes to bypassing anti-spam engines. Websense Security Labs™ ThreatSeeker™ Network found that spammers have slightly changed their tactics in the recent World Pharmacy campaign. Note that the earlier variant of the World Pharmacy campaign is still active at the time of writing. Our customers are proactively protected against this ongoing and evolving spam campaign by ACE, our Advanced Classification Engine.

While abusing free services offered by legitimate and highly reputable companies is not new, this trick doesn't seem to grow old. In fact, it appears to serve the spammers' intent well, as inspecting the links in the sample email below shows. Earlier variants of this spam campaign used compromised sites in their links. However, in an effort to evade detection, the newer variants abuse Google's free translation service, Google Translate, as a redirector to the spam site rather than as the site translator the service is meant to be.

Since the domain used in the email's links, http://translate.google.com, obviously belongs to a legitimate company, the message may pass as a legitimate email. The translator then redirects users to snipsoftwaresnip.ru, a site that was in English all along: further evidence that the sole purpose of using such services is to bypass spam filters. Spammers also exercise their business skills by re-using the same email template to sell OEM software, in which case the redirect lands on sites selling OEM software merchandise.


The earlier variants of the World Pharmacy spam emails were well crafted and could pass as a legitimate newsletter to unsuspecting eyes. The newer version appears to fall short of that craftiness: the text is all over the place and looks 'space-happy', with stray spaces between words.


However, a closer look at the email reveals that what appear to be spaces between words are actually characters in the same color as the background. Unless highlighted, the human eye sees only spaces between words. Anti-spam engines see this differently and process the whole run as a single string of text. Since anti-spam engines rely mostly on text patterns, such a string can easily pass spam filters. For example, an email containing the word "pharmacy" may be tagged as spam, but if there is text (hidden or not) before and/or after the word, say "hellopharmacybuy", the email may not be treated as spam at all. This trick is, of course, another effort to evade detection.
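As an added illustration (not code from the original post), the following Python splits a constructed HTML message into the text a naive pattern matcher sees and the text a reader sees, treating text coloured like the `<body bgcolor>` as hidden. It assumes the 2010-style `<font color>` markup; inline CSS colours are not handled.

```python
import re
from html.parser import HTMLParser

# Constructed sample message body: filler text coloured like the background
# surrounds the keyword, so a reader sees "pharmacy" framed by blank space.
SAMPLE_HTML = (
    '<body bgcolor="#FFFFFF">Get your '
    '<font color="#ffffff">hello</font>pharmacy<font color="#ffffff">buy</font>'
    ' order today</body>'
)

class HiddenTextSplitter(HTMLParser):
    """Separate text a reader sees from text whose colour matches the body background."""

    def __init__(self):
        super().__init__()
        self.background = None   # bgcolor of <body>, lower-cased
        self.colours = []        # stack of currently open <font color=...> values
        self.all_text = []       # every text node, in document order
        self.visible = []        # text nodes not hidden by colour matching
        self.hidden = []         # text nodes hidden by colour matching

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag == "body" and "bgcolor" in a:
            self.background = a["bgcolor"]
        elif tag == "font":
            self.colours.append(a.get("color", ""))

    def handle_endtag(self, tag):
        if tag == "font" and self.colours:
            self.colours.pop()

    def handle_data(self, data):
        self.all_text.append(data)
        hidden = bool(self.colours) and self.colours[-1] == self.background
        (self.hidden if hidden else self.visible).append(data)

def split_text(html):
    """Return (text as a naive extractor sees it, text as a reader sees it, hidden fragments)."""
    p = HiddenTextSplitter()
    p.feed(html)
    p.close()
    return "".join(p.all_text), "".join(p.visible), p.hidden

def keyword_hits(text, keywords=("pharmacy",)):
    """Whole-word keyword matches, the kind of pattern rule the hidden filler defeats."""
    return [k for k in keywords if re.search(rf"\b{re.escape(k)}\b", text, re.I)]

if __name__ == "__main__":
    naive, seen, hidden = split_text(SAMPLE_HTML)
    print("naive extractor sees:", repr(naive), keyword_hits(naive))
    print("reader sees         :", repr(seen), keyword_hits(seen))
    print("hidden fragments    :", hidden)  # non-empty is itself a spam signal
```

A filter that matches only on the naive string misses the keyword; matching on the reader-visible string, or flagging the presence of background-coloured text at all, catches the message.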


Another noticeable difference in the newer variant is the number of legitimate links to reputable companies hidden in the email, including Google, Alexa, Facebook, Twitter, Bing and eBay. This may be an attempt to earn a good reputation score based on how many legitimate links the email contains.


So far, the campaign only contains links to pharmacy and OEM software spam sites. We will continue to monitor this spam campaign and will let you know of any developments. As a parting note, always be cautious when opening emails from unknown senders.

