Hotmail Welcome Letter Camouflages Pharma Spam
The Commtouch Detection Center identified a massive outbreak of pharmaceutical image spam that started last week, with a neat new trick: the spammers camouflaged their messages as Hotmail welcome messages. They literally took the text and layout of the Hotmail messages and hid it within the body of the HTML source. They did another cute trick by swapping out all the MSN URLs with random web domains, so the message would appear to content scanners to have dozens of URLs. That second trick alone could have stumped filters that decide whether a message is spam by looking up the URLs that appear in it. Incidentally, the URLs are primarily for images, which of course do not exist, since the domains are just random nonsense.
To the recipient, of course, the message appears to be pharmaceutical image spam, since all of these HTML tricks are happening behind the scenes. The recipient does not see any indication of the MSN-related text, or the random URLs to nonexistent images. The only image they see is that of the spam message. The image is served from a spammer web site, and not embedded within the message itself, so it’s not technically the “image-based spam” that drove us all crazy in 2006-7.
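As an added example (not Commtouch's detection logic), a filter-side check can split an HTML body into what the client renders and what it hides, then flag messages where a visible remote image is surrounded by hidden text and hidden URLs. It assumes the decoy is hidden with inline CSS, which the post does not specify; the names, the threshold and the sample message are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the decoy is hidden with inline CSS; the post does not say how.
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])", re.I)
VOID = {"img", "br", "hr", "meta", "link", "input"}  # tags with no end tag

class Scanner(HTMLParser):
    """Splits words and URL hosts into what the client renders and what it hides."""
    def __init__(self):
        super().__init__()
        self.stack = []  # one flag per open element: does it hide its subtree?
        self.words = {"visible": 0, "hidden": 0}
        self.hosts = {"visible": set(), "hidden": set()}
        self.visible_images = 0
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hides = bool(HIDDEN.search(a.get("style") or ""))
        bucket = "hidden" if hides or any(self.stack) else "visible"
        for key in ("href", "src"):
            host = urlparse(a.get(key) or "").hostname
            if host:
                self.hosts[bucket].add(host)
        if tag == "img" and bucket == "visible":
            self.visible_images += 1
        if tag not in VOID:
            self.stack.append(hides)
    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()
    def handle_data(self, data):
        self.words["hidden" if any(self.stack) else "visible"] += len(data.split())

def scan(html_body, min_hidden_hosts=3):
    """Flag bodies whose text and URLs sit mostly in hidden markup around a visible image."""
    s = Scanner()
    s.feed(html_body)
    hidden_hosts = s.hosts["hidden"] - s.hosts["visible"]  # hosts the reader never sees
    flagged = (s.visible_images >= 1 and s.words["hidden"] > s.words["visible"]
               and len(hidden_hosts) >= min_hidden_hosts)
    return {"flagged": flagged, "hidden_words": s.words["hidden"],
            "visible_words": s.words["visible"], "hidden_hosts": sorted(hidden_hosts)}

# Constructed sample, not a captured message; all hosts are placeholders.
SAMPLE = """<html><body><a href="http://shop.example/"><img src="http://shop.example/ad.gif"></a>
<div style="display:none"><p>Welcome to your new mail account. Here are some tips.</p>
<img src="http://qzxv.example/logo.gif"><img src="http://wplk.example/top.gif">
<a href="http://mbrt.example/help">Help</a></div></body></html>"""
print(scan(SAMPLE))
```

The useful signal for a URL-reputation filter is the `hidden_hosts` list: those hosts can be given little or no weight in lookups, since the recipient never sees them.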
How massive is this attack? Commtouch Detection Center reported upwards of 250 million messages per hour during the attack’s peak. It seems to be tapering off by now, but is still in the millions of messages per hour.
February 18th, 2008 at 2:37 am
[...] main deception used in the message to bypass email filtering engines is the use of Hotmail content in the source of the message, the same trick that I described back in January. In the sample written about a few weeks back, the [...]
May 6th, 2008 at 4:28 pm
[...] may recall that we wrote about spammers who used Microsoft Hotmail content within the source of their messages, hidden from the reader (except for those techies who [...]
July 15th, 2008 at 6:31 am
[...] on the trend from the past few months of using standard MSN messages (links and all) to embed spam communication, now malware distributors are doing the same thing, [...]