New spam outbreak for meds

Over the last two weeks we have followed how a small meds spam campaign for penis enlargement pills has turned into a real outbreak. The emails are very well crafted, and they can rather easily confuse some spam filters.

Meds-Spam

The advertising email appears to be sent from the receiver’s own email address, trying to convince the filter that the user is sending himself an email with some text and a picture. The text is always different and has the following format:

You are receiving this newsletter because you subscribed to the <some company name> Group newsletter as <email>. If you wish to change or remove your email address, please visit <this link>.

<Some company name> Group respects your privacy. <Our privacy policy>.

The unsubscribe link has a very interesting format:
http://<subdomain>.<host>.cn/<number>.shtml?mail=<emailaddress>

In each email, the subdomain is different from the link where the site is located, but the host is the same. The host name is a random name registered in China. The URL is specially crafted for the email address of the receiver. If someone clicks on the link, the spammers will probably know that someone is behind that email address and that the email was not blocked somewhere.

Also interesting is the link at the top of the page: "If this doesn’t appear correctly in your email client, please visit this <link>". The link has the same unique ID as the unsubscribe link, but without the email address.

Needless to say, all the links go to the main page of the meds site.
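The traits described above can be checked together in a mail filter. The following is an added example, not code from the original post: the function name, the indicator labels, and the sample message (addresses, host name, numeric ID) are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit, parse_qs

ID_PATH = re.compile(r"^/(\d+)\.shtml$")      # /<number>.shtml, as in the article
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample; addresses and host names are placeholders.
SAMPLE = """\
From: user@example.com
To: user@example.com
Subject: Newsletter

If this doesn't appear correctly, please visit
http://abc.hostname-placeholder.cn/48213.shtml
To change or remove your email address, please visit
http://xyz.hostname-placeholder.cn/48213.shtml?mail=user@example.com
"""

def campaign_indicators(raw_message):
    """Return the set of campaign traits found in one raw message."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    hits = set()
    if sender and sender == rcpt:
        hits.add("sender_equals_recipient")
    body = "".join(p.get_payload(decode=True).decode("utf-8", "replace")
                   for p in msg.walk() if p.get_content_maintype() == "text")
    tracked, plain = set(), set()
    for url in URL_RE.findall(body):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        m = ID_PATH.match(parts.path)
        if not m or not host.endswith(".cn") or host.count(".") < 2:
            continue
        # Key on host + numeric ID because the subdomain varies per link.
        key = (".".join(host.split(".")[-2:]), m.group(1))
        mail = parse_qs(parts.query).get("mail", [""])[0].lower()
        if mail and mail == rcpt:
            hits.add("recipient_in_url")
            tracked.add(key)
        elif not mail:
            plain.add(key)
    if tracked & plain:
        hits.add("shared_id_links")
    return hits

if __name__ == "__main__":
    print(sorted(campaign_indicators(SAMPLE)))
```

Any single indicator is weak on its own; a filter would normally score the combination rather than block on one match.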

Sorin Mustaca
Manager International Software Development