Online pharmacy spam using Amazon as bait

After sending waves of spams looking like phishing emails in the name of Twitter and Facebook, now it is Amazon’s turn. In the last days there were waves of spams looking like the one below which on first sight look like a classic phishing email.

I thought that the email is just another spam email until I looked in the header. The last Received header is:

Received: from mm-notify-out-209-61.amazon.com (mm-notify-out-209-61.amazon.com [72.21.209.61])
by smtp.secureserver.net with ESMTP id 49ou8155526jwu.74.20100620193745;
Sun, 20 Jun 2010 22:37:45 +0200
Date: Sun, 20 Jun 2010 22:37:45 +0200
From: "Amazon.com" <digital-no-reply@amazon.com>
Reply-To: Nobody <digital-no-reply@amazon.com>

There are also some X- keywords which pretend to be from Amazon:

X-AMAZON-CLIENT-HOST: digital-docs-dope-5002.iad5.amazon.com
Bounces-to: 20100620193745z6y7749jql964bn8m2026wm3i251cl0t@bounces.amazon.com
X-AMAZON-CLIENT-SENDTIME: Sun, 20 Jun 2010 22:37:45 +0200
X-AMAZON-MAIL-RELAY-TYPE: notification
X-AMAZON-RTE-VERSION: 2.0

It seems the spammers wrote the headers prior sending the email through the botnet. The sender is from a domain belonging to Ukraine.

For the trained eyes: Noticed the error in the Received header? There is the date written in the Received header with a newline. This should be an error in the SMTP header, but Mozilla and Windows Mail don’t seem to care at all.

Here is how the headers look like in an original email from Amazon:

Return-Path: <emailSenderApp+Correios-RTFM-UF9pCRbkV1@bounces.amazon.com>
Received: from mm-retail-out-12102.amazon.com (EHLO mm-retail-out-12102.amazon.com)
[87.238.84.26] by x.host.com with SMTP; 21 Jun 2010 10:13:12 +0200
Received: from unknown (HELO massmail-sender-eu-14003.dub4.amazon.com)
([10.34.8.33]) by mm-retail-out-12102.amazon.com with ESMTP;
21 Jun 2010 08:12:59 +0000
Date: Mon, 21 Jun 2010 08:12:58 +0000 (UTC)
Message-ID: <23932643.91984131277107978872.JavaMail.em-build@eu-mm-relay.amazon.com>
Content-Type: multipart/alternative;
 	boundary="----=_Part_18209870_8296286.1277107978871"
Bounces-to: emailSenderApp+Correios-RTFM-UF9pCRbkV1@bounces.amazon.com
X-AMAZON-MAIL-RELAY-TYPE: merchandizing
X-AMAZON-RTE-VERSION: 2.0

Once you click on any link in the email, you are redirected to a classical (fake) Canadian Pharmacy website.

Avira AntiSpam marks this email as Phishing, because it has exactly the same structure as a phishing email. The URL is also blocked as Spam URL.

Sorin Mustaca
Manager International Software Development