Online pharmacy spam using Amazon as bait

After waves of spam disguised as phishing emails in the name of Twitter and Facebook, it is now Amazon’s turn. Over the last few days there have been waves of spam messages like the one below, which at first sight look like classic phishing emails.

I thought that the email was just another spam email until I looked at the headers. The last Received header is:

Received: from ( [])
by with ESMTP id 49ou8155526jwu.74.20100620193745;
Sun, 20 Jun 2010 22:37:45 +0200
Date: Sun, 20 Jun 2010 22:37:45 +0200
From: "" <>
Reply-To: Nobody <>

There are also some X- headers which pretend to come from Amazon:

X-AMAZON-CLIENT-SENDTIME: Sun, 20 Jun 2010 22:37:45 +0200

It seems the spammers wrote the headers prior to sending the email through the botnet. The sender is from a domain belonging to Ukraine.

For the trained eye: did you notice the error in the Received header? The date in the Received header is written on a new line. This should be an error in the SMTP header, but Mozilla and Windows Mail don’t seem to care at all.

Here is what the headers look like in a genuine email from Amazon:

Return-Path: <>
Received: from (EHLO
[] by with SMTP; 21 Jun 2010 10:13:12 +0200
Received: from unknown (HELO
([]) by with ESMTP;
21 Jun 2010 08:12:59 +0000
Date: Mon, 21 Jun 2010 08:12:58 +0000 (UTC)
Message-ID: <>
Content-Type: multipart/alternative;
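
The two header observations above (a Received date placed on a new line, and sender-written timestamps identical to the Received timestamp) can be checked mechanically. The following Python is an added example, not code from the original post or from Avira; the host names, addresses and ids in the samples are constructed placeholders, it assumes the error is a continuation line without the leading whitespace RFC 5322 folding requires, and the timestamp match is a heuristic hint, not proof.

```python
import re
from email.utils import parsedate_to_datetime

FIELD = re.compile(r"^([!-9;-~]+):[ \t]*(.*)$")  # RFC 5322 field name + colon

def parse_ts(text):
    """Parse an RFC 5322 date; return None if the text is not a date."""
    try:
        return parsedate_to_datetime(text.strip())
    except (TypeError, ValueError, IndexError):
        return None

def audit_headers(raw):
    """Return a list of findings for one raw header block."""
    findings, fields = [], []
    for n, line in enumerate(raw.splitlines(), 1):
        if not line:
            break                                   # blank line ends the headers
        m = FIELD.match(line)
        if line[0] in " \t" and fields:
            fields[-1][1] += " " + line.strip()     # correctly folded continuation
        elif m:
            fields.append([m.group(1).lower(), m.group(2)])
        else:
            findings.append(f"line {n}: continuation line lacks leading whitespace")
            if fields:                              # recover like a lenient mail client
                fields[-1][1] += " " + line.strip()
    # Timestamps in Received headers vs. timestamps the sender writes itself.
    relay = [parse_ts(v.rsplit(";", 1)[-1]) for k, v in fields if k == "received"]
    same = [k for k, v in fields
            if (k == "date" or k.startswith("x-"))
            and parse_ts(v) is not None and parse_ts(v) in relay]
    if len(same) >= 2:  # Date plus an X- header matching to the second
        findings.append("identical to a Received timestamp: " + ", ".join(same))
    return findings

# Constructed samples: only the timestamps are taken from the post.
FORGED = ("Received: from host.example ([192.0.2.10])\n"
          " by mx.example.net with ESMTP id constructed-id;\n"
          "Sun, 20 Jun 2010 22:37:45 +0200\n"
          "Date: Sun, 20 Jun 2010 22:37:45 +0200\n"
          "X-AMAZON-CLIENT-SENDTIME: Sun, 20 Jun 2010 22:37:45 +0200\n")
GENUINE = ("Received: from mail.example.com (EHLO mail.example.com)\n"
           " [192.0.2.20] by mx.example.net with SMTP; 21 Jun 2010 10:13:12 +0200\n"
           "Date: Mon, 21 Jun 2010 08:12:58 +0000 (UTC)\n"
           "Message-ID: <constructed@example.com>\n")

if __name__ == "__main__":
    for name, sample in (("forged", FORGED), ("genuine", GENUINE)):
        print(name, audit_headers(sample))
```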

Once you click on any link in the email, you are redirected to a classic (fake) Canadian Pharmacy website.

Avira AntiSpam marks this email as Phishing because it has exactly the same structure as a phishing email. The URL is also blocked as a Spam URL.

Sorin Mustaca
Manager International Software Development