
Russian Pharmacy Spam

Recently two email addresses which are linked to businesses that I run have been flooded with Russian pharmacy spam. These addresses have been quiet for years, but apparently the spammers were able to scrape them from somewhere. Interestingly enough, both Comcast and Gmail filter these types of ads on the front end, so I never see them, but these two addresses are linked to Hostgator, which has no such front-end spam filters; however, they are kind enough to flag them as spam based on the following criteria:

[URIs: rxsexpills03.ru] Contains an URL listed in 5 separate blocklists
0.0 HK_NAME_DRUGS From name contains drugs
[ listed in bb.barracudacentral.org]
0.0 HTML_MESSAGE BODY: HTML included in message
1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
1.8 LONGWORDS Long string of long words
0.0 TO_IN_SUBJ To address is in Subject
0.0 T_REMOTE_IMAGE Message contains an external image
0.0 SUBJ_OBFU_PUNCT_FEW Possible punctuation-obfuscated Subject: header

The only things visible in the email are the images; behind them are long strings of random text:

telling offices mattocks meantime you transmutation shown islands dat unto former miracle passengers swilldown let remedy herbstinking traveller comte arrived recall bow nose short bedlam philosophers between stomach expugnatory wolves fine big quod worth put secured arimaspes prisoners longskirted loads roasted jasper arch platonic wolves convocated estienne occidental dingdong. each farthingale packing nick bowl administer delectable woodporter anchovy news cups gave overthrow cups friar archer gave hereafter reckoning thither [...]

This word salad is meant to poison Bayesian spam filtering by diluting the obviously spammy tokens with a mass of harmless-looking ones, but for the most part it is not effective.
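As an added example (not code from the post), the following minimal Paul Graham-style Bayesian filter in Python shows why the salad fails: tokens the filter has never seen get a neutral probability of 0.5, and only the fifteen most "interesting" tokens (those farthest from 0.5) are combined, so the handful of strongly spammy words decide the verdict no matter how much filler is appended. The four spam and four ham training messages and the pharmacy ad are constructed for this example; the word salad is the one quoted above. The last case is the caveat a practitioner should know: the salad only starts to work once the filter has been taught that those words are ham.

```python
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z]+")
NEUTRAL = 0.5               # probability given to tokens never seen in training
CLAMP_LO, CLAMP_HI = 0.01, 0.99
MAX_INTERESTING = 15        # Graham combines only the tokens farthest from 0.5


def tokenize(text):
    """Lowercase word tokens, deduplicated, in order of first appearance."""
    return list(dict.fromkeys(TOKEN_RE.findall(text.lower())))


class GrahamFilter:
    """Minimal Graham-style filter: per-document token counts, no minimum
    occurrence rule and no doubling of ham counts (simplifications)."""

    def __init__(self):
        self.spam_docs = self.ham_docs = 0
        self.spam_counts = Counter()
        self.ham_counts = Counter()

    def train(self, text, is_spam):
        tokens = tokenize(text)
        if is_spam:
            self.spam_docs += 1
            self.spam_counts.update(tokens)
        else:
            self.ham_docs += 1
            self.ham_counts.update(tokens)

    def token_probability(self, token):
        """P(spam | token), clamped; unseen tokens are neutral."""
        b, g = self.spam_counts[token], self.ham_counts[token]
        if b == 0 and g == 0:
            return NEUTRAL
        bad = b / self.spam_docs if self.spam_docs else 0.0
        good = g / self.ham_docs if self.ham_docs else 0.0
        return min(CLAMP_HI, max(CLAMP_LO, bad / (bad + good)))

    def spam_score(self, text):
        """Combine the most interesting token probabilities into one score."""
        probs = [self.token_probability(t) for t in tokenize(text)]
        probs.sort(key=lambda p: abs(p - NEUTRAL), reverse=True)  # stable sort
        prod_p = prod_q = 1.0
        for p in probs[:MAX_INTERESTING]:
            prod_p *= p
            prod_q *= 1.0 - p
        return prod_p / (prod_p + prod_q)


# Constructed training corpus (not from the post).
SPAM_TRAINING = [
    "cheap pills online pharmacy order now",
    "discount pills viagra cheap pharmacy",
    "order viagra online discount pills",
    "cheap pharmacy pills no prescription",
]
HAM_TRAINING = [
    "meeting tomorrow about the project budget",
    "please send the invoice for the project",
    "lunch tomorrow after the meeting",
    "budget review and invoice approval",
]
# The word salad quoted in the post (hidden behind the ad images).
WORD_SALAD = (
    "telling offices mattocks meantime you transmutation shown islands dat "
    "unto former miracle passengers swilldown let remedy herbstinking traveller "
    "comte arrived recall bow nose short bedlam philosophers between stomach "
    "expugnatory wolves fine big quod worth put secured arimaspes prisoners "
    "longskirted loads roasted jasper arch platonic wolves convocated estienne "
    "occidental dingdong. each farthingale packing nick bowl administer "
    "delectable woodporter anchovy news cups gave overthrow cups friar archer "
    "gave hereafter reckoning thither"
)
PHARMACY_AD = "cheap pills from our online pharmacy order now"  # constructed


def build_filter(extra_ham=()):
    f = GrahamFilter()
    for msg in SPAM_TRAINING:
        f.train(msg, True)
    for msg in (*HAM_TRAINING, *extra_ham):
        f.train(msg, False)
    return f


def demo():
    """Return (plain, poisoned, learned) spam scores for the constructed ad."""
    f = build_filter()
    plain = f.spam_score(PHARMACY_AD)
    poisoned = f.spam_score(PHARMACY_AD + " " + WORD_SALAD)
    # Caveat: the salad only helps the spammer once the filter has been taught
    # that those words are ham (here, by training on the salad as a ham message).
    learned = build_filter(extra_ham=[WORD_SALAD]).spam_score(
        PHARMACY_AD + " " + WORD_SALAD)
    return plain, poisoned, learned


if __name__ == "__main__":
    labels = ("plain ad", "ad + salad", "ad + salad, salad trained as ham")
    for label, score in zip(labels, demo()):
        print(f"{label:36s} spam probability = {score:.6f}")
```

With the salad unseen, the plain and poisoned scores are identical: every salad token is 0.5 and contributes equally to both sides of the combination, while the six 0.99 tokens from the ad dominate. Once the salad has been learned as ham, nine of its 0.01 tokens displace the neutral ones among the fifteen most interesting and the score collapses, which is exactly the outcome the spammer is betting on and why you should not train a filter on word salad as ham.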

Click on the link, and you are redirected to an ever-changing URL, which AVG promptly blocks.

In other words, not only are they trying to sell you worthless, counterfeit drugs and steal your credit card information, but the landing page also tries to push malware onto your machine. AVG outlines the nature of the Pharmacy Spam Exploit; Symantec provides a detailed explanation of how the Pharmacy Spam operation is structured; and the Spamhaus project provides a list of the world's 10 most prolific spammers. I do not doubt that this latest flood of hqiz is coming from one of these operations.
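The practitioner's way to learn where such a link goes, without clicking it, is to follow the redirect chain by hand from an isolated analysis host. The tracer below is an added example, not a tool from the post or from AVG: it disables urllib's automatic redirect handling, issues HEAD requests, records every Location hop, and stops on a non-redirect status, a loop, or a hop limit. The hostnames in the offline table are constructed (the reserved `.example` domain), and the real shortener used by the spam is unknown.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_head(url, timeout=10):
    """Issue one HEAD request; return (status, Location header or None).
    Run this only from an isolated box: it contacts the spammer's servers."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(
        url, method="HEAD", headers={"User-Agent": "redirect-tracer/0.1"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects disabled, 3xx as well as 4xx/5xx arrive here.
        return err.code, err.headers.get("Location")


def trace_redirects(url, fetch=http_head, max_hops=10):
    """Follow Location headers manually and return (chain, last_status, reason).
    reason is 'final' (non-3xx reached), 'loop', or 'hop-limit'."""
    chain, seen = [url], {url}
    status = None
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return chain, status, "final"
        url = urljoin(url, location)   # Location may be relative
        chain.append(url)
        if url in seen:
            return chain, status, "loop"
        seen.add(url)
    return chain, status, "hop-limit"


# Constructed offline stand-in for the network: URL -> (status, Location).
FAKE_HOPS = {
    "http://shortener.example/r/abc": (302, "http://tracker.example/go?id=1"),
    "http://tracker.example/go?id=1": (301, "/landing/pills.html"),
    "http://tracker.example/landing/pills.html": (200, None),
    "http://loop.example/a": (302, "http://loop.example/b"),
    "http://loop.example/b": (302, "http://loop.example/a"),
}


def fake_fetch(url):
    return FAKE_HOPS.get(url, (404, None))


def demo_offline():
    """Trace the two constructed chains without touching the network."""
    return (trace_redirects("http://shortener.example/r/abc", fetch=fake_fetch),
            trace_redirects("http://loop.example/a", fetch=fake_fetch))


if __name__ == "__main__":
    for chain, status, reason in demo_offline():
        print(f"{reason} (status {status}):")
        for hop in chain:
            print("   ", hop)
```

Replace `fake_fetch` with the default `http_head` to trace a real link; the chain it prints is what you feed into blocklist or reputation lookups, and the loop and hop-limit guards keep a hostile redirector from spinning the tracer forever.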

While stemming the tide may seem like an impossible task, it is somewhat comforting to know that there are people out there working on it who, as the case of the Estonian gang shows, can succeed in shutting down illegal operations.

I'm grateful to providers like Comcast who filter this stuff out before it even gets to my computer, and to those working to combat this plague; also to AVG, which provides protection against countless threats and exploits.

Moral: Practice safe computing, don't click on unknown links in email messages, and make sure you have good anti-virus protection running on your machine.




May. 18th, 2012 02:44 pm (UTC)
"Herbstinking"? Where did that come from? All the Google hits are from pages of random text.


The Old Wolf



Powered by LiveJournal.com