Spam Landscape Marked By Big Players, Clever Tactics

Written by

A new look at the spam landscape has found that generally, the both inbound and outbound spam volumes are at reasonable levels, but an analysis of the spam that’s being generated shows a few notable trends.

According to Cloudmark, a few rogue ISPs are significantly skewing the statistics for the worse. A full 14% of the spam originating in the UK could be traced to a single Scottish ISP, Iomart, and the high level of spam from Germany to the UK was due in large part to just three networks.

In terms of other major trends, one involves the variety of URLs used. Cloudmark explained that recently, a number of new top level domains (TLDs) like .ninja, .science, and .rocks have become available. Cloudmark research shows that the cheaper the domain registration, the more likely it is to be abused by spammers, with free TLDs being almost entirely used for spam. Two outliers for this rule are .science, which is attractive to spammers because it sounds reputable, and .xxx which is attractive to spammers because it sounds disreputable.

“If spammers always used the same call to action URL in their emails, that would be easy to filter,” Cloudmark said in its report. “To try to get their spam delivered they need huge numbers of different URLs, though these may redirect to the same few landing pages. We took a look at two techniques that spammers are using to generate redirectors: URL shorteners like and, and click tracking services offered by emails service providers (ESPs).”

In both cases, Cloudmark found that spammers will go where the security is weakest, and will move to a different provider should their current target improve security. Case in point: A year ago, Twitter’s URL shortener was a major target for spammers, but as it tightened up security, the spammers switched to using

Spammers are going for more complex tactics as well, especially on the mobile front. For instance, most phone carriers provide free gateways that will take an incoming email message and forward it to a phone as an SMS message. Since it is easier and cheaper to send spam emails than spam SMS messages, these gateways have always been targets for spammers. In fact, three arrested in the successful take down of the Darknode cybercrime forum are accused of participating in a sophisticated scheme to maintain a spam botnet that utilized bulletproof servers in China to exploit vulnerable routers in third world countries, which sent millions of electronic mail messages designed to defeat the spam filters of cellular phone providers.

In terms of lures, worldwide, Cloudmark said that it’s seeing various phishing attacks, including one aimed at people who list items for sale on Craigslist, and also marketing for dubious adult services.

Also, the firm tracked a recent spam attack that was specifically targeted at small businesses. It used fake resumes to try to trick owners into installing ransomware on their computers. Though largely targeted at the US, Cloudmark detected this attack directed at users in fourteen countries on five continents. Ransomware is an increasing threat to all computers, but it’s a particular threat to small businesses, which may have mission-critical data on a single computer without adequate backup.

There is some good news in the spam world to highlight: In April, the FTC filed suit against Sale Slash, alleging that it was responsible for the sale of diet pills using spam marketing, and a variety of fraudulent claims including the use of Oprah Winfrey’s name and image. According to the FTC’s court filings, Sale Slash paid over ten million dollars to one of the spammers promoting their products, identified only by an email address and an offshore bank account in Curacao. Since then Cloudmark has seen a 79% reduction in diet pill spam, and a 90% reduction in new diet pill URLs found in spam.

What’s hot on Infosecurity Magazine?