Royal Wedding attended by spammers

According to Amanda Grady, a principal analyst with Symantec, the most interesting aspect of the Royal Wedding spam seen so far is that it is not loaded with malware, but instead attempts to sell fake goods.

"Although infected botnet machines are responsible for the vast majority of spam sent globally (77% at the end of 2010), these attacks do not fall in that category, and in fact the IP which is sending the spam is the same as the one hosting the domain which is linked to in the email", she says in her latest security blog.

"This domain has also been used in other spam campaigns, such as the long running Who's Who social networking spam messages. It was registered on February 9, 2011, using Moniker Privacy Services for anonymity, and since then has been used in at least half a million spam emails", she adds.

Dissecting the spam, Grady reports that if a user clicks on the link in the email, it first redirects to the Lynxtrack.com domain, which checks that the user’s IP address is based in the US before redirecting to the final destination product site.

The product site, she asserts, was registered much earlier, on December 21, 2010, using a different registration service, indicating that the people behind the site might be purchasing spam services rather than sending it themselves.

The Symantec researcher calls these types of spam attacks 'snowshoe' campaigns, and claims her research teams are seeing at least 350,000 messages a day originating under the scheme.

"As the British Royal wedding gets closer though, we do expect to see it featured in other spam campaigns to attract users' attention or at the very least in scraped news headlines", she says.
