theoldwolf: (Default)
Recently two email addresses which are linked to businesses that I run have been flooded with Russian pharmacy spam. These addresses have been quiet for years, but apparently the spammers were able to scrape them from somewhere. Interestingly enough, both Comcast and Gmail filter these types of ads on the front end, so I never see them, but these two addresses are linked to Hostgator, which has no such front-end spam filters; however, they are kind enough to flag them as spam based on the following criteria:

[URIs: rxsexpills03.ru] Contains an URL listed in 5 separate blocklists
0.0 HK_NAME_DRUGS From name contains drugs
4.4 KB_RATWARE_OUTLOOK_MID KB_RATWARE_OUTLOOK_MID
1.6 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT
[187.114.172.92 listed in bb.barracudacentral.org]
0.0 HTML_MESSAGE BODY: HTML included in message
1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
1.8 LONGWORDS Long string of long words
0.0 TO_IN_SUBJ To address is in Subject
0.0 T_REMOTE_IMAGE Message contains an external image
0.0 SUBJ_OBFU_PUNCT_FEW Possible punctuation-obfuscated Subject: header
The only thing visible in the email are the above images, but behind the images are long strings of random text:

telling offices mattocks meantime you transmutation shown islands dat unto former miracle passengers swilldown let remedy herbstinking traveller comte arrived recall bow nose short bedlam philosophers between stomach expugnatory wolves fine big quod worth put secured arimaspes prisoners longskirted loads roasted jasper arch platonic wolves convocated estienne occidental dingdong. each farthingale packing nick bowl administer delectable woodporter anchovy news cups gave overthrow cups friar archer gave hereafter reckoning thither [...]

These are designed to thwart Bayesian spam filtering, but for the most part are not effective.

Click on the link, and you are redirected to an ever-changing URL, which AVG promptly blocks:

In other words, not only are they trying to sell you worthless, counterfeit drugs and steal your credit card information, but you're also downloading some sort of virus. AVG outlines the nature of the Pharmacy Spam Exploit; Symantec provides a detailed explanation of how the Pharmacy Spam operation is structured; and the Spamhaus project provides a list of the world's 10 most prolific spammers. I do not doubt that this latest flood of hqiz is coming from one of these operations.

While stemming the tide may seem like an impossible task, it is somewhat comforting to know that there are people out there working on it, and, as the case of the Estonian gang shows, they can succeed in shutting down illegal operations.

I'm grateful to providers like Comcast who filter this stuff out before it even gets to my computer, and to those working to combat this plague; also to AVG, which provides protection against countless threats and exploits.

Moral: Practice safe computing, don't click on unknown links in email messages, and make sure you have good anti-virus protection running on your machine.

Page generated Jun. 16th, 2025 05:40 pm
Powered by Dreamwidth Studios