During the past two weeks, Symantec has observed an increase in hit & run spam activities (also known as snowshoe spam) in its Global Intelligence Network. Hit & run spam messages have the following characteristics:
- Usually originate from IP ranges with neutral reputation
- Use a large IP range to dilute the amount of spam sent from each IP address
- Contain features (such as Subject line, From line, and URLs) that change quickly
- Use a URL as the call-to-action
- Often use a large quantity of “throw-away” domains in a single spam campaign
Here is a breakdown of the top three products or services promoted by such spam over the last week:

| Date | #1 Spam Promo | #2 Spam Promo | #3 Spam Promo |
|------|---------------|---------------|---------------|
| 3/11 | Solar panels | Hair loss medication | Auto insurance |
| 3/12 | Hair loss medication | Non-stick pan | Home security system |
| 3/13 | Hair loss medication | Maid service | Auto insurance |
| 3/14 | Hair loss medication | Maid service | Auto insurance |
| 3/15 | Maid service | Pet medication | Backyard makeover |
| 3/16 | Non-stick pan | Pet medication | Cleaning product |
| 3/17 | Auto clearance | Refinance offer | Credit card offer |
| 3/18 | Life insurance | Auto warranty | Ink cartridges |

In addition to the above, there were also hit & run messages promoting the following products or services:
- Auto warranty
- Satellite TV
- Learning a new language
- Floral products
- Auto loan
- Free credit reports
- Online dating service
- Work-at-home opportunities
- LASIK service
The spammer uses varying subject lines to offer the same type of product or service. For example, here is a list of sample subject lines offering a hair loss product:
Subject: Finally a hair solution that works for Women
Subject: Attention Women: Get fuller hair risk free
Subject: See the latest trick for thinning hair
Subject: Try the newest solution to regrow hair. Risk Free
Subject: See how celebs get fuller thicker hair
Subject: Attention Women: See the latest trick to restore hair
In addition, some spammers insert hyphens at random locations to further increase their chances of successfully delivering the spam message. Here is a list of sample subject lines offering home security:
Subject: [BRAND NAME REMOVED] De-aler $99 Install He-re to help Pro-tect You
Subject: [BRAND NAME REMOVED] monitored and Dea-ler installed
Subject: [BRAND NAME REMOVED] De-aler Installed se-curity sy-stem $99
Subject: [BRAND NAME REMOVED] De-aler Fr-ee Sys-tem Of-fer
Subject: [BRAND NAME REMOVED] Home Security is #1- Fr-ee Security Sy-stem!
Subject: [BRAND NAME REMOVED] is #1 This De-aler has a $99 Install
Subject: [BRAND NAME REMOVED] monitored se-curity from Top De-aler $99 install
Subject: [BRAND NAME REMOVED] can help pro-tect your home in 2012
Subject: [BRAND NAME REMOVED] Auth De-aler $99 install with Fr-ee S-ystem
Subject: [BRAND NAME REMOVED] De-aler $99 Of-fer Dont settle for le-ss
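
An added example, not part of the original post and not Symantec's filter logic: one way a defender could undo the hyphen splitting before keyword matching, run over the ten home-security subject lines quoted above. The `KEYWORDS` watch list and all function names are assumptions made for the illustration.

```python
import re

# Hyphen with a letter on both sides ("De-aler"); the one after "1" in "#1- Fr-ee" is kept.
INTRAWORD_HYPHEN = re.compile(r"(?<=[A-Za-z])-(?=[A-Za-z])")
WORD = re.compile(r"[a-z0-9]+")

# Assumed watch list for this campaign; chosen for the example, not from the post.
KEYWORDS = {"dealer", "security", "system", "protect", "free", "offer"}

# The home-security subject lines quoted above, brand placeholder as on the page.
B = "[BRAND NAME REMOVED] "
SUBJECTS = [
    B + "De-aler $99 Install He-re to help Pro-tect You",
    B + "monitored and Dea-ler installed",
    B + "De-aler Installed se-curity sy-stem $99",
    B + "De-aler Fr-ee Sys-tem Of-fer",
    B + "Home Security is #1- Fr-ee Security Sy-stem!",
    B + "is #1 This De-aler has a $99 Install",
    B + "monitored se-curity from Top De-aler $99 install",
    B + "can help pro-tect your home in 2012",
    B + "Auth De-aler $99 install with Fr-ee S-ystem",
    B + "De-aler $99 Of-fer Dont settle for le-ss",
]

def raw_tokens(subject):
    """Word tokens as a naive keyword filter sees them: 'De-aler' -> 'de', 'aler'."""
    return set(WORD.findall(subject.lower()))

def joined_tokens(subject):
    """Word tokens after intra-word hyphens are removed: 'De-aler' -> 'dealer'."""
    return set(WORD.findall(INTRAWORD_HYPHEN.sub("", subject.lower())))

def split_keywords(subject, keywords=KEYWORDS):
    """Keywords that exist only in the de-hyphenated form, i.e. were split apart."""
    return (joined_tokens(subject) - raw_tokens(subject)) & keywords

def summarize(subjects, keywords=KEYWORDS):
    """Compare a raw keyword match with one that also checks de-hyphenated tokens."""
    raw = sum(1 for s in subjects if raw_tokens(s) & keywords)
    joined = sum(1 for s in subjects
                 if (raw_tokens(s) | joined_tokens(s)) & keywords)
    split = sum(1 for s in subjects if split_keywords(s, keywords))
    return {"raw_hits": raw, "joined_hits": joined, "split_keyword_subjects": split}

if __name__ == "__main__":
    print(summarize(SUBJECTS))
    # Constructed legitimate subject: ordinary compounds are not reported as split keywords.
    print(split_keywords("Risk-free trial of a non-stick pan"))
```

On these samples a raw token match catches 1 of the 10 subjects, while matching on the de-hyphenated tokens catches all 10. Ordinary compounds such as "non-stick" are not flagged, because only watch-list words that appear solely after joining count as split keywords.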
While the presence of a URL is not the only condition for a message to qualify as hit & run spam, the chart below shows that the percentage of spam messages containing a URL increased during the past week:
Symantec continues to monitor this trend and create additional filters to target these attacks. In addition, Symantec advises enterprises and consumers to adopt the best practices found in the Symantec Intelligence Report.