Flash in the Spam

OK, the title is a lousy play on words, but the new spam tactic with hyperlinks to Flash files is actually pretty neat. You most likely know by now that spammers will look for any way to bypass content-based anti-spam filters. And they tried a new trick today: sending spam messages whose call-to-action hyperlink actually pointed to a hosted Macromedia Flash file.

In case you are not familiar with Flash, it is the software program behind many animations on the Web (see, for example, the moving text and twirly rings on Commtouch’s home page). Flash is all over the Internet, but usually people do not link to the Flash files themselves (which have an ending of .swf) but rather to a regular web page which holds the Flash (which has an ending of .htm, .html, .asp, etc.). But if you link directly to a .swf file, most browsers will still play the Flash file. And if the Flash file is actually not an animation at all, and just contains a simple redirect to a pharmacy spam site, then, well, the spammer succeeded in getting the clicker to go to the spam site. Clever, huh?

Why would most web developers and legitimate email marketers not direct a visitor or email recipient straight to a hosted .swf (Flash) file? Because .swf files usually need some additional information to display properly: most notably, the browser needs to know what size to display the file at, and that information is provided by the page it sits in. So, these spammers are exploiting non-normative behavior (would you expect anything less?), figuring that content-based anti-spam filters would not be smart enough to scan for .swf files.

Even more interesting is where the .swf files are being hosted: a free image hosting site. Any anti-spam engine that tries to solve this issue by blocking all links from that site runs the risk of blocking legitimate messages with links to pictures of the grandkids (nasty false positives).  Commtouch Recurrent Pattern Detection technology blocks these and other types of spam messages based on recurrent data patterns in the massive outbreak.
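As an added illustration (not from the original post, and not Commtouch's technology), here is a per-link check a content filter could apply: it flags only hyperlinks whose path points straight at a .swf file, so image links on the same host are left alone. The message, hosts, paths and function names are constructed for the example.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Constructed sample message; hosts and paths are placeholders.
SAMPLE = """\
From: sender@example.com
Subject: constructed sample
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="http://images.example.net/u/123/offer.swf">Click here</a>
<a href="http://images.example.net/u/456/grandkids.jpg">Photos</a>
<a href="http://images.example.net/u/789/Promo%2ESWF?x=1">Deals</a>
<a href="http://www.example.com/page.html?file=movie.swf">Our site</a>
</body></html>
"""

class HrefCollector(HTMLParser):
    """Collect the href of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def is_direct_swf(url):
    """True when the URL path itself (not the query string) ends in .swf."""
    path = unquote(urlsplit(url).path)  # decode %2E etc. before comparing
    return path.lower().endswith(".swf")

def direct_swf_links(raw_message):
    """Return every link in the HTML parts that points straight at a .swf."""
    found = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True) or b""
        html = body.decode(part.get_content_charset() or "utf-8", "replace")
        collector = HrefCollector()
        collector.feed(html)
        found += [u for u in collector.hrefs if is_direct_swf(u)]
    return found

if __name__ == "__main__":
    print(direct_swf_links(SAMPLE))
```

The check decodes percent-escapes and ignores case, and it looks only at the URL path, so a normal web page that merely mentions a .swf name in its query string is not flagged.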

So… the question remains, will “Flash in the spam” be just a “flash in the pan”? (forgive me…I couldn’t resist) Well, this type of spam was being distributed in fairly massive quantities throughout today, and if traditional content-filters cannot find a way to block it easily, it could become another typical tactic added to spammers’ arsenals.
