Too Early to Give Thanks for Less Spam

For those of you optimists who thought the post-McColo low spam levels would stay depressed indefinitely, well, I guess the time has come to face the fact that there is no Santa Claus. And no spam-related reason to give thanks at tomorrow’s Thanksgiving holiday in the USA. Because spam levels are creeping back up. Not to pre-McColo levels, mind you, but just give the spammers some time, and I’m sure they will come back full force once they get their act together again.

The snapshot below is of one of Commtouch’s many servers that analyze spam traffic; bear in mind it’s just one server, so it doesn’t show the entire picture, but it’s fairly representative, which is why I selected this particular server (in consultation with our illustrious spam analysts, of course). This is not the spam people see in their inboxes, but rather, it’s a graph of the spam Commtouch is blocking with Recurrent Pattern Detection technology.

You can see a pretty regular pattern of peaks & valleys leading up to McColo’s demise, then a precipitous cliff, followed by nearly three weeks of very low spam levels; it really looks like this patient is on his way out. But after day in, day out of just a very weak pulse, suddenly the heart starts beating again, we start seeing stronger and stronger peaks…everyone can breathe a sigh of… relief? agony? either way, this patient is not dying, but rather, coming back to life! The spammers have overcome the passing of McColo.

OK, annoying medical metaphors aside, what is going on here? The peaks represent spam outbreaks. And what kind of outbreaks are the spammers using to celebrate their return? None other than our old friend, Canadian Pharmacy. These are big waves of spam messages that contain hyperlinks to images and links hosted on Microsoft’s live.spaces.com in the format “[random numbers].live.spaces.com”. The links on these pages all led to various Canadian Pharmacy sites.

Sample live.spaces.com page that advertises for and links to Canadian Pharmacy

There were also some messages with .cn hyperlinks that linked directly to a site that redirected to a Canadian Pharmacy site. I did a little digging using “whois” just to see who the people are who register all of these URLs that point to Canadian Pharmacy. I checked a handful of domains, and all of them were registered to various people in Moscow, with free email addresses. The .cn domains I checked that were within the spam messages themselves were registered in China. Canadian? I think not.

Here’s wishing the world lots of other, truly important reasons to give thanks at tomorrow’s holiday (lack of spam globally not being one of them).
