Surge in attachment spam a sign of desperation, say experts

Overall spam levels flat so criminals try to rebuild bots

Botnet criminals have flooded the Internet with a surge of attachment spam in recent weeks in a desperate attempt to rebuild a spam-distribution industry under pressure, security experts have suggested.

Although this surge has been widely reported as a significant return for spam generally, levels are in fact subdued. It is more likely a sign of stress for a part of the cybercrime economy that has had a bad year.

Figures from M86 Security (see below graph) show a spike in attachment spam (emails with malware files attached) beginning at the beginning of August, which at one point accounted for a quarter of all spam seen by the company. That is more than a blip - attachment spam normally makes up fractions of a percent of all spam.

Fellow security company Commtouch also reported attachment spam as having risen 500 percent between 8 and 12 August on the back of a campaign using the common lure of fake UPS or DHL package notifications. Sophos has posted a useful analysis of one of the current crop of bogus package delivery messages.

Putting the attachment surge in context, figures from the same companies show that overall spam is still at historically low levels after the closure earlier this year of Rustock, one of the most prodigious spam botnets. Overall, then, spam levels appear to be continuing their gradual decline.

So where is the new wave of attachment messages coming from and does the latest campaign have any deeper significance?

Most of the messages appear to originate with an unremarkable botnet called Cutwail, backed up by activity from two other small players, Festi and Asprox. The attachments themselves are designed to hit computers with a range of malware, including fake antivirus campaigns and the SpyEye banking Trojan as well as to recruit them to relay spam.

This looks pretty mundane. The carriers are bog-standard DHL emails backed by attachments that serve the same Trojans that make up most Internet malware campaigns. The innovation level is very low and has echoes of a campaign run by criminals in March and April.

According to M86 product manager, Ed Rowley, the campaign is probably a symptom of the stress the spammers are under at a time when the phenomenon has lost some of its old potency.

"I think it is linked to the low levels of spam. We have seen spam drop and this is an attempt to rebuild the botets, " he said. "The criminals are trying to lay the foundations of future attacks."

This view is echoed by Daniel Axater, CEO of Swedish mail filtering company CronLab, which has also noticed the attachment phenomenon. "Any views on why this sudden surge would be speculation, but to me it looks like they're trying to use this attack to expand the size of the botnets," he said.

Criminals are always trying to increase their empires, but what points to the desperation of criminals is that they are using such hackneyed and generally easy-to-spot methods to carry out this task. Attachment spam is generally a last resort because while dangerous it is also difficult to slip past spam filters. Most users, especially corporate users, will never see the emails at all.

Any botnetter willing to try the high-visibility technique will have to compensate for this filtering by sending large number of messages to have any chance of success. That in turn raises the campaign's visibility further.

That several security companies have noticed the campaign within the same period of days suggests that the returns are likely to be very modest, mainly hitting users on small, poorly-defended ISPs running obsolete and unpatched operating systems such as XP.

After years of effortless success, spammers have had a relatively bad time of it this year, especially after the downing of major spam relays such as in September 2010 and Rustock in March this year. Without some innovation, that decline could be set to continue.

Join the PC World newsletter!

Error: Please check your email address.

Tags sophosPersonal TechsecurityM86 Security

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

John E Dunn

Show Comments

Most Popular Reviews

Best Deals on PC World

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?