Surge in attachment spam a sign of desperation, say experts

Overall spam levels flat so criminals try to rebuild bots

Botnet criminals have flooded the Internet with a surge of attachment spam in recent weeks in a desperate attempt to rebuild a spam-distribution industry under pressure, security experts have suggested.

Although this surge has been widely reported as a significant return for spam generally, levels are in fact subdued. It is more likely a sign of stress for a part of the cybercrime economy that has had a bad year.

Figures from M86 Security (see below graph) show a spike in attachment spam (emails with malware files attached) beginning at the beginning of August, which at one point accounted for a quarter of all spam seen by the company. That is more than a blip - attachment spam normally makes up fractions of a percent of all spam.

Fellow security company Commtouch also reported attachment spam as having risen 500 percent between 8 and 12 August on the back of a campaign using the common lure of fake UPS or DHL package notifications. Sophos has posted a useful analysis of one of the current crop of bogus package delivery messages.

Putting the attachment surge in context, figures from the same companies show that overall spam is still at historically low levels after the closure earlier this year of Rustock, one of the most prodigious spam botnets. Overall, then, spam levels appear to be continuing their gradual decline.

So where is the new wave of attachment messages coming from and does the latest campaign have any deeper significance?

Most of the messages appear to originate with an unremarkable botnet called Cutwail, backed up by activity from two other small players, Festi and Asprox. The attachments themselves are designed to hit computers with a range of malware, including fake antivirus campaigns and the SpyEye banking Trojan as well as to recruit them to relay spam.

This looks pretty mundane. The carriers are bog-standard DHL emails backed by attachments that serve the same Trojans that make up most Internet malware campaigns. The innovation level is very low and has echoes of a campaign run by criminals in March and April.

According to M86 product manager, Ed Rowley, the campaign is probably a symptom of the stress the spammers are under at a time when the phenomenon has lost some of its old potency.

"I think it is linked to the low levels of spam. We have seen spam drop and this is an attempt to rebuild the botets, " he said. "The criminals are trying to lay the foundations of future attacks."

This view is echoed by Daniel Axater, CEO of Swedish mail filtering company CronLab, which has also noticed the attachment phenomenon. "Any views on why this sudden surge would be speculation, but to me it looks like they're trying to use this attack to expand the size of the botnets," he said.

Criminals are always trying to increase their empires, but what points to the desperation of criminals is that they are using such hackneyed and generally easy-to-spot methods to carry out this task. Attachment spam is generally a last resort because while dangerous it is also difficult to slip past spam filters. Most users, especially corporate users, will never see the emails at all.

Any botnetter willing to try the high-visibility technique will have to compensate for this filtering by sending large number of messages to have any chance of success. That in turn raises the campaign's visibility further.

That several security companies have noticed the campaign within the same period of days suggests that the returns are likely to be very modest, mainly hitting users on small, poorly-defended ISPs running obsolete and unpatched operating systems such as XP.

After years of effortless success, spammers have had a relatively bad time of it this year, especially after the downing of major spam relays such as in September 2010 and Rustock in March this year. Without some innovation, that decline could be set to continue.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags sophosM86 SecurityPersonal Tech

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

John E Dunn

Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?