It is well known that spammers use many different tactics to add legitimacy to their emails.

Two techniques that are popular include personalizing emails and using images to try to fool the recipient into being scammed.

Spammers will often add text to an email that specifically mentions the recipient. This is a technique used in legitimate marketing campaigns, where a well-known company has access to the user's personal information because the user has signed up to receive its newsletter or is a previous customer. For a spammer, however, obtaining personal information is not so simple. An easy way to get a similar effect is to use the email address to which the message is being sent. While this is not a name, it can have the same effect by making the email appear as if it was sent in accordance with a legitimate mailing list, rather than spammed at random. This can be a fairly effective tactic, as a lot of websites now use email addresses as usernames.

The body of these spam emails is typically very short. In all the samples MessageLabs Intelligence analyzed, the body appeared as a single line, which was the URL the spammer wanted the recipient to visit. This is fairly common in spam, because the spammer wants to get the recipient to the website as soon as possible. The longer the recipient spends looking at a spam email, the more likely they are to realize it is a scam, or just close the email because it took too long to read. The goal is to make the user curious enough about what is being offered to click the link.

The use of images in spam is also well known and has been going on for as long as it has been possible to send images in email messages. There are many reasons for using images in email, from simply making the email more interesting or adding a look of professionalism, to attempting to evade text-based spam filters and signatures. The use of remote images in particular has been steadily increasing over the last 16 months.

In remote images, the image is not actually contained within the email itself. Instead the email uses HTML to link to a remotely hosted image, which most modern email clients will render just like a web browser. There are good reasons a spammer would want to use remotely hosted images. First, they can change the content of a spam run at any time without having to update templates or make any changes to their bots. Second, with a remotely hosted image, the spam mail itself only has to contain a few lines of HTML, but the image can contain whatever the spammer wants. This makes the spam emails much smaller, which in turn allows their bots to send out much more spam per minute than they could if the image were attached. Also, a remote image gives the spammer the chance to avoid image filters as well as text filters in anti-spam. Remote images also allow the spammers to use web monitoring tools to track the effectiveness of their own spam runs. When the image is downloaded, the spammer can log all the same information about the victim’s computer as a legitimate website, including IP address, email client used, etc.

Spammers will try anything to get their target to click through to their websites, or part with their money. Any email from an unsolicited source that is personalized and contains an image should be treated as suspicious.
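The traits described above (the recipient's address reused as a name, a body that is a single URL, and remotely hosted images) can be checked mechanically. This is an added example, not part of the original article; the sample message, the host names and the `spam_traits` function are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample message (not from the article); all hosts are placeholders.
SAMPLE = """\
From: offers@sender.example
To: jsmith@recipient.example
Subject: jsmith, your member discount
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="http://shop.example/offer"><img src="http://img.example/run42.jpg"></a>
<p>http://shop.example/offer</p>
</body></html>
"""

class RemoteImageFinder(HTMLParser):
    """Collect <img> sources fetched from a server rather than embedded (cid:, data:)."""
    def __init__(self):
        super().__init__()
        self.remote = []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") or ""
        if tag == "img" and src.lower().startswith(("http://", "https://", "//")):
            self.remote.append(src)

def spam_traits(raw):
    msg = message_from_string(raw, policy=policy.default)
    local = parseaddr(msg.get("To", ""))[1].split("@")[0]
    text = html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            text += part.get_content()
        elif part.get_content_type() == "text/html":
            html += part.get_content()
    finder = RemoteImageFinder()
    finder.feed(html)
    visible = text or re.sub(r"<[^>]+>", " ", html)  # crude tag strip for the sketch
    lines = [l.strip() for l in visible.splitlines() if l.strip()]
    # Personalization as described: the recipient's own address reused as a name.
    haystack = f'{msg.get("Subject", "")} {visible}'
    personalized = bool(local) and re.search(rf"\b{re.escape(local)}\b", haystack, re.I) is not None
    return {
        "personalized": personalized,
        "remote_images": finder.remote,
        "url_only_body": len(lines) == 1 and re.fullmatch(r"https?://\S+", lines[0]) is not None,
        "suspicious": personalized and bool(finder.remote),
    }
```

The `suspicious` flag follows the rule of thumb above (personalized plus an image); in a real filter these traits would be weighted signals rather than a verdict.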

Mathew Nisbet is a Malware Data Analyst at Symantec Hosted Services

  • Gisabun

    Regarding the comment “a lot of websites now use email addresses as usernames”. That is true but just about any web site that you do register will still ask for your actual name.

    In addition, if you receive a phishing Email from a bank, why would they say “Dear jsmith” instead of “Dear John Smith”? It’s a dead giveaway that it’s a phishing scam. Or someone could be named John Smith but use the login ID bighabsfan. So the guy will get “Dear bighabsfan” from a bank? Nope.