Some spam with your fax?

As I mentioned in my last post, I'm seeing increasing numbers of stock spam campaigns that include both fax and email components, with spammers using multiple different email formats in attempts to get around filtering. The latest ones to jump on this particular bandwagon are spammers pushing LOM Logistics (LOMJ.PK), ClearVision Int'l (CVNI.PK) and Fire Mountain Beverage Co. (FBVG.PK).

I don't have a fax machine myself, so my knowledge of what's hot and what's not in the world of fax spam is mostly second-hand. The first I know of a fax spam run is usually when my mailbox fills up with messages from people asking me what they can do about all the faxes from company X or company Y.

What's interesting to me is the way that the spammers seem to be exploring all the possible options. On the one hand, you have fax spams (usually fairly tightly synchronized with the email campaign). On the other, you have emails that can themselves vary wildly in shape and form as the spammers look for a way past everyone's filters. For instance, the LOMJ.PK spam run opened with a rather austere GIF image spam (colored text on white), then shifted to terse plaintext in fractured English and finally settled on a longer plaintext version built around a press release. The FBVG.PK spams were all image-based this time, but the spammers rang the changes on the image several times. The current CVNI.PK run also appears to be image-only so far, but past runs have also used a variety of different plaintext formats.

Incidentally, I'm still far from convinced of the merits (from the spammer's point of view) of image-based spam. It takes more effort to filter overall, but plaintext spam - although easier to filter once you've seen one example - still seems to offer a better chance of getting that first spam through the filters. All the CVNI.PK spams, for example, went straight into the junkpile, but several of the LOMJ.PK plaintexts sneaked through untagged before I added a rule to nail them. In fairness, my situation means that I can afford to be brutal about suspect images. The big ISPs probably have to be more conservative, but even so it wouldn't surprise me to learn that they're blocking a lot of the chaff. Which may explain why the spammers have suddenly rediscovered the joys of the humble fax machine.

As far as I can gather, the actual payload doesn't vary much from medium to medium. In many cases, the image-based spams are simply rendered versions of the same message sent as plaintext, with a few random font and color choices and some obfuscation to make life harder for FuzzyOCR. The messages themselves are pure boilerplate — "about to explode!" scream the LOMJ.PK spams, "$6.00 a share target!" shriek the ones for CVNI.PK (where do they get these numbers, and does anyone really pay them any attention?). The whole thing has become so formalized that you almost wonder why they bother thinking up any text at all. Why not do like the MAKU.OB spammer a few months back, and simply send out images containing the stock symbol and nothing else?

I can't decide what to make of the fax spams. Are they a sign of desperation (filters are getting better, so spammers are trying something new) or a sign that business is booming (faxes probably cost more, and the junk fax laws aren't quite as toothless as the CAN-SPAM Act, so the risk is higher)? Either way, I suspect that they're likely to be a feature of the spam landscape for a while to come.
