Linked image spam

This weekend, the stock spammers seem to have enthusiastically embraced a new technique for delivering stock spam, replacing the embedded images that previously accompanied their messages with a simple link to an externally-hosted image. Analysis suggests that there could be as many as three distinct spam gangs now using this approach.

From the spammer's point of view, the advantage of this technique is that messages can be made smaller and harder to filter. Instead of sending out a message that includes a bulky embedded image — and some giveaway tags that are easy to detect — they can send a smaller message consisting chiefly of hashbuster text and a single <img> tag that references a remotely-hosted image. Such spams are, a priori, difficult to distinguish from legitimate messages.

Napoleon Bonaparte reportedly said: "Never interrupt your enemy when he is making a mistake." I won't go into the reasons why I think this isn't likely to be a long-lived technique, but I'll give a brief overview of how the spammers are currently using it.

The big issue, of course, is where to put the linked images. When spammers first started using the technique, they placed the images on free photo- and image-sharing sites such as imageshack.us. One currently active spammer is still doing this, using sharing sites to host spams pushing EFD.F (the Frankfurt Exchange symbol for US company Harris Exploration, which is also being promoted, as HXPN.PK, by a current plaintext spam run). Unfortunately for them, the abuse teams of the free sites seem to be both aggressive and efficient, so a lot of the spam images are getting taken down before recipients can see them.

Another option for spammers is to host the images on their own servers, where by 'their own servers' I mean, of course, other people's hijacked Windows PCs. The stock spammers currently pushing GPSI.PK (who are probably the spam gang that gave us a number of 'innovations', including supposedly OCR-proof animated GIFs and 'snow' images) have taken this route, registering a number of domains for the purpose. They then set up hijacked PCs as both nameservers and image hosts, in an attempt to provide redundant hosting. WHOIS records for the domains in question (vkcame.com among them) show privacyprotect.org as the registrant contact (which is shorthand for "Hi! I'm a spammer!") and list a dozen or so nameservers for each domain (shorthand for "Hi! I'm running a botnet!").

Spammers promoting T2Y.F appear to have gone for a mixed strategy, exploiting a mixture of free image hosting services and some apparently compromised domains. For example, one image is hosted on tomorrowsproductions.com, an apparently legitimate business. My guess would be that their hosting package (apparently provided by theplanet.com) includes a standard file-upload script installed at a standard location, and the spammer is simply exploiting that.

Incidentally, this should be a reminder to everyone: if you're using any tools provided by your hosting service, either lock them down or move/rename the scripts to make life a little harder for the spammers. Even if a loophole in a default install doesn't threaten your security, it can turn you into a service provider for spammers.

I don't think this is necessarily the spam technology of the future. There are a number of means of defending against linked image spam that could render the technique less effective in fairly short order. Nevertheless, it's clear that the arms race is continuing and the spammers haven't stopped looking for new techniques.
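As an added example (not the author's filter, nor any tool named in this post), here is one of the defences alluded to above written out in Python: a structural heuristic for the pattern described earlier, a message whose payload is a single externally-hosted image plus hashbuster text. It parses a MIME message, pulls the <img> and <a> tags out of the HTML part, and scores what it finds: exactly one remote image with no embedded ones, no clickable link (the pitch is inside the image), an image host on a free sharing site, and no text/plain alternative. The three messages it runs on are constructed for this example, not captured spam; the host list contains only imageshack.us because that is the one site the post names; the weights and the threshold are assumptions to be tuned on your own mail.

```python
"""Heuristic detector for linked-image stock spam (example code, not the
post author's filter). Sample messages below are constructed, not captured."""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Only imageshack.us is named in the post; extend as you see new hosts abused.
FREE_IMAGE_HOSTS = {"imageshack.us"}


class _HtmlScan(HTMLParser):
    """Collect <img src>, <a href>, whether images sit inside links, and visible text."""

    def __init__(self):
        super().__init__()
        self.img_srcs, self.hrefs, self.text = [], [], []
        self.img_in_link = 0
        self._in_a = self._skip = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            self.img_srcs.append(a.get("src") or "")
            if self._in_a:
                self.img_in_link += 1
        elif tag == "a":
            self._in_a += 1
            if a.get("href"):
                self.hrefs.append(a["href"])
        elif tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag == "a" and self._in_a:
            self._in_a -= 1
        elif tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)


def features(raw: bytes) -> dict:
    """Extract the structural features the score below is built on."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    html = plain = None
    image_parts = 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html" and html is None:
            html = part.get_content()
        elif ctype == "text/plain" and plain is None:
            plain = part.get_content()
        elif part.get_content_maintype() == "image":
            image_parts += 1
    scan = _HtmlScan()
    scan.feed(html or "")
    remote = [s for s in scan.img_srcs if s.lower().startswith(("http://", "https://"))]
    hosts = {urlsplit(s).hostname or "" for s in remote}
    return {
        "remote_images": len(remote),
        "embedded_images": image_parts + sum(s.lower().startswith("cid:") for s in scan.img_srcs),
        "remote_hosts": hosts,
        "free_host": any(h == f or h.endswith("." + f) for h in hosts for f in FREE_IMAGE_HOSTS),
        "links": len(scan.hrefs),
        "img_in_link": scan.img_in_link,
        "words": len(re.findall(r"[A-Za-z']+", " ".join(scan.text))),
        "has_plain_alt": plain is not None,
    }


def score(f: dict) -> int:
    """Assumed weights: tune on your own corpus."""
    s = 0
    if f["remote_images"] == 1 and f["embedded_images"] == 0:
        s += 2  # the whole payload rides on one external image
    if f["links"] == 0 and f["img_in_link"] == 0:
        s += 1  # no call-to-action link: the pitch (ticker symbol) is inside the image
    if f["free_host"]:
        s += 1  # hosted on a free image-sharing site
    if not f["has_plain_alt"]:
        s += 1  # HTML-only, no text/plain alternative
    return s


def is_linked_image_spam(raw: bytes, threshold: int = 3) -> bool:
    return score(features(raw)) >= threshold


def _build(html: str, plain: str = None, image: bytes = None) -> bytes:
    """Constructed sample message (not a real capture)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.invalid", "b@example.invalid", "hi"
    if plain is not None:
        msg.set_content(plain)
        msg.add_alternative(html, subtype="html")
    else:
        msg.set_content(html, subtype="html")
    if image is not None:  # embedded (old-style) image, referenced by cid:
        msg.add_related(image, maintype="image", subtype="gif", cid="<pic1>")
    return msg.as_bytes()


SPAM_LINKED = _build('<html><body><p>candor marble the seventh engine quietly</p>'
                     '<img src="http://img123.imageshack.us/img123/9999/efd.gif">'
                     '<p>lantern river obsolete calendar</p></body></html>')
LEGIT_NEWSLETTER = _build('<html><body><a href="http://www.example.com/">'
                          '<img src="http://www.example.com/logo.png" alt="logo"></a>'
                          '<p>Hello Alice, your March invoice is attached. See '
                          '<a href="http://www.example.com/help">help</a>.</p></body></html>',
                          plain="Hello Alice, your March invoice is attached.")
SPAM_EMBEDDED = _build('<html><body><p>random filler words</p><img src="cid:pic1"></body></html>',
                       image=b"GIF89a\x01\x00\x01\x00")

if __name__ == "__main__":
    for name, raw in [("linked", SPAM_LINKED), ("legit", LEGIT_NEWSLETTER), ("embedded", SPAM_EMBEDDED)]:
        print(name, score(features(raw)), is_linked_image_spam(raw))
```

The legitimate newsletter also carries one remote image, which is exactly why a single feature is not enough: it is the combination (image not wrapped in a link, no links at all, no plain-text alternative) that separates it from the spam. The embedded-image message scores low here because it is the older technique, which other filters already catch on its bulky MIME part.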
