Something old, something new

After a fairly sharp decline from last year's high, there are signs that stock spam might be creeping up again. We've noticed a slight uptick in the number of symbols advertised, although volumes remain well down. What's interesting is that the new stock spammers appear to be exploring some new tactics.

The classic stock spam campaign uses spam pumped out in high volume from a botnet made up of hijacked PCs. The machines sending the spam typically connect directly to the recipient's mail gateway (a tactic that may eventually go out of fashion, if enough ISPs implement new recommendations from the Messaging Anti-Abuse Working Group).

Recent stock spam advertising FIMA.PK took a different tack. We saw four examples of this spam, all of which were sent through Hotmail mail gateways, and apparently posted from machines connected on IPs assigned to Microsoft Corporation. We have seen spam sent through stolen Hotmail accounts before, but in those cases the posting host was on a Chinese network. With such a small sample, it's hard to draw reliable conclusions, but it's possible that these spams were posted using malware tailored to compromise MSN accounts, counting on the 'good reputation' of Hotmail's designated mail servers to get the spam through where a post from a dynamic IP might not.

This morning's spam haul showed another interesting tactic. The message, advertising ASIC.PK, had the title "Information from Crown Financial Ministries", and analysis indicated that it had indeed been sent from the crown.org server owned by Crown Financial Ministries (apparently some kind of Christian financial advice site). Further inspection of the message suggested that the spammer had used an email form on the site to send their message.

Email forms that allow an unauthenticated user to order a third-party server to send out mail to other addresses are something of an anti-pattern anyway, being wide open to this kind of abuse. What's interesting about this approach is not only that the spammer used the resources and reputation of crown.org to successfully deliver their message, but that they chose a service whose automatically-generated subject line helped give the impression that the message was endorsed by some possibly reputable or authoritative organization.
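A form handler that avoids the pattern described above, as an added example (not code from crown.org or from this post): the visitor selects a recipient by key from a server-side list and never supplies an address, and the subject is fixed and labels the content as unverified. The addresses, the `dept`, `reply_to` and `message` field names and the function names are hypothetical.

```python
from email.message import EmailMessage

# Hypothetical site configuration: the only addresses this form may mail.
ALLOWED_RECIPIENTS = {
    "support": "support@example.org",
    "press": "press@example.org",
}
FORM_SENDER = "webform@example.org"
MAX_BODY_CHARS = 2000


class FormRejected(ValueError):
    """Raised when a submission must not be turned into mail."""


def build_form_mail(form):
    """Turn an untrusted form submission into a message for site staff only."""
    # The client picks a key, never an address: an unknown key is refused,
    # and any 'to', 'cc' or 'bcc' field the client sends is simply ignored.
    dept = form.get("dept", "")
    if dept not in ALLOWED_RECIPIENTS:
        raise FormRejected("unknown department")

    reply_to = form.get("reply_to", "").strip()
    body = form.get("message", "")
    # CR/LF in a header value would let the client append headers of its own;
    # spaces and commas would let one field carry several addresses.
    if any(c in reply_to for c in "\r\n ,") or reply_to.count("@") != 1:
        raise FormRejected("bad reply address")
    if not body.strip() or len(body) > MAX_BODY_CHARS:
        raise FormRejected("empty or oversized message")

    msg = EmailMessage()
    msg["From"] = FORM_SENDER
    msg["To"] = ALLOWED_RECIPIENTS[dept]
    msg["Reply-To"] = reply_to
    # Fixed subject that marks the content as unverified visitor text, so the
    # site's name is not lent to whatever the visitor typed.
    msg["Subject"] = "[web form, unverified visitor] message for " + dept
    msg.set_content(body)
    return msg
```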

Other recent spam promoting KLYG.OB again suggested that the spammer was trying some experiments. Subject lines used included specifically stock-related lines, such as "watch this microcapst0ck trade" or "Attention All Penny Stock Players", but also more ambiguous lines: "Your Google listing in Ref: 2004/N/8421100811" and "Your Friend". The messages included hashbuster text drawn from a wide variety of sources (including a couple that simply read "Yours affectionately, CHARLES DARWIN").

The most interesting sample included a disclaimer that read in part:

Past performance is never indicative of future results We have received 1,000,000 shares for out [sic] advertising services. Third parties own stock and will sell those shares without notice to you, this could cause the price to go down.

The CEO of KLYG.OB has recently suggested in a press release that unknown individuals might be attempting to short the stock, so there's a possibility that this may have been intended as a short-and-distort attempt, rather than the more common pump-and-dump.

Last year's stock spam floods may have reduced the profitability of stock spam by generating so much coverage that the intended victims — naive investors — gradually realized that investing based on unsolicited tips from anonymous strangers might not be the smartest strategy. That doesn't mean that the stock spammers have given up, though, and there's some reason to think that they may be exploring new tactics aimed at squeezing a few last dollars out of the stock spam business.
