Hack'n'spam

One of the perennial problems for spammers is finding what the intelligence community refers to as 'clean skins': identities that aren't associated with known bad actors. For spammers, the problem is two-fold: they want their emails to originate from netblocks that aren't known to be spam-infested, and they want the URLs that they cite to refer to domains that aren't known as spam domains.

The development of the botnet solved the first problem. One of the advantages of using a hijacked PC to send email is that the mail will be shown as originating from a netblock belonging to a major ISP so that, other things being equal, the spam won't be rejected out of hand. There are exceptions to this, of course. Some of the blacklists list IP ranges allocated to broadband customers who should be using their ISP's smarthosts rather than sending direct-to-MX. In general, however, the botnet strategy has served spammers well.

The second challenge for spammers is to make their URLs look 'clean' as well. URIBLs will quickly identify messages that contain URLs referencing known spam hosts, or hosts located in spam-infested netblocks. So spammers need to find hosts that are 'above suspicion' and host their content there.

One strategy is to exploit a free service such as Yahoo! or GeoCities. Using hosting on a big provider with a lot of legitimate content means that the domain is unlikely to get listed in a URIBL. On the other hand, if the provider isn't asleep at the switch, they may start deleting the spam content. While the spammers can generally just create another account and send more spam, there's a danger that recipients who are foolish enough to click the link may eventually grow tired of being sent to 'This page has been removed' messages and might stop clicking spam links altogether. The spammers certainly don't want that.

So some spammers are turning to an alternative strategy. They simply hack someone else's server, upload their content and start sending out spam. Because the domains in the URLs belong to legitimate businesses, they're unlikely to be blacklisted already (although once the spammer has sent enough spam, the domain may well be blacklisted, causing problems for the domain owner), and provided that the owner doesn't notice that their site has been compromised, the spammer's gateway page can remain there indefinitely.
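To make concrete why a URIBL catches the first two strategies but not the hacked-server one, here is an added example (not code from the original post) of the kind of lookup a URIBL-style filter performs: it pulls URLs out of a message body, normalises each hostname, checks the host and every parent domain against a domain list, and checks the host's resolved address against a netblock list. All of the domains, addresses and lists below are constructed stand-ins; a real filter would query a DNS-based list and resolve hosts over the network.

```python
import re
from urllib.parse import urlparse

# Constructed sample lists, standing in for a real URIBL feed (assumption).
LISTED_DOMAINS = {"spamhost.example", "pills.example"}
LISTED_NETBLOCKS = {"203.0.113."}   # TEST-NET-3, used here as a "spam-infested" /24

# Constructed stand-in for DNS resolution so the example runs offline.
FAKE_DNS = {
    "www.spamhost.example": "198.51.100.5",
    "shop.legit-business.example": "192.0.2.10",   # a compromised but legitimate site
    "cdn.other.example": "203.0.113.77",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_hosts(body):
    """Return the normalised hostnames of every http(s) URL in the message body."""
    hosts = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower().rstrip("."))
    return hosts


def domain_listed(host):
    """Return the listed domain that covers this host (the host itself or a parent), else None.

    URIBLs list registered domains, so 'www.spamhost.example' is caught by an entry
    for 'spamhost.example'. The top-level label alone is never checked.
    """
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in LISTED_DOMAINS:
            return candidate
    return None


def netblock_listed(host, resolver=FAKE_DNS.get):
    """Resolve the host and return the listed /24 it falls in, else None."""
    ip = resolver(host)
    if ip is None:
        return None
    for prefix in LISTED_NETBLOCKS:
        if ip.startswith(prefix):
            return prefix + "0/24"
    return None


def classify_message(body):
    """Return (host, listed_domain_or_None, listed_netblock_or_None) for each URL host."""
    return [(h, domain_listed(h), netblock_listed(h)) for h in extract_hosts(body)]


if __name__ == "__main__":
    # Constructed sample message: a known spam host, a hacked legitimate site, and a host
    # in a listed netblock. Only the hacked legitimate site passes both checks.
    sample = (
        "Visit http://www.spamhost.example/offer now!\n"
        "Or see http://shop.legit-business.example/1.html\n"
        "Images at https://cdn.other.example/img.png\n"
    )
    for host, dom, net in classify_message(sample):
        print(host, "domain-listed:", dom, "netblock-listed:", net)
```

The middle URL is the point of the post: a hacked small-business site resolves to a clean address and sits under a domain that has never been listed, so a lookup of this kind returns nothing for it until enough spam has pointed at it to get the domain listed.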

At present, we're aware of at least two spammers who are using this tactic. One specializes in child and animal pornography. Their chosen targets seem to be sites belonging to small businesses, often Latin American. It's likely that the sites all use some software package that the spammers are able to exploit in order to upload their content (rather than gaining full access to the server, the spammers are probably simply using a loophole in the installed software to deploy their content). URLs sent by this spammer typically end in 'alice' or 'hvideo'.

The other spammer apparently using this tactic is the Chinese pill spammer 'Canadian Pharmacy'. It's a little harder to pin down the kind of sites that they are able to exploit, but many seem to be Eastern European. Their URLs reference a document called '1.html', which then redirects to one of Canadian Pharmacy's '.cn' domains.

The same approach has been used in the past by malware distributors, as well as some money transfer scammers. The latter have been seen to use tools that will modify entire websites to insert their own links or JavaScript code on every page.

Theft of resources is pretty much standard operating practice for spammers. Nevertheless, this tactic should be a further reminder that spam has long ago crossed the line from a petty irritation to full-on computer crime. It's also a reminder of how much vulnerable software is out there, and of the necessity for website owners and hosting providers to keep an eye on their document tree using intrusion detection tools such as Tripwire.
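What "keeping an eye on the document tree" amounts to in practice is a baseline-and-compare check of the kind Tripwire performs. The following is an added example written for this post, not Tripwire's code and not anything from the spammers' tooling: it hashes every file under a web root, compares a later snapshot against the baseline, and then flags any added or modified HTML page that carries an external script tag, an iframe or a meta refresh, which covers both the dropped '1.html' gateway page and the site-wide link injection described above. The document tree, file names and URLs in the demo are constructed in a temporary directory so it runs offline.

```python
import hashlib
import os
import re
import tempfile


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large uploads don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> sha256 for every regular file under root (symlinks skipped)."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def diff_snapshots(old, new):
    """Return the paths that were added, removed, or changed between two snapshots."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


# Patterns typical of injected gateway/redirect content: externally sourced scripts,
# iframes, and meta refresh redirects. Tune for the site in question (assumption).
INJECT_RE = re.compile(rb"<script[^>]*src=|<iframe|<meta[^>]+refresh", re.IGNORECASE)


def suspicious_html_changes(root, report):
    """Among added/modified pages, return those containing an injection pattern."""
    flagged = []
    for rel in report["added"] + report["modified"]:
        if not rel.lower().endswith((".html", ".htm", ".php")):
            continue
        with open(os.path.join(root, rel), "rb") as f:
            if INJECT_RE.search(f.read()):
                flagged.append(rel)
    return sorted(flagged)


def demo():
    """Build a toy document tree, baseline it, simulate a compromise, and report the diff."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<html><body><h1>Acme Widgets</h1></body></html>\n")
    with open(os.path.join(root, "images", "logo.txt"), "w") as f:
        f.write("placeholder\n")
    baseline = snapshot(root)

    # Simulated compromise (constructed): a dropped gateway page that redirects away,
    # and a script tag appended to an existing page. The URLs use the reserved .invalid TLD.
    with open(os.path.join(root, "1.html"), "w") as f:
        f.write('<meta http-equiv="refresh" content="0;url=http://pharma.invalid/">\n')
    with open(os.path.join(root, "index.html"), "a") as f:
        f.write('<script src="http://evil.invalid/x.js"></script>\n')

    report = diff_snapshots(baseline, snapshot(root))
    report["flagged"] = suspicious_html_changes(root, report)
    return report


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

In production the baseline would be stored off the web server (an attacker who can write to the document tree can usually rewrite a baseline kept beside it), and the comparison run from cron or the hosting provider's side; the content-pattern check is a supplement to the hash comparison, not a replacement for it, since a gateway page need not match any fixed pattern.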
