Long-running spammer Canadian Pharmacy has a new trick, which it has been using obsessively over the last few days. It consists of sending out messages that exactly duplicate notifications from popular services (Amazon, Digg, Wikipedia, etc.) but contain URLs that direct recipients to the pharmacy site.
This kind of imitation (a form of aggressive mimicry) isn't new in the world of spam. Canadian Pharmacy has previously sent messages in which almost all the message text was duplicated from some other source, and only a tiny fraction consisted of the spam payload. But those messages were constructed so that the pharmacy pitch would be visible when the user opened them. With the most recent messages, the message looks like an email from Wikipedia (or Digg, or Amazon, or wherever) right up until the point at which the user clicks the link. Only then do they suddenly find themselves on a pharmacy site.
The actual links don't point directly to the pharmacy site. Instead, they point to pages on third-party sites that have been compromised. Those pages contain JavaScript that redirects the user to the final destination, a pharmacy site. The mimicry and the redirection games have apparently led some analysts to identify the messages as phishing or malware (the ClamAV anti-virus scanner, for example, classified some of the spams as phishing, while one writer speculated that they linked to malware downloads). As far as I can see, they are not. In all the messages I have examined, the goal has been to deliver the user to the pharmacy site, not to infect their computers or trick them into giving up their passwords. Of course, that doesn't rule out the possibility of using the same techniques for malware delivery.
The goal of the approach appears to be, first and foremost, to fool spam filters. The message text is almost identical to that of legitimate messages sent in high volume by popular services. This means that it's less likely to get flagged by probabilistic filters at large ISPs. With the exception of the actual links, there's probably nothing in the message body to distinguish the fake messages from real ones. Secondly, by using the URLs of legitimate (but compromised) sites, the spams escape the attention of URI-based blacklists.
The scheme has a couple of weak points, however. The first is that the spammers are still sending the messages from botnets, which means that blacklists that list dynamic IP addresses or known botnet PCs make short work of them. The second is that the spammers don't seem to have a very large set of compromised sites available to them. An entire day's run of spam - and these are high-volume runs - may point to the same landing page. That makes them vulnerable both to filtering and to takedowns. If the site owner wakes up to the fact that his site has been compromised and removes the page, the link is broken. This appears to have already happened with at least one recent run, for example. (Incidentally, there's an opportunity to educate people here: rather than simply taking down the redirection page, site owners could post pages that warn visitors that they have been tricked and provide links to anti-phishing education pages.)
There are signs that the scheme is a 'work in progress', however. The spammers are already starting to introduce random elements into the messages to make them harder to filter. Moreover, other spammers have already demonstrated that it's not hard to compromise people's websites. Canadian Pharmacy could, if they wanted, draw on an almost infinite number of landing pages. As time goes by, they almost certainly will.
If the spammers persist and refine their tactics, filters may need to pay more attention to the probability of certain URLs or senders appearing in certain types of messages. Statistically, the likelihood of anything but an Amazon URL appearing in an order confirmation from Amazon must be close to zero. The likelihood of an Amazon order confirmation originating from anywhere but Amazon's servers really is zero. And so on.
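A minimal version of the URL-consistency check described above, as an added example that is not part of the original post: it assumes the sender address has already been authenticated upstream (SPF/DKIM checks are not shown) and uses a hand-built map from a brand's sending domain to the link domains its notifications legitimately use. Anything else in the body of a message that claims to be from that brand is reported as a mismatch.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed map (assumption): sender domain -> link domains its mail legitimately uses.
BRAND_LINK_DOMAINS = {
    "amazon.com": {"amazon.com"},
    "digg.com": {"digg.com"},
    "wikimedia.org": {"wikipedia.org", "wikimedia.org"},
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def registrable(host):
    # Naive last-two-labels rule; a real filter would use the public suffix list.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def brand_link_mismatches(raw_message):
    """Return link domains that a message claiming this brand should never carry."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    allowed = BRAND_LINK_DOMAINS.get(registrable(addr.rpartition("@")[2]))
    if allowed is None:
        return []  # not a brand we model; leave it to the other filters
    parts = msg.walk() if msg.is_multipart() else [msg]
    text = "".join(
        (p.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for p in parts if p.get_content_maintype() == "text")
    found = []
    for url in URL_RE.findall(text):
        dom = registrable(urlparse(url).hostname or "")
        if dom not in allowed and dom not in found:
            found.append(dom)
    return found

# Constructed samples: the fake copies Amazon's wording but links to a compromised third party.
FAKE_AMAZON = """From: "Amazon.com" <ship-confirm@amazon.com>
Subject: Your Amazon.com order has shipped

Your package is on its way. Track it: http://www.example.net/blog/track.html
"""
REAL_AMAZON = FAKE_AMAZON.replace("http://www.example.net/blog/track.html",
                                  "https://www.amazon.com/gp/css/history")
```

Unmodelled senders return an empty list so the check only ever adds evidence for brands whose link domains are known; it is a supplement to, not a replacement for, the IP and URI blacklists mentioned above.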
At the moment, for all the effort that they've put into the scheme, it doesn't seem likely to be very effective. Almost all of the flood of messages seem to end up in the spam trap. Of those few people who see them and click through in the expectation of landing on a Wikipedia or Amazon page, very few are probably going to say "Oh, generic Viagra, I should get some of that". The success rate must be minimal, even by the standards of spam.
While the scheme probably won't generate much revenue for spammers, it may lead to legitimate messages being lost. Sooner or later, the flood of fake Amazon messages will cause filters to start rejecting real messages from Amazon. Once again, spammers break a useful service and inconvenience everyone.