Haymarket Media, Inc.
SC Magazine
The IT Security Blog Roundup

Death of a spammer? Not likely

Posted October 12, 2007

Spamming, in most cases, is illegal. So it’s worth wondering what other bad deeds spammers are wrapped up in.

That’s why recent reports describing a spammer’s death were so intriguing.

However, according to McAfee researchers, the event was actually a hoax – and the website announcing the death was registered on Oct. 11, hours before the reports appeared on it.

“Plus, neither Russian sites nor Google have ever heard of this particular spammer (which would be impossible as he is depicted as one of the most prolific). And there is no trace of this murder case in the news, on TV or on the web. In a word – it is definitely a hoax.”
- Igor Muttik, McAfee Avert Labs Blog, Oct. 12, “Two dead spammers? Again.”

Alex Eckelberry, Sunbelt Software president and CEO, said on his company’s blog that the hoax site may be a ploy to infect visitors with malware.

“I wouldn’t encourage visits to this hoax site. There’s no malware on it and you’re not going to get infected. But given where this thing is hosted (and the fact that it is tracking visits), why bother? (If you’re seriously paranoid, you might even go so far as to use TOR to anonymize yourself.)”


Filed under: Email Security, Spam

Storm Worm game screenshots

Posted September 18, 2007

From email attachments to gift cards to announcements about the beginning of the NFL season to online games – that’s what we’ve seen the Storm Worm do lately, switching email-lure tactics.

Both F-Secure and McAfee Avert Labs have screenshots worth checking out.

So, what’s next?


Filed under: Email Security, Phishing, Spam

Hello, FDF spam

Posted August 13, 2007

Spam hasn’t just been an IT security topic of late, it’s been the topic.

Why? Although most spam messages are harmless as long as the end-user knows how to use his or her delete button, spammers are showing quite a bit of innovation in crafting the junk email messages – more so than many virus-writers.

Lately, the most prominent trend has been spammers’ use of attachments to spread messages – mostly, in the past month, PDF attachments.

But those may now be giving way to another type: FDF files.

PDF spam, we hardly knew ye’…

Pedro Bueno, researcher at McAfee Avert Labs, has a rundown posted on the lab’s blog.

“Yes, say goodbye to the PDF spam wave and welcome the FDF stock spam wave! And yes, you will be able to open it with the regular Acrobat reader! Maybe to bypass filters based on file extension, the spam now is using the file extension .FDF, which is the format used by the data exported from a PDF form fields. The new spam will usually follow the format: -UserEmail.FDF, like GlobalTrading-pbueno.fdf.”

- Pedro Bueno, McAfee Avert Labs Blog, Aug. 10, “Goodbye PDF spam…welcome FDF!”


Filed under: Email Security, Emerging Threats, Finance, Spam

The great PDF spam count

Posted July 16, 2007

Eight is the magic number.

That’s how many PDF spam emails were waiting for me when I arrived at the office this morning.

So if you don’t believe the security vendors, believe me. PDF spam is spiking.

Unless, of course, those were legitimate proposals that I mistakenly deleted. In that case, I’d like to apologize to my friends Tobias C. Steele, Maximillian L. Reilly, Hugh O. Salas, Violet Clayton, Majory V. Gentry, Maude and Squad for trashing their emails.

Here’s what others had to say about recent jumps in PDF spam:

“We have received a number of reports from our readers indicating that they are receiving a large amount of pump-and-dump spam that contains no subject or body text. The emails do however contain attachments that have a .dat extension. Upon further review of the attachments, it appears that they are failed attempts at creating and sending a PDF file.

The attachments are the typical pharmacy scam spam. It is recommended that you just delete the emails. You may want to think about adding the .dat to your banned file extensions in your anti-virus programs at least until this round of spam has ended.”
- Deborah Hale, SANS Internet Storm Center, July 13, “Strange round of emails”

“Yes, PDF spams are now quite a common thing.

Now in an attempt to bypass detection and add other features, the miscreants are starting to add the use of crypto to the PDF files. We are starting to see new PDF spams that were ‘encrypted’ with an (unregistered) version of pdfcrypt…

The easy way to recognize it is a big yellow square before the actual spam message…and the ‘Please Register this Version of PDFcrypt’ message…”
- Pedro Bueno, McAfee Avert Labs Blog, July 13, “New trend on PDF spam”
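
Both attachment tricks quoted on this page, the .dat files reported by SANS and the .fdf renaming described in “Hello, FDF spam,” lean on filters that trust the file extension. The Python below is an added example, not code from SC Magazine, McAfee or SANS: it classifies attachments by their content header instead of their name. The sample message, its filenames and the `/Encrypt` byte search are constructed assumptions for the demonstration.

```python
import os
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Readers tolerate some leading bytes before the header, so scan a window
# instead of requiring the marker at offset 0.
HEADER_WINDOW = 1024
MAGIC = re.compile(rb"%(PDF|FDF)-\d\.\d")
EXPECTED_EXT = {"PDF": ".pdf", "FDF": ".fdf"}


def sniff(payload: bytes):
    """Return 'PDF', 'FDF' or None based on content, ignoring the filename."""
    match = MAGIC.search(payload[:HEADER_WINDOW])
    return match.group(1).decode() if match else None


def classify_attachments(raw_message: bytes):
    """Inspect every named MIME part and report what it really contains."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if part.is_multipart() or not name:
            continue
        payload = part.get_payload(decode=True) or b""
        kind = sniff(payload)
        ext = os.path.splitext(name)[1].lower()
        findings.append({
            "filename": name,
            "sniffed": kind,
            # Content says PDF/FDF but the name claims something else.
            "extension_mismatch": kind is not None and ext != EXPECTED_EXT[kind],
            # Heuristic: an encrypted PDF carries an /Encrypt entry in its trailer.
            "encrypted": kind == "PDF" and b"/Encrypt" in payload,
        })
    return findings


def build_sample() -> bytes:
    """Constructed test message; names and contents are made up for the demo."""
    plain = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
             b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    locked = plain.replace(b"/Root 1 0 R", b"/Root 1 0 R /Encrypt 2 0 R")
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    for name, data in [("report-user.fdf", plain), ("offer.dat", b"\r\n" + plain),
                       ("stock.pdf", locked), ("notes.txt", b"plain text")]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in classify_attachments(build_sample()):
        print(finding)
```

A gateway rule built on `extension_mismatch` keeps working when the extension changes again, which a banned-extension list does not.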


Filed under: Email Security, Finance, Phishing, Spam

Spammer vs. Spamhaus

Posted July 10, 2007

Spamhaus has enemies out there.

Last year, e360 Insight objected to the U.K.-based non-profit listing it as a spammer and filed an action in an Illinois court. Spamhaus did not appear and e360 won a court order by default, and then demanded that ICANN strip Spamhaus of its domain.

ICANN, of course, responded that it did not have the authority to take such action.

This week, Spamhaus is again staring down attackers, who are attempting to discredit the organization and DDoS their phone lines, according to the researchers at McAfee Avert Labs.

A few notes about the attack from McAfee:

“The spammer in this case also had to fake the sender’s address because Spamhaus’ SPF record is of the ‘-all’ variety which sensibly denotes that they *only* permit one IP address to send mail for their domain and so affecting the bot’s ability to deliver further.

Obviously Spamhaus does not use botnets to send out promotional material.”

And here’s the text being used in the attack:

From: Christy June
Date: Fri, 5 Jul 2007 20:34:52 +0100
To: “some, one”
Conversation: Which shalom myself magnetic
Subject: What shalom herself magnetic

WORKING TO PROTECT INTERNET NETWORKS WORLDWIDE
Spamhaus tracks the Internet’s Spammers, Spam Gangs and Spam Services, provides dependable realtime anti-spam protection for Internet networks, and works with Law Enforcement to identify and pursue spammers worldwide.

The SBL database is maintained by a dedicated international Spamhaus team based in 9 countries, working 24 hours a day, 7 days a week to list new confirmed spam issues and - just as importantly - to delist resolved issues.

The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits.

The Exploits Block List can be used by all modern mail servers, by setting your mail server’s anti-spam DNSBL feature (sometimes called “Blacklist DNS Servers” or “RBL servers”) to query xbl.spamhaus.org. Use of the XBL is free for users with normal mail servers (but networks with high email traffic should see DataFeed).

You can get MUCH MORE if you contact us:

The Spamhaus Project Ltd. 50 Churchill Square, Suite 6, Kings Hill, West Malling ME19 4YU United Kingdom, Tel (+44) 870 766 xxx


Filed under: Email Security, Phishing, Spam

Another angle: iPhone scams

Posted July 5, 2007

Who wouldn’t want a free iPhone – or an iPhone free of a binding agreement to one voice service provider?

I would. But it’s likely that no such deals exist, unfortunately. But here are some details on scam emails and online advertisements that claim they do - as well as other swindles.

The PC Doctor’s Blog details recently discovered iPhone scams, one claiming “unlocked” iPhones are available on eBay.

“An iPhone but be free of AT&T? Dream on!
A number of “unlocked” iPhones seem to be on sale on eBay. Given that there’s no confirmed unlock method for the iPhone, their listings are either erroneous or deceptive. Many of the sellers, when questioned on this, seem to be retracting their statements about the iPhone being unlocked, but there’s still plenty of scope for buyers to be scammed into buying a phone that’s not suitable to their needs.”

- “iPhone scams to be wary of…” The PC Doctor’s blog, July 2

But the award for the most comprehensive webpage on iPhone scams has to go to ScamBusters.org, which predicts the top seven most common iPhone scams – updated post-launch.

“1. iPhone on eBay scams:
As we write the first version of this article on Wednesday evening, two full days before the launch of the iPhone, there are already 1,796 products listed when you do an eBay search for ‘iPhone.’

2. iPhone standing in line scams:
On sites like Craig’s List, as well as eBay, you can find many offers from people willing to spend the day standing in line for you - for a fee. The assumption behind these offers is that most Apple and AT&T stores will run out of iPhones, so those at the beginning of the line (who waited overnight or all day long on Friday) will be the ones to get the coveted iPhones.

3. iPhone scalper scams:
We expect that a lot of people will spend the day in line, buy an iPhone, and then try to sell it at a higher price. As we mentioned, some people will do this online at sites like eBay; others will sell their iPhones right outside the Apple and AT&T stores.

4. Free iPhones:
A few of these offers will no doubt be legitimate - but be VERY careful.
We’ve written about scams that use hot items (like designer handbags and plasma TVs) as lures to get email addresses and detailed personal information:

5. iPhone spam:
We predict an avalanche of iPhone spam. Most will probably offer iPhones at ridiculously low prices.
Our recommendation: NEVER respond to spam. As we always say, “If it’s spam, it’s a scam.” Don’t be tempted.

6. Fake iPhone websites and phishing scams:
We anticipate seeing lots of fake iPhone websites and phishing scams.

Many of these will probably be well done, and will look like the Apple online store or the AT&T website. Others will claim that you have purchased an iPhone and there was some kind of problem with your order that you need to correct.

7. iPhone viruses, trojans and spyware:
With the popularity of the iPhone, there is no doubt that we’ll see viruses, Trojans and spyware that use images, other attachments, or other iPhone-related information as bait.

Our recommendation: Never open attachments from people you don’t know or that you aren’t expecting. Keep your anti-virus software and anti-spyware software up to date. Use a firewall.”
- “iPhone scams: ScamBusters.org predicts the Top 7 iPhone Scams,” ScamBusters.org, updated July 3


Filed under: Email Security, Emerging Threats, High Tech, Manufacturing, Phishing, Product News, Spam

What’s up with image spam?

Posted May 29, 2007

At the moment, researchers are unsure what to make of the former email filter-bypassing technique of the moment.

Most agree that it’s too early to write off this image-based menace of inboxes for good, but some image-spammers seem to have taken a spring holiday – or dismissed the technique altogether.

A report on April’s email-borne threats from Symantec (reported here on SCMagazine.com) showed a 10-percent drop in image spam from March to April, when it accounted for 27 percent of all captured spam.

Three weeks ago, Doug Bowers, senior director of anti-abuse engineering at Symantec, told us that he wasn’t “convinced we’re seeing a significant decline just yet. I don’t think we have enough data to see if it’s a trend.”

Meanwhile, Nick Kelly, posting on the McAfee Avert Labs blog on Friday, said that in recent weeks, “there has been a significant reduction in spam that contains embedded images dropping from 59 percent at the start of April to 12 percent earlier this week.”

But again, don’t pop the champagne just yet. Reports of the death of image spam may have been premature.

“During the last 24 hours, embedded image spam has again increased to 31 percent of spam, so whether the pump-and-dump spammers were having a holiday during April and are now back at work, or if this is a temporary increase, remains to be seen,” he said.


Filed under: Email Security, Phishing, Spam

Hitman phishing, or the 419 death threat scam

Posted May 8, 2007

Talk about putting the spear in spearphishing – or any other weapon for that matter.

The diligent handlers at the SANS Internet Storm Center have found another example of what’s now being called the 419 death threat scam.

Here’s the example caught by SANS:

“Hello, I wish to let you know that I have been paid by a client to assasinate you at convenience,and i have signed a contract of $650,000 yesterday for this.I have never met you before,but they gave me the full description of your identity and contact,together with your photograph which my boys have used to trace you.”

We saw an example of this earlier this year, and while the scam is largely the same, the phisher’s spelling and grammar certainly hasn’t improved.


Filed under: Phishing, Spam

On the menu: spam and more spam

Posted April 30, 2007

In case you didn’t already hate spam, here are two more reasons.

McAfee Avert Labs has spotted “how to become a money launderer spam,” which are literally job ads recruiting people who have some extra time on their hands and would like to earn some money, albeit illegally.

At Sunbelt Software, the researchers have the skinny on oxymoronic image spam, or “imageless image spam.” This new find arrives in email boxes as a short message promising to detail the latest news from Wall Street. The link, however, leads to a photo detailing the latest stock scam.


Filed under: Email Security, Phishing, Spam

A fitting description for Virginia Tech scammers

Posted April 23, 2007

It’s tough to believe that it’s been a week since the tragic deaths of 32 students and professors at Virginia Tech.

In that time, we’ve followed the story’s numerous information security angles, and we’ve found a lot of what we expected to find: Scammers and spammers will use just about any tragic story that’s received mainstream media coverage as a lure for malware or malicious websites.

So why bring it up again? Handler Tom Liston of the SANS Internet Storm Center posted today that spammers are sending messages across Europe claiming an “Asian national” has gone on a copycat shooting spree, and, of course, urging the reader to click on a malicious link for more information.

Liston sums up his (and most individuals’) feelings on the issue, complete with a fitting description of such scam artists.


Filed under: Education, Email Security, Lawbreakers, Phishing, Spam
