Spam sent via fake out-of-office messages

Posted by   Virus Bulletin on   Aug 11, 2011

'Sick leave' message followed by weight loss spam.

In an apparently new way of spreading their messages, spammers are advertising their products via fake out-of-office replies.

The example VB has seen involved a legitimate email which was sent with an (unintentional) typo in the domain name of the intended recipient. What came back was an 'out-of-office' message containing spammy links.

The message started off like a normal out-of-office reply, informing the sender that the recipient was not in the office. However, it continued by saying that the recipient was actually on sick leave, and that his doctor had recommended some diet products. There then followed a number of links and images that led to a web page with affiliate links to weight loss sites:

It appears that the misspelled domain name had been registered by spammers and was then used to send these fake out-of-office replies.

In this case, the images in the email were hosted on the recipient's domain, which is also where the links led. However, spammers could easily have used a third-party domain and would thus not have needed full control of the domain in question.

While it is questionable whether many users would fall for such a scam, this example shows that spammers never tire of finding new ways to spread their messages. Moreover, many spam filters are less likely to block messages from email addresses that have previously been corresponded with, and thus messages like this are less likely to be blocked by them.

Posted on 11 August 2011 by Virus Bulletin

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

VBSpam tests to be executed under the AMTSO framework

VB is excited to announce that, starting from the Q3 test, all VBSpam tests of email security products will be executed under the AMTSO framework.

In memoriam: Prof. Ross Anderson

We were very sorry to learn of the passing of Professor Ross Anderson a few days ago.

In memoriam: Dr Alan Solomon

We were very sorry to learn of the passing of industry pioneer Dr Alan Solomon earlier this week.

New paper: Nexus Android banking botnet – compromising C&C panels and dissecting mobile AppInjects

In a new paper, researchers Aditya K Sood and Rohit Bansal provide details of a security vulnerability in the Nexus Android botnet C&C panel that was exploited in order to gather threat intelligence, and present a model of mobile AppInjects.

New paper: Collector-stealer: a Russian origin credential and information extractor

In a new paper, F5 researchers Aditya K Sood and Rohit Chaturvedi present a 360 analysis of Collector-stealer, a Russian-origin credential and information extractor.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.