2015 has just begun, but we’re already seeing old problems crop up again – particularly the abuse of a lot of legitimate web sites. Since the start of the year, we’ve been seeing a significant increase in the number of spammed messages with links that lead to various Russian dating sites.
Figure 1. Sample of dating site spam
While messages of these types are fairly common, this recent wave is unusual in several ways. First, the level of dating site spam is higher than normal. On one day alone (January 4), we identified more than 150,000 email samples which had been received by our honeypots. These were sent from more than 50,000 unique IP addresses.
The senders of these messages are also unusual. These types of spam messages tend to be sent from known spam-sending IPs. That was not the case here. These messages were sent from IPs that had not been used to send spam before. In addition, these IP addresses appear to be part of /23 or /24 IP address blocks, with either no associated domain names or meaningless ones.
These spam-sending IPs are located in a wide variety of countries. Of the more than 50,000 spam-sending IPs we mentioned earlier, only Iran has a double-digit share with 11.37% (more than 5,700 IPs). The rest are distributed across various countries, with Spain, Vietnam, Argentina, and Germany rounding out the top five.
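The sender pattern described above (previously unlisted IPs clustered in /23 or /24 blocks, with missing or meaningless domain names) can be looked for in honeypot data by grouping senders by network block. The following is an added example, not code from the original analysis; the record layout, the reputation set, the PTR heuristic and the three-sender threshold are assumptions, and the addresses are constructed from documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample honeypot records: (sender IP, PTR hostname or None).
# Addresses are RFC 5737 documentation ranges, not indicators from the campaign.
SAMPLE = [
    ("198.51.100.10", None),
    ("198.51.100.77", None),
    ("198.51.100.201", "a1b2c3"),        # PTR present but meaningless
    ("198.51.101.5", None),
    ("203.0.113.9", "mail.example.org"),  # ordinary-looking PTR
    ("192.0.2.25", None),                 # already on the reputation list
]
KNOWN_SPAM_IPS = {"192.0.2.25"}  # assumed existing spam-sender reputation list


def ptr_is_meaningful(ptr):
    """Assumed heuristic: a usable PTR is a dotted hostname, not a bare label."""
    return bool(ptr) and "." in ptr.strip(".")


def suspicious_blocks(records, known, prefix=24, min_senders=3):
    """Return {network: sorted sender IPs} for blocks in which at least
    min_senders distinct, previously unlisted IPs without a meaningful PTR
    sent mail to the honeypot."""
    blocks = defaultdict(set)
    for ip, ptr in records:
        if ip in known or ptr_is_meaningful(ptr):
            continue  # existing reputation or a plausible hostname covers it
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        blocks[str(net)].add(ip)
    return {net: sorted(ips, key=ipaddress.ip_address)
            for net, ips in blocks.items() if len(ips) >= min_senders}


if __name__ == "__main__":
    # Check both block sizes named in the write-up.
    for prefix in (24, 23):
        print(prefix, suspicious_blocks(SAMPLE, KNOWN_SPAM_IPS, prefix))
```

Running the grouping at both prefix lengths matters: a sender that looks isolated at /24 can join its neighbours once the block is widened to /23.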
The links in these spam messages do not directly lead to the dating sites. Instead, they pass through various message boards that contain spammed posts with full-length versions of the pitches in the emails:
Figure 2. Spammed post on message board
These message boards do not appear to be complicit in these attacks; we believe they have been victimized by various bots that target these forums. Large numbers of forums have been targeted; in one day alone, we saw emails that sent links to more than 700 different forums. Sites that run on phpBB and Discuz!, both popular forum software, have been targeted in this manner. These sites are generally ranked as non-malicious, which may help evade spam filters.
While dating site spam is currently being sent in this manner, we can’t rule out further attacks that take advantage of similar methods to try and evade spam filters; we currently block these types of spam messages and will block any similar types that appear in the future.
With additional analysis from Jimmy Lin, Jon Oliver, Matt Yang and Yi Lee