Spammers are constantly trying new ways to bypass filters to deliver spam. One of the more typical methods is the use of word salad spam, wherein spammed messages are filled with random words. We recently noticed a spike in salad spam that’s circulating in the wild. Aside from the sudden increase, what’s interesting about this particular spam run is that it uses exact sentences copied from Wikipedia articles.
For example, in the spammed message below, the first sentence is “Knipe taught his Hawkeye team 75 new plays in one week.” That sentence comes from the Wikipedia article about the American football player and coach Alden Knipe. The second sentence, “As a result, wine consumption in Australia has greatly increased as of 2006.,” comes from the article about cleanskin wine. The last sentence, referring to the House of Blues and the Theatre of the Living Arts, comes from the article about the Verizon VIP Tour.
Figure 1. Sample spammed message
This seemingly normal content may ensure the delivery of the message alone. However, the spammers took it one step further by forging the From form field, making it appear that the email was sent from the recipient’s email account. This adds a layer of legitimacy to the spammed messages.
Further analysis of the email samples show that this spam run is distributed by computers infected by the Kelihos botnet. This botnet is known for spamming and Bitcoin theft. Our research indicates that these messages were sent from a variety of countries, including Argentina (18%), Spain (17%), Germany (11%), Italy (11%), and the United States (10%).
Even though the Wikipedia salad spam may not be malicious—it can be described as a “nuisance” at best—the technique shows that bad guys are still refining known spamming techniques. While there was no malicious payload for this particular spam attack, the same could not be said for future spam runs. Users are advised to be cautious when opening emails. A good rule of thumb would be immediately deleting emails from unknown senders.
Trend Micro protects users from these threats.