One of the oldest spammer tricks is the abuse of free email and web hosting services. The former allows them to hide behind a legitimate email service. The latter gives them the ability to host spammy images and content on otherwise legitimate domains.
One of the more recent trends is the abuse of AOL Mail and Microsoft’s SkyDrive services at the same time. The spam is coming from @aim.com accounts through the AOL WebMail system. It points to a randomly generated URL on bay.livefilestore.com to load the images containing spam content, i.e.:
This is an example of stock “pump-n-dump” spam using the technique. But we’ve also seen it used in spam promoting “viagra”, fake Rolex watches, casinos, etc. The format of the messages stays the same, but the content (“hashbusters”) and the URLs change.
This campaign will be challenging for anti-spam filters that rely heavily on sender reputation technologies (no one will be willing to block AOL IPs). It may also create difficulties for URL- and checksum-based filters, because the URLs and the message content are heavily randomized.
In our case, the best approach was to use Sophos’s Spam Genotype technology. A definition consisting of non-mutating campaign features should detect all of these samples reliably.
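The contrast between checksum matching and matching on non-mutating features, as an added Python illustration (not Sophos's Genotype definition and not code from the original post). The sample messages, addresses and image paths are constructed, and the two features used are assumptions taken from the description above.

```python
import hashlib
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

def make_sample(hashbuster, path):
    """Constructed sample: fixed layout, varying hashbuster text and image path."""
    return (
        "From: Example Sender <user123@aim.com>\n"
        "To: recipient@example.org\n"
        "Subject: news\n"
        "Content-Type: text/html; charset=us-ascii\n"
        "\n"
        f'<html><body><img src="http://bay.livefilestore.com/{path}/a.gif">'
        f"<p>{hashbuster}</p></body></html>\n"
    )

SAMPLE_A = make_sample("quiet river orange lamp", "y1pAbC123")
SAMPLE_B = make_sample("window seven cloud paper", "y1pZzQ987")
# Constructed legitimate message from the same provider, no hosted image.
LEGIT = ("From: friend@aim.com\nTo: a@example.org\nSubject: lunch\n"
         "Content-Type: text/html\n\n<html><body><p>Lunch at noon?</p></body></html>\n")

IMG_SRC = re.compile(r'<img[^>]+src=["\']([^"\']+)["\']', re.I)

def html_body(msg):
    # Concatenate every text/html part (handles single-part and multipart mail).
    return "".join(p.get_payload() for p in msg.walk()
                   if p.get_content_type() == "text/html")

def checksum(raw):
    # What a checksum-based filter would key on: the exact body bytes.
    return hashlib.sha256(html_body(message_from_string(raw)).encode()).hexdigest()

def features(raw):
    # Features that stay constant across the campaign as described on this page.
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    hosts = {(urlparse(u).hostname or "").lower()
             for u in IMG_SRC.findall(html_body(msg))}
    return {
        "from_aim": sender.endswith("@aim.com"),
        "img_on_livefilestore": any(
            h == "bay.livefilestore.com" or h.endswith(".bay.livefilestore.com")
            for h in hosts),
    }

def matches_campaign(raw):
    return all(features(raw).values())
```

Two features are enough to show the principle but would also match an ordinary @aim.com user who embeds a SkyDrive-hosted picture, so a production definition needs more invariants than these.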