My spam run is bigger than your spam run

For the past two weeks SophosLabs have been monitoring a specific spam campaign employing thousands of shocking subject lines, and a link to one of thousands of compromised hosts serving up malware.

This campaign has also changed the filename the spam message links to almost daily (r.html, main.html, news.html, about.html, start.html, viewmovie.html, begin.html, stream.html, watchit.html, fresh.html, hot.html, live.html, topnews.html, lol.html, and more), likely to tempt admins into writing block rules based on the filename, only for it to change again hours later.

Thankfully, nearly all the malware samples this campaign attempts to direct recipients to were detected proactively as “Mal/EncPk-DA”, and we have employed spam rules to detect and track this campaign.

Sample from today:

[Image: Mal/EncPk-DA sample]

Besides the somewhat entertaining subject lines and content, what makes this campaign particularly interesting to me is the sheer volume of messages this specific spam/malware run sends continually. Below is a graph illustrating the percentage of all email sent to our customers that this specific campaign makes up:

[Graph: Mal/EncPk-DA hits as a percentage of all email]

Over the past week or so, this campaign has typically made up 10% of *all* email received (and blocked, obviously) by our customers, with spikes up to 25-30%. This is not typical of most spam runs out there, which are usually just a *blip* compared to the total amount of spam being sent at any given moment.
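As an added illustration (not code from the original post or from SophosLabs), the Python below contrasts the kind of exact-filename block rule the rotation above is designed to defeat with a rule keyed on the URL shape the campaign kept while rotating names, and computes the per-day share of all mail each rule attributes to the campaign, the figure the graph reports. The log records and hosts are constructed; only the .html filenames come from the post.

```python
import re
from collections import Counter

# Constructed gateway log: (day, link found in the message body, or None if no link).
# Hosts are invented placeholders; the .html names are ones the campaign rotated through.
SAMPLE_MAIL = [
    ("day1", "http://host-a.example/r.html"),
    ("day1", None),
    ("day1", "http://host-b.example/main.html"),
    ("day1", "https://intranet.example/reports/q3/summary.html"),
    ("day2", "http://host-c.example/viewmovie.html"),
    ("day2", None),
    ("day2", None),
    ("day2", "http://host-d.example/fresh.html"),
    ("day2", "https://www.example.org/docs/index.html"),
]

# Rule 1: what an admin writes after day 1, keyed on the exact filenames seen so far.
FILENAME_BLOCKLIST = {"r.html", "main.html"}

# Rule 2: keyed on the shape the campaign kept while rotating names: one short
# lowercase word.html directly under the host root, no directory, no query string.
CAMPAIGN_URL_SHAPE = re.compile(r"^https?://[^/?#]+/[a-z]{1,12}\.html$")


def filename_rule(url):
    """Flag only if the link ends in a filename already on the blocklist."""
    return url is not None and url.rsplit("/", 1)[-1] in FILENAME_BLOCKLIST


def shape_rule(url):
    """Flag on the URL shape, so tomorrow's new filename still matches.
    On its own this is too broad to block outright; combine it with other
    campaign signals (subject line, sending host) in a real spam rule."""
    return url is not None and CAMPAIGN_URL_SHAPE.match(url) is not None


def campaign_share(mail, rule):
    """Percentage of all mail per day that a rule attributes to the campaign."""
    total, hits = Counter(), Counter()
    for day, url in mail:
        total[day] += 1
        if rule(url):
            hits[day] += 1
    return {day: round(100.0 * hits[day] / total[day], 1) for day in total}
```

On the constructed log the filename rule drops to 0% on day 2 once the names rotate, while the shape rule keeps tracking the campaign.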