Beyond the botnet

As reported by Shara Grifenhagen over at Commtouch, spammers for the last week have been abusing not only Google Docs (again) but also what appears to be a “recommend this to a friend” mechanism at ZDNet’s web site, somehow finding a way to launch a variety of campaigns via CNET’s mail servers (216.239.112.0/20):

SampleReceived2

Here is a related sample posted to NANAS indicating others are seeing the same issue.

As the Commtouch blog described, the spammers are sending med spam via Google Docs links:

SampleCNETGoogleDoc2

In addition to the increasingly rare “Pump and Dump” stock spam:

SampleCNETStock2

And even “Pills by Phone” med spam:

SampleCNETPillsByPhone2

These messages hit our traps intermittently between the 12th and 16th of January. We notified CNET’s abuse department last Friday but have received no response (besides an immediate auto-ack). Meanwhile, the campaigns stopped the same day, but the cause is unknown. Adam O’Donnell’s response to Shara on the ZDNet blog, though, may imply they’re still not aware of the real extent of the problem — either that or their abuse department doesn’t talk to their security bloggers…

With last year’s highly publicized take-downs of rogue hosting companies, and the allure of the positive reputation of senders like CNET, spammers have likely started thinking about life beyond the botnet. It’s clear even Internet technology leaders like CNET can’t afford to let their guard down in the fight against online crime.