It’s the last trading day of 2011 (Friday, Dec 30 – although I am informed that it started yesterday) and what do I come into work to see? Spam spoofing eTrade.  Here’s a sample message:

From: <redacted >
Sent: Friday, December 30, 2011 7:18 AM
To: <redacted>
Subject: Etrade Alert: URGENT update

More information here <link to an http://goo.gl/ page>

There is very little content in the message, only a message from eTrade informing recipients of some market condition with a single link in the message body to a goo.gl redirector.  Here are some of the subject lines:

• E-trade: Bill payment canceled
• Etrade Alert Balance changed
• E-trade Alert: Market closed
• Etrade Alert: URGENT update

Peeking into the message headers, the spam either uses a series of bots to deliver the message.  This is a spam campaign where they put in some effort:

1. The spammer uses a set of bots to host the malicious site where the URL service points to. 
2. The spammer uses a second set of bots to use Google’s URL shortening service.
3. The spammer uses a third set of bots to send the original message.
4. The spammer uses a fourth set of bots to receive the original message and then forward it onto the intended recipient (a spambot behind a spambot).  Sometimes they even use a fifth set of bots to forward the mail again.

As much effort as I put into blocking spammers, they are on the other side tweaking their spambots to hide behind multiple layers of legitimacy.  They know we perform URL scanning, so what do they do?  They use a legitimate redirector from Google.  They know we use IP blocklists, so what do they do?  The relay spam from behind multiple bots.

The battle continues.