I earlier wrote about an eTrade spam campaign that morphed into a Bank of America spam campaign. Subsequent mutations saw this spammer use the same tactic over and over again, but slightly modify it. We saw LinkedIn spam and “You have a transaction” spam.
Now, the spammer has morphed again, no doubt because filters were updated and blocked it. The newest technique is the following:
This is the same guy who has been operating for a month, sending out new spam blitzes every couple of days. Yet his tactics have changed. Originally, he sent out spam by using his botnets to connect to a second set of botnets that relayed the spam directly. Now his first set of botnets connects to Yahoo and sends out spam that way; he has streamlined it, presumably in an effort to get around IP blocklists.
The move to the subject line is curious. If it’s on purpose, and not because his malware is broken, he’s done that to avoid content filtering. However:
I really wish Google and Yahoo would catch this guy and shut him down.
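The tactic above, moving the payload from the body into the subject line, only defeats a content filter that never looks at headers. As an added illustration (not code from the original post, and not any real filter's rule set), the following Python scans both the decoded Subject header and the body for the same indicators. The four messages, the indicator list and the `example.invalid` URLs are constructed for the example; the third message shows why the subject must be RFC 2047-decoded before it is scanned, since spam tooling often base64-encodes the header.

```python
"""Content-filter check that covers the Subject header as well as the body.

Added example, not from the original post. The spam samples below are
constructed to illustrate the tactic described: the payload that used to
sit in the body moved into the subject line. A filter that only scans the
body misses samples 2 and 3; one that decodes and scans the subject
catches all of them.
"""
import base64
import email
import re
from email import policy

# Hypothetical indicators for the example; a real filter uses its own rules.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
LURE_TERMS = ("you have a transaction", "bank of america", "etrade", "linkedin")


def find_indicators(text):
    """Return URLs and lure phrases found in a piece of text."""
    hits = URL_RE.findall(text)
    low = text.lower()
    hits += [term for term in LURE_TERMS if term in low]
    return hits


def scan_message(raw, scan_subject=True):
    """Parse a raw RFC 5322 message and report indicators by location."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # policy.default decodes RFC 2047 encoded words (=?utf-8?B?...?=) for us,
    # so str() of the header yields the text a recipient would actually see.
    subject = str(msg.get("Subject", ""))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    result = {
        "subject": subject,
        "body_hits": find_indicators(body),
        "subject_hits": find_indicators(subject) if scan_subject else [],
    }
    result["flagged"] = bool(result["body_hits"] or result["subject_hits"])
    return result


def _encoded_word(text):
    """Wrap text as an RFC 2047 base64 encoded word, as mailers commonly do."""
    return "=?utf-8?B?" + base64.b64encode(text.encode()).decode() + "?="


# Constructed samples (example.invalid is a reserved, non-routable domain).
SAMPLES = {
    # 1: payload in the body, as in the earlier campaigns
    "body_payload": (
        b"From: alerts@example.invalid\r\nTo: user@example.invalid\r\n"
        b"Subject: Account notice\r\n\r\n"
        b"You have a transaction pending: http://example.invalid/login\r\n"
    ),
    # 2: payload moved to the subject, body left empty
    "subject_payload": (
        b"From: alerts@example.invalid\r\nTo: user@example.invalid\r\n"
        b"Subject: You have a transaction http://example.invalid/login\r\n\r\n"
    ),
    # 3: same as 2, but the subject is RFC 2047 encoded
    "encoded_subject_payload": (
        b"From: alerts@example.invalid\r\nTo: user@example.invalid\r\n"
        b"Subject: "
        + _encoded_word("You have a transaction http://example.invalid/login").encode()
        + b"\r\n\r\n"
    ),
    # 4: ordinary mail with no indicators
    "benign": (
        b"From: colleague@example.invalid\r\nTo: user@example.invalid\r\n"
        b"Subject: Lunch tomorrow?\r\n\r\nSame place at noon?\r\n"
    ),
}


def scan_all(scan_subject=True):
    """Scan every sample and return {name: flagged}."""
    return {name: scan_message(raw, scan_subject)["flagged"]
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        r = scan_message(raw)
        print(f"{name}: flagged={r['flagged']} "
              f"subject_hits={r['subject_hits']} body_hits={r['body_hits']}")
    print("body-only filter:", scan_all(scan_subject=False))
```

Running it with `scan_subject=False` reproduces the gap the spammer is betting on: the two subject-line samples pass a body-only filter, while the same rules applied to the decoded subject flag them.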