by Bill Snyder

X-Rated Spam Coming to an Email Box Near You

May 25, 2012 (4 mins)

A nasty spambot called Cutwail is sending out porno spam in an effort to sell counterfeit pharmaceuticals. Clicking on it can turn your computer into a spam-spewing zombie.

I’m a guy, and as a guy sex gets my attention. But the kind of sexually oriented spam I’ve been getting lately is way over the line. Because my mail client, Thunderbird, catches spam but lets me see it before deleting it, I know what’s coming into my email box.

In the last few weeks, I’ve noticed that I’m getting 10 or more emails every day with subject lines that either promise a link to a site full of X-rated photos, or offer to help guys who don’t have confidence in their sexual abilities. I won’t be more explicit, but you know what I mean. And of course, I never click on the links the messages contain.

Nor do I make a practice of visiting X-rated sites where I might have been the victim of a drive-by. By coincidence, I recently spoke to a friend who never visits sex-themed sites, and she has been getting the very same emails. This is odd, I thought, so I called McAfee, a security company that spends a good deal of time tracking trends in malware, to see if our experiences were simply random.

It turns out they are not, says Adam Wosotowsky, a messaging data architect with McAfee. After looking at a few messages I forwarded, Wosotowsky said it appears they are related to a well-known spambot known as Cutwail. A quick Web search then told me that another security company, M86 Security Labs, noticed a large volume of Cutwail-generated spam back in February.

As I mentioned, I never click on links that are part of messages that are obviously corrupt, but researchers like Wosotowsky can, since they do it in a contained environment known as a sandbox. Much Cutwail spam, he says, is related to the sale of off-brand pharmaceuticals. Click on a link that promises nude pictures and you’ll wind up on a site offering to sell you drugs (medicines, not heroin or marijuana) at a huge discount.

Although it’s difficult to prove, Wosotowsky believes that pharmaceutical companies in India and China are the ones selling the drugs. Typically, they’ll find an advertising company to work with, and that company in turn will find an email distributor, who hires yet another company to actually email the spam using a botnet. There may even be a company hired to handle the billing.

It’s unclear who in that chain, other than the company actually using the botnet, is aware that something illegal is going on, says Wosotowsky.

It’s important to realize that the drugs offered for sale this way are probably counterfeit. They may not work at all, or they could contain something dangerous. Given the high price of drugs in the United States, it may be tempting to buy them, but you’re taking a serious risk.

There’s something else going on as well. Botnets work by infecting computers, copying their address books and sending that information to the botnet server, which in turn uses the contaminated computer to send out the spam. That’s why you might get a note from someone you know that’s really spam. Your friend didn’t mean to spam you, but his or her address book has been compromised. Clicking on one of these links could turn your PC into a spam-spewing zombie.

You already know that you should keep your anti-virus programs up to date, and never click on a link or an attachment from someone you don’t know. But those counter-measures might not help if you visit a site that uses Flash or PDFs that execute automatically when you visit them and then contaminate your browser. One way to defend against that kind of attack is available to users of Mozilla’s Firefox browser, says Wosotowsky.

It’s a plug-in called “NoScript” that stops those nasties from executing. Of course, most Flash on the web isn’t harmful and you might want to see it. If you do, NoScript gives you the option of seeing it work one time, or every time you visit that site.