This alert has been triggered by an increase in a specific spam attack affecting our customers globally. This report covers the following attack:
Starting around mid-August, we had Snowshoe/Hit-and-run style spam impacting customers. This spam threat is known for exploiting the propagation latency of spam definitions by sending large volumes of spam messages in short bursts, during which the sending domains rotate quickly and the sending IP hops within a certain /24 range.
In addition, the body of the message, usually HTML, contains heavily randomized text interspersed with normal HTML code, to make it more difficult to create effective, long-lasting detection mechanisms.
By its very nature, detection of this type of spam relies significantly on Symantec receiving variations of missed spam messages, either through Symantec's own probe network or through submissions sent directly by affected customers, in order to adjust existing filters or create new ones.
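The burst pattern described above (many messages in a short window, rotating sender domains, sending IPs hopping inside one /24) can be looked for in local mail logs. The following is an added example, not Symantec code: the record layout, the function name `snowshoe_candidates`, the thresholds and the sample log are all assumptions, and it handles IPv4 only.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, sending IPv4 address, sender domain).
# All addresses are from documentation ranges; no real traffic is represented.
SAMPLE_LOG = [
    ("2014-08-18T10:00:05", "198.51.100.11", "deals-a.example"),
    ("2014-08-18T10:00:40", "198.51.100.12", "deals-b.example"),
    ("2014-08-18T10:01:10", "198.51.100.14", "offers-c.example"),
    ("2014-08-18T10:02:00", "198.51.100.11", "offers-d.example"),
    ("2014-08-18T10:02:30", "198.51.100.19", "promo-e.example"),
    ("2014-08-18T10:03:15", "198.51.100.12", "promo-e.example"),
]
# A steady single-IP, single-domain sender (same volume, no rotation).
SAMPLE_LOG += [(f"2014-08-18T10:0{i}:00", "203.0.113.25", "newsletter.example")
               for i in range(6)]
# Rotating IPs and domains, but one message per hour (no burst).
SAMPLE_LOG += [(f"2014-08-18T0{i}:00:00", f"192.0.2.{i}", f"site{i}.example")
               for i in range(1, 7)]


def snowshoe_candidates(records, window=timedelta(minutes=10),
                        min_msgs=5, min_ips=3, min_domains=3):
    """Return {/24: (messages, distinct IPs, distinct domains)} for the largest
    burst per /24 that meets all three thresholds inside one sliding window."""
    by_net = defaultdict(list)
    for ts, ip, domain in records:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)  # collapse to /24
        by_net[str(net)].append((datetime.fromisoformat(ts), ip, domain.lower()))

    flagged = {}
    for net, events in by_net.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the left edge so the burst spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            ips = {e[1] for e in burst}
            domains = {e[2] for e in burst}
            if (len(burst) >= min_msgs and len(ips) >= min_ips
                    and len(domains) >= min_domains
                    and len(burst) > flagged.get(net, (0,))[0]):
                flagged[net] = (len(burst), len(ips), len(domains))
    return flagged


if __name__ == "__main__":
    print(snowshoe_candidates(SAMPLE_LOG))
```

Only the 198.51.100.0/24 range is reported for the sample log; the steady sender lacks rotation and the hourly sender lacks the burst, so neither meets all three thresholds.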
Samples of recent Subjects found for this type of spam:
2014 Models Overstocked (Ride for half)
Everything below Kelly Blue Book
Restore your thin hair back to normal
Select a 2014 (Ford)
Organic treats food 75% off
Re-grow your thinning hair back to normal
Summer savings catcher - ($100 card for you)
Your online rewards are going to expire soon (COSTCO)
Actions being taken
New filters have been created against the attack.
Existing filters are being adjusted to block new variations.
Ongoing analysis into the origins of these attacks continues and there have been several adjustments made to our reputation data to effectively block these messages.
If there are any customers who are continuing to see this type of attack, please ensure you are following best practice configurations and also submitting samples to us (see TechNote 83081).
Symantec Message Gateway customers can also leverage Customer Specific Rules, both as an additional possible method to filter these messages and at the same time provide us with further visibility into the attack.
Further information on Global spam statistics can be found on: