Vintage Spam Recipes: Remixing Nigerian and HTML

By Matthew Hines  |  Posted 2009-07-07 Print this article Print

In the latest evidence that spam and malware techniques never truly die, they only go away for a little while, spammers have rehashed and combined two of their longest-running themes in a spate of recent campaigns.

Researchers with Symantec have noted the return of spam messages hiding their content in HTML code dropped into e-mail attachments, a long-popular obfuscation model that eventually ebbed in favor of other techniques like image spam, based primarily on its ubiquity and subsequent vendor focus on stopping the tactic.

And, harkening back to one of the spam world's earliest and most traditional social engineering formats, many of the new waves of HTML spam harbor 419 money laundering schemes, aka Nigerian scams, the researchers said.

Symantec experts highlighted that spammers have been using the HTML 419 approach in an array of different criminal activities, ranging from phishing to malware distribution to e-mail harvesting; the attacks will likely take on ever more varied strategies in the coming weeks and months as spammers work their way through the approach and security companies once again re-adjust their defenses to be on the lookout for the campaigns.

It seems that the industry is still sticking its proverbial fingers into the spam dam, with new variations on the same types of techniques spilling out anew whenever vendors seem to have temporarily negated some other stream of activity.

And with spam accounting for more than 90 percent of all the world's e-mail traffic, according to some estimates, the spammers are clearly flooding networks with so many different variants it's not all that surprising that some of their oldest tactics have become useful again.

"Spammers seem to believe that they don't always need to invent new strategies to enter a user's inbox -- they know they can utilize existing tactics with better results," Symantec Researcher Mayur Kulkarni said in a blog post.

By merely avoiding opening unknown attachments, and of course not subsequently wiring funds to Nigeria or wherever, end users can easily neutralize the campaigns' bite however, the expert said.

The involved message bodies predictably attempt to goad recipients into opening the attachments, another unoriginal and fairly obvious ploy.

"We have not found any major differences in the messages inside, when compared to similar attacks carrying DOC/RTF/TXT attachments," Kulkarni reported. opened the attachment to examine the actual message.

Some sample names of the attached HTML files include:

My shared file.htm Truth of the matter.htm View the atteched.htm my proposal to you.htm from rotimiahmed.htm this file should be downloaded.htm word from Daniel.htm read this attached message.htm

Spammers tend to flock to whatever methods are currently most effective, which means that some spam filters are missing the HTML attachments and that some users are still falling for Nigerian get rich schemes.

Sad news either way.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel