Spam Campaigns using underscore char to mask links

Recently we posted an article where we talked about how spam campaigns using the character of the space to mask the malicious links, it’s now the turn of the underscore character.

In recent days we have registered more than 800 spam messages that mask the links with the underscore character to bypass some antispam filters. The spam messages contained in most promotions of pharmaceutical products and in some cases even false software products.

The malicious URL is generally composed by 2 or 3 letters and by 1 or 2 numbers, the TLDs that are mostly used are .com and .net. In the following lines there is an example of a spammed url:

1
2
3
www_se57_net
www_se58_net
www_se59_net

Some IP addresses of those who have sent the spam emails are also present in the spam messages that were analyzed in the previous article, we assumes that this new spam campaign has been launched from the same botnet that launched the spam campaign using the space character to mask the malicious links

Random Posts

Previous Posts