Spam Campaigns using underscore char to mask links

   

Recently we posted an article about spam campaigns that use the space character to mask malicious links; now it is the turn of the underscore character.

 

In recent days we have registered more than 800 spam messages that mask their links with the underscore character to bypass some antispam filters. The spam messages contained, for the most part, promotions of pharmaceutical products and in some cases even fake software products.

 

The malicious URL is generally composed of 2 or 3 letters and 1 or 2 numbers; the TLDs mostly used are .com and .net. The following lines show examples of spammed URLs:

www_se57_net
www_se58_net
www_se59_net
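
A filter-side check for the masking described above, as an added example that is not from the original article: it finds `www_<label>_<tld>` strings, restores the dots so ordinary URL blocklists can evaluate the host, and flags whether each match has the exact shape the article describes. The looser single-label pattern, the function names and the sample message are assumptions constructed for illustration.

```python
import re

# Boundaries: not preceded by a host/identifier character, and not followed by
# one (a trailing full stop at the end of a sentence is still allowed).
_PRE = r"(?<![A-Za-z0-9_.-])"
_POST = r"(?![A-Za-z0-9_-]|\.[A-Za-z0-9])"

# Shape described in the article: 2-3 letters and 1-2 digits, .com or .net,
# with "_" written where the dots would be.
STRICT = re.compile(_PRE + r"www_([a-z]{2,3}[0-9]{1,2})_(com|net)" + _POST, re.I)
# Looser variant (assumption, not from the article): any single DNS label.
LOOSE = re.compile(_PRE + r"www_([a-z0-9-]{1,63})_(com|net)" + _POST, re.I)

def _restore(match):
    """Turn one masked match back into a dotted, lower-case hostname."""
    return f"www.{match.group(1)}.{match.group(2)}".lower()

def find_masked_hosts(text):
    """Return [(hostname, matches_article_shape)] in first-seen order, de-duplicated."""
    found = {}
    for m in LOOSE.finditer(text):
        found.setdefault(_restore(m), STRICT.fullmatch(m.group(0)) is not None)
    return list(found.items())

def demask(text):
    """Rewrite masked hosts to dotted form so URL-based filters downstream see them."""
    return LOOSE.sub(_restore, text)

# Constructed sample message (not a captured spam mail).
SAMPLE = (
    "Subject: Best prices on meds\n"
    "Visit www_se57_net today, or WWW_SE58_NET.\n"
    "Mirror: www_se59_net and www_se57_net\n"
    "Software: www_cheapsoft_com\n"
    "Unrelated identifier: www_data_com_handler\n"
    "Normal link: http://www.example.com/\n"
)

if __name__ == "__main__":
    for host, exact in find_masked_hosts(SAMPLE):
        print(f"{host:20} {'article pattern' if exact else 'loose match'}")
```

Matches that only satisfy the loose pattern are better treated as a scoring signal than as a hard block, since identifiers such as `www_data_com` can occur in legitimate technical mail.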

Some of the IP addresses that sent the spam emails also appear in the spam messages that were analyzed in the previous article; we assume that this new spam campaign has been launched from the same botnet that launched the spam campaign using the space character to mask the malicious links.


2 Approved Responses so far

  1. Ann Churchill Says:

    I have added every conceivable spam word on my spamilator filter, and yet I am getting more spam than ever. Every word in the message is underscored in between. How can I stop receiving these linked together words in the messages, which are always spam??? How do you filter messages containing underscore marks? A.C.

  2. rob Says:

    It is not easy to properly filter any message for spam since spammers always use new “tricks” to bypass anti-spam filters. You can filter words, but if the message contains a “normal” text and the spam message is inside an image, then it becomes hard to detect it, especially when the sender’s IP is always different…
