Following the McColo network takedown, spam volume has been clawing its way back up. Our daily Spam Volume Index (SVI), which measures the volume of spam arriving at a bundle of domains we monitor, has doubled since the low point immediately after the McColo shutdown on 11 November.
Initially we saw some revived activity from Rustock, which now appears to have gone quiet. On the other hand, Mega-D has bounced back and is now spamming heavily. Mega-D (a.k.a. Ozdok) now has an updated spambot which no longer uses its former distinctive hard-coded template. Yesterday, spam from Mega-D made up some 48% of the spam arriving at our spam traps. It is now using headers in this style:
Subject: Your order
Interestingly, this is the exact same header template we saw Rustock use just prior to the McColo takedown – reinforcing the idea that the same group is behind both botnets. Of course, the other possibility is that there is a good deal of mimicking going on.
Note that the header uses the same address in From: and To:. While not a new trick, this has been causing problems for people who have whitelisted their own entire domain: a forged From: in that domain is enough to walk the message straight past the filter. In short, avoid doing this. If you are a MailMarshal customer, check out the anti-spoofing feature.
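The following is an added illustration of the problem and the check that closes it; it is not code from the original post nor from MailMarshal's anti-spoofing feature. The domain `example.com`, the two messages, and the `authenticated` flag (standing in for what a gateway already knows about the SMTP session) are constructed assumptions.

```python
"""Self-addressed (From == To) spoof check for an inbound mail gateway.

Added example, not code from the original post or from MailMarshal.
The domain and both messages below are constructed sample data.
"""
import email
from email import policy
from email.utils import parseaddr

# Domains this gateway is authoritative for (constructed example value).
LOCAL_DOMAINS = {"example.com"}

# Constructed sample: a self-addressed message in the style described above.
SPOOFED_MESSAGE = b"""From: alice@example.com
To: alice@example.com
Subject: Your order
Message-ID: <constructed-1@example.com>

(spam body)
"""

# Constructed sample: ordinary external mail to the same user.
EXTERNAL_MESSAGE = b"""From: Bob <bob@example.net>
To: alice@example.com
Subject: Re: meeting
Message-ID: <constructed-2@example.net>

See you at 10.
"""


def address_of(header_value):
    """Return the bare, lower-cased address from a From:/To: header value."""
    return parseaddr(str(header_value or ""))[1].lower()


def domain_of(header_value):
    """Return the domain part of the address in a header value ('' if none)."""
    addr = address_of(header_value)
    return addr.rpartition("@")[2] if "@" in addr else ""


def naive_domain_whitelist_allows(raw, local_domains):
    """The mistake the post warns against: trusting any From: in our own domain.

    Returns True when the message would be whitelisted on the From: header alone,
    which is exactly what a self-addressed spam message exploits.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    return domain_of(msg.get("From")) in local_domains


def anti_spoof_verdict(raw, local_domains, authenticated):
    """Decide whether a message claiming a local sender is genuine.

    `authenticated` is a constructed stand-in for session knowledge the gateway
    already has: True if the message was submitted by an authenticated user or a
    trusted internal relay, False for an arbitrary Internet connection.
    Returns (verdict, reason).
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = address_of(msg.get("From"))
    recipient = address_of(msg.get("To"))
    claims_local_sender = domain_of(msg.get("From")) in local_domains

    if claims_local_sender and not authenticated:
        # Mail from the open Internet that claims one of our own domains as
        # sender is spoofed; the self-addressed variant is the one that slips
        # past a whole-domain whitelist, so label it separately for logging.
        if sender == recipient:
            return ("reject", "self-addressed spoof of local domain")
        return ("reject", "unauthenticated sender in local domain")
    return ("accept", "ok")


if __name__ == "__main__":
    print("naive whitelist lets the spoof through:",
          naive_domain_whitelist_allows(SPOOFED_MESSAGE, LOCAL_DOMAINS))
    print("anti-spoof verdict:",
          anti_spoof_verdict(SPOOFED_MESSAGE, LOCAL_DOMAINS, authenticated=False))
```

In a real deployment the `authenticated` flag would come from the MTA (SMTP AUTH, or the connecting IP being a listed internal relay), and sites whose domain is legitimately used by external services would need those senders exempted via a relay list or SPF rather than by whitelisting the whole domain.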
Thanks to the research team at FireEye for supplying us with an updated Mega-D sample.