A few days ago, when reviewing our spam traps, we came across some normal-looking Canadian Pharmacy spam messages. The HTML is shown below:
The unusual feature of the spam was that some of the “Click here” links were malformed: instead of an http link, the href attribute contained references to SpamIt.com. Below are HTML snippets from three separate messages:
SpamIt.com is a secretive, invitation-only group of email spam affiliates closely linked to GlavMed, which in turn is responsible for one of the largest and oldest affiliate programs, called "Canadian Pharmacy". Recently, Canadian Pharmacy has been by far the dominant spammed program. Our analysis from a few months ago found that links to Canadian Pharmacy sites comprised 60-70% of all spam, and that the program is simultaneously spammed by most of the major spamming botnets. For anyone interested in a wider discussion of the Russian affiliate networks, refer to “The Partnerka – What is it, and why should you care?”; it is an excellent read.
The SpamIt.com domain is up but, naturally, requires authentication to access the site:
The spam samples themselves originated from the Xarvester botnet, which rose to prominence right after the McColo takedown affected the major spam botnet at the time, Srizbi. Nowadays, however, Xarvester represents under 1% of the spam we are seeing. Still, the above reminds us that SpamIt.com is very much alive and continues to use spamming botnets to push its wares.