Over the years spam has evolved through various stages. Over the last 2 years it’s been mostly classifiable into two main types
- Tailored 419 type scam email sent by individuals from throw away free email accounts
- Mass spam/viruses sent from millions of machines compromised with spam sending trojan software that contain their own SMTP email sending engines
The first type can usually be caught with content analysis systems that look for the tell tale signs of scams (large sums of money, etc). The second is usually caught by RBL type systems that list the IPs of known compromised spam system computers.
We’ve recently noticed a new type of spam. These spams come from well known email service providers like gmail, yahoo, aol and hotmail and appear to have been sent through these providers web interfaces, but there’s so many of them, they are clearly not done individually by people. Basically it appears that new spam trojan software running on users machines rather than sending the email directly, instead simulates a web user and goes to the websites of large email providers, signs up an account and sends some email via their web interface. This makes it harder to immediately block because the email appears to come from a large legitimate email provider, you have to trace back through the email headers to find the true source of the spam, and even then, currently most of the IPs of the compromised machines are not on RBLs yet.