Marshal Identifies New Word Document Spam

August 25, 2006

Marshal's Threat Research and Content Engineering (TRACE) Team today announced a new form of spam that is hidden in Word documents. The new type of spam uses a combination of obfuscation and social engineering in an effort to bypass anti-spam software and spam-savvy email users.

This latest version of spam looks like a typical business email containing a Word document attachment. The email subject line and file name are also business related, so that recipients are more likely to open it. The message body contains little or no text but the Word document contains the spam message.

Users open the document expecting to find an invoice or purchase order and instead find a spam message.

Marshal's TRACE team has identified over 100 examples of the new Word spam since it first appeared on August 17, 2006.

According to the TRACE team, the new strain is being sent out from a number of different countries, indicating the spam is likely being distributed from zombie PCs.

“Spammers have traditionally avoided emailing spam as an attached Word document because not everyone has Word and it makes the size of the email larger than normal, making it less efficient to distribute in large volumes,” said Bradley Anstis, Director of Product Management for Marshal.

“However spammers now realise that fewer regular spam messages are getting through anti-spam filters. They are turning to new ways of trying to circumvent them. In this case, they are accepting the penalty of increasing the message size in order to get more spams through the filters.”

MailMarshal takes a layered approach to identifying spam and doesn't rely on one particular method. It used a host of techniques, including reverse DNS (domain name server) checks, header analysis and real-time blacklist checks, to detect this new type of spam.

According to the TRACE team, more simplistic spam solutions that rely on only one or two methods can be caught out by this spam type.
