Spam happens. On the Internet it's about as absolute as death and taxes are in the real world.
And while there are many different types of spam, one security analyst has found word patterns in the anarchic world of spamming that can help e-mail users spot the dirty messages that evade their spam filter. Two days ago, Mathew Nisbet, a malware data analyst for Symantec, posted an article on the MessageLabs Intelligence Blog that created a word cloud for a random sample of spam over a week. Nisbet found that most spammers limit their word choice to words that provoke an instantaneous reaction, one that overrides the recipient's critical faculties. The most frequent words Nisbet found in spam e-mails were "today!," "here!," "fingertips!," and "shipping!"
"As you can see, the popular words are fairly generic but all seem to be geared towards encouraging an immediate reaction, trying to get some sense of urgency," Nisbet explains. "This is further indicated by the fact that 5 of the top 6 words have an exclamation mark."
Next, Nisbet took a word sample of the spam pushed out by the top five botnets operating today—those software agents that conscript computers into zombie armies for nefarious purposes. (In the November 2009 issue of Security Management, Associate Editor John Wagley pointed at the RUBotted software to help users discover whether their computer is a zombie.)
As Nisbet explains, the universe of words used gets smaller, because spammers pay botnet operators big bucks to run specific spam campaigns. These campaigns tend to prey on a person's weakness for cheap and convenient goods and often use very few words to get the recipient to click on a bad link. The largest words in these various campaigns include "discount," "supersale," and "fast." For instance, the most frequent word used by Bobax spam campaigns was "free," surrounded by smaller yet prominent words like "Viagra," "Cialis," and "Meds."
The repeat offenders in these word clouds (more can be found at the original blog post) should "serve as trigger words for identifying an email as possible spam," Paul Woods, a senior analyst at MessageLabs Intelligence, told Security Management.
Nisbet's most interesting finding, however, was the large number of words used by the Cutwail botnet and the lack of any one word that really popped out.
Nisbet explains why this is significant. "With spam from the other major botnets, the only objective is to get the user to go to a website, so for this reason their spam contains very little text, maybe one or two lines, and a link," he writes. Cutwail, however, sends a sophisticated e-mail that uses good English, a wide variety of words, and a direct appeal to e-mail users' sense of security to get them to install an attached file advertised as a virus scan.
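The contrast Nisbet describes can be measured. The following is an added example, not code from the article or from MessageLabs: it profiles two batches of messages by vocabulary size, share of the most frequent word, exclamation-marked words, and hits on the trigger words quoted above. The sample messages and the stop-word list are constructed assumptions.

```python
import re
from collections import Counter

# Trigger words quoted in the article (lower-cased, "!" kept where shown).
TRIGGERS = {"today!", "here!", "fingertips!", "shipping!", "discount",
            "supersale", "fast", "free", "viagra", "cialis", "meds"}
# Assumption of this example: a small stop-word list, as word clouds usually drop these.
STOP = {"a", "an", "the", "to", "and", "on", "that", "is", "be", "we",
        "our", "your", "has", "may", "of", "at"}
TOKEN = re.compile(r"[a-z']+!?")  # a word, keeping one trailing "!"

# Constructed samples, not real spam: short link-style messages ...
LINK_SPAM = [
    "Discount meds today! Free shipping! Click here!",
    "Supersale today! Free meds, fast shipping! Order here!",
    "Free meds at your fingertips! Discount today! Click here!",
]
# ... and longer, well-written lures that push an attached "scanner".
ATTACHMENT_LURE = [
    "We detected unusual activity on your mailbox and believe a virus may be "
    "present. Please run the attached scanner to verify that your computer is clean.",
    "Our security team has updated the mail service. To keep your account "
    "protected, open the attached file and follow the installation steps.",
]

def profile(messages):
    """Summarise the vocabulary of a batch of messages."""
    tokens = [t for m in messages for t in TOKEN.findall(m.lower())
              if t not in STOP]
    if not tokens:
        raise ValueError("no words left after tokenising")
    counts = Counter(tokens)
    return {
        "tokens": len(tokens),
        "distinct": len(counts),
        # Share of all words taken by the single most frequent word.
        "top_share": counts.most_common(1)[0][1] / len(tokens),
        "exclaimed": sum(n for w, n in counts.items() if w.endswith("!")),
        "trigger_hits": sum(n for w, n in counts.items() if w in TRIGGERS),
    }

if __name__ == "__main__":
    for name, batch in (("link spam", LINK_SPAM),
                        ("attachment lure", ATTACHMENT_LURE)):
        print(name, profile(batch))
```

On these samples the link-style batch is dominated by trigger words, while the attachment lure produces no trigger hits at all, which is why a trigger-word list alone does not catch the Cutwail style of message.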
So while it's getting easier to recognize crude spam e-mails that use a few emotive words to lure you in, just remember that spammers constantly innovate like any good business.
Nevertheless, whether a spam e-mail's crude or sophisticated, Woods says there are a few good ways to identify a potentially harmful e-mail. Ask yourself these questions:
"If the answer to any of these questions is yes and it also contains one or more of the trigger words," Woods advises, "then the email is likely spam and should be deleted."
His final rule, however, will be hard for many with itchy clicking fingers: "As always, never click on links in emails."
♦ Spam word clouds used with permission from MessageLabs Intelligence Blog