Spammer in Spamcop’s Clothing
Mon, Dec 03, 2012 by Andrew Conway
As you can imagine, spammers are not particularly fond of spam filtering services, but one of them decided to make it personal. Look what turned up in our spam filters the other day:
From: “firstname.lastname@example.org” <email@example.com>
Subject: Alert! Your email will be blacklisted soon.
We received complaints about spam coming from your network. Spam bots are sending bulk emails, for the security reasons your email will be blacklisted. To avoid blacklisting please check your Sent folder for unknown emails and prove that you are human by entering this code 0286 here. Your email will be recorded and spam flag will be removed. No other data will be collected.
Thank you for cooperation.
No, it’s not really from SpamCop, which is a legitimate spam filtering service owned by Cisco. And yes, it really does say Dear %email%. Apparently the spammer’s macro substitution wasn’t working very well. I’ve disabled the link, because if you followed it you ended up on a malicious page which tried to convince you to that you need to upgrade your Adobe Flash Player in order to complete the blacklist removal. If you went ahead you would download and run a Trojan which would make you part of a botnet.
It looks like all the malicious landing pages have been blocked now, so if you have any sort of security turned on in your browser or an up to date anti-virus program (as I’m sure everyone reading this blog does) you are safe against this threat.
Just for the record, the URL for the original SpamCop service is spamcop.net. Any message apparently from SpamCop that links anywhere else is not to be trusted, especially if it is addressed to Dear %email%.