The Christmas dip in spam levels is officially over. The period of relative botnet inactivity that started around Christmas ended on Monday Jan 9th with the return of much of the usual botnet-generated spam. The spike coincides with the end of the Russian 10-day New Year holiday, or "Novogodnie Kanikuly."
We can attribute the rise in spam levels to the return of the usual botnet Viagra spam campaigns. One campaign we have seen little of since Christmas is the Canadian Pharmacy campaign with subject "<Email_Address> Viagra/Pfizer -xx% off." The actual savings promised in the spam subject vary from an appealing 60% off to a profit-prohibiting 90% off!
As usual, the campaign promises you cheap blue pills after clicking the link. While the spammers are using different .ru domains, most links put viagra.com in the subdomain portion of the hostname to confuse the user into believing this is a valid link. Naturally, abcde.viagra.com.spammer.ru is still a host under the spammer's domain (spammer.ru), so you shouldn't click it. The abcde part of the hostname is most probably used for tracking purposes.
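The check a mail filter can apply to this trick, as an added example that is not part of the original post: find the registrable domain of each link and flag hosts that carry a protected brand domain only in the labels to its left. The suffix set and brand list are assumptions standing in for the full Public Suffix List and a real brand watchlist, and the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Assumption: tiny stand-in for the Public Suffix List, enough for this sample.
PUBLIC_SUFFIXES = {"ru", "com", "org", "net", "co.uk", "com.ua"}
# Assumption: brand domains the filter is asked to protect.
PROTECTED = {"viagra.com", "pfizer.com"}


def registrable_domain(host):
    """Return public suffix plus one label, e.g. 'spammer.ru'."""
    labels = host.lower().rstrip(".").split(".")
    # Longest candidate suffix first, so 'co.uk' wins over 'uk'.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def check_link(url):
    """Classify a link as 'brand', 'lookalike' or 'no-brand'."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    reg = registrable_domain(host)
    result = {"host": host, "registrable": reg, "embedded_brand": None,
              "tracking_label": None, "verdict": "no-brand"}
    if reg in PROTECTED:
        result["verdict"] = "brand"
        return result
    # Everything left of the registrable domain is chosen by its owner.
    prefix = host[: len(host) - len(reg)].rstrip(".")
    for brand in PROTECTED:
        if prefix == brand or prefix.endswith("." + brand):
            result["embedded_brand"] = brand
            result["tracking_label"] = prefix[: -len(brand)].rstrip(".") or None
            result["verdict"] = "lookalike"
    return result


if __name__ == "__main__":
    # Constructed sample links; the first uses the hostname pattern from the post.
    for url in ("http://abcde.viagra.com.spammer.ru/order",
                "https://www.viagra.com/",
                "http://news.example.org/story"):
        r = check_link(url)
        print(f"{r['verdict']:10} registrable={r['registrable']:15} "
              f"brand={r['embedded_brand']} tracking={r['tracking_label']}")
```

Grouping flagged links by `registrable` rather than by full hostname keeps per-recipient tracking labels from splitting one campaign into many apparent senders.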
Clicking on the link takes us to a page that redirects to Pharmacy Express, a variant of the usual online drug store. The site is hosted on a number of IPs located all over the globe, from Ukraine to Colombia.
While earlier variants of this campaign came from the rather convincing firstname.lastname@example.org by spoofing the email address, newer variants use addresses that are either compromised or simply random, most probably to get around filters set to delete messages coming from email@example.com.
This brings us back to the recent spam dip. Many theories have been flying around about the reason for the botnet Christmas inactivity, one of which is that the botnets were re-equipping and preparing for new waves of spam using new and improved methods. From everything discussed above, the new spam looks, at least so far, to be more of the same, but we will keep monitoring our spam traps for any changes.