Sponsored by..

Wednesday 17 January 2007

Travelocity Template Spam

A couple of days ago, we saw a pump and dump spam using an Incredimail template to bypass spam filters. We pointed out that Incredimail messages could be scored as being somewhat spammy.

With a new twist, spammers are now using a Travelocity template [click image on right to enlarge] with an embedded image in the middle. Businesses are more likely to allow Travelocity mail than ones with Incredimail templates.

Clever.. but these messages don't come from a Travelocity email address, nor a Travelocity IP (whatever that might be). So, if you roll your own filters you can look for elements of the Travelocity template in messages that don't originate from Travelocity.

If you use Postini, add an inbound filter something like:
  • Select "Match All"
  • Body | contains | 1-888-709-5983
  • Sender | does not contain | travelocity
  • Set Message Disposition to "User Quarantine"

What's clear is that the spammers have found a new technique here and there's probably (sadly) quite a bit of mileage in it. Expect to see more variants of this soon.

No comments: