Just as the original spam – the tinned meat of 50 years ago – prompted people to wonder just what it contained, so too does the spam of the internet age. Bitdefender decided to look at just what spam – the e-mail version – contains. And we found out spam covers a lot more than pitches for Canadian Pharmacy wonder medicine and luxury goods replicas.
With 264.6 billion spam messages sent per day, roughly 90% of the overall e-mail traffic over the internet, modern-day spam is a lot easier to find – and potentially worse for your health – than the gooey meat of the older generation.
Apart from a crazy variety of products or services, these unsolicited e-mails also deliver attachments, ranging from HTML pages offering eye-candy advertisements for knock-offs to PDF “receipts” altered to exploit 0-day vulnerabilities or even malware-laden attachments that subvert the systems they are downloaded on.
As the number of spam messages with malicious attachments keeps growing, we wanted to see what exactly cyber-crooks try to deliver along with these spam messages.
Over a period of two weeks, we collected over 2 million spam samples from different honeypots in different regions at different times of the day, so as to avoid seasonal campaigns and large bursts of the same campaign. This helped us grab a significant variety of spam messages to see what kind of attachments they carry around.
Two million messages may seem like a lot to the regular e-mail user: it is way more spam than they are probably going to ever receive. However, two million messages hit the internet every second.
Our results are as follows: from the pool of spam messages, 1.14% carry attachments. Although spam messages are potentially dangerous by nature (they can lure users to phishing, involve them in scams or even rip them off in purchases of knock-off products / medicine), some specific attachments pose a greater threat to user safety.
A closer analysis of the attachments revealed that 10% are rigged with malware or carry phishing forms. This number may not seem that scary, but extrapolating to the full scale of the phenomenon, 264.6 billion spam messages sent per day would mean approximately 300 million spam e-mails with malicious attachments and phishing sent daily.
The attachment breakdown by type revealed that a considerable 29.74% consists of HTML pages (either phishing or commercial offerings), followed by archives (9.6%) and DOC files with 6.26%. Other common attachments include images, executable files and XLS spreadsheets, with PDF and audio files accounting for less than 1% of our 2 million spam samples.

Of particular importance is the presence of PDF files rigged with JavaScript and the DOC / DOCX collection. They are a known vector of infections at the corporate level since these file formats are commonly used in business operations and not blocked by default by the company’s firewall.
Most executable attachments were found to carry generic e-mail worms (Worm.Generic.24461 and Worm.Generic.23834), as well as generic viruses (Win32.Generic.497472 and Win32.Generic.494775). Other e-oddities identified in the attachments are calendar invitation requests for one-on-one business discussions with the spammer, audio advertisements, but also executable files infected with the 7-year-old Win32.Worm.Mytob.C@mm mass mailer, notorious for the takedown of the CNN Live services on August 16, 2005.
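A mail administrator can take the same kind of measurement on their own quarantine. The sketch below is an added example, not part of the original article or Bitdefender's tooling: it tallies attachment types across raw messages and flags executables and PDFs that contain script or auto-run markers. The category names, the marker list (a heuristic, since PDF names can be escaped or compressed) and the sample messages are assumptions constructed for the demonstration.

```python
import email
from collections import Counter
from email import policy
from email.message import EmailMessage

# Extension -> category, following the attachment types the article lists.
EXT_TO_TYPE = {"html": "html", "htm": "html", "zip": "archive", "rar": "archive",
               "doc": "doc", "docx": "doc", "xls": "xls", "pdf": "pdf",
               "exe": "executable", "jpg": "image", "png": "image", "mp3": "audio"}
# PDF name objects for embedded script or auto-run actions (heuristic match).
PDF_SCRIPT_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")

def classify(filename, payload):  # magic bytes win over the file name
    if payload[:2] == b"MZ":
        return "executable"
    if payload[:5] == b"%PDF-":
        return "pdf"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXT_TO_TYPE.get(ext, "other")

def survey(raw_messages):
    """Tally attachment types and list the ones that need a closer look."""
    types, flagged, carrying = Counter(), [], 0
    for raw in raw_messages:
        msg = email.message_from_bytes(raw, policy=policy.default)
        parts = list(msg.iter_attachments())
        carrying += bool(parts)
        for part in parts:
            name = part.get_filename() or ""
            data = part.get_payload(decode=True) or b""
            kind = classify(name, data)
            types[kind] += 1
            scripted = kind == "pdf" and any(m in data for m in PDF_SCRIPT_MARKERS)
            if kind == "executable" or scripted:
                flagged.append((name, kind))
    return {"messages": len(raw_messages), "with_attachments": carrying,
            "types": dict(types), "flagged": flagged}

def build_sample(attachments=()):
    # Constructed message for the demo, not taken from the study's corpus.
    m = EmailMessage()
    m.set_content("constructed body")
    for name, data in attachments:
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return m.as_bytes()

SAMPLES = [build_sample(), build_sample([("offer.html", b"<html>constructed</html>")]),
           build_sample([("receipt.pdf", b"%PDF-1.4 << /OpenAction << /S /JavaScript >> >>")]),
           build_sample([("photo.jpg", b"MZ constructed stub, not a real binary")])]
```

Calling `survey(SAMPLES)` reports three of the four constructed messages as carrying attachments and flags the scripted PDF and the executable hiding behind an image extension.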

Author: Alexandru Catalin Cosoi, Chief Security Researcher at Bitdefender.







