Feb 25 2015 Update: New "eFax Report" spam this week with a dangerous link. MORE INFO HERE
We're blocking a massive wave of eFax spam today. We have seen campaigns like this before but this one is coming in huge volumes. The last time we blogged about eFax spam, it was a Dropbox campaign. This one is different.
How eFax Spam Works
eFax spam is becoming more common and arrives in different forms. eFax is an Internet-based fax service that lets others send you regular faxes that arrive as PDF files with an email notification. That makes it easier to get users to believe these are legitimate emails.
The scammer puts a link in the email that looks like it's going to take you to eFax. They want you to think the file is an incoming fax, so you'll download and "open" it. But the link doesn't take you to eFax. In this case, it goes to a hacked Wordpress page with something malicious waiting for you. Don't click the link.
About This eFax Spam Campaign
The emails in the campaign that we're currently blocking look like legitimate messages from eFax. Here's a shot of one of them:
As we've seen with other eFax spam recently, the logos and text look real. Adding to its credibility, the Home, Contact and Login links go to different pages on eFax.com. But the danger is in the main link in the middle of the email that the scammer wants you to click.
How We're Blocking This Spam
We're blocking this campaign based on various criteria. For example, the sending IPs are part of a botnet. We don't need to block the botnet IPs. We only need to recognize that none of them match the IPs that eFax uses to send legitimate email, according to their SPF records.
Also, the visible part of the "click-me" link does not match the actual destination. In the example below from one of the emails, the link shows up as "https" and "www.efax.co.uk". But the actual destination is an HTML page under someone's Wordpress account that's been hacked (see below). The dangerous payload is probably installed on that page, or it looks like an eFax login screen. So, we block this campaign based on that as well.
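As an added illustration of the two checks described above (not SpamStopsHere's own code), here is a small Python script that tests a sending IP against the ip4 mechanisms of an SPF record and flags anchor tags whose visible text looks like a URL but whose href points at a different host. The SPF record, the sender IPs and the HTML snippet are constructed samples, not eFax's real records or the actual spam.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed SPF record for illustration; NOT eFax's real SPF record.
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 -all"


def spf_allows(sender_ip, spf_record):
    """True if sender_ip falls inside an ip4: mechanism of the record.
    Only ip4: terms are evaluated; include:/a/mx would need DNS lookups."""
    ip = ipaddress.ip_address(sender_ip)
    for term in spf_record.split():
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return True
    return False


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Lower-cased hostname of a URL or bare domain string."""
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()


def deceptive_links(html):
    """Return (visible_text, href) pairs where the text looks like a URL or
    domain (heuristic: contains a dot, no spaces) but its host != href host."""
    p = LinkCollector()
    p.feed(html)
    return [(t, h) for h, t in p.links
            if "." in t and " " not in t and host_of(t) != host_of(h)]


# Constructed sample resembling the campaign: the visible text shows efax.co.uk,
# the href points at a hypothetical compromised WordPress host (example.net).
SAMPLE_HTML = ('<a href="http://example.net/wp-content/fax.html">'
               'https://www.efax.co.uk/view/12345</a> '
               '<a href="http://www.efax.co.uk/login">Login</a>')
```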
We Block Spam Differently
We don't rely on Bayesian heuristics, which are used by many other spam filters. Basically, that technique looks at various characteristics of an email, giving each one a positive or negative score (or weight). If the total of all the scores exceeds a certain number, then the message is tagged as spam and sent to the quarantine. That approach has several weaknesses. The user can set the spam "threshold" number to make the program more or less aggressive, which you really don't want users doing. More importantly, those programs tend to block on short phrases or single words. That would not work here, because the keywords in the message (like "eFax") appear in a lot of valid email.
SpamStopsHere works differently. Instead of adding up a bunch of scores, we have a series of filters that each message passes through, any one of which can positively ID a message as spam if it matches certain rules. The filters include IP blacklist, URL/Phone, Long Phrase and Pattern. There are no thresholds and no guesswork for the user. To learn more about these, you can read our interactive page about how we Block Spam.
We also have professional threat analysts who update our spam profile database every few minutes, 24/7/365. When a new campaign like this one hits, we recognize it as spam and start writing rules to block the hundreds, thousands, even hundreds of thousands of additional emails that come flooding in. Even if the spammers try to vary the emails a little here and there, we can block them. The more rules we can write, the better.
For More Info
SpamStopsHere works differently from other anti-spam programs. It blocks 99.5% of spam while delivering over 99.999% of legitimate emails. That means we block fewer than 1 out of 100,000 good emails, which is why businesses and professionals love our service.
Our spam review team, along with our proprietary Spamalyzer 3.0, analyzes and blocks email threats for our customers 24/7/365. That's a claim almost no other antispam provider can make.
"eFax", "Dropbox" and other marks are properties of their respective owners. This article is for informational purposes. No endorsement by third parties is implied and none should be inferred.