The city is currently getting hit with a SPAM run mostly from oversea’s IPs, this isn’t exactly earth shattering news but I blog about it here because of an interesting phrase in the email, “[RBN Networks Antivirus]” Full SPAM here. I recommend you filter for that phrase if you administer an Anti-SPAM gateway. The acronym RBN makes most info sec people think about the Russian Business Network a loosely based malware purveyor/ISP haven for bad people. They haven been known to hock a fake AntiVirus product “XP Antivirus” great blog & link here which of course is not a product you want to use. The emails contain that phrase as well as a warning saying RBN Networks Antivirus has removed a virus and you should delete the email. This is interesting because most SPAM emails that I see don’t recommend you delete the email. I started thinking about the reasons they would do such a thing, could it be because once you get the email their task has already been completed? (ie. valid email address harvesting). Could they be trying to legitimize the AV product for when they SPAM links for download to the same people whose email addresses don’t return an SMTP error? There are also links in the word salad to what must be compromised webservers because the domains seem to have valid sites on them, however the sub-directory starts with a “.” and is full of random characters, so I’m guessing they (RBN) were able to put some kind of counter on the site to know when a users email client tries to resolve that URL which would also go far to verify if the email address was human monitored. This is only conjecture as I don’t really have time currently to investigate further. I’m going to submit to the fine folks at isc.sans.org and perhaps they will have some time to see what the latest RBN tactic is trying to do.