Nov 24, 2010 11:45 GMT

Security researchers from Symantec warn that a new rogue pharmacy spam run uses HTML and CSS techniques to obfuscate text advertisements and avoid detection.

Pharma spam has been steadily making a comeback since Spamit, the world's largest rogue pharmacy affiliate program, closed up shop at the beginning of October.

A lot of campaigns seen recently advertise a rogue pharmacy called "Canadian Health&Care Mall" and are being sent by the Cutwail botnet.

The latest spam involves emails formatted in HTML, which use CSS floating and color declarations to deobfuscate what looks like random text and show only the relevant parts to recipients.

The resulting message reads: "everyone has heard about lower-cost drugs from abroad drugstore. The difficulty is to find the reliable one. «CanadianPharmacy» is an experienced, trusted and fully-licensed Canadian online drugstore."

In addition to using text obfuscation in order to evade anti-spam filters, the spammers also try to trick URL blocking systems by linking to a Google cached version of the spam site.

The resulting link points to a location on a domain called googleusercontent.com, which is possibly whitelisted, instead of a rogue one.

This technique also cuts down on costs, because the spam pages can be hosted anywhere until they get cached, without concern about them being taken down afterward.

It's likely that Google refreshes its cache much more slowly than researchers are able to react and get regular spam URLs offline, which gives spammers some extra time before they need to change links.
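On the filtering side, a URL check can judge a cache link by the page it caches rather than by the googleusercontent.com host. The sketch below is an added example, not code from Symantec or from this article; it assumes the link carries the cached address in a `q=cache:` query parameter, optionally preceded by a 12-character cache id, and the blocklist entry and sample links are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

CACHE_DOMAIN = "googleusercontent.com"
BLOCKLIST = {"rogue-pharmacy.example"}  # constructed entry, not a real indicator
# Assumption: an optional 12-character cache id may precede the cached URL.
_CACHE_ID = re.compile(r"^[A-Za-z0-9_-]{12}:")
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")

def host_of(url):
    """Lower-cased hostname of a URL, tolerating a missing scheme."""
    if not _SCHEME.match(url):
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def unwrap_cache_link(url):
    """Return the cached page's URL if `url` is a cache link, else None."""
    host = host_of(url)
    # Exact domain or a true subdomain; "googleusercontent.com.x.example" fails.
    if host != CACHE_DOMAIN and not host.endswith("." + CACHE_DOMAIN):
        return None
    for q in parse_qs(urlsplit(url).query).get("q", []):
        if q.lower().startswith("cache:"):
            target = _CACHE_ID.sub("", q[len("cache:"):])
            # parse_qs turned "+" into spaces; search terms follow the URL.
            words = target.split()
            return words[0] if words else None
    return None

def is_blocked(host):
    """True if the host or any parent domain is on the blocklist."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))

def verdict(url):
    """(host to judge, blocked?) with cache links resolved to the cached site."""
    target = unwrap_cache_link(url)
    host = host_of(target or url)
    return host, is_blocked(host)

if __name__ == "__main__":
    # Constructed sample links.
    for link in (
        "http://webcache.googleusercontent.com/search?q=cache:shop.rogue-pharmacy.example/",
        "http://news.example/story",
    ):
        print(link, "->", verdict(link))
```

A link on the cache domain that carries no `cache:` target falls through and is judged by its own host, so the whitelisted domain is never blocked wholesale.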

At its peak in May 2009, Cutwail was responsible for 46.5% of the world's daily spam traffic. However, the takedown of a rogue hosting company called 3FN last year affected many of its command and control servers and severely crippled it.

According to estimates from Symantec, in June this year, Cutwail was sending almost 7.9 million spam emails per day, accounting for 7% of the total junk mail output.