In the month of January, we reported a drop in .cn spam. This was due to changes in the domain registration process introduced by CNNIC. In the first week of February, the .cn spam volume fell further and fluctuated between 0 and 4 percent of total URL spam.

Another interesting trend was observed during this period. On January 21 the volume of spam containing the .ru top-level domain (TLD) spiked up to 9 percent, and rose further up to close to 40 percent on February 8. Upon closer analysis, it was observed that the .cn domains used in the health spam attacks had been replaced with .ru domains.

Various subject lines observed in the .ru version of health spam are as follows:

Subject: Dear xxxx Extreme 83% discounts
Subject: Your Future Order with 79% off retail
Subject: Sales Event get 78% off
Subject: xxxx Sale Day, save 80%!

The spammers’ move to deviate from using .cn domains is quite obvious: because of the complexity in registering new .cn domains. For now, there is no significant variation in the spam volume containing other TLDs. However, in the future, spammers may try registering domains that are easily available. Symantec will keep a close watch on variations in this trend to keep our readers informed.