‘Chameleon’ Spam Campaign Employs Randomized Email Headers

A large number of spam messages recently sent from the same botnet were observed featuring randomized headers and even different templates, with some emails resembling phishing, Trustwave reports.

Emails sent as part of this campaign, which Trustwave security researchers refer to as Chameleon, originated from all around the world (a list of source IP addresses has been posted online).

Initially, the messages claimed to come from an ex-colleague and appeared to link to a “job posting” or “job offer.” Later waves, however, switched to systematically different lures.

The spam messages shared distinctive header and body characteristics, suggesting that they came from the same botnet.

Despite originating from geographically distributed sources, the messages used the same distinctive SMTP commands at connection time and carried a short, meaningful subject line. The body was brief, but worded to sound important enough to convince the victim to click on the link.

The email headers had unusual features too: fields such as From, To, Message-ID, Content-Transfer-Encoding and Content-Type appeared in a different order from one message to the next, Trustwave notes.

Moreover, headers containing random text were inserted at different positions within the header block, and the email body carried random HTML elements at various positions. Both tactics are meant to evade rule-based detection systems, which typically match on fixed header sequences or body templates; a given mail client or MTA normally emits its headers in a stable order, so this variation is itself a signal.
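Header randomization of this kind is something a mail gateway can measure rather than just observe. The following Python is an added example (it is not Trustwave's detection logic and not code from the campaign) that parses a batch of raw messages, records the order in which the core headers appear, flags headers outside an allowlist as candidate padding, and counts content-free HTML elements in the body. The sample messages, the example.net/example.invalid addresses and the header allowlist are constructed assumptions.

```python
"""Header-order and junk-header heuristics for a batch of raw messages.

Added example, not Trustwave's detection logic. Sample messages, addresses
and the header allowlist are constructed assumptions for illustration.
"""
import re
from collections import Counter
from email.parser import Parser

# Headers a single mail client or MTA normally emits in a stable order.
CORE_HEADERS = ("from", "to", "subject", "date", "message-id",
                "mime-version", "content-type", "content-transfer-encoding")

# Anything outside this set is treated as a candidate padding header.
KNOWN_HEADERS = set(CORE_HEADERS) | {
    "received", "return-path", "reply-to", "cc", "dkim-signature",
    "authentication-results", "x-mailer", "user-agent", "list-unsubscribe",
}

# An HTML element with nothing between its tags, e.g. <span id="wq"></span>.
EMPTY_ELEMENT = re.compile(r"<([a-z][a-z0-9]*)\b[^>]*>\s*</\1>", re.I)


def parse(raw):
    """Return [(name, value), ...] in on-the-wire order, plus the raw body."""
    msg = Parser().parsestr(raw, headersonly=True)
    headers = [(name.lower(), value.strip()) for name, value in msg.items()]
    return headers, msg.get_payload()


def core_order(raw):
    """Order in which the core headers appear in one message."""
    headers, _ = parse(raw)
    return tuple(name for name, _ in headers if name in CORE_HEADERS)


def junk_headers(raw):
    """Headers off the allowlist, e.g. random-text padding inserted by a spambot."""
    headers, _ = parse(raw)
    return [(name, value) for name, value in headers if name not in KNOWN_HEADERS]


def empty_html_elements(raw):
    """Tag names of content-free HTML elements in the body (random padding)."""
    _, body = parse(raw)
    return EMPTY_ELEMENT.findall(body)


def analyze_batch(messages):
    """One real sender emits one header order for a given template; a
    template-shuffling spambot emits several, usually with padding headers
    or empty HTML elements alongside. Apply to messages sharing one lure."""
    orders = Counter(core_order(m) for m in messages)
    junk = sum(len(junk_headers(m)) for m in messages)
    noise = sum(len(empty_html_elements(m)) for m in messages)
    verdict = "randomized" if len(orders) > 1 and (junk or noise) else "stable"
    return {"distinct_orders": len(orders), "junk_headers": junk,
            "empty_elements": noise, "verdict": verdict}


def build(header_lines, body):
    """Assemble a raw RFC 5322 message from ordered header lines (constructed sample)."""
    return "\n".join(header_lines) + "\n\n" + body + "\n"


LURE = '<p>See the job posting: <a href="http://example.invalid/job">here</a></p>'

# Constructed: same lure, shuffled core headers, one padding header each,
# one content-free element in each body.
CHAMELEON_WAVE = [
    build(["From: dana@example.net", "To: victim@example.com", "X-Qz7k: orv bsm lq",
           "Subject: Job offer", "Message-ID: <a@example.net>",
           "Date: Mon, 18 Jun 2018 09:01:22 +0000", "MIME-Version: 1.0",
           "Content-Type: text/html", "Content-Transfer-Encoding: 7bit"],
          '<html><body><span id="wq"></span>' + LURE + "</body></html>"),
    build(["Content-Type: text/html", "Message-ID: <b@example.net>",
           "Date: Mon, 18 Jun 2018 09:01:25 +0000", "To: victim@example.com",
           "Subject: Job offer", "X-Lpd2: trk pwe oiu", "From: dana@example.net",
           "Content-Transfer-Encoding: 7bit", "MIME-Version: 1.0"],
          "<html><body>" + LURE + '<div class="a9"></div></body></html>'),
]

# Constructed: an ordinary client keeps a fixed order and adds no padding.
STABLE = ["From: dana@example.net", "To: victim@example.com", "Subject: Job offer",
          "Date: Mon, 18 Jun 2018 09:01:22 +0000", "Message-ID: <c@example.net>",
          "MIME-Version: 1.0", "Content-Type: text/html"]
LEGIT_WAVE = [
    build(STABLE, "<html><body>" + LURE + "</body></html>"),
    build(STABLE[:4] + ["Message-ID: <d@example.net>"] + STABLE[5:],
          "<html><body>" + LURE + "</body></html>"),
]

if __name__ == "__main__":
    print("chameleon-like batch:", analyze_batch(CHAMELEON_WAVE))
    print("ordinary batch:      ", analyze_batch(LEGIT_WAVE))
```

Run it against messages grouped by a shared lure (same URL or subject): one ordering is what a real client produces, while several orderings with padding headers alongside is the signature described above. Forwarding, mailing-list software and some gateways also add or reorder headers, so treat the verdict as a batch-level triage signal rather than a per-message block.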

The security researchers also discovered that many of the lure URLs used in this spam campaign were linking to compromised WordPress sites, which the attackers likely used as part of their infrastructure.

The botnet’s activity came in regular bursts separated by long periods of inactivity. This suggests that the spambot was designed to periodically change templates and resume with a different variation in an effort to evade detection.

“At this stage, we have not pinpointed the spamming malware behind these campaigns,” Trustwave says.

Spam variants employed by the botnet include fake Google “personal” or “private” message notifications, email account security alerts, bounce notices for broken or undelivered messages from a mail server, LinkedIn message and profile-view notifications, FedEx delivery notifications, and airline booking invoices.

URLs embedded in the spam messages pointed to pages hosting the same JavaScript content, which then redirected users to other destinations, before getting them to the final landing page “,” which hosts a shady “Canadian Pharmacy” site.

The site, which had an active e-commerce cart system to make purchases and receive payment and shipping information from customers, was recently created and registered to a free Gmail email address.

Some of the spam links were observed leading to fake Bitcoin purchase sites.

“This sophisticated and transient infrastructure powered by a powerful versatile and distributed spamming botnet enables the scammer to launch any campaign with minimum effort. As of now the nature of the spam is centered around pill spam and fake Bitcoin spam, however, this could potentially shift to serve phishing or even malware,” Trustwave concludes.

Related: New Spam Botnet Likely Infected 400,000 Devices

Related: The Expected Spike in Post-GDPR Spam Activity Hasn’t Happened

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
