Increase of Hit and Run Language Attacks with .eu Domains

Recently, Symantec has observed an increase in .eu domains contained within pharmacy and dating spam messages. The spam emails observed so far are predominantly in the German language. The specific patterns and characteristics demonstrate that the attacks employ a "hit-and-run" technique.

In "hit-and-run" attacks, spammers quickly rotate through the IP addresses and domains that are being used. Unlike 80% of spam attacks, these messages are not sent from botnets of compromised computers, but from mail server IP addresses with a previously unknown reputation.

Recent data obtained from the Symantec Global Intelligence network shows that the number of spam emails that contain .eu domains increased slightly in the first and third week of June. Furthermore, the number of spam emails containing .eu domains written in the German language increased considerably in the last week of June.


Closer examination of the messages shows that the majority of them contain similar subject lines, mainly in the German language. The subject of the spam email starts with the name and surname of the recipient, which is likely obtained from the recipient's email credentials. The recipient's name is typically in lower-case letters. This is followed by a comma, which is followed by a dating-related sentence, a pharmacy-related sentence, or a general note to check a message in the user's inbox.

We have observed the following subject lines being used:

  • anne orstad, Loreley zieht sich aus in der Porno Webcam
  • anne orstad, Tabea die liebliche 16 jaehrige
  • anne orstad, Nadja die schoene 16 jaehrige
  • eric berkhout, Karlotte das anturnende Freulein
  • grenchen, 1 neue Botschaft im Postfach von Nadinne bekommen
  • okermain, Eine persoenliche Message in Deiner Inbox von Jenice erhalten
  • anita skjelkvale melleby, Verifizierte on-line Swiss-Apo

The URL within the spam email contains either the word "sex" or "porn". It will also contain two or more dashes, which makes the URL quite unique.

We have observed the following domains within the spam messages:

  • [http://]
  • [http://]
  • [http://]
  • [http://]

All of the domains have recently been registered with the same company in France. The first name of the registrant for all of the domains is Evgeny. The name Evgeny is quite popular in Eastern Europe, especially in Ukraine and Russia, which leads us to believe that the spammers might be operating their network from these countries.

It is interesting to note that by omitting spam filters, the spammers are trying to masquerade as legitimate newsletters with the insertion of a List-Unsubscribe header at the bottom of the email. The presence of this header is very common for mails that are sent by legitimate email publishers and marketers.

Symantec will continue to monitor this type of "hit-and-run" attack and create additional filters to prevent our customers from receiving such spam messages.