MX Lab, http://www.mxlab.eu, started to intercept a new spam campaign by email with the subject ”Delivery Notification”. What appears at first as a simple email notification is in fact a spam campaign for the Canadian Pharmacy.

The message is sent from a spoofed email addresses like:

Notification-15955 <lwnfc@vowyg2kynvx4.veridomlegal.net>
Notification-07997 <cwujg@fgoorlgaxle7.veridomlegal.net>
…

The body of the email only contains a link to a web site:

http://www-48023.outdomnovolume.net

http://www-35051.outdomnovolume.net

….

The 5 numbers inside the web site address change with every email but always shows the web site of the Canadian Pharmacy:

The domain outdomnovolume.net is registered a few days ago according to a WHOIS is with the following details:

Domain name: outdomnovolume.net

Registrant Contact:
   Xicheng
   Zhongguancun Si Zhongguancun@yahoo.com
   01066569226 fax: 01066569226
   Huixindongjie
   Beijing Chaoyang 101400
   cn

Administrative Contact:
   Zhongguancun Si Zhongguancun@yahoo.com
   01066569226 fax: 01066569226
   Huixindongjie
   Beijing Chaoyang 101400
   cn

Technical Contact:
   Zhongguancun Si Zhongguancun@yahoo.com
   01066569226 fax: 01066569226
   Huixindongjie
   Beijing Chaoyang 101400
   cn

Billing Contact:
   Zhongguancun Si Zhongguancun@yahoo.com
   01066569226 fax: 01066569226
   Huixindongjie
   Beijing Chaoyang 101400
   cn

DNS:
ns1.dnsfopiq.com
ns2.dnstow.ru

Created: 2011-03-19
Expires: 2012-03-19

• Canadian Pharmacy pops up in emails from Facebook with subject “Welcome to Facebook Goods”
  MX Lab, http://www.mxlab.eu, started to intercept a new spam campaign, since yesterday, by email with the subject “Welcome to Facebook Goods”. These messages are sent from the spoofed emai...
• Large spam campaign “Unread messages” from Twitter leads to pharmacy sites
  MX Lab, http://www.mxlab.eu, started to intercept a large spam campaign with the subject “Twitter – You have X unread message(s)”, where the X is a number from 1 to 3,  that leads to...
• More ACH Spam from NACHA
  While we wait for the Japanese Earthquake scams to begin, we noticed another on-going spam campaign. We wrote about the ACH Transaction Rejected spam back in February, but another round is active, wi...
• New types of online pharmacy spam
  Just when I started to think that the new spam mails are getting increasingly fancy, I found out to be wrong: The email below has only one GIF picture attached to it and the website address is written...
• Spam from Egypt vanishes after cutting off internet access
  If there is any doubt as to how tightly internet communications have been restricted in Egypt, SophosLabs has produced some interesting statistics. In the process of analyzing spam, one of our Vancou...
• Warning About Spam Fake, Not from Facebook
  Facebook is undoubtedly the highest-profile social networking site around with more than 500 million active users, half of whom log in on any given day. It shouldn’t be a surprise therefore that its ...
• iTunes abused in spam campaign that redirects users to online pharmacy
  MX Lab, http://www.mxlab.eu, started to intercept a spam campaign that is abusing iTunes to redirect users to the online site of Pharmacy Express. The email messages comes from the address iTunes Stor...
• Canadian Pharmaceutic Spam – 23-Aug
  203.113.112.249*.discountrx-pills.com*.healthcanadadrugexchange.net*.heidromcem.com*.ionpharmacyonline.eu*.leardutty.com*.ljovquhfimt.com*.lower-pricemeds.com*.medsusatabletsdirect.net*.mssmartstart.e...
• Flickr welcome message leads to Canadian Pharmacy web site
  Various brands have been subject to spam campaigns and today Flickr, the photo sharing web site, is now also being abused by spammers. MX Lab started to intercept messages with the subject “[Fli...
• Twitter, Canadian Pharmacy, and Undetected Malware
  In our post earlier this week, IRS Malware Notice of UnderReported Income, we had a footnote about a current Twitter and YouTube spam run. Our friend Graham Cluley has labeled one version we mentione...