Ebola Email Scam and Other "Miracle Cure" Spam Could Hit Big Soon

We're blocking a few Ebola emails and related spam with various subject lines and body text like "Avoid Ebola". They link to websites looking to charge your credit card for some bogus miracle drug or cure. Volumes are light so far, which suggests the scammer may be testing for weaknesses in spam filtering now, preparing for a big blast soon.


About This Ebola Spam

Ebola spam is only one variation in a larger campaign that we're seeing. Subject lines of the emails include:

  • A PROVEN Cure for Disease
  • What you need to know about the deadly Ebola outbreak
  • This Simple Action Poisons Your Organs (On National TV)
  • Why Eating Salad Makes You Old
  • 3 Step Neuropathy Miracle Cure
  • New Disease Curing Breakthrough Revealed
  • Use Oxygen to Reverse Your Illnesses
  • Some Diseases You Thought Could not Be Cured
  • Use Oxygen to Reverse Your Diseases
  • 5 Diseases You Thought Couldn't Be Cured

One of the Ebola spam variations looks like this:

[Image: Ebola email scam sample, October 2014]

Most of the emails are what we call "Offer Spam". Some mention Ebola, some don't. Regardless, they include a "click-me" link to a "My Miracle Cure" or similar website, where you're shown a slideshow and asked to Order Now. The page looks somewhat legit, with its Privacy Policy, Terms of Use and other links.

The ordering page has secure payment logos and even a valid SSL certificate. It allows payment by credit card or through PayPal. It will take your money, but the product you receive, if any, probably won't cure anything. No legitimate business sends out spam like this to reach new customers.

What is Offer Spam?

Offer spam is an email with an urgent message trying to get you to purchase something on the spammer's website. The offers are usually about a current health-care story, drug or fad (like Viagra and Green Coffee Beans) and often claim to be quoting someone like Dr. Oz.

Although sometimes they will actually ship you something, they are still spam -- unsolicited emails sent in bulk. Legitimate businesses do not operate that way. Many are pure scams, advertising some fake cure and will send you nothing after charging your credit card. And then they have your credit card info.

Don't Let Small Numbers Fool You

So far, these emails have appeared in very small volumes, which might cause IT admins and even some antispam vendors to ignore them. That would be risky. We've been noticing a trend recently where a few emails like these trickle in for a while and then suddenly, often at night, a massive wave hits.

It looks like spammers are testing for holes or weaknesses in antispam filtering, maybe seeing which emails get through (and possibly deemed legit by heuristic algorithms). Then they bombard email servers around the globe with a huge wave, especially when they think fewer people are watching, like at night. We don't take chances like that and block spam no matter how large or small the volume.

How We Block This Spam

We're blocking these emails and other spam using several methods:

IP Blacklist
Some are coming from servers with IP addresses that we know are blasting out spam. So, we blacklist those until they are disinfected.
URL Filtering
The "click-me" links in the emails go to websites that we know belong to or have been hacked by the spammer. So we block the emails that include those, even if they are coming from newly-infected servers. We don't have to wait for RBLs to be updated.
Phrase Filtering
Occasionally, the IP and URL filters won't catch spam like this (coming from newly-infected servers and with new URLs), so a third line of defense is our phrase filter. I can't tell you what the phrases are that we're blocking on. We don't reveal information like that, for obvious reasons. But I can tell you that we do NOT block on individual "trigger" words (like "ebola") that are in a lot of legitimate email. Our professional threat analysts know how to recognize and block on the long phrases and variations on those that will only appear in spam.
Pattern Filtering
This is our fourth line of defense that catches the rare spam that makes it past the first three filters. It recognizes the HTML tricks that spammers use to evade other antispam systems. And we update our database with new tricks whenever we see them.

Now if/when the spammers decide to blast these out, we're ready. Even if they send out entirely new messages, we'll be able to detect them almost instantly, further protecting our customers.

An important difference between SpamStopsHere and heuristic antispam is that each of our filters (for example, the ones above) can independently identify an email as spam. If so, it is blocked. End of story.

A Note on Heuristics

We don't rely on heuristics, which add up various weighted characteristics to estimate the likelihood that an email is spam and block it only if the total exceeds a threshold. With heuristics the user can also change the threshold to make the program more aggressive, but that tends to increase false positives (legitimate email flagged as spam), forcing users to constantly check their quarantine (junk folder) for missing email. We believe heuristics are outdated for spam detection.
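As an added illustration (not SpamStopsHere's code) of the contrast drawn in this section, and of the phrase-versus-trigger-word point under Phrase Filtering: a small Python model in which each filter blocks on its own, beside a weighted-score heuristic. The blocklists, weights, threshold and sample messages are all constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample blocklists for illustration; not the vendor's real data.
IP_BLOCKLIST = {"203.0.113.7"}          # documentation address (TEST-NET-3)
URL_BLOCKLIST = {"example.invalid"}     # placeholder spammer hostname
# Long phrases taken from the subject lines above; single words like "ebola" are deliberately NOT listed.
PHRASE_BLOCKLIST = ["3 step neuropathy miracle cure", "use oxygen to reverse your"]

@dataclass
class Email:
    sender_ip: str
    body: str

def ip_filter(msg: Email) -> bool:
    return msg.sender_ip in IP_BLOCKLIST

def url_filter(msg: Email) -> bool:
    hosts = re.findall(r"https?://([^/\s]+)", msg.body, re.IGNORECASE)
    return any(h.lower() in URL_BLOCKLIST for h in hosts)

def phrase_filter(msg: Email) -> bool:
    text = " ".join(msg.body.lower().split())   # normalise case and whitespace
    return any(p in text for p in PHRASE_BLOCKLIST)

FILTERS = [("ip", ip_filter), ("url", url_filter), ("phrase", phrase_filter)]

def independent_verdict(msg: Email):
    """Layered model: a single filter hit is enough to block the message."""
    hits = [name for name, f in FILTERS if f(msg)]
    return ("spam" if hits else "ok"), hits

# Heuristic model for contrast: weights and threshold are constructed values.
WEIGHTS = {"ip": 2.0, "url": 2.5, "phrase": 1.5}

def heuristic_verdict(msg: Email, threshold: float = 3.0):
    """Scoring model: block only when the weighted total reaches the threshold."""
    score = sum(WEIGHTS[name] for name, f in FILTERS if f(msg))
    return ("spam" if score >= threshold else "ok"), score

# Constructed sample messages: a legitimate one that mentions Ebola, a "trickle"
# message from a new IP with a new URL, and one from a known spam source.
SAMPLES = {
    "legit": Email("198.51.100.4", "Our office is collecting for Ebola relief: https://charity.example.org/give"),
    "trickle": Email("198.51.100.9", "3 Step Neuropathy  Miracle Cure!! Order now https://new-host.example.net/buy"),
    "known": Email("203.0.113.7", "Avoid Ebola - order today at https://example.invalid/order"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, independent_verdict(msg), heuristic_verdict(msg))
```

The "trickle" message is blocked by the phrase filter alone in the layered model but slips under the heuristic threshold, which is the gap the section argues a low-volume test run is looking for.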

Exceptional Anti-Spam and Secure Cloud Email for Business

SpamStopsHere was designed for business. Our live spam review team analyzes and blocks threats 24/7/365, so we can filter out 99.5% of spam and still deliver 99.999% of legitimate email to our customers. It's cloud based, secure and easy to use. There's no additional hardware or software to buy, no maintenance, and no tuning required. Get more info here.

SpamStopsHere and our other secure Cloud email services (hosting, encryption and archiving) also come with 24/7/365 live support.

If a conversation about secure email makes sense for your business, give us a call, chat or email anytime. We're always here. 24/7/365.

www.GreenviewData.com | 800-458-3348 | 734-426-7500 |

Note: Third party marks are the property of their respective owners. No endorsement by third parties is implied and none should be inferred.