Malware Email AttachmentsI recently was catching up on my email, and I was struck that there wasn’t a single marketing message with an attachment in my inbox. The only notes with attachments were transactional in nature: a receipt from a store I made a purchase from and a voicemail notification from my company’s phone system. Those transactional messages didn’t have any images, nor were they long with a bunch of offers. Sure, there were a few links to their website where I could find marketing offers, but no big call to action beyond the essential transactional purpose of the message.

Now curious, I also took a look at my spam folder. In contrast, it had quite a few messages with attachments that looked to be marketing. Upon further investigation, though, it became very clear that those seeming marketing messages actually contained malware. Yikes.

Now you may think, how does this affect me? “The attachments I send aren’t malware, so what’s the problem?” Simple: you might be lumped in with the bad guys because receivers will judge you guilty by association. Anything you do that looks even slightly like the behavior of malware spammers will hurt your deliverability. In this post, I’ll look at some popular techniques used by these bad actors.


First and foremost, the bulk sending of non-transactional messages with attachments has become a clear indicator to ISPs that your messages have a high risk of being malware. It’s hard to understate what a significant problem computers infected with malware have become for ISPs. When a PC gets infected, it’s often used for sending more spam, which harms the ISP’s reputation, eats up bandwidth, and degrades their network for their customers. When an ISP permits marketing or other bulk senders to send attachments, they’re taking a very sizable risk of exacerbating this problem.

Forewarned and forearmed, I picked apart the header of a message that purported to be from a well-known sender, USAA. However, I immediately noticed a major red flag: a lack of authentication. SPF failed, and there was not a DKIM or Domain Key Signature. It is important to do both SPF and DKIM authentications in order to get into the inbox. ISPs have made it clear that without it, you’re fighting an uphill battle, and at high likelihood of being disposed of as spam.


SparkPost understands the importance of authentication and therefore signs with SPF and goes the extra step of signing with DKIM for the sending domain as well as the SparkPost domain.


Moving on from the message headers of this spoofed USAA message, I saw that this spammer was trying really hard to convince me to open the attachment. Sure, the imperfect grammar was a good warning that something wasn’t legit, but a recipient who is a USAA member, and perhaps not reading carefully, just might fall for it—and then, boom, the spammer’s mission is accomplished. Those of us in the business may be a little jaded, but if this technique weren’t effective, it wouldn’t still be around after all these years. It’s a major reason ISPs have become more and more strict about blocking bulk messages with attachments.


As we saw, the example malware spam above was sent in mass, without authentication, and with an attachment. To maximize deliverability legitimate senders should strive to look as different from that profile as possible. In most cases, it is far better to send an email with no attachment and instead include a link for your recipient to click to access the content you otherwise would have attached. But, if you do find yourself unavoidably in need of sending attachments there are a few key things to keep in mind:

  1. Don’t send attachments in bulk. Instead, send them only in response to transactions initiated by your subscriber. If a subscriber is expecting an email, they are more likely to locate the message and open it, even if it’s in the spam folder.
  2. Don’t include images or marketing-centric calls to action. It’s OK to reference offers and point them to your site, but be careful not to look like you are attempting to slide in the attachment with a marketing message.
  3. Don’t send apps or executable files, as they will be blocked instantly. There is a host of file types that are not allowed by ISPs. Do some advance testing to make sure what you are sending will be accepted by the ISPs you are sending to.
  4. Watch your grammar and spelling. Content is looked at very carefully when sending attachments.
  5. Authenticate! This is a best practice when sending any message, transactional or commercial.

Even when following these best practices, you may still find yourself in the spam folder. If that’s the case, it may be best to throw in the towel and try another approach—like using a file-hosting service to handle the attachment.

Weekly Email Marketing News Digest

Increasingly sophisticated scams have found their way to our inboxes in recent months. With scammers upping the ante when it comes to cybercrime, it’s important to stay vigilante and implement the latest tactics in email security including DMARC, DKIM and SPF. Don’t let scammers feast on your profits or whittle away the reputation of your brand.

FraudWatch International Phishing Alerts

Not quite an article but here’s an interesting find. Want to know if that email you got from your bank is genuine? FraudWatch, a privately owned internet security company, publishes a frequently updated list on phishing activity complete with fraudulent email examples.



Massive-scale phishing attacks loom as new threat

If you work in the email industry, you’re no stranger to the terms phishing and spearphishing. But have you heard of the term “longlining”? Perhaps, if you’re an angler, you’ve heard of it being used in fishing, where lines that are miles long are embedded with thousands of individual hooks to catch fish.

Here’s an excerpt from the article on longlining phishing in the context of email scams:

“During a longlining phishing campaign, the attacker sends out email messages, or hooks, that are highly variable, in terms of content. These messages are individualized and appear to come from various IP addresses. They include a variety of subject lines and body content and dozens of unique URLs– all making it hard to track.

As with spear phishing, the malware is loaded by fooling the users into clicking on a URL embedded within these messages. To avoid user suspicion and web-security detection, these links don’t point directly to malicious sites but instead they point to trusted, legitimate websites that have been compromised by the attackers to host the malware. A single attack can employ dozens or even hundreds of compromised sites as malware hosts.”

In short? Longlining is a scam where emails with highly variable content are sent containing links to legitimate websites that have been compromised [Tweet This!].

Email + Phishing: Separating Scams from the Real Thing Can be Tough

Stephanie Colleton from Return Path points out examples of how some legitimate emails from brands can raise phishing alarms [Tweet This!]. Here’s one from Facebook that has a from address which looks suspicious: [email protected]


Stephanie also listed an example on how brands can sometimes send conflicting advice on phishing.




What are some other examples of confusing emails you have seen?

Spams, Scams, and Senders

Al Iverson adds on to Stephanie’s article with four additional tips:

  • Use DKIM authentication
  • Utilize DMARC
  • Think about from address and link domains
  • Think about email content

What is Scaring Businesses the Most? Spear-phishing.

Websense is a company that specializes in protecting organizations from the latest cyberattacks and data theft. They have a great article on spear phishing and a cool infographic on Top Phishing Findings [Tweet This!].



Feeling alarmed about phishing? Read other blog posts on email authentication. Or check out our webinar on DMARC!

Don't Deprioritize DMARC webinar


Don’t talk to ISPs about messaging threats. For them, the topic is old hat. Every day, ISPs are bombarded by messaging attacks, and each is one more targeted, more fiendish, more sophisticated than the one before. (more…)