Empty Spam Messages: the Oft-Ignored Threat Lurking in the Shadows

Empty spam seems like a waste of time and resources for all parties involved, but its existence is part of more extensive plans devised by attackers who seek important information. Bitdefender’s telemetry shines a light on this relatively obscure type of attack that often remains hidden by anonymity and apparent uselessness.

When people receive an empty email, they tend to ignore it. It seems incomplete, or maybe the email was sent by mistake. But spam campaigns take effort and resources. “Someone” invests time and money to send spam emails, and they’re not doing it because they are bored. Everything has a purpose, even if the purpose of an empty email is not immediately apparent.

As consumers, we’re used to receiving spam emails that at least try to do something, like present users a link or even hide a malicious attachment. No alarm bells sound when we see an empty email, but they should. An empty email in the inbox likely means we’re targeted in a spam campaign.

The true purpose of empty spam

Empty spam has an obvious and insidious purpose: gathering information about the recipient and its availability. But not all empty spam is the same.

The simplest is an email with nothing but the subject, which sometimes could be a number or characters that make no sense. The role of this message is to determine if the email address is valid. If the sender doesn’t receive a message saying the email doesn’t exist, it means it’s a valid address, which is useful information.

In other situations, the spam email sends back a read receipt, telling the attacker not only that the email is valid but that the inbox is actively used and a real person opened the message.

Other times, attackers send an empty email with a subject line that makes sense and maybe even a few extra words in the body of the text, prompting the recipient to answer the email asking for more details. The attacker now knows that it can send a more direct phishing email, targeting the user directly.

More common than you think

Many of these emails are sent by botnets, sometimes automatically. Bitdefender’s security researchers analyzed a batch of 250 million spam emails gathered from our global honeypot network, discovering that 0.4% were empty spam emails. It might not seem like much, but when you’re dealing with hundreds of millions of emails, 0.4% means 1 million empty spam messages.

Bitdefender has also noticed two massive spikes in the past 30 days, with a couple of possible explanations. It’s likely that a threat actor is just testing a new botnet or functionality or it’s actually an indicator of an ongoing campaign.

We also managed to see how these emails are distributed globally. It turns out that only three countries are responsible for more than half of all empty spam emails. Brazil takes first place, with 44.27 percent, followed by Iran, at 10.23 percent, and the US, with 5.3 percent.

Spam emails won’t go away anytime soon, but it helps if users look at them as threats and not annoyances. Even if the bulk of these messages never reach their targets, with security solutions filtering the vast majority, some might still go through. After all, if they’re sent from a trustworthy domain and have no malicious links or attachments, they might seem legit. They’re not. If you ever see an empty email in your inbox from unknown senders, mark it as spam and remember that it’s actually someone trying to learn a little bit about you.