MX Lab, http://www.mxlab.eu, started to intercept a spam campaign that is abusing iTunes to redirect users to the online site of Pharmacy Express.
The email messages comes from the address iTunes Store <email@example.com> that is obviously spoofed. Also email headers are being spoofed as well:
Received: from badger1402.apple.com (badger1402.apple.com [220.127.116.11])
by asmail.fitnet.biz with SMTP id 02903735943
for <*****@*****.be>; Fri, 1 Oct 2010 21:10:22 +0200
This what the message looks like. A perfect iTunes branded purchase receipt email except that all URLs lead to the online pharmacy web site.
Domains that are being uses:
As we write, new domains are being brought into circulation. All these domains are hosting the online pharmacy web site Pharmacy Express.