Gary Warner has published an intriguing article describing how the UAB Spam Data Mine finds new malware threats delivered by email. Gary provides a step-by-step description of the automation implemented at UAB, using an example (this morning's Social Security version of Zeus). The procedure Gary outlines is very detailed, but not impossible for a human to repeat. In fact, I highly recommend studying it in the context of what any individual can do to reduce his own risk of falling victim to a malware download.
For example, the UAB spam analysis considers the Subject lines and Senders that arrive in 15-minute intervals and builds a picture over time of the prevalence of related themes or senders: in Gary's example, the repeated mention of "Social Security statement" in subject lines serves as a trigger. Related subject lines and senders are counted, and high counts trigger a more careful analysis. Can an individual follow this same sequence of actions and discern spam from safe email? Let's consider a real-world example.
Last night, I received a stream of email from "CVS Pharmacy". The subject lines, however, were "Weekend is near", "Busy or just absent?", and other random sentences that phishers use to attract attention to their phishing email. Looking at the message bodies, I see that the body is exactly the same in every message, each containing a banner claiming "Delivery department work across the Globe."
At this point, the UAB spam analysis would visit hyperlinks in the suspicious message bodies and begin crawling for malicious executables buried amid the web pages. DO NOT VISIT ANY LINKS. Rather, at this point, I - and you - should be saying, "Warning, Will Robinson! Mark or delete the message as spam".
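The counting step described above, worked through as an added example (not UAB's or Gary's code): messages are bucketed into 15-minute windows, and the sender, the normalised subject, subject-word bigrams (my assumption for how "related themes" such as "Social Security statement" are grouped) and a fingerprint of the body with URLs stripped (which catches the CVS Pharmacy case, where the subjects vary but the body is identical) are counted per window. Any feature that repeats at least `THRESHOLD` times in one window raises an alert, and every message sharing that feature is marked. The sample messages, window width and threshold are constructed assumptions, and the code deliberately stops where the post tells the reader to stop: it never fetches a link.

```python
"""Windowed spam-burst heuristic: count senders, subject themes and body
fingerprints per 15-minute interval and mark messages when a count is high."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import hashlib
import re

WINDOW = timedelta(minutes=15)   # assumption: the 15-minute interval from the post
THRESHOLD = 3                    # assumption: how many repeats count as "high"
EPOCH = datetime(1970, 1, 1)
STOPWORDS = {"a", "an", "and", "the", "is", "or", "just", "your", "my", "you",
             "did", "get", "for", "to", "of", "in", "on", "re"}
URL_RE = re.compile(r"https?://\S+")

# Constructed sample messages (not real mail): (timestamp, sender, subject, body)
MESSAGES = [
    ("2009-09-21 22:01", "CVS Pharmacy <promo@example.invalid>", "Weekend is near",
     "Delivery department work across the Globe. http://example.invalid/a1"),
    ("2009-09-21 22:04", "CVS Pharmacy <promo@example.invalid>", "Busy or just absent?",
     "Delivery department work across the Globe. http://example.invalid/b7"),
    ("2009-09-21 22:09", "CVS Pharmacy <promo@example.invalid>", "Did you get my message?",
     "Delivery department work across the Globe. http://example.invalid/c3"),
    ("2009-09-21 22:13", "CVS Pharmacy <promo@example.invalid>", "Quick question",
     "Delivery department work across the Globe. http://example.invalid/d9"),
    ("2009-09-21 22:07", "Alice <alice@example.invalid>", "Lunch tomorrow?",
     "Are we still on for lunch tomorrow? -- Alice"),
    ("2009-09-22 07:02", "SSA Notices <notice@ssa-example.invalid>",
     "Your Social Security statement is ready",
     "Your statement is attached. Open the document to review it."),
    ("2009-09-22 07:06", "statements@ss-example.invalid",
     "Social Security statement - action required",
     "We could not deliver your statement. Download it here: http://example.invalid/s"),
    ("2009-09-22 07:11", "Benefits Desk <desk@example.invalid>",
     "Review your Social Security statement",
     "A new statement has been generated for your account."),
    ("2009-09-22 07:03", "Bob <bob@example.invalid>", "Re: Lunch tomorrow?",
     "Yes, noon works for me."),
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def bucket(ts, width=WINDOW):
    """Floor a timestamp to the start of its interval (22:09 -> 22:00)."""
    return EPOCH + ((ts - EPOCH) // width) * width


def norm_subject(subject):
    """Lowercase, keep only alphanumeric words, collapse spacing."""
    return " ".join(re.findall(r"[a-z0-9]+", subject.lower()))


def subject_bigrams(subject):
    """Adjacent word pairs after stopword removal, e.g. 'social security'."""
    words = [w for w in norm_subject(subject).split() if w not in STOPWORDS]
    return set(zip(words, words[1:]))


def body_fingerprint(body):
    """Hash of the body with URLs removed, so per-recipient links do not hide
    an otherwise identical body."""
    text = " ".join(URL_RE.sub("", body.lower()).split())
    return hashlib.sha256(text.encode()).hexdigest()[:12]


def features(msg):
    """Yield the (kind, key) pairs counted for one message."""
    _, sender, subject, body = msg
    yield ("sender", sender.lower())
    yield ("subject", norm_subject(subject))
    yield ("body", body_fingerprint(body))
    for bigram in subject_bigrams(subject):
        yield ("theme", " ".join(bigram))


def analyze(messages, threshold=THRESHOLD):
    """Return alerts as (window_start, kind, key, count) for counts >= threshold."""
    counts = defaultdict(Counter)
    for msg in messages:
        window = bucket(parse_ts(msg[0]))
        for feat in features(msg):
            counts[window][feat] += 1
    alerts = []
    for window in sorted(counts):
        for (kind, key), n in counts[window].most_common():
            if n >= threshold:
                alerts.append((window, kind, key, n))
    return alerts


def flag_messages(messages, threshold=THRESHOLD):
    """Indices of messages that share an alerted feature within their window."""
    alerted = {(w, kind, key) for w, kind, key, _ in analyze(messages, threshold)}
    flagged = set()
    for i, msg in enumerate(messages):
        window = bucket(parse_ts(msg[0]))
        if any((window, kind, key) in alerted for kind, key in features(msg)):
            flagged.add(i)
    return flagged


if __name__ == "__main__":
    for window, kind, key, n in analyze(MESSAGES):
        print(f"{window:%Y-%m-%d %H:%M}  {kind:<8} x{n}  {key}")
    for i in sorted(flag_messages(MESSAGES)):
        print("mark as spam:", MESSAGES[i][1], "|", MESSAGES[i][2])
```

On the constructed data the first window is caught by the repeated sender and the identical body (four each), while the second window, where senders and bodies all differ, is caught only by the repeated "social security" and "security statement" themes; the two lunch messages share nothing with an alert and stay unflagged. The threshold is the knob a real deployment would tune against its own volume.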
Note that while humans are not automatons, we tend to respond automatically given repetitive tasks. Phishers and spammers rely on the fact that many email users haven't been programmed to respond in the manner that the UAB spam analysis automation responds. Now that you've seen how relatively simple a "spam aware" response can be, apply it!
Congratulations to Gary for providing a relatively straightforward and painless way for readers to improve their awareness of, and defenses against, spam and phishing.