Stock spammers playing around with payload

This is a trend I have noticed in the past week.  Over the weekend I saw that stock spam had been piling up but spammers were not just sending it as images - they were sending it as text.  Normally ("normal" being a relative term), spammers compose image stock spam by typing up their pump-and-dump message in various fonts with various colors, copying that to an image with random background colors and then inserting random dots into the image.

This latest stock spam is just like that except that the text is not within an image, it's all HTML.  It's image spam without the image.  Similarly, last week they were sending stock spam with a link to a page that contained HTML stock spam just like what I got in my inbox - image spam without the image, just a link going to the imageless image.

I have some theories as to what is going on:

  1. These are newbie spammers who haven't figured out how to embed their spam in images yet but have heard great things from others who have done it.
  2. Spammers have some broken spamware.
  3. It's deliberate - spammers are mixing things up.  They may have stopped having as much success with their image spam so they are going old-school back to plain old text spam.  They are testing to see if this gets through filters any better.

If it is point 3, I would say that it's clever but probably not going to help very much.  Spam filters build layers of protection on top of previous layers; previous layers are not stripped away when new ones are introduced.  I am wondering just what they are up to, however.  Stock spam is a problem but clearly spammers have figured out that sending stuff in images works (that is, it appears to work).  To revert back to an older technique is unusual.