
PDFs become vehicle of choice for spammers


I don't know whether everyone else is noticing the same thing, but I'm seeing a steady increase in the amount of PDF spam. Along with this, the number of attempted deliveries (bounce and dictionary based) has increased a great deal.

The PDFs are fairly plain: a white background, a small amount of text, and no graphics at all. So far all of the examples I've seen are trying to pump the stock of a company I've never heard of. Just as image spam levels have started to drop off, PDF spam has come along to take its place!

From the spammers' point of view, PDF documents would seem to be a good choice, with a majority of companies now using them for read-only document exchange, invoicing, and reporting. This means that mail administrators can't ban PDF attachments outright. Most of the PDF files used in the recent bouts of spamming seem to be the same, so checksums and additional filter rules may be able to stop them. It must only be a matter of time before we start seeing dynamically generated PDF documents. I don't think any of the popular anti-spam filters are able to analyse the contents of PDF documents just yet, so for a short while the spammers' hit rates may improve.

Most computers have a PDF reader of one form or another installed. It's a file format that Mac, Linux, and Windows users are familiar with and generally trust. With exploitable vulnerabilities in popular PDF readers, I think the PDF document will have some tough times ahead.
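The checksum approach mentioned above, sketched as an added example (not code from the original post or from any filter product): PDF attachments are pulled out of a MIME message, hashed with SHA-256, and compared with a blocklist of digests. The sample PDF bytes, addresses, file names and function names are constructed for illustration; the last case shows the limit the post anticipates, where any per-message variation in the file produces a digest the blocklist has never seen.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample data: a minimal PDF-like byte string, not a real spam sample.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_PDF).hexdigest()
BLOCKLIST = {SAMPLE_DIGEST}  # digests of attachments already classified as spam


def build_message(pdf_bytes, subtype="pdf", filename="report.pdf"):
    """Build a constructed test message carrying one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Quarterly report"
    msg.set_content("See attached.")
    msg.add_attachment(pdf_bytes, maintype="application",
                       subtype=subtype, filename=filename)
    return msg.as_bytes()


def pdf_attachment_digests(raw):
    """Return SHA-256 digests of every MIME part whose decoded body is a PDF."""
    msg = message_from_bytes(raw, policy=policy.default)
    digests = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        # Identify PDFs by magic bytes, not the declared type or file name.
        if payload.startswith(b"%PDF-"):
            digests.append(hashlib.sha256(payload).hexdigest())
    return digests


def is_known_spam(raw, blocklist):
    """True if any PDF attachment matches a blocklisted digest."""
    return any(d in blocklist for d in pdf_attachment_digests(raw))


if __name__ == "__main__":
    same = build_message(SAMPLE_PDF)
    renamed = build_message(SAMPLE_PDF, subtype="octet-stream", filename="doc.bin")
    varied = build_message(SAMPLE_PDF + b"%x\n")  # one extra comment line
    for name, raw in [("same", same), ("renamed", renamed), ("varied", varied)]:
        print(name, is_known_spam(raw, BLOCKLIST))
```

Exact-match digests catch identical copies even when the attachment is mislabelled, but a filter relying on them needs a second layer (content extraction or fuzzy matching) once the files start to differ per message.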

22 comments
grax

I never get any on my personal, free Bluebottle account! No filters, no wasted space or bandwidth; just verification. Spammers don't have time for that. Hence, no spam. I prefer the quiet life.

nazario1974

Is a great product, a bit $$$.....It does read inside documents through lexical list.

olitech

I've seen a lot of spam in the past few days with a zip compressed file attached. I've never opened one, but the email looks very innocent, with fake sender name etc. There are also a lot of porn ads slipping through my ISP's spam blocker. Again, fake but legitimate looking return address with a porn URL posted in the text. Strachan

Dr Dij

:) I'm happy because I've 'solved' the spam thing. (Almost). $19/yr Yahoo email gives you 'disposable' email addresses. They are a 'base word' (keyword) plus '-' plus disposable part. The 'keyword' base portion is NOT emailable to directly so they can't just guess this and spam you there. Anyway, I've set up a bunch of these, one for each website / org I want to email me, and a couple for friends and family. The only thing you have to be careful of is to NOT send out email on your base address or your base address will be read by trojans infecting your recipient's system and you may get spam that way. Use as sending address the address you set up and intend the recipient to use. If you use that disposable address ONLY for one site and not for anyone else, if you get spam in on that address, you can notify that site or discontinue their use, cancel the email and use another. Another neat thing is that while they have filters, you have the option of having all email to that address put in a separate folder you name when it comes in. So you have neatly organized email WITHOUT filters! I literally had to do this. Spammers were using a 'catch-all' ('nobody') address for my domain and not only sending spam email to me but sending out mass mailings with my (short) domain name forged as return address so I'd get bounces too. My spam has gone from 800/day (which I had to automatically put in trash then 'trash-pick' out the emails I wanted to keep) to 5 a day. (I had to leave one actual email address on my domain). It's kind of strange, I actually feel less wanted! All these weirdos who I didn't know had subjects of 'Hi, how are you?' things like that. And a little less hated by stupid sys-ops who would send bogus email bounce messages to me based on the forged email return addresses. My home email uses Eudora in text only mode so the PDFs don't bother me on the few remaining spams. I'll never see them if they put it in PDF.

bmarks

I have been noticing the same thing as well. PDF and stock recommendations. I wonder if the spam filters can detect links in a PDF?

Justin Fielding

AFAIK the likes of SpamAssassin cannot read the contents of a PDF file. Some of the more expensive commercial applications may be capable of that.

JCitizen

and it isn't stopping it yet. But I notice different forms of other subterfuge are defeating their filters also. Up until 4 months ago they had very little get through.

Locrian_Lyric

is that two things happen. 1) That a law specifically covering the murder of spammers be enacted. 2) That the penalty for violating this law be a ten dollar fine (or its equivalent overseas)

bheite

Yes, I have seen it too, in just the last 4 or 5 months. I have never opened any, since I do not generally open anything I don't know where it came from. If it is a PDF I expect, fine, otherwise, I just call it spam and delete. The other thing I have noticed is a huge increase in the same spam but from accounts labeled XXXXXXXXXX@yahoo.com (x being digits). Yahoo won't do a thing about it, as they do not pass domain keys and are just false addresses, but it is strange they do it in that form. It fills your spam blocker address list real fast. It appears to be an automated round robin address generator of some kind.

AstroCreep

I started noticing PDF-based spam a few weeks ago and thought "Ah, that's just F'ed up!". See, most of my user-base isn't exactly...'computer savvy' and they think "PDF? Oh, well that's just GOTTA be a real message!". In all though I've seen a large increase in the amount of spam that's made it through my filter lately. It's quite unnerving...

JCitizen

At least my web-based account is still clean as a whistle; but of course I don't give it away to any Tom, Dick or Harry.

Justin Fielding

Gmail are still doing well at identifying and tagging SPAM--I hardly ever get one slip in to my Inbox.

DetRellim

I have noticed this also. One of my jobs here is SPAM eradication. This may be an ugly new twist. So much for the mighty US Government and their laws outlawing SPAM. Just don't seem to work. Does anyone know of a program to handle this yet? We are using SPAM Assassin on the servers and Cactus Spam on the workstations. This seems to be holding up for now although I am starting to see more coming through on the workstations. Apparently it's the PDF versions.

TexasKAT

We are using an IronPort C150 for our email filtering. So far, it has caught all of the pdf spam without having to adjust rules or block attachments.

Nodisalsi

As a rule I never open messages or *any* attachments from senders I do not know; and the sender's email can still be prohibited in any case. But in any case, thanks for the tip.

Litehouse

Yeah, I've been seeing those PDF spams as well. But I have yet to open one of them. So I didn't know if there was a trojan hiding in there or if it was your standard spam.

Shellbot

delete delete delete.. works for me. Query: those who use Gmail, anyone ever tried any of the Spam recipes that are at the top of the page when yer cleaning out yer spam folder?? I know it's gotta be gross.. but am tempted to try Spam Breakfast Burritos. Ya just never know right...

JCitizen

I belong to several job search companies and it is not unusual for me to get legitimate job information from partners whom I may not immediately recognize. About three months ago just before this latest spam surge, I get one of these where the page looked VERY legitimate, and only had a text email address to send to. I still smelled a rat for some reason so I did a WHOIS search on the sender domain and it was from the east bank Palestinian territories! Well I didn't have time to contemplate this but it would be serious if smart terrorists would somehow be compromising IT workers worldwide. Later the WHOIS search found a completely different source - apparently WHOIS is not completely reliable or the domain changed recently. At that time I also did a check on the email address domain that was provided as a contact address, and it looked like a completely legitimate email service domain. By now I am so curious I decide to answer the contact address just to see what happens; NOT giving any personal information of course. And of course that is when this latest PDF spam surge hit and I was blaming that on my test. It was a junk account that I am getting rid of anyway so it was no loss; but I would warn readers that the spammers are getting extremely crafty using social engineering. Using legit looking source addresses and including text that cites actual legit looking company names that match the source file, etc. A guy is just going to have to be way selective on what comes in the mail ESPECIALLY if it doesn't have any pictures, PDF, or hyperlinks. As this is usually what tips the user off to be cautious, smart spammers are leaving this out and going to plain text. Fortunately IE 7 wouldn't even allow the pages to open after pasting the spam site URL into the address bar; but I wouldn't bet this feature will always protect the email victim.
