The second wave of the PDF spam phenomenon is here, and it quickly rendered the PDF Spam Agent practically useless, because its design targeted the first outbreak only. In the past two weeks we received many PDF spam reports (thank you!) and analyzed more than 100 of them by hand.
Unlike the first wave, the second one uses a variety of software and technologies to generate the PDF payload. Spammer groups appear to be experimenting with a number of tools: often the same stock-pump spam was generated with two or three different programs, from text2pdf to OpenOffice. Based on the email properties, I broke the samples into 11 groups with distinguishing characteristics. The good news is that these characteristics also differ from those of legitimate PDFs, so technically the engine can be adjusted to recognize them. That will take time, though, and our focus is elsewhere at the moment (Exchange 2007), but we are working on the new PDF Spam Agent version.
posted on July 27th, 2007 @ 07:34 pm GMT+0000
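To make the grouping idea concrete, here is an added example (not the PDF Spam Agent's own code, and not taken from the post) that extracts a generator fingerprint from a raw PDF attachment: the header version, the /Producer and /Creator strings from the Info dictionary, and a few structural counts (pages, fonts, image XObjects). Samples with the same fingerprint fall into the same group, which is the kind of clustering the post describes. The PDF bytes, the producer strings and the "image only, no font" rule are all constructed for illustration; the real agent's rules and the tools' actual producer strings are not on this page.

```python
import re
from collections import defaultdict

# Regexes over the raw bytes are enough for the simple, uncompressed PDFs that
# stock-pump spam generators tend to emit. PDFs that use object streams
# (PDF 1.5+) or encryption hide the Info dictionary and need a real parser.
HEADER_RE = re.compile(rb"^%PDF-(\d\.\d)")


def info_value(data: bytes, key: bytes) -> str:
    """Return the literal-string value of an Info key, e.g. /Producer (foo)."""
    m = re.search(rb"/" + key + rb"\s*\((.*?)(?<!\\)\)", data, re.S)
    return m.group(1).decode("latin-1") if m else ""


def fingerprint(data: bytes) -> dict:
    """Extract the properties used to tell one PDF generator from another."""
    hdr = HEADER_RE.match(data)
    return {
        "version": hdr.group(1).decode() if hdr else "?",
        "producer": info_value(data, b"Producer"),
        "creator": info_value(data, b"Creator"),
        "pages": len(re.findall(rb"/Type\s*/Page\b", data)),   # \b excludes /Pages
        "fonts": len(re.findall(rb"/Type\s*/Font\b", data)),
        "images": len(re.findall(rb"/Subtype\s*/Image\b", data)),
        "size": len(data),
    }


def generator_key(fp: dict) -> tuple:
    return (fp["version"], fp["producer"], fp["creator"])


def group_by_generator(samples: dict) -> dict:
    """Map generator fingerprint -> list of sample names sharing it."""
    groups = defaultdict(list)
    for name, data in samples.items():
        groups[generator_key(fingerprint(data))].append(name)
    return dict(groups)


def looks_like_image_only_spam(fp: dict) -> bool:
    """Hypothetical rule (not the agent's): one page, an image, no font at all,
    i.e. the message text is hidden inside a picture."""
    return fp["pages"] == 1 and fp["images"] >= 1 and fp["fonts"] == 0


def make_pdf(producer: str, creator: str, image_only: bool, version: str = "1.4") -> bytes:
    """Build a tiny PDF as constructed test input (no xref table, which the
    regex-based fingerprint does not need)."""
    if image_only:
        res = b"<< /XObject << /Im0 5 0 R >> >>"
        obj5 = (b"5 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 "
                b"/ColorSpace /DeviceGray /BitsPerComponent 8 /Length 1 >> "
                b"stream\n\x00\nendstream endobj\n")
    else:
        res = b"<< /Font << /F1 5 0 R >> >>"
        obj5 = b"5 0 obj << /Type /Font /Subtype /Type1 /BaseFont /Helvetica >> endobj\n"
    return (b"%PDF-" + version.encode() + b"\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 100] "
            b"/Resources " + res + b" /Contents 4 0 R >> endobj\n"
            b"4 0 obj << /Length 0 >> stream\n\nendstream endobj\n" + obj5 +
            b"6 0 obj << /Producer (" + producer.encode() + b") /Creator ("
            + creator.encode() + b") >> endobj\n"
            b"trailer << /Root 1 0 R /Info 6 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    # Constructed samples; the producer strings are stand-ins, not real output.
    samples = {
        "pump1.pdf": make_pdf("text2pdf v1.1", "", image_only=True),
        "pump2.pdf": make_pdf("text2pdf v1.1", "", image_only=True),
        "report.pdf": make_pdf("OpenOffice.org 2.2", "Writer", image_only=False),
    }
    for key, names in group_by_generator(samples).items():
        print(key, names)
    for name, data in samples.items():
        print(name, looks_like_image_only_spam(fingerprint(data)))
```

The point of the fingerprint tuple is that it is cheap to compute on the gateway and stable per generator: a spammer re-running the same tool yields the same (version, producer, creator) triple, so a handful of triples covers a whole campaign. A production agent should match the triple together with the structural counts rather than blocking on a producer string alone, since legitimate mail uses the same tools.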
I can’t wait till this is done as I keep getting the PDF spam :)
posted on July 28th, 2007 @ 03:27 am GMT+0000
Really looking forward to another version – several clients complaining about it.
posted on July 30th, 2007 @ 03:42 pm GMT+0000
Looking forward to it…
Let me know if you need more samples! I have plenty!
Thanks guys! Keep up the good work!
posted on July 31st, 2007 @ 10:32 am GMT+0000
Well, if you need samples, just let me know as well.
And another cute thing (it started this weekend): we’re being flooded by “.zip” ones as well.
posted on July 31st, 2007 @ 11:37 am GMT+0000
Yeah, I noticed that .ZIP spam, too. Also, image spam is now arriving in GIF attachments. Then the eCard worm/spam. Most of these are pretty easy to detect in a custom External Agent, it is really just a couple of lines of code. Now we’re trying to get these new PDF spam blocked and we’ll see what we can do about the rest.
posted on July 31st, 2007 @ 11:44 am GMT+0000
BTW, the funny thing about the ZIP spam is that often they’re actually RAR files. Now either WinZip opens ZIP files when they’re RAR (I don’t use WinZip) or spammers expect the casual home user to look into the binary and rename the file.
What’s not funny is that spammers obviously found out that they can hide their message in email attachments. The format does not really matter, but if it goes on like this, we’ll have trouble catching up.
posted on August 1st, 2007 @ 01:18 pm GMT+0000
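The "ZIP that is really a RAR" observation above is exactly the kind of check a few lines in a custom agent can do: compare what the attachment's file name claims with what the first bytes of the payload actually are. Here is an added example (my own code, not the PDF Spam Agent's) that walks the MIME parts of a message, sniffs each attachment's magic bytes, and reports name/content mismatches. The message is constructed inline as test input; the signature table covers the formats named in this thread (PDF, ZIP, RAR, GIF) and nothing else.

```python
import os
from email import message_from_bytes
from email.message import EmailMessage

# (leading bytes, type). Prefix checks only; archives with junk prepended
# (which some tools tolerate) would need an offset scan on top of this.
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"), (b"PK\x05\x06", "zip"),          # normal / empty ZIP
    (b"Rar!\x1a\x07\x00", "rar"), (b"Rar!\x1a\x07\x01\x00", "rar"),  # RAR 4 / RAR 5
    (b"GIF87a", "gif"), (b"GIF89a", "gif"),
]
EXT_TYPE = {".pdf": "pdf", ".zip": "zip", ".rar": "rar", ".gif": "gif"}


def sniff(data: bytes) -> str:
    """Identify an attachment by its leading bytes, ignoring the file name."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"


def declared_type(filename: str) -> str:
    return EXT_TYPE.get(os.path.splitext(filename.lower())[1], "unknown")


def audit_attachments(raw_message: bytes) -> list:
    """Return one finding per attachment: declared vs. sniffed type."""
    msg = message_from_bytes(raw_message)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:                     # body parts and multipart containers
            continue
        data = part.get_payload(decode=True) or b""
        declared, actual = declared_type(name), sniff(data)
        findings.append({
            "name": name,
            "declared": declared,
            "actual": actual,
            "mismatch": declared != actual,
        })
    return findings


def build_message(attachments: list) -> bytes:
    """Construct a test message with the given (filename, bytes) attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"     # constructed address
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "see attachment"
    msg.set_content("Details attached.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    # Constructed payloads: a RAR header wearing a .zip name, and a real PDF stub.
    raw = build_message([
        ("details.zip", b"Rar!\x1a\x07\x00" + b"\x00" * 16),
        ("stock.pdf", b"%PDF-1.3\n%%EOF\n"),
    ])
    for f in audit_attachments(raw):
        print(f)
```

A mismatch on its own is not proof of spam, but legitimate senders almost never mislabel archives, so "declared zip, actually rar" is a cheap, high-precision feature to feed into the agent's score alongside the PDF fingerprint.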
[...] The entire PDF spam recognizer engine was rewritten to deal with the new types of PDF spam, and it detects most of them pretty well. We did not add rules for some less widespread/older PDF spam types that are not expected to be repeated in the future, but there are still 8 new types of PDF spam that are caught by the agent. [...]