OK. NO TCO OR ROI HERE. WE LIED.
Posted on July 25th, 2007 by Peter | Permalink

The second wave of the PDF spam phenomenon is here, and it quickly rendered the PDF Spam Agent practically useless, because its design targeted the first outbreak only. In the past two weeks, we received many PDF spam reports (thank you!) and analyzed more than 100 of these by hand.

Unlike the first wave, the second one uses a variety of software and technology for generating the PDF payload. It appears that spammer groups are experimenting with a number of tools; often the same stock pump spam message was generated with 2 or 3 different programs, from text2pdf to OpenOffice. Based on their email properties, I sorted the samples into 11 groups, each with distinguishing characteristics. The good news is that these characteristics also differ from those of legitimate PDFs, so technically we can adjust the engine to recognize them. It will take time, though, and our focus is currently elsewhere (Exchange 2007), but we are working on the new PDF Spam Agent version.

Posted on July 10th, 2007 by Peter | Permalink

It took almost an entire year, 20.000 new and at least 5.000 changed lines of source and an unhealthy amount of coffee, but ORF 4.0 is finally ready to be deployed on your servers.

I would like to say thank you to everyone who helped to get this version released, including the ORF Feature Test Program members, the beta testers and, last but not least, the ORF team. Thanks!

Posted on July 4th, 2007 by Peter | Permalink

We have just released the first beta of our new PDF Spam Agent, an External Agent designed specifically to stop the recent PDF spam outbreak. It is a fairly simple program that classifies an email as PDF spam if all of the conditions below are satisfied:

The email…

  • Size must be less than 200kB
  • Must have exactly one attachment, a PDF file
  • Attachment size must be less than 100kB

The PDF…

  • Must have only one page
  • Must be version 3 (Acrobat 4.x)
  • Must not have an info block
  • Must have only one font embedded
  • Must contain exactly one image

The image…

  • Must have name /Im0 (most PDF generators define /Im1)
  • Must be GIF (more precisely, must have exactly one filter, /LZWDecode)
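The rule set above, as an added illustration written for this post rather than the agent's own C# code: a regex-based checker over a constructed, uncompressed PDF. It assumes "version 3" means a `%PDF-1.3` header and that the PDF body is plain text (no object streams); the sample PDF is hypothetical, not a real spam attachment.

```python
import re

# Constructed minimal PDF that satisfies every PDF-level rule in the post
# (hypothetical sample, not a real spam attachment).
SAMPLE_PDF = b"""%PDF-1.3
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R
   /Resources << /Font << /F1 4 0 R >> /XObject << /Im0 5 0 R >> >> >> endobj
4 0 obj << /Type /Font /Subtype /Type1 /BaseFont /Helvetica >> endobj
5 0 obj << /Type /XObject /Subtype /Image /Name /Im0 /Width 1 /Height 1
   /Filter /LZWDecode /Length 0 >> stream
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

def check_pdf_rules(data: bytes) -> dict:
    """Evaluate the PDF-level conditions with regex heuristics over the raw bytes.
    Returns rule name -> bool. Assumes a plain-text PDF body (no object streams)."""
    pages = re.findall(rb"/Type\s*/Page\b", data)        # \b excludes /Pages
    fonts = re.findall(rb"/Type\s*/Font\b", data)        # \b excludes /FontDescriptor
    images = re.findall(rb"/Subtype\s*/Image\b", data)
    image_names = set(re.findall(rb"/Im(\d+)", data))    # spam uses /Im0, most tools /Im1
    return {
        "version_1_3": data.startswith(b"%PDF-1.3"),     # "version 3" (Acrobat 4.x), assumed
        "one_page": len(pages) == 1,
        "no_info_block": re.search(rb"/Info\s+\d+\s+\d+\s+R", data) is None,
        "one_font": len(fonts) == 1,
        "one_image": len(images) == 1,
        "image_named_Im0": image_names == {b"0"},
        "lzw_filter": re.search(rb"/Filter\s*/LZWDecode\b", data) is not None,
    }

def is_pdf_spam(email_size: int, attachments: list) -> bool:
    """Apply the email-level rules first, then require every PDF-level rule.
    attachments is a list of (filename, bytes) pairs."""
    if email_size >= 200 * 1024 or len(attachments) != 1:
        return False
    name, data = attachments[0]
    if not name.lower().endswith(".pdf") or len(data) >= 100 * 1024:
        return False
    return all(check_pdf_rules(data).values())
```

A legitimate PDF typically fails several rules at once (an /Info dictionary, an /Im1 image name, a /FlateDecode filter), which is what keeps the false-positive rate low despite the crude matching.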

I realize it is far from perfect and can be tricked very easily; this time, however, the goal was to reliably detect the current outbreak and differentiate it from legitimate PDF attachments. As the PDF spam phenomenon evolves, the above rule set will become outdated and will need updates. This is why we decided to release the source code of the agent this time: I know many of the readers can code in C#, and your reaction time is probably faster than ours. Feel free to modify the agent and/or move the project to SourceForge.net.