The second wave of the PDF spam phenomenon is here, and it has quickly rendered the PDF Spam Agent practically useless, because its design focused on the first outbreak only. In the past two weeks we received many PDF spam reports (thank you!) and analyzed more than 100 of them by hand.
Unlike the first wave, the second one uses a variety of software and technology to generate the PDF payload. It appears that spammer groups are experimenting with a number of tools; often the same stock pump spam was generated with 2 or 3 different programs, from text2pdf to OpenOffice. Based on the email properties, I broke the samples into 11 groups with distinguishing properties. The good news is that these properties also differ from those of legitimate PDFs, so technically we can adjust the engine to recognize them. It will take time, though, and we currently have a different focus (Exchange 2007), but we are working on the new PDF Spam Agent version.