PDF Spam 2.0

The second wave of the PDF spam phenomenon is here, and it quickly rendered the PDF Spam Agent practically useless, because the agent's design focused on the first outbreak only. In the past two weeks, we received many PDF spam reports (thank you!) and analyzed more than 100 of these by hand.

Unlike the first wave, the second one utilizes various software and technology for generating the PDF payload. It appears that spammer groups are experimenting with a number of tools; often the same stock pump spam was generated with 2 or 3 different programs, from text2pdf to OpenOffice. Based on the email properties, I broke the samples into 11 groups that show distinguishing properties. The good news is that these properties are also different from those of legitimate PDFs, so technically we can adjust the engine to recognize them. It will take time, though, and we also have a different focus now (Exchange 2007), but we are working on the new PDF Spam Agent version.

7 thoughts on “PDF Spam 2.0”

  1. Chris Lehr

    Really looking forward to another version – several clients complaining about it.

  2. Scooter

    Looking forward to it…

    Let me know if you need more samples! I have plenty!

    Thanks guys! Keep up the good work!

  3. Kurt (EC)

    Well, if you need samples, just let me know as well.
    And another cute thing (it started this weekend): we’re being flooded by “.zip” ones as well.

  4. Peter Post author

    Yeah, I noticed that .ZIP spam, too. Also, image spam is now arriving in GIF attachments. Then the eCard worm/spam. Most of these are pretty easy to detect in a custom External Agent, it is really just a couple of lines of code. Now we’re trying to get these new PDF spam blocked and we’ll see what we can do about the rest.

  5. Peter Post author

    BTW the funny thing about the ZIP spam is that often they’re actually RAR files. Now either WinZip opens ZIP files when they’re RAR (I don’t use WinZip) or spammers expect the casual home user to look into the binary and rename the file.

    What’s not funny is that spammers obviously found out that they can hide their message in email attachments. The format does not really matter, but if it goes on like this, we’ll have trouble catching up.

  6. Pingback: Vamsoft Insider » PDF Spam Agent 1.0 Beta R2 Update
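
The mismatch described in comments 4 and 5 above (a `.zip` attachment whose content is really a RAR archive) can be caught by comparing an attachment's leading bytes with the format its file name claims. The Python sketch below is an added illustration, not Vamsoft's agent code; the function names and the sample message are constructed for the example.

```python
import email
from email.message import EmailMessage

# Leading bytes ("magic numbers") of the attachment formats named on this page.
MAGIC = {
    "zip": (b"PK\x03\x04", b"PK\x05\x06"),
    "rar": (b"Rar!\x1a\x07",),
    "pdf": (b"%PDF-",),
    "gif": (b"GIF87a", b"GIF89a"),
}

def sniff(data):
    """Return the format whose magic number starts `data`, or None if unknown."""
    for fmt, prefixes in MAGIC.items():
        if data.startswith(prefixes):
            return fmt
    return None

def mismatched_attachments(raw_message):
    """List (filename, claimed, actual) for attachments whose content
    does not match the format their file extension claims."""
    msg = email.message_from_bytes(raw_message)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name or "." not in name:
            continue  # body parts and multipart containers carry no file name
        claimed = name.rsplit(".", 1)[1].lower()
        if claimed not in MAGIC:
            continue  # extension outside the formats this sketch knows
        actual = sniff(part.get_payload(decode=True) or b"")
        if actual != claimed:
            findings.append((name, claimed, actual))
    return findings

def build_sample():
    """Constructed sample: a RAR header named .zip and a genuine GIF header."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("see attachment")
    m.add_attachment(b"Rar!\x1a\x07\x00" + b"\x00" * 16, maintype="application",
                     subtype="zip", filename="report.zip")
    m.add_attachment(b"GIF89a" + b"\x00" * 16, maintype="image",
                     subtype="gif", filename="card.gif")
    return m.as_bytes()

if __name__ == "__main__":
    for finding in mismatched_attachments(build_sample()):
        print(finding)
```

An `actual` value of `None` means the content matched none of the known signatures, which is also worth flagging when the extension claims one of these formats.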
