MX Logic IT Security Blog

20 July 2007

PDF Spam Glam Slam

So, here we are again talking about PDF spam.

I was actually hoping to get this out a little bit sooner, but things have been so hectic around here as we work out algorithms and fingerprints to stop what started to be a huge flood of PDF spam on Wednesday that I haven't had much time to sit down and collect my thoughts. I really do appreciate Martin Hack from the Hack Report and Cameron Sturdevant from eWeek for taking time out of their schedules to speak with me and write up some of our conversations in their blogs.

We originally started talking about PDF Based Image Spam back on July 2nd and its prevalence since then has greatly increased.

On Wednesday (July 18th) we saw spam traffic numbers increase by about 25% as a flood of new PDF spam hit our system. This was different from the PDF spam that we had been seeing to date, which usually contained an image. This new variant was essentially a text-based spam message pasted into the body of a PDF.

The first page of the PDF was generally some kind of pump-and-dump stock scam. Subsequent pages (ranging from 3-10 additional pages) were the typical "word salad" that we see at the bottom of many spam messages, added in an attempt to throw off spam filters still using naive Bayes filtering.

This is not likely to be a tactic that sticks around, because many tools already exist that convert PDF files to text, which allows other anti-spam engines to execute against these messages much more easily. The proof of concept here was that many filters have not yet deployed this type of functionality, and as such the messages were getting delivered to the inbox.
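The following is an added example, not code from the original post or from MX Logic's filters. It shows why the padding pages described above pull down a naive Bayes score computed over the whole extracted text, and how scoring each extracted page on its own counters that. The training corpus, page text and all names are constructed for illustration, and it assumes a PDF-to-text step has already produced one string per page.

```python
import math
from collections import Counter

# Constructed training corpus (illustrative only, not real mail).
SPAM = ["hot stock alert buy shares now price target soars",
        "stock symbol set to explode buy now strong buy alert"]
HAM = ["meeting notes attached please review before the morning call",
       "the garden river morning window quiet review letter please"]

class NaiveBayes:
    """Multinomial naive Bayes with add-one smoothing, equal class priors."""
    def __init__(self, spam_docs, ham_docs):
        self.spam = Counter(w for d in spam_docs for w in d.split())
        self.ham = Counter(w for d in ham_docs for w in d.split())
        vocab = len(set(self.spam) | set(self.ham))
        self.spam_den = sum(self.spam.values()) + vocab
        self.ham_den = sum(self.ham.values()) + vocab

    def log_odds(self, text):
        """Sum of per-token log-likelihood ratios; above 0 leans spam."""
        total = 0.0
        for w in text.lower().split():
            if w not in self.spam and w not in self.ham:
                continue  # tokens never seen in training carry no evidence
            p_spam = (self.spam[w] + 1) / self.spam_den
            p_ham = (self.ham[w] + 1) / self.ham_den
            total += math.log(p_spam / p_ham)
        return total

def score_whole(nb, pages):
    """Score the whole extracted text at once: padding pages dilute page 1."""
    return nb.log_odds(" ".join(pages))

def score_per_page(nb, pages):
    """Score each page alone and keep the worst one, so padding cannot help."""
    return max(nb.log_odds(p) for p in pages)

# Constructed per-page text, as a PDF-to-text step might return it:
# page 1 carries the pitch, the padding pages are "word salad".
PITCH = "hot stock alert buy shares now price target soars strong buy"
SALAD = "garden river morning window quiet letter review please meeting notes"
PAGES = [PITCH] + [SALAD] * 4
NB = NaiveBayes(SPAM, HAM)

if __name__ == "__main__":
    print("whole document:", round(score_whole(NB, PAGES), 2))
    print("worst page:    ", round(score_per_page(NB, PAGES), 2))
```

Taking the maximum over pages trades some false positives for robustness: a long legitimate document with one spam-like page also scores high, so the per-page threshold needs its own tuning.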

Even over the past couple of weeks since we started talking about PDF-based spam (which actually originally started back in 2004, but never really caught on), we have already seen the technique start to evolve and traffic volumes dramatically increase. The message is clear, though: PDF spam is here to stay!

Posted by smasiello at 1:59 PM
