Now PDF Is The Format For Spam Delivery

The never-ending game of whack-a-spammer-mole continues, with spammers now adopting PDF files as the new mechanism for delivering their junk mail.

It seems like only yesterday we were talking about image-based spam, where the junk mail message was written in a GIF or JPEG file embedded in the letter. Now the junk mailers have been forced to change because spam blockers and detection mechanisms had gotten quite good at detecting image-based spam.

As spam filters have improved, image-based spam has taken a hit. Secure Computing notes that image-based spam has dropped from the 30 percent range to just 10 percent of total e-mail volume in recent months.

What’s taking its place is a bigger nuisance. Spam in the form of attached PDF files has grown from just one percent in June to five or six percent of e-mail volume in just a month.

So it would seem PDF has replaced the GIF, according to Dmitri Alperovitch, principal research scientist at Secure Computing’s TrustedSource Labs. “The makers of e-mail filters have figured out how to recognize image-based spam and have updated their products to stop it. So now [spammers] wrap it up in the PDF,” he told

For the spammers, it’s very easy to generate PDFs since there are many freeware PDF distillers on the market. For anti-spam vendors, it’s a much bigger headache. Traditionally, PDF files have not been associated with spam and malware, so very few have been examining PDF files as they pass through the gateway.

The good news, according to Alperovitch, is that the PDF files aren’t being used to deliver malicious payloads. So far, it’s just the usual pump and dump garbage for worthless stocks.

But it is a headache for effective filtering, because scanning a PDF file will be much more time consuming than filtering a JPG file. “It’s an extra layer to scan and also an extra performance drop at the filtering system because it is very performance prohibitive to parse a PDF file, especially since PDF files can be very large in size,” he said.

And there is nothing to stop malicious payloads from being delivered, since Acrobat has had vulnerabilities in the past. “Right now they are just sending spam. Of course, Adobe Acrobat has had some serious vulnerabilities and we may as well see in the near future malware  writers figuring out this is another way to deliver a virus to your desktop. But so far it has been spammers,” said Alperovitch.

News Around the Web