• United States



by Dave Gradijan

PDF Spammers Get Creative, Says Vendor

Aug 07, 20072 mins
Build AutomationCSO and CISO

PDF spammers have started varying attachments to fool spam filters, security vendor MessageLabs has warned.

After appearing only a few months ago, the PDF phenomenon accounts for 20 percent of the image spam passing through the managed service provider’s network, the company said. In the last fortnight, however, new types of modified PDF spam had started appearing.

Spam filters have now adapted, turning PDFs from a document and attachment type automatically trusted into one that is now being filtered by antispam engines, causing the spammers to send out new, altered types of PDF. Techniques include altering the rendering size of PDFs, introducing pixel changes to make PDF blocking using signatures impossible, and adding random text within PDFs.

PDFs are also turning up with security features such as encryption turned on, another feature that makes it hard to scan within a document to single out spam from genuine PDFs. The overall aim is to generate so many unique PDFs that antispam engines would be overwhelmed.

“This is almost certainly being automated by bots,” said Mark Sunner of MessageLabs. “It will eventually be used in conjunction with social engineering techniques,” he added, referring to targeted PDF attacks where real people are sent documents from known contacts.

According to Sunner, the advantage of a managed service company such as MessageLabs is the ability to detect rogue PDFs by analyzing information such as IP source. A corporate gateway would not be able to do this because only the ISP itself would be able to see this information with any degree of reliability. “Where the PDF is coming from can also indicate a problem,” he said.

In recent times, third-party systems for verifying the senders and contents of PDF documents have started to appear, including one from Geotrust that takes advantage of Adobe’s Livecycle Document Security server.

— John E. Dunn,