Same spam, new format

We all know that the evil forces behind spam, beyond being evil, are also quite prolific. In the tit-for-tat war between junkmail senders and the anti-spam community, the junkers have come up with yet another trick – PDF spam. Some of what we are seeing is really just ‘Image spam 2.0′ because it’s just another way of sending the same old image spam. All they’ve done is take the same old randomized, blurry, penny stock touting graphic files and convert them to PDF format. Then they spam them out as attachments. This simple alteration may actually be penetrating some anti-spam solutions, since many of them wrote a series of heuristics to help them recognize image spam 1.0, by looking for embedded or attached image files. These heuristics most likely will not catch the same image, when it appears in .pdf format.

Same old image…now in .pdf

Another version of PDF spam recently detected by RPD uses more legitimate looking PDFs. The email message uses social engineering to try to lure readers into opening the attachment.

Innocent looking email message

When the curious reader opens the attachment he gets a PDF promoting some kind of bogus herbal enhacement product. The message appeared in plain searchable text, which means OCR or even simpler content filters could probaly have recognized it as spam, assuming they are able to look inside the attached document. I’d love to share the PDF content with you, it was pretty funny, but this is a family email security blog (-:

Special thanks to Menashe and the detection team for sharing these examples.