B52 Two Not Guilty
Google thinks I am Jesus

PDF Spam

The spam filtering setup on our server is pretty good - SpamAssassin with Bayesian filtering and the FuzzyOCR Plugin which I installed to deal with the rise of image-based spam last year. Still, a few email addresses that route to me are very public, and most days one or two spam messages get through the filters.

This morning I noticed a new phenomenon in my inbox. I almost moved it across into my “missed spam” folder without giving it a second thought (we train our filters with missed spam to improve the Bayesian analysis), but something caught my eye:

PDF Spam

“That’s odd,” I thought, so I opened the pdf. (Note, in general unless you know what you’re doing, it’s a really bad idea to open attachments if you don’t know the sender or weren’t expecting something from them - it could be a virus.)

PDF Spam

That’s right, it’s spam, in a pdf file. While spamassassin does a great job of analysing text, and even images using FuzzyOCR, no analysis is done of pdf attachments, so this one slipped through the net. (I’ve had seven copies of this so far today.)

What next? Well, if this type of spam continues (and there’s no reason to think it won’t) I expect we’ll see a pdf scanning plugin for SpamAssassin before too long. After that gains traction the spammers will undoubtedly adapt again with some new trick to avoid the filters. Rinse, and repeat.

The arms race continues…

PDF Spam was posted 1 year, 1 month ago on Wednesday, June 20th, 2007 at 15:30 and is filed under technology. You can follow any responses to this entry through the RSS 2.0 feed. You can use this short link to email this post to someone else. You can leave a response, or trackback from your own site.

4 Responses to “PDF Spam”

  1. Gravatar Image
    1
    Steve Basford
    June 26th, 2007 at 15:20

    download the scam.ndb.gz and phish.ndb.gz files from
    Http://sanesecurity.com/clamav and it will now catch the pdf stock spams

  2. Gravatar Image
    2
    Alton Yu
    June 28th, 2007 at 01:36

    II really hope you’re right.

  3. Gravatar Image
    3
    Ben Duncan
    July 23rd, 2007 at 10:00

    Checkout a module I wrote called “PDFassassin” which is a plugin for SpamAssassin.

    This can scan emails for PDF attachments, uses the pdftotext utility to extract the text for Spam messages, and also extracts images and uses OCR to pin-point Spam messages embedded in pictures.

    This plugin can really help prevent the wave of PDF spam messages from hitting your mbox

    Details at:

    http://blog.atmail.com/?p=61

  4. Gravatar Image
    4
    Securityphreak
    August 1st, 2007 at 09:23

    Looks like the bigger anti spam vendors are up to scratch too: PDF spam – a step ahead of image spam

Leave a Response



XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

  • Search carroll.org.uk

  • Meta

  • Old Browser

    It seems you are using an old web browser (e.g. Internet Explorer 5 or below). This is a security risk to you, since Microsoft no longer releases updates for old versions of Internet Explorer. Also, note that this site is designed to modern internet standards, and the layout may appear strange or plain in older browsers. All the content is still accessible to you, but I strongly recommend you upgrade to a modern, safe, standards-complient browser, such as Firefox. For more information on getting the best experience surfing the web, see browsehappy.com.