PDF spam

Lately I have been getting more and more PDF-based spam; the PDF itself appears to be just a cover for the normal image spam. The idea, I believe, is that PDF is not investigated by most spam filtering agents, and is not regarded by spam filtering as a “score giver” (i.e. something that makes the email look more spammy than others).

BTW: At first glance I thought it was malware or an exploit that uses PDF as its carrying bag, but after a day's work of investigating, and probing the file with various PDF readers (non-standard ones), I concluded that it had nothing to do with malware or an exploit :) kudos to me :P
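To make a PDF attachment count as a "score giver", a filter has to look at the MIME structure and inside the PDF. The sketch below is an added example, not code from this post or from any particular spam filter: it scores a message for a lone PDF attachment, near-empty body text, and a PDF that holds image objects but no fonts. The weights, the threshold, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Byte markers searched in the raw PDF. Limitation: objects packed into
# compressed object streams will not expose these markers.
IMAGE_OBJ = re.compile(rb"/Subtype\s*/Image")
FONT_REF = re.compile(rb"/Font")
SPAM_THRESHOLD = 5  # assumed cut-off for this sketch

def score_pdf_spam(raw: bytes):
    """Return (score, reasons) for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().strip() if body is not None else ""
    attachments = list(msg.iter_attachments())
    pdfs = [a for a in attachments if a.get_content_type() == "application/pdf"]
    score, reasons = 0, []
    if len(attachments) == 1 and len(pdfs) == 1:
        score += 2
        reasons.append("single PDF attachment")
        if len(text) < 20:
            score += 2
            reasons.append("no meaningful body text")
    for pdf in pdfs:
        data = pdf.get_payload(decode=True) or b""
        # Image spam wrapped in a PDF: picture objects, no fonts for real text.
        if IMAGE_OBJ.search(data) and not FONT_REF.search(data):
            score += 3
            reasons.append("PDF holds images but no fonts")
    return score, reasons

# Constructed samples (PDF fragments, not complete documents).
IMAGE_ONLY_PDF = b"%PDF-1.4\n1 0 obj<</Type/XObject/Subtype/Image/Width 400>>endobj\n%%EOF"
TEXT_PDF = b"%PDF-1.4\n1 0 obj<</Type/Font/Subtype/Type1/BaseFont/Helvetica>>endobj\n%%EOF"

def build_sample(body: str, pdf: bytes, filename: str) -> bytes:
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "report"
    m.set_content(body)
    m.add_attachment(pdf, maintype="application", subtype="pdf", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for raw in (build_sample("\n", IMAGE_ONLY_PDF, "user_1234.pdf"),
                build_sample("Hi, the signed contract is attached.\n", TEXT_PDF, "c.pdf")):
        score, reasons = score_pdf_spam(raw)
        print(score, score >= SPAM_THRESHOLD, reasons)
```

A scanned paper document also produces an image-only PDF, so the last rule should only add to a score and never block on its own.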

  • P. D. Eff

    I was Googling to see if anyone had investigated the “complaint.pdf” spam, and found this entry. Although the only payload I got in mine was the same old stock pumping stuff, it worries me a bit from a malware perspective, because Acrobat does support JavaScript. I’m on my Mac right now, and see PDFs in Preview, but I have no idea if it will run scripts or not. Suddenly I feel very uninformed…

  • http://www.edenaudio.com Bjorgen T. Eatinger

    I truly wish the penalty for spamming was death by public execution…slowly.

  • Dan

    I googled to see if there was any info on the .pdf spam I started getting lately and found this page.

    I was concerned that there might be some sort of exploit inside them and so I haven’t opened any of them. Personally I prefer this type of spam because nobody I know ever sends me .pdf files and on the slim chance they did I’d recognise their name/email as the sender. I can just happily delete them all and not worry about it!

  • Max Breaux

    Yep! have had several show up in my inbox. Sender is unknown to me, the size is between 12k – 16k, no alert on virus scan. I just report it as spam.
    “a malware or a exploit that uses PDF as its carrying bag” – I can agree that this is a valid concern. If someone discovers a pdf exploit unknown at this time, it could be an issue.
    Interesting psych/social change-up. Users are aware of .exe dangers, but, “it’s just a .pdf”
    Just another day in the trenches

  • Larry

    I have been getting ~10/day. It seemed to coincide with my Acrobat upgrade to version 8.

    Why anyone would think that someone would buy a stock based on spam is beyond me.

    I also fear softening. That is a process where terrorists test the environment before launching an attack. I am waiting for a super-cyber attack, possibly to coincide with a physical attack from the middle east.

  • Ezra

    I’ve gotten these at least once a day now… I wonder what they are really for? For me, the suspicious PDF files keep me from opening them, I mark them as spam, and Thunderbird gets rid of them for me. It’s probably just a way to get around spam filters.

    “I also fear softening. That is a process where terrorists test the environment before launching an attack. I am waiting for a super-cyber attack, possibly to coincide with a physical attack from the middle east.”

    You’re kidding right? Right?

  • Steve

    Larry, I agree with you – there’s definitely something sinister going on in the Middle East right now, and the influx of spam just may be another ‘softening’ attempt.

  • Patrick

    Larry,

    You should be working for the Bush administration. They’re soft on terror. They need soft-headed thinking like yours.

  • bleacher

    I agree with Patrick, are there people that actually believe all that “Ooh terrorists from the Middle East” that the Bush administration pumps out? Amazing

    I can see them now, writing malicious codes into PDF files to take down the western world! Laughable! lol

    You’ve probably just watched Die Hard 4.0 (I haven’t thankfully)

  • Larrybud

    Yeah, those terrorists are just all made up! I also read we didn’t land on the moon!

  • mike

    Patrick and bleacher, do you remember 9-11?, The unprovoked attack by middle easterners. The same ones who were and are at war for us for a couple of decades now.

  • dubie

    You mean the ones that we armed and trained a couple of decades ago?

  • Crumblemix

    Lol at mike. 9/11 guys were almost all Saudis, don’t see anyone at war with them. Probably ‘cos a) they have loads of oil and b) they spend heaps of their oil revenues on military supplies from…. Gotta say the PDFs are annoying even though I never open them. Would be nice if they didn’t turn up at all.

  • Yahkin

    Once again you are all nuts. All this focus on the middle east and the moon landing, and you don’t realize that our biggest threat comes from Australia! Every day they infiltrate further into our lives, putting up those sinister Outback Steak Houses. I’m just glad the government stepped in and took down their leader Steve Irwin.

  • Eric

    Some of you guys are getting only one PDF spam per day?

    Today alone I have received 35, all of them with my username followed by _(number) where the number is a 4 digit number.

    Luckily my spam filter catches them all. However, it’s a pain in the rear when my iPhone downloads them. UGH

    I agree with a previous poster about the penalty for spamming being execution. At the very least it should be a very lengthy prison sentence with distribution of fines to those affected. The US Government really needs to crack down on these guys more than it’s currently doing. I’ve seen a few arrests here and there, but widespread arrests would make spam decrease to a halt — at least US-based spam.

  • IT Guy

    Steve, what spam filter are you using?

  • Markus

    Spammers are a bigger threat to our economy than terrorism!

    Spam costs each of us several minutes a day or hours a month! Even if we don’t live in the US. Spam costs “every” business worldwide a lot of time and resources.

  • AJ

    I’ve also been seeing lots of spams in pdf format lately. Thunderbird blocks them (because it learned that short emails with a single pdf from an unknown sender is probably spam), so that is good, but it is annoying.

    I’ve seen spammers go public on news sessions about spam, and they aren’t arrested! Surely, the govt can track them all down and arrest them for being a public annoyance, but arrests are rare.

  • Mike

    I think this attack is ME related. It seems to be getting more volume as of 7/20.

  • Erick

    I just found out about these new ways of spammers because I was going through my spam box and saw a few emails with PDFs. I actually get many PDFs by email so I thought they were good email that had been marked as spam. However, without opening the PDF I quickly realized it was spam. I googled it and figured out it’s just the new way spammers are trying to get through mail filters.
    I had recently implemented a new mail server that features a somewhat new technology that is great for blocking spam. I decreased 99% of spam, but I am a system administrator and need to stay informed as far as the spam news… So I kind of feel like I want spam again..
    Oh and I agree with whoever said the penalty for spam should be public execution!

  • NA

    ARE YOU ALL KIDDING? SPAMMERS ARE IN IT FOR THE MONEY FOR THEMSELVES, NOT TERRORISTS, THESE ARE PENNY STOCK SPAM SO THAT YOU WILL BUY STOCK FROM WHATEVER COMPANY THEY SAY THEY HAVE AN INSIDER TIP FROM – ONLY TO SELL OFF AND BUY BACK THE STOCK TO MAKE A PROFIT. THE SEC – SECURITIES AND EXCHANGE COMMISSION JUST SUSPENDED STOCK TRADE ON 30 SOME COMPANIES THAT HAVE MADE TRADES BASED FROM THIS SPAM…

    GET A GRIP PEOPLE, TOO MANY PARANOID AMERICANS IN THIS COUNTRY!!!

  • http://www.BeyondSecurity.com Lev

    Guys … err ? PDF Spam ?

  • bungi

    Hi, I have been getting more and more of this .PDF spam into my yahoo account in the last month. I set up a filter to send it in a specific folder
    (trash folder), end of spam.
    Simple as that really, as I don’t get any legitimate PDFs sent to my yahoo mail account

    Terrorists ?? Troll more like
    or just very stupid comments

  • Mohammed Abu

    I Iraq terrorist, soften greedy US capitalist with pennystock .pdf spam. Will near make new spam attack by link to Iraq war porn site. America weaken, fall near.

    Death to America!

    All your base are belong to us!

    Allahu Akbar. All your grandchildren will pray in Moslem mosque.

  • SearchCops

    The problem I have with spam is the lack of enforcement actually being carried out. We have the tools to track these ‘felons’, however, from your ISP down to your spam filters, we simply ‘ignore’ the problem rather than attack it. While I do not believe it to be some sinister ‘preface’ attack, I do think that the money achieved from these schemes are the new face of many organized crime families of today.

  • http://www.enamelswitchplates.com Eugene H Scott

    Bungi – how did you filter out PDFs with yahoo? Only fields I see are header, To/Cc header, Subject, and body. But since the PDFs are in an attachment, none of these will work, right??

  • Blake

    Today alone I got about 150 of these PDF spams! I hope gmail gets on the ball…. a message with no text and a pdf attachment is suspicious and should be flagged IMHO

  • Chris

    Dang, and I said we should outlaw PDF long before 9/11 happened!

    Seriously, if there was an exploit in PDF then we’d see plenty of mal-crafted PDFs on the web. All softening aside, this just seems like a way to deliver non-filtered image spam.

  • paul

    I get these emails at least 20 times a day, yesterday I received over 40. Outlook usually filters spam very nicely, but lets through every single one of these. I never opened one of the PDFs fearing an exploit.

  • MX

    Spammers are the lowest life forms on earth and we should rid this planet of their annoying existence.
    I agree, they should get the death penalty for wasting enough of everybody’s time to amount to several lifetimes when billions of emails are sent each day by their automated systems.
    Execute a few of the major spammers and watch how fast spam decreases.

  • http://96trees.com Fred

    Yea this is just the normal spam we all hate, but I’m on dialup and hate waiting for my email to arrive only to find this krap. I use Postini and they seem to be struggling a bit to get it blocked.

  • DJ

    Fred, good luck on Postini blocking .pdf spam. Google tendered an offer for Postini near the beginning of July. A couple of weeks ago the Federal Trade Commission gave it its seal of approval.

    I have noticed that a high percentage of the pdf spam that I get has been coming from former Eastern bloc countries and Nigeria.