PDF Email Spam on the rise - gHacks Tech News

I have been getting lots of emails lately that usually contain no text whatsoever, just a PDF attachment with a name such as report.pdf, article.pdf or bill.pdf. These are real PDF files, and if you open them you see that they contain, you guessed it already, spam.

To be more precise: they contain stock spam, claiming that if you buy certain shares you will receive the highest returns. The PDF normally has three or four pages, and only the first page is about the subject they want you to react to.

The other pages contain random sentences strung together to confuse anti-spam software, and to make every PDF look like a new message rather than the same one. Putting all of this together, we see a new type of spam with the following characteristics:

  1. Emails with PDF attachments.
  2. Random senders.
  3. Several different names for the PDF files.
  4. Sometimes with a message body.
  5. Sometimes with a subject.
  6. The PDF has several pages.
  7. Only the first page is relevant to the spammer and contains the stock information.
  8. The other pages consist of random sentences to evade spam filters.

Here is a little trick to make Thunderbird's message filters recognize the PDF spam and move it straight into a special folder:

Method 1:

If you analyze the headers of the PDF spam emails, you see that most of them use the User-Agent Thunderbird 1.5.0.12. We will now create a new message filter that moves messages with a PDF attachment directly into a newly created folder if their User-Agent is Thunderbird 1.5.0.12.

  • Click on Tools > Message Filters.
  • Select a mail account from the list and click on New.
  • Name the filter accordingly; something like PDF Spam will do.
  • Check "Match all of the following".
  • Choose Customize from the first pulldown menu.
  • Add "User-Agent".
  • Leave "contains" in the second field.
  • Write Thunderbird 1.5.0.12 in the last field (without quotes).
  • Click on the + icon.
  • Choose Body from the pulldown menu.
  • Leave "contains" as it is.
  • Write .pdf in the last field.
  • Go to "Perform these actions".
  • Select "Move Message to" and choose a folder from the second pulldown menu. You could, for instance, create a new folder named Spam in Thunderbird.

This filter will move all messages that have the User-Agent Thunderbird 1.5.0.12 and a PDF attachment into the folder you selected, for example Spam.

This method works fine at the moment but will stop working as soon as the spammer changes the User-Agent string of his mail client.

Method 2:

The following method also uses message filters but works without the User-Agent condition, which makes it a more general way to fight PDF spam.

  • Click on Tools > Message Filters.
  • Select a mail account from the list and click on New.
  • Name the filter accordingly; something like PDF Spam 2 will do.
  • Check "Match all of the following".
  • Select "From".
  • Select "Isn't in my address book".
  • Select "Personal address book".
  • Click on the + icon.
  • Choose Body from the pulldown menu.
  • Leave "contains" as it is.
  • Write .pdf in the last field.
  • Again, select to move the message to a newly created folder in Thunderbird.

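As an added illustration that is not part of the article, the logic of both filters expressed as a Python check over constructed sample messages, which shows why Method 1 stops matching once the User-Agent changes while Method 2 still catches the same message; the address book, sender addresses and the PDF attachment are constructed for this example.

```python
import email
import email.utils
from email import policy
from email.message import EmailMessage

# Constructed address book; Method 2 trusts only these senders.
ADDRESS_BOOK = {"alice@example.com"}
# The User-Agent the article saw on most of the PDF spam (Method 1).
SPAM_USER_AGENT = "Thunderbird 1.5.0.12"

def has_pdf_attachment(msg):
    """True if any MIME part is a PDF by content type or by a .pdf filename."""
    for part in msg.walk():
        if part.get_content_type() == "application/pdf":
            return True
        if (part.get_filename() or "").lower().endswith(".pdf"):
            return True
    return False

def method1(msg):
    """Method 1: User-Agent contains the spam client string AND a PDF is attached."""
    return SPAM_USER_AGENT in str(msg.get("User-Agent", "")) and has_pdf_attachment(msg)

def method2(msg, address_book=ADDRESS_BOOK):
    """Method 2: sender is not in the address book AND a PDF is attached."""
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    return sender not in address_book and has_pdf_attachment(msg)

def classify(raw):
    """Run both filters over one raw RFC 822 message; True means 'move to Spam'."""
    msg = email.message_from_string(raw, policy=policy.default)
    return {"method1": method1(msg), "method2": method2(msg)}

def build(sender, user_agent):
    """Constructed sample (not a real capture): no text body, one report.pdf attached."""
    m = EmailMessage()
    m["From"], m["To"] = sender, "me@example.com"
    m["User-Agent"] = user_agent
    m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                     subtype="pdf", filename="report.pdf")
    return m.as_string()

SPAM = build("random@example.net", SPAM_USER_AGENT)               # both methods fire
SPAM_NEW_UA = build("random@example.net", "Thunderbird 2.0.0.6")  # only Method 2 fires
LEGIT = build("alice@example.com", "Thunderbird 2.0.0.6")         # known sender: neither
```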

    Comments

    1. Securityphreak said on August 3, 2007 at 8:13 am

      The larger anti-spam software packages already effectively filter out PDF spam, also depending on their false-positive recognition capability.

      Here’s an interesting article about PDF spam. It’s a vendor white paper but informative nonetheless.

      http://www.gfi.com/whitepapers/pdf-and-image-spam.pdf

    2. Julie said on August 8, 2007 at 1:52 pm

      I noticed that the spammer is using (no subject) in the subject field, or references to invoice, trading, portfolio, and in the full header ( @uyvt ), which is a derivative of the PDS file format used for binary images. Block this in your spam filter; these cretins are jamming up my filter on a daily basis.

    3. Julie said on August 8, 2007 at 2:01 pm

      More on the offending PDF spam emails, traced to 210.233.109.31 et al., which is:

      OrgName: Asia Pacific Network Information Centre
      OrgID: APNIC
      Address: PO Box 2131
      City: Milton
      StateProv: QLD
      PostalCode: 4064
      Country: AU

      ReferralServer: whois://whois.apnic.net

      NetRange: 210.0.0.0 - 211.255.255.255
      CIDR: 210.0.0.0/7
      NetName: APNIC-CIDR-BLK2
      NetHandle: NET-210-0-0-0-1
      Parent:
      NetType: Allocated to APNIC
      NameServer: NS1.APNIC.NET
      NameServer: NS3.APNIC.NET
      NameServer: NS4.APNIC.NET
      NameServer: NS-SEC.RIPE.NET
      NameServer: TINNIE.ARIN.NET
      NameServer: DNS1.TELSTRA.NET
      Comment: This IP address range is not registered in the ARIN database.
      Comment: For details, refer to the APNIC Whois Database via
      Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
      Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
      Comment: for the Asia Pacific region. APNIC does not operate networks
      Comment: using this IP address range and is not able to investigate
      Comment: spam or abuse reports relating to these addresses. For more
      Comment: help, refer to http://www.apnic.net/info/faq/abuse
      Comment:
      RegDate: 1996-07-01
      Updated: 2005-05-20

      OrgTechHandle: AWC12-ARIN
      OrgTechName: APNIC Whois Contact
      OrgTechPhone: +61 7 3858 3100

      I hope this helps your search

    4. Stefan said on August 17, 2007 at 5:15 pm

      Wow, you have just narrowed it down to a block of 33.5 million addresses :P
