PDF Email Spam on the rise

Martin Brinkmann
Jul 24, 2007
Updated • Mar 16, 2014

I have been getting lots of emails lately that have most of the time no text whatsoever but a pdf attachment with titles such as report.pdf, article.pdf or bill.pdf. Those are real pdf files and if you open them you see that they contain - you guessed it already did not you - spam.

To be more precise than that: they contain spam about shares and claim that if you buy them you will receive highest returns. The pdf contains between three and four pages normally and only the first page is about the subject that they want you to react on.

The other pages contain random sentences put together to irritate anti-spam software and tools, and make the pdf look like a new message all the time and not the same. If we put all of this together we see a new type of spam that consists of the following:

  1. Emails with pdf attachments.
  2. Random senders.
  3. Several names for the pdf files.
  4. Sometimes with body.
  5. Sometimes with subject.
  6. The pdf has several pages.
  7. Only the first page is relevant to the spammer and contains stock information.
  8. The other pages consist of random sentences to avoid spam filters.

Here is a little trick on how to make Thunderbird's spam filter recognize the pdf spam and move it right into a special folder:

Method 1:

If you analyze the header of the pdf spam emails you see that most use the User-Agent Thunderbird We will now create a new message filter to move pdf files directly into a newly created folder if the User-Agent is Thunderbird

  • Click on Tools > Message Filters.
  • Select a mail account from the list and click on New.
  • Name the Filter accordingly, something like PDF Spam will do.
  • Check Match all of the following
  • Choose Customize from the first pulldown menu
  • Add "User-Agent"
  • leave "contains" in the second field
  • write "Thunderbird" in the last field (without the "")
  • Click on the + icon
  • Choose Body from the pulldown menu
  • "contains" stays where it is
  • write ".pdf" in the last field
  • go to Perform these actions
  • Select "Move Message to" and choose a folder from the second pulldown menu. You could create a new folder named Spam for instance in Thunderbird.

This message will move all messages that have the User-Agent Thunderbird and a pdf attachment to a folder named spam.

This method is working fine at the moment but will stop working as soon as the spammer is changing the User-Agent of his client.

Method 2:

The following method is also using message filters but works without adding the User-Agent variable which makes it a more general method to fight pdf spam.

  • Click on Tools > Message Filters.
  • Select a mail account from the list and click on New.
  • Name the Filter accordingly, something like PDF Spam 2 will do.
  • Check Match all of the following
  • Select "From"
  • Select "Isn't in my address book"
  • Select "Personal address book"
  • Click on the + icon
  • Choose Body from the pulldown menu
  • "contains" stays where it is
  • write ".pdf" in the last field
  • Select to move the message again to a newly created folder in Thunderbird.
Article Name
PDF Email Spam on the rise
Describes a new form of PDF email spam, and how to configure the email client to move it out of the way automatically.

Tutorials & Tips

Previous Post: «
Next Post: «


  1. Stefan said on August 17, 2007 at 5:15 pm

    Wow, you have just narrowed it down to a block of 33.5 million addresses :P

  2. Julie said on August 8, 2007 at 2:01 pm

    more on PDF offending spam emails traced to et.al


    OrgName: Asia Pacific Network Information Centre
    OrgID: APNIC
    Address: PO Box 2131
    City: Milton
    StateProv: QLD
    PostalCode: 4064
    Country: AU

    ReferralServer: whois://whois.apnic.net

    NetRange: –
    NetName: APNIC-CIDR-BLK2
    NetHandle: NET-210-0-0-0-1
    NetType: Allocated to APNIC
    NameServer: NS1.APNIC.NET
    NameServer: NS3.APNIC.NET
    NameServer: NS4.APNIC.NET
    NameServer: NS-SEC.RIPE.NET
    NameServer: TINNIE.ARIN.NET
    NameServer: DNS1.TELSTRA.NET
    Comment: This IP address range is not registered in the ARIN database.
    Comment: For details, refer to the APNIC Whois Database via
    Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
    Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
    Comment: for the Asia Pacific region. APNIC does not operate networks
    Comment: using this IP address range and is not able to investigate
    Comment: spam or abuse reports relating to these addresses. For more
    Comment: help, refer to http://www.apnic.net/info/faq/abuse
    RegDate: 1996-07-01
    Updated: 2005-05-20

    OrgTechHandle: AWC12-ARIN
    OrgTechName: APNIC Whois Contact
    OrgTechPhone: +61 7 3858 3100

    I hope this helps your search

  3. Julie said on August 8, 2007 at 1:52 pm

    I noticed that the spammer is using
    (no subject) in the subject field or references to
    invoice, trading, portfolio and in the full header
    ( @uyvt ) which is a derivative of PDS file format used for binary images block this in your spam filter these cretans are jamming up my filter on a daily basis

  4. Securityphreak said on August 3, 2007 at 8:13 am

    The larger anti spam software package already effectively filter out PDF spam, also depending on their false positives recognition capability.

    Here’s an interesting article about PDF spam. It’s a vendor white paper but informative nonetheless.


Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.