PDF Email Spam on the rise
I have been getting lots of emails lately that have most of the time no text whatsoever but a pdf attachment with titles such as report.pdf, article.pdf or bill.pdf. Those are real pdf files and if you open them you see that they contain - you guessed it already did not you - spam.
To be more precise than that: they contain spam about shares and claim that if you buy them you will receive highest returns. The pdf contains between three and four pages normally and only the first page is about the subject that they want you to react on.
The other pages contain random sentences put together to irritate anti-spam software and tools, and make the pdf look like a new message all the time and not the same. If we put all of this together we see a new type of spam that consists of the following:
- Emails with pdf attachments.
- Random senders.
- Several names for the pdf files.
- Sometimes with body.
- Sometimes with subject.
- The pdf has several pages.
- Only the first page is relevant to the spammer and contains stock information.
- The other pages consist of random sentences to avoid spam filters.
Here is a little trick on how to make Thunderbird's spam filter recognize the pdf spam and move it right into a special folder:
Method 1:
If you analyze the header of the pdf spam emails you see that most use the User-Agent Thunderbird 1.5.0.12. We will now create a new message filter to move pdf files directly into a newly created folder if the User-Agent is Thunderbird 1.5.0.12.
- Click on Tools > Message Filters.
- Select a mail account from the list and click on New.
- Name the Filter accordingly, something like PDF Spam will do.
- Check Match all of the following
- Choose Customize from the first pulldown menu
- Add "User-Agent"
- leave "contains" in the second field
- write "Thunderbird 1.5.0.12" in the last field (without the "")
- Click on the + icon
- Choose Body from the pulldown menu
- "contains" stays where it is
- write ".pdf" in the last field
- go to Perform these actions
- Select "Move Message to" and choose a folder from the second pulldown menu. You could create a new folder named Spam for instance in Thunderbird.
This message will move all messages that have the User-Agent Thunderbird 1.5.0.12 and a pdf attachment to a folder named spam.
This method is working fine at the moment but will stop working as soon as the spammer is changing the User-Agent of his client.
Method 2:
The following method is also using message filters but works without adding the User-Agent variable which makes it a more general method to fight pdf spam.
- Click on Tools > Message Filters.
- Select a mail account from the list and click on New.
- Name the Filter accordingly, something like PDF Spam 2 will do.
- Check Match all of the following
- Select "From"
- Select "Isn't in my address book"
- Select "Personal address book"
- Click on the + icon
- Choose Body from the pulldown menu
- "contains" stays where it is
- write ".pdf" in the last field
- Select to move the message again to a newly created folder in Thunderbird.
Wow, you have just narrowed it down to a block of 33.5 million addresses :P
more on PDF offending spam emails traced to 210.233.109.31 et.al
is
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
ReferralServer: whois://whois.apnic.net
NetRange: 210.0.0.0 – 211.255.255.255
CIDR: 210.0.0.0/7
NetName: APNIC-CIDR-BLK2
NetHandle: NET-210-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: NS-SEC.RIPE.NET
NameServer: TINNIE.ARIN.NET
NameServer: DNS1.TELSTRA.NET
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to http://www.apnic.net/info/faq/abuse
Comment:
RegDate: 1996-07-01
Updated: 2005-05-20
OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3100
I hope this helps your search
I noticed that the spammer is using
(no subject) in the subject field or references to
invoice, trading, portfolio and in the full header
( @uyvt ) which is a derivative of PDS file format used for binary images block this in your spam filter these cretans are jamming up my filter on a daily basis
The larger anti spam software package already effectively filter out PDF spam, also depending on their false positives recognition capability.
Here’s an interesting article about PDF spam. It’s a vendor white paper but informative nonetheless.
http://www.gfi.com/whitepapers/pdf-and-image-spam.pdf