A large “pump-and-dump” stock spam campaign is underway, but rather than including the content of the spam in an image file, this campaign includes the spam content within a .PDF file. The stock spam is believed to be sent from Stration infected computers, as this spam campaign closely followed a new W32/Stration worm mass-mailing which contained a number of .PDF files, and Stration has been associated with pump and dump spam in the past.
The current spam contains one or more .PDF files, has a randomly generated subject line and sender name, and a blank message body. The .PDF files contain images which look very similar to previous image based stock spam.
The appearance of PDF-based spam was predicted by AVERT in the article “Email Spam Plague Persists” in the latest SAGE report, as .PDF files can be more easily automated than other document formats. This prediction appears to be holding true, and as .GIF based image spam continues to decline we expect spammers will continue to try similar methods of sending image based spam.
June 28th, 2007 at 11:46
I’ve seen 6 of these since Tuesday (06/26). My spam filter has been detecting and deleting all of them.
June 30th, 2007 at 03:11
Been seeing them getting past spam filters too. Most are caught , but like 1 out of 10 gets through.
July 3rd, 2007 at 11:32
We are seeing them too, and they are getting past our MailScanner/Sendmail open source solution.
July 3rd, 2007 at 16:30
Modern macs display these PDFs inline. Therefore, these messages appear exactly the same as the previous image spam.
Luckily, the pattern seems to be to put the name of the PDF into the subject line, so it can be filtered out by looking for “.pdf” in the subject. Let’s hope they don’t get any smarter.
July 5th, 2007 at 06:17
Zip – Yep, that’s about what I’m seeing. About one in ten makes it through. Otherwise spam filter is catching them.
July 6th, 2007 at 05:35
Our spam filter seems to be catching about 10% of these over the last 1 1/2 weeks or so when the blast really seemed to be hitting us.
Our spam filter seems to be doing an OK job at blocking but not sure. I am not sure (actually I was wondering) if the spam filter cannot/does not scan PDF files or is it because it is an image inside the PDF and it would need to do an optical recognition (which of course it does not do), but the wavy, discoloration of the text would make that increasingly difficult if it could anyway.
July 15th, 2007 at 05:47
Our spam filters are managing well, deleting probably about 80 per cent of the actual emails. The problem is that the PDF remains in the attachments’ folder on our server and still has to be removed manually.
July 20th, 2007 at 07:37
I’ve been seeing quite an uptick in these over the past week. Spam filter is still catching about 90%, but the volume seems to have (at least) doubled.
July 20th, 2007 at 16:18
Help I’m drowning in these dam things now. The volume is like X5.
July 20th, 2007 at 23:42
Anyone have any observations to share for Yahoo Webmail’s spam filter’s effectiveness in catching these spams? I have been geting increasing number of these spams in my inbox lately.
July 21st, 2007 at 00:16
Update on my earlier post regarding I wanting to know effectiveness of Yahoo Webmail to catch this spam. I am happy to report that they are doing fairly good job. Today I had 5 of these spams in my inbox, however 43 of these spams were caught and stashed in the spam folder.
July 23rd, 2007 at 10:52
Are we allowed to mention non-McAfee products here? I use McAfee for most things, but use another maker’s anti-spamware. It’s catching 90%+ of these. If we are, I’ll be happy to share the info for those with underperforming filters.
July 23rd, 2007 at 16:40
About two weeks ago I was getting pdf’s at the rate of 85% of my e-mail. So I made a few adjustments with Outlook that I think would be helpful for a good percentage of readers.
Have them go to my site at:
http://timtracy.net/blog/2007/07/06/step-by-step-instructions-to-block-the-pdfs/
This should cut about 65% to 70% of the pdf’s from their Inbox, and directly to their Delete Items box.
July 23rd, 2007 at 17:28
Is this a reason to update to Adobe Reader 8.0.1?
July 23rd, 2007 at 18:11
I am using outlook 2007 with all updated spam filter from Microsoft as well as windows onecare and I am getting absolutely bombed with these damn PDF spams. Where is Microsoft on this anyway?? I see 20 to 30 a day. Can anyone recommend a REAL filter??
Thanks!
July 24th, 2007 at 05:25
I make it a habit not to open .zip files or .PDF filles I get in e-mail. Lord knows what is in them until you open them and if you do open them,the surprise might not be pleasant.
July 24th, 2007 at 05:57
I’m a tech who services several small businesses. I can honestly say I’ve seen this and other .pdf spam at least 200 times in the last two weeks. Most of it doesn’t claim to have any connection to McAfee.
July 24th, 2007 at 08:55
I use MailWasher Pro which has been catching 99.5%. This morning 224 spams, 14 with PDF’s. Only 2 spams, and wihtout attachments, were not listed as spam but were questioned, and I simply checked the “enemy” box.
It takes a couple of weeks to put this program through it’s learning curve, but after that all is fine. Just don’t add them to the blacklist, else opening the program will be very slow. (I simply leave it open all day in the background) Incidentally I also use Thunderbird and it is catching about the same number. As opposed to Att/yahoo on line, of which 8 this morning were in the inbox to be moved to the spam folder.
July 24th, 2007 at 10:34
Ted Wood, unfortunately they did get smarter
and there are several variants of this type of spam now.
Randy W, spam filters work in different ways and some do/did attempt to do OCR on the image spam. As you mention the spammers then added wavy/discoloured text to attempt to break the character recognition. I’m not sure if any anti-spam filters attempt OCR on the PDF files, I would assume not. Image based character recognition is extremely slow compared to other methods of detection and there are other signatures in the image/PDF file and the email that can be used to detect this type of spam more efficiently.
Mike/ Rick, our current stats for this type of spam match yours, the volume has increased by about 6x since the first campaigns of this type of spam.
July 24th, 2007 at 12:14
I Hate Spam 4 has been doing a great job for me. Totally happy with the performance (even on these .pdfs it’s 90%+ effective).
July 24th, 2007 at 12:31
Yeah, my Outlook 2003 takes care of them all too
But they are sooo annoying.
July 28th, 2007 at 08:06
The pdf emails seem to be subsiding a little bit. I’ve some success with spambully and spambayes, but a few of these are still going to slip through the cracks.
October 2nd, 2007 at 00:02
Emails are on of the most popular method in terms of spamming. Although it is easy to delete the Spam Emails after they are being received yet it is very difficult to filter such emails. Especially if they contain PDF Spams. Spam Filtering may reduce the number of spams for a short while but you cant say that it is an ultimate solution to Spamming. The reason is that the Spammers are aware of these filtering techniques whether it is Filtering with BogoFire, Spamassasin or some other. There are many websites available that are providing the information on Email-Spamming Solutions but most of this information is either irrelevant or not useful. I have recently visited a website that is
Anti-Spamming Info Website
It contains useful information regarding Spams, Email-Spam, Spam Filtering as well as different kind of Spams that are used.
July 27th, 2009 at 23:36
[...] evolution from those image spams of yesterday (I’m sure you got some of those). From the McAfee Avert Labs Blog: A large “pump-and-dump” stock spam campaign is underway, but rather than including the [...]