Miles Associates LLC

Jim Miles – IT & IT Security Consultant – Web Sites for Growing Organizations

PDF spam on the rise…

Image spam (emails where the content is obscured by making it an image file) is on the decline; the potentially more dangerous PDF spam is getting a start. It is more dangerous because PDF files *can* spread malware (this hasn’t been seen yet, according to the article linked below).

NOTE: Barracuda Spam Firewalls are popular with my customers. I looked at their web site and this is what they have to say about image analysis for spam detection:

“…the Barracuda Spam Firewall also uses image analysis techniques which protect against new image variants. These techniques include:

  • Optical Character Recognition (OCR). Embedding text in images is a popular spamming practice to avoid text processing in anti-spam engines. OCR enables the Barracuda Spam Firewall to analyze the text rendered inside the images.
  • Image Processing. To mitigate attempts by spammers to foil optical character recognition through speckling, shading, or color manipulation, the Barracuda Spam Firewall also utilizes a number of lightweight image processing technologies to normalize the images prior to the OCR phase. More heavyweight image processing algorithms are utilized at Barracuda Central to quickly generate fingerprints that can be used by Barracuda Spam Firewalls to block messages.”

Barracuda doesn’t mention anything about dealing with attachments like PDF files on that page.

And don’t forget to check your quarantines! This law firm cranked up the rigor of their spam filter (also a Barracuda) and they missed a critical email that had a court date in it… they did not show up. Wow.
—————————————————————————————————————————

This story appeared on Network World at
http://www.networkworld.com/news/2007/071107-pdf-spam.html

As image spam declines, PDF spam ready to take its place

New spam technique attaches PDFs that filters can’t read

Security vendors and users agree that image spam is finally on the decline, but at the same time a new kind of spam is emerging that uses an attached PDF file to trick recipients into buying stock in a company.

Image spam, which has plagued antispam filters for the past year, is finally on the decline as e-mail security vendors have tweaked their products to block it, says Paul Henry, vice president of technology evangelism with Secure Computing. Image spam has long fooled filters because the message’s text is embedded in an image found in an e-mail’s body, and filters until recently couldn’t decipher images. At the beginning of July it comprised about 38% of all spam and is now down to about half that volume, says Henry.

“Image spam does seem to be decreasing … Antispam software, RBLs [real-time black lists] and other filtering techniques have done a good job at decreasing the previous spammers’ attempts”

Beginning to take image spam’s place is PDF spam, where the spammer sends an e-mail message with a PDF attached – which most spam filters can’t read – that attempts to convince the recipient to purchase stocks.

So far, PDF spam isn’t approaching the volumes that image spam has enjoyed – Secure Computing’s Henry says in early July it accounted for about 4% of all spam sent – yet this new spam trick could prove to be significantly more malicious. Henry says proof-of-concept code exists that demonstrates security vulnerabilities in PDF files, which means PDF spam could carry malware that is secretly downloaded on the recipient’s PC. Image spam was only dangerous to those recipients who bought the stock that messages were touting and likely lost money on it.
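A filter that cannot read the PDF itself can still triage this pattern from the MIME structure: a PDF attachment (identified by its `%PDF-` header rather than its declared type) on a message with almost no body text. The Python below is an added example, not code from the article or from any vendor; the sample message, the 40-character threshold and the function names are assumptions, and the result is a flag for quarantine review rather than a delete decision.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

PDF_MAGIC = b"%PDF-"  # every PDF file starts with this header


def build_sample(body: str = "\n") -> bytes:
    """Constructed sample: a message carrying a PDF mislabelled as octet-stream."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "report"
    msg.set_content(body)
    msg.add_attachment(
        b"%PDF-1.4\n% constructed placeholder, not a real document\n",
        maintype="application", subtype="octet-stream", filename="report.pdf",
    )
    return msg.as_bytes()


def triage(raw: bytes, min_body_chars: int = 40) -> dict:
    """Report PDF attachments and flag messages whose content is only in the PDF."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().strip() if body is not None else ""
    pdfs = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        # Trust the bytes, not the Content-Type or file name the sender chose.
        if PDF_MAGIC in payload[:1024]:
            pdfs.append({
                "filename": part.get_filename(),
                "declared": part.get_content_type(),
                "size": len(payload),
            })
    return {
        "pdf_attachments": pdfs,
        "body_chars": len(text),
        # Assumed heuristic: PDF present and body too short to be the real message.
        "flag_for_review": bool(pdfs) and len(text) < min_body_chars,
    }


if __name__ == "__main__":
    print(triage(build_sample()))
```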
