Spammers use PDFs to beat filters

Spammers are increasingly adopting PDFs as a new technique in the war against spam filters.

Security researchers first spotted PDF spam at the beginning of June, and by the end of the month it was making up three to four per cent of all spam.

The levels had reached six to eight per cent by July and occasionally hit rates close to 20 per cent.

"If PDF spam evolves like image-based spam we have to prepare for the possibility that PDF spam could account for 20 per cent or more of all spam," said Ralf Iffert, a researcher at IBM's X-Force threat analysis service.

"In fact, we may see this kind of volume increase happen much faster than the two-year rise of image-based spam."

Image-based spam rose to prominence last year after filtering software became much better at recognising text spam using keyword filtering and heuristics. Image spam then moved swiftly to make up the majority of spam picked up by filters.

But most spam filters are unable to check the content of PDF documents, and the spammers are increasingly adopting the technique. As PDFs are also traditionally a business tool, many spam filters are automatically configured not to block them.

One of the first PDF-based spam campaigns involved a pump-and-dump stock scam picked up by Nick Kelly at McAfee's Avert security labs.

"We predicted the appearance of PDF-based spam because .pdf files can be more easily automated than other document formats," he said.

"As .gif-based image spam continues to decline, we expect that spammers will continue to try similar methods of sending image based spam."