New mutation of PDF spam
Last Updated: 2007-07-03 21:04:05 UTC
by Maarten Van Horenbeeck (Version: 2)
A few weeks ago we reported on new spam using PDF attachments. These were professionally designed and contained graphs and detailed information on the stock in question. In general, each covered a single stock listed on the Frankfurt stock exchange.
During the last two days, we've received continuous reports of new PDF spam. This time the attached pages generally differ in size from one message to the next (no longer A4, but 4x3 inch or 6x1 inch). The text has also been obfuscated, which makes it much less readable but also more difficult for spam filters to assess through OCR. The stocks mentioned are now listed on NASDAQ instead of the European exchanges.
UPDATE: Two readers sent in some interesting observations, which appear to match most of the samples we currently have available. Nathan discovered that most PDF stock spam has a corrupted XREF table. He runs incoming PDF files through Ghostscript and searches for error messages to classify them as potential spam. He does note that some PDF creators are not fully compliant with the Adobe standard and seem to cause false positives. WillC reported that each of the PDF scam messages he received had an identical user agent of "Thunderbird 184.108.40.206 (Windows/20070509)".
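The XREF observation above can also be checked directly, without a renderer. The following is an added example, not code from this diary and not Nathan's Ghostscript setup: it verifies that every in-use entry of a classic (non-stream) cross-reference table points at the object it claims to. The function names are hypothetical and the sample PDF is constructed inline.

```python
import re

def build_pdf(corrupt=False):
    """Constructed one-page sample (4x3 inch MediaBox), not a captured spam file."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 288 216] >>"]
    out, offsets = b"%PDF-1.4\n", []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    if corrupt:                      # simulate a damaged table: every offset is wrong
        offsets = [o + 7 for o in offsets]
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % o for o in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\n" % (len(objs) + 1)
    return out + b"startxref\n%d\n%%%%EOF\n" % xref_pos

def xref_errors(data):
    """List inconsistencies in a classic xref table; an empty list means it checks out."""
    m = re.search(rb"startxref\s+(\d+)\s+%%EOF\s*$", data)
    if not m:
        return ["no startxref / %%EOF at end of file"]
    pos = int(m.group(1))
    if data[pos:pos + 4] != b"xref":
        return ["startxref offset %d does not point at an xref table" % pos]
    errors, num = [], 0
    for line in data[pos:].split(b"trailer", 1)[0].splitlines()[1:]:
        parts = line.split()
        try:
            if len(parts) == 2:      # subsection header: first object number, count
                num = int(parts[0])
            elif len(parts) == 3:    # entry: offset, generation, n (in use) / f (free)
                off, gen = int(parts[0]), int(parts[1])
                head = rb"%d\s+%d\s+obj" % (num, gen)
                if parts[2] == b"n" and not re.match(head, data[off:off + 32]):
                    errors.append("object %d: no '%d %d obj' at offset %d" % (num, num, gen, off))
                num += 1
        except ValueError:
            errors.append("unparsable xref line: %r" % line)
    return errors

if __name__ == "__main__":
    for name, pdf in (("clean", build_pdf()), ("damaged", build_pdf(corrupt=True))):
        print(name, xref_errors(pdf) or "xref table consistent")
```

Because non-compliant PDF creators can trip the same check, as noted above, a non-empty result is better used as one scoring signal in a filter than as a verdict on its own.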