Spam filter reports from a couple of months ago suggested the usual barrage of image spam had eased up, but the reality is those images had merely assumed a new identity: Portable Document Format (PDF).
Most vendors of messaging security systems have incorporated some sort of defense against image spam, which has only led spam creators to find novel modes of entry, specifically through what has become the “de facto standard” for sending documents between organizations, said Andrew Graydon, chief technology officer of Mississauga, Ont.-based messaging security vendor BorderWare Technologies Inc.
This latest spam tactic works because most messaging security tools detect images in the form of JPEG, JIF and PNG, for example, but not those in PDF.
“Spammers will always find the vulnerability, and push the limits to find where the majority of vendors are not solving the problem,” said Graydon. And it’s surprising, he added, how few messaging security systems scan the contents of PDF documents – making the tactic successful across 80 per cent of security solutions on the market.
Currently, he said, PDF spam accounts for about 50 per cent of image spam, a marked increase from the initial three per cent when spammers were still testing the waters a couple of months ago before finally opening the floodgates.
PDF spam is just another invasion technique designed to bypass “reasonably effective” defenses against basic image spam, said Larry Karnis, president of Toronto, Ont.-based messaging security provider XPM Software Inc.
“They can put the same image in a PDF document and the PDF document wrapper allows the image to travel through the spam filter undetected,” said Karnis.
But as with all forms of malware, PDF spam – currently a simple format of identical images for content – will soon take on different appearances as it morphs to avoid detection, said Graydon. “We’re going to start seeing some of the exploits happening on the PDF where they’re going to start changing the size of the PDF, and the size of the image inside.”
But Karnis believes PDF spam will be a short-term threat because it is relatively easy for vendors to block: companies that use an anti-spam tool and are under a maintenance agreement with the product vendor should see the problem go away fairly quickly.
Besides, he added, the impact thus far has been nowhere near as severe as the initial image spam attacks that hit last year. And the tactic is hardly economical from the spammer’s point of view, given that PDF attachments tend to inflate message size, thereby reducing the number of outgoing attacks from a botnet.
Spammers at this point are probably trying to work out the economics of PDF spam given the limited number of attacks that can be launched, said Bradley Anstis, director of product management for Basingstoke, U.K.-based Marshal Ltd., a provider of e-mail and internet management solutions.
And although the campaign was initially successful, he said, messaging security vendors will bolster their defenses against the attacks, resulting in an eventual decline in their number.
Currently, Graydon said companies are employing various approaches to the PDF spam problem. Some are passively “grinning and bearing it” because the technology they have in place doesn’t solve the issue. Others are quarantining incoming PDF documents and letting users retrieve the ‘clean’ files from the quarantine.
Karnis isn’t keen on the quarantine approach, saying it’s indicative of an inferior anti-spam product; the quarantine really only serves as a location for e-mail that the spam filter couldn’t decide what to do with.
Others, Graydon added, are making the better decision to deploy superior messaging security systems that can scan the content of PDF documents.
Companies should evaluate the technologies they have in place, agreed Anstis – in particular recommending multi-faceted spam engines to capture multiple forms of spam attacks.
Besides that, he said, “be aware that it’s happening and let employees know. It’s always better to err on the side of caution.”