Spam with attached PDF file

evantoliopoulos · 27 Jun 2007, 12:27 PM

Has anyone else noticed an increase in spam where the email contains only a subject line and a PDF attachment - no email body text.

The PDFs have names like Magazine.pdf and Notification.pdf

I haven't - and wont - open the PDFs.

Just curious to know if it is widespread spam or coincidence.

davidbstanley · 27 Jun 2007, 04:07 PM

Yes, I had one. It was called alert.pdf. I opened it and it was one of those stock market emails. Sames as the ones that have GIF attachments.

petergh · 28 Jun 2007, 04:38 AM

Yes, I'm getting those too. Started yesterday, I think, and so far I'm only receiving them through my Hotmail POP link.

janusz · 30 Jun 2007, 01:30 AM

A follow-up: "Junk mails promoting worthless stocks are appearing with an attached PDF file"
German Stock Insider

jeff248 · 30 Jun 2007, 09:30 PM

Any thoughts??? I'm getting about 10 of these a day!!

n5bb · 2 Jul 2007, 08:32 AM

Since these are PDF attachments, I'm guessing that these are bypassing the GIF interpreter spam filter at FastMail. I'm getting a few of there also, but they are all going into my Junk Mail folder. I use address book whitelisting and custom spam filtering, and anything with a spam score over 1.0 automatically goes to Junk Mail. This works well for me.

What typical spam scores are you getting for these PDF spam messages? I think mine typically have scores of 2 to 5.

Unfortunately, there is no ability in the current normal forms-based Rules screens to add to the spam score when certain key items are found. But you could add an Advanced rule which applies a lower spam threshold to messages with PDF attachments, such as the following:

In the Options>Define Rules screen, select the File into folders tab. Add the following Mailing list/File into folders rule:
Message with Advanced
That N/A (not applicable -- ignore)
The text: allof(not header:contains["X-Spam-known-sender"]"yes", header:value"ge":comparator"i;ascii-numeric"["X-Spam-score"]["2"], header:contains "X-Attached" ".pdf"){fileinto"INBOX.Junk Mail";} if false
File into folder: (not applicable -- ignore)
Flag: (not applicable -- ignore)
Order: 0
Add, then Done at the top of the screen.

This rule will create the following Sieve script fragment (near the bottom, but before other filing rules if their Order is 1 or greater):

Code:

if allof( not header:contains["X-Spam-known-sender"]"yes",
          header:value"ge":comparator"i;ascii-numeric"["X-Spam-score"]["2"], 
          header:contains "X-Attached" ".pdf" )
   {fileinto"INBOX.Junk Mail";}
if false {fileinto "Inbox";}

This script will file the message in Junk Mail if all of these are true:

Not whitelisted (the sender is not in the online address book)
Spam score => 2 (you can change this if needed)
PDF attachment

The last "if false..." statement is an artifact of using an Advanced rule, and is always false so never executed.

Bill

elvey · 4 Jul 2007, 04:05 PM

Quote:

Originally Posted by jeff248

Any thoughts??? I'm getting about 10 of these a day!!

Me too. I'm surprised SpamAssassin 3.2 hasn't helped with this. Specifically, the Rules du Jour should be getting updated to flag the ticker symbols in the plain text part of the messages.

I need to check with J&R about how SA has been configured.

Thanks for the Sieve, Bill. I just put that into place (with modifications) for myself.

robmueller · 4 Jul 2007, 06:15 PM

It's image spam, but the image is in the PDF, there's no text component to it at all.

I've updated FuzzyOCR so it tries to look at the first page of attached PDFs, hopefully that's helping.

Rob

elvey · 6 Jul 2007, 03:30 AM

Quote:

Originally Posted by robmueller

It's image spam, but the image is in the PDF, there's no text component to it at all.

I've updated FuzzyOCR so it tries to look at the first page of attached PDFs, hopefully that's helping.

Rob

Seems to be helping - nothing since. Thanks.

janusz · 6 Jul 2007, 11:35 PM

Another challenge: fuzzy PDF menace

hadaso · 31 Jul 2007, 08:31 AM

One thing I noticed is that many of these sorts of spam I see are from dynapic IP addresses but pass greylisting. (I think the same applied to the "greeting card" spam or phishing that I have been receiving tons of lately).

Bob D · 31 Jul 2007, 11:45 PM

"Spammers dump images, switch to PDF files":
http://www.theregister.co.uk/2007/07...switch_to_pdf/

robmueller · 6 Aug 2007, 03:30 PM

Are these PDFs getting through for some people? I've just been on vacation for a week, and got back to find not one got through, but I had about 40 in my Junk Mail folder. Are these being caught for everyone, or just me?

Rob

27 Jun 2007, 12:27 PM	#1
evantoliopoulos Junior Member Join Date: Jul 2006 Location: Sydney, Australia Posts: 15	Spam with attached PDF file Has anyone else noticed an increase in spam where the email contains only a subject line and a PDF attachment - no email body text. The PDFs have names like Magazine.pdf and Notification.pdf I haven't - and wont - open the PDFs. Just curious to know if it is widespread spam or coincidence.

2 Jul 2007, 08:32 AM	#6
n5bb Intergalactic Postmaster Join Date: May 2004 Location: Irving, Texas Posts: 8,929	Sieve rule to file messages with PDF attachments & lower spam scores iinto Junk Mail Since these are PDF attachments, I'm guessing that these are bypassing the GIF interpreter spam filter at FastMail. I'm getting a few of there also, but they are all going into my Junk Mail folder. I use address book whitelisting and custom spam filtering, and anything with a spam score over 1.0 automatically goes to Junk Mail. This works well for me. What typical spam scores are you getting for these PDF spam messages? I think mine typically have scores of 2 to 5. Unfortunately, there is no ability in the current normal forms-based Rules screens to add to the spam score when certain key items are found. But you could add an Advanced rule which applies a lower spam threshold to messages with PDF attachments, such as the following: In the Options>Define Rules screen, select the File into folders tab. Add the following Mailing list/File into folders rule: Message with Advanced That N/A (not applicable -- ignore) The text: allof(not header:contains["X-Spam-known-sender"]"yes", header:value"ge":comparator"i;ascii-numeric"["X-Spam-score"]["2"], header:contains "X-Attached" ".pdf"){fileinto"INBOX.Junk Mail";} if false File into folder: (not applicable -- ignore) Flag: (not applicable -- ignore) Order: 0 Add, then Done at the top of the screen. This rule will create the following Sieve script fragment (near the bottom, but before other filing rules if their Order is 1 or greater): Code: if allof( not header:contains["X-Spam-known-sender"]"yes", header:value"ge":comparator"i;ascii-numeric"["X-Spam-score"]["2"], header:contains "X-Attached" ".pdf" ) {fileinto"INBOX.Junk Mail";} if false {fileinto "Inbox";} This script will file the message in Junk Mail if all of these are true: Not whitelisted (the sender is not in the online address book) Spam score => 2 (you can change this if needed) PDF attachment The last "if false..." statement is an artifact of using an Advanced rule, and is always false so never executed. Bill

27 Jun 2007, 04:07 PM	#2
davidbstanley Cornerstone of the Community Join Date: Aug 2002 Location: Kent, UK Posts: 693	Yes, I had one. It was called alert.pdf. I opened it and it was one of those stock market emails. Sames as the ones that have GIF attachments.

28 Jun 2007, 04:38 AM	#3
petergh Master of the @ Join Date: Jan 2002 Location: Denmark Posts: 1,302	Yes, I'm getting those too. Started yesterday, I think, and so far I'm only receiving them through my Hotmail POP link.

30 Jun 2007, 01:30 AM	#4
janusz The "e" in e-mail Join Date: Feb 2006 Location: EU Posts: 4,945	A follow-up: "Junk mails promoting worthless stocks are appearing with an attached PDF file" German Stock Insider

30 Jun 2007, 09:30 PM	#5
jeff248 Member Join Date: Sep 2004 Posts: 81	Any thoughts??? I'm getting about 10 of these a day!!

4 Jul 2007, 06:15 PM	#8
robmueller Intergalactic Postmaster Join Date: Oct 2001 Location: Melbourne, Australia Posts: 6,102 Representative of: Fastmail.FM	It's image spam, but the image is in the PDF, there's no text component to it at all. I've updated FuzzyOCR so it tries to look at the first page of attached PDFs, hopefully that's helping. Rob

6 Jul 2007, 11:35 PM	#10
janusz The "e" in e-mail Join Date: Feb 2006 Location: EU Posts: 4,945	Another challenge: fuzzy PDF menace

31 Jul 2007, 08:31 AM	#11
hadaso The "e" in e-mail Join Date: Oct 2002 Location: Holon, Israel. Posts: 4,857	One thing I noticed is that many of these sorts of spam I see are from dynapic IP addresses but pass greylisting. (I think the same applied to the "greeting card" spam or phishing that I have been receiving tons of lately).

31 Jul 2007, 11:45 PM	#12
Bob D Senior Member Join Date: Jul 2006 Posts: 151	"Spammers dump images, switch to PDF files": http://www.theregister.co.uk/2007/07...switch_to_pdf/

6 Aug 2007, 03:30 PM	#13
robmueller Intergalactic Postmaster Join Date: Oct 2001 Location: Melbourne, Australia Posts: 6,102 Representative of: Fastmail.FM	Are these PDFs getting through for some people? I've just been on vacation for a week, and got back to find not one got through, but I had about 40 in my Junk Mail folder. Are these being caught for everyone, or just me? Rob