Pegasus Mail & Mercury

Welcome to the Community for Pegasus Mail and
The Mercury Mail Transport System, the Internet's longest-serving PC e-mail system!

Latest menace: PDF spam

Last post 08-03-2007, 8:25 by davews. 5 replies.
  •  07-12-2007, 17:16

    • Mike is not online. Last active: 03-26-2008, 14:28 Mike
    • Top 25 Contributor
    • Joined on 05-21-2007
    • Member
    • Points 950

    Latest menace: PDF spam

    I've seen a little of this. It seems to be the next thing.

    Beginning to take image spam’s place is PDF spam, where the spammer sends an e-mail message with a PDF attached — which most spam filters can’t read — that attempts to convince the recipient to purchase stocks.

    http://www.macworld.com/news/2007/07/12/pdfspam/index.php?

  •  07-12-2007, 19:56

    Re: Latest menace: PDF spam

    Mike:

    I've seen a little of this. It seems to be the next thing.

    Beginning to take image spam’s place is PDF spam, where the spammer sends an e-mail message with a PDF attached — which most spam filters can’t read — that attempts to convince the recipient to purchase stocks.

    http://www.macworld.com/news/2007/07/12/pdfspam/index.php?

    I've been receiving these for quite some time and they are all caught via SpamHalter and/or POPFileD. Here are the headers for one of these messages, which have a blank body and a PDF attachment. If your spam software is not catching these you might want to change. This particular one was received via MercuryD.

    Received: from spooler by novelltstephenson.com (Mercury/32 v4.51); 11 Jul 2007 20:47:21 -0700
    X-Envelope-To: 2-stephens@mail4.bayarea.net
    X-SPAMWALL: Passed through antiSPAM test by SpamHalter 4.3.0 on novelltstephenson.com (251)
    X-SPAMWALL: probability - 100.0%
    X-SPAMWALL: SPAM detected!
    X-CLAMWALL: Passed through antiviral test by ClamWall 1.1.0 on novelltstephenson.com (122)
    Return-Path: <nacor@freenet.com>
    Delivered-To: 2-stephens@mail4.bayarea.net
    Received: (qmail 16646 invoked by uid 110); 11 Jul 2007 20:46:58 -0700
    Delivered-To: 131-stephens.mail4.bayarea.net@shell4.bayarea.net
    Received: (qmail 16643 invoked from network); 11 Jul 2007 20:46:58 -0700
    Received: from exprod6mx167.postini.com (HELO psmtp.com) (64.18.1.244) by
     shell4.bayarea.net with SMTP; 11 Jul 2007 20:46:58 -0700
    Received: from source ([209.128.100.203]) (using TLSv1) by
     exprod6mx167.postini.com ([64.18.5.10]) with SMTP;
     Wed, 11 Jul 2007 22:46:58 CDT
    Received: from 71-215-180-115.eugn.qwest.net (71-215-180-115.eugn.qwest.net
     [71.215.180.115]) by mx2.bayarea.net (8.13.1/8.13.1) with SMTP id
     l6C3kt83004715 for <stephens@bayarea.net>; Wed, 11 Jul 2007 20:46:56 -0700
    Received: from [226.215.32.70] (helo=xquc) by 71-215-180-115.eugn.qwest.net
     with smtp (Exim 4.66 (FreeBSD)) id 1I9TeH-0005a4-OK;
     Wed, 11 Jul 2007 20:47:25 -0700
    Message-ID: <4695A42D.3070804@freenet.com>
    Date: Wed, 11 Jul 2007 20:46:53 -0700
    From: "Vasquez R. Jo" <nacor@freenet.com>
    User-Agent: Thunderbird 1.5.0.12 (Windows/20070509)
    MIME-Version: 1.0
    To: stephens@bayarea.net
    Subject: Re: article.pdf
    Content-Type: multipart/mixed;
     boundary="------------050005010102010203030007"
    X-pstn-levels:     (S:87.23997/99.90000 R:95.9108 P:95.9108 M:97.0282
     C:98.6951 )
    X-PMFLAGS: 570966016 0 65537 YRANO1EN.CNM                   

    --------------050005010102010203030007
    Content-Type: text/plain; charset=iso-8859-1; format=flowed
    Content-Transfer-Encoding: 7bit



    --------------050005010102010203030007
    Content-Type: application/pdf; name="article.pdf"
    Content-Transfer-Encoding: base64
    Content-Disposition: inline; filename="article.pdf"

    Thomas R. Stephenson
    San Jose, California
    Member of Pegasus Mail Support Team
  •  07-13-2007, 7:07

    • Trader is not online. Last active: 09-08-2008, 15:41 Trader
    • Top 150 Contributor
    • Joined on 05-17-2007
    • Member
    • Points 160

    Re: Latest menace: PDF spam

    Unfortunately I've seen these as well. Add the following to your Spambust.dat file:

    if Subject contains "*.pdf" weight 50

    This will cause email with the following type of subject to be moved automatically to your spam directory.

    Subject:    Re: post_818221518288.pdf

    From what I've seen, all there is in the email is the pdf attachment. If you are reading this and are not aware of the security issues with PDF files, I've included a link to an Adobe security alert. Although the alert appears to be aimed at a "cross-site scripting (XSS) vulnerability in versions 7.0.8 and earlier of Adobe Reader and Acrobat", which appears to be a web browser issue, I would wonder if this is not an attempt to cause someone to load a malicious file on an unprotected system. If you receive an unexpected PDF from an unknown address, I think your best course of action these days is to delete the email.

    http://www.adobe.com/support/security/bulletins/apsb07-01.html

    For what it's worth ......

  •  07-16-2007, 6:20

    • David Harris is not online. Last active: 11-18-2008, 23:20 David Harris
    • Top 10 Contributor
    • Joined on 01-31-2007
    • New Zealand
    • Contributor
    • Points 7,910
    • SystemAdministrator

    Re: Latest menace: PDF spam

    I agree - I've seen a number of these that are not stock pump-and-dump spams but are clearly designed with something more invasive in mind. I now won't open any PDF I receive by mail at all, even if it appears to be from a legitimate address.

    They're quite insidious and very nasty. The sad thing is that they'll probably have a significant impact on the usefulness of PDF as a distribution format.

    Cheers!

    -- David --

  •  08-03-2007, 6:37

    Re: Latest menace: PDF spam

    David Harris:
    They're quite insidious and very nasty. The sad thing is that they'll probably have a significant impact on the usefulness of PDF as a distribution format.

    Unfortunately spamming is profitable and the spammers will impact more than just pdf files over time. It seems that we are always closing the stable door, too late. We are always playing catch-up and always will.

    If more ISPs would block port 25 traffic not going to their own SMTP servers, the spam would dwindle. Telus in Canada has done that and there is very little spam that comes from DSL customers. Telus only allows unhindered port 25 traffic from DSL customers that have a fixed IP (business DSL). If ICANN would require this with the threat of losing your IP address space, then spam would peter out to a large extent. Any open relays or spam spewers can then be easily blocked either locally or with a blackhole list. Just dreaming.

  •  08-03-2007, 8:25

    • davews is not online. Last active: 19 Nov 2008, 20:42 davews
    • Top 100 Contributor
    • Joined on 05-08-2007
    • Member
    • Points 230

    Re: Latest menace: PDF spam

    I have just started using a filter in Mailwasher (which I use to get rid of my spam) which seems to do the job:

    [enabled],"PDF Spam","PDF Spam",16711680,AND,Delete,Body,containsRE,"filename="".*""",Body,contains,"Content-Type: application/pdf;",Body,contains,"Content-Disposition: inline;",Body,contains,"Content-Transfer-Encoding: base64",EntireHeader,contains,"User-Agent: Thunderbird 1.5.0.12 (Windows/20070509)"

    This came from one of the chaps on the Mailwasher forums. It seems to get all the PDF spams, though puzzled to see that they all seem to be sent by people using Thunderbird. Maybe that is the spammer's new secret weapon... Not sure if it could easily be adapted for PM's filters.

    Since I started using it though, most of my spam seems to be ZIP attachments and not PDF, maybe the problem has gone away...

    Dave
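The three detection rules in this thread, Tom's headers showing a blank text part followed by an inline base64 PDF, Trader's Content Control rule on the Subject, and davews' Mailwasher filter on the MIME headers and User-Agent, combined into one scorer. This is an added example written in Python for this page; it is not code from Pegasus Mail, SpamHalter, POPFileD or Mailwasher, and none of those tools run Python. Every weight except Trader's 50, the threshold, the function names and the two sample messages are assumptions: the spam sample is constructed to mirror the headers Tom posted, with the addresses changed to example domains, the Received: chain dropped and a one-line stub in place of the PDF body; the ham sample is likewise constructed. It adds one check the thread does not mention, that a part declared application/pdf actually begins with the %PDF magic bytes.

```python
"""PDF-spam scorer assembled from the heuristics in this thread.

Added example, not Pegasus Mail / SpamHalter / Mailwasher code.  The weights
and the threshold are assumptions for illustration; only Trader's "weight 50"
comes from the thread itself.
"""
import email
from email import policy

# Assumed weights (only the first is from the thread).
SUBJECT_PDF_WEIGHT = 50            # Trader: if Subject contains "*.pdf" weight 50
BLANK_BODY_INLINE_PDF_WEIGHT = 40  # Tom's sample: empty text part + inline base64 PDF
UA_MATCH_WEIGHT = 10               # davews' Mailwasher rule; kept low, the header is forgeable
BOGUS_PDF_WEIGHT = 30              # extra check: declared application/pdf but no %PDF magic
SPAM_THRESHOLD = 50                # assumed; Trader's rule alone is meant to trip it

# Exact User-Agent string from the headers Tom and davews saw.
SPAM_UA = "Thunderbird 1.5.0.12 (Windows/20070509)"


def score_pdf_spam(raw: bytes) -> tuple[int, list[str]]:
    """Return (score, reasons) for a raw RFC 2822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    score, reasons = 0, []

    # Trader's rule, approximated as a substring match on the Subject.
    if ".pdf" in msg.get("Subject", "").lower():
        score += SUBJECT_PDF_WEIGHT
        reasons.append("subject names a .pdf file")

    text_blank = True      # a message with no text part at all also counts as blank
    inline_b64_pdf = False
    bogus_pdf = False
    for part in msg.walk():           # walk() visits every leaf part (and the container)
        ctype = part.get_content_type()
        if ctype == "text/plain":
            if part.get_content().strip():
                text_blank = False
        elif ctype == "application/pdf":
            cte = (part.get("Content-Transfer-Encoding") or "").lower()
            if part.get_content_disposition() == "inline" and cte == "base64":
                inline_b64_pdf = True
            payload = part.get_payload(decode=True) or b""
            if not payload.startswith(b"%PDF"):   # Content-Type can lie; the magic cannot
                bogus_pdf = True

    if text_blank and inline_b64_pdf:
        score += BLANK_BODY_INLINE_PDF_WEIGHT
        reasons.append("blank text body with inline base64 PDF")
    if bogus_pdf:
        score += BOGUS_PDF_WEIGHT
        reasons.append("application/pdf part does not start with %PDF")
    if msg.get("User-Agent", "") == SPAM_UA:
        score += UA_MATCH_WEIGHT
        reasons.append("User-Agent matches the build seen in the PDF spam runs")
    return score, reasons


def is_spam(raw: bytes) -> bool:
    return score_pdf_spam(raw)[0] >= SPAM_THRESHOLD


# Constructed sample modelled on the headers Tom posted (addresses changed to
# example domains, Received: chain dropped, a one-line stub in place of the PDF).
SPAM_SAMPLE = b"""\
From: "Vasquez R. Jo" <nacor@example.com>
To: stephens@example.net
Subject: Re: article.pdf
Date: Wed, 11 Jul 2007 20:46:53 -0700
User-Agent: Thunderbird 1.5.0.12 (Windows/20070509)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="------------050005010102010203030007"

--------------050005010102010203030007
Content-Type: text/plain; charset=iso-8859-1; format=flowed
Content-Transfer-Encoding: 7bit



--------------050005010102010203030007
Content-Type: application/pdf; name="article.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="article.pdf"

JVBERi0xLjQK
--------------050005010102010203030007--
"""

# Constructed legitimate message: real text body, PDF sent as a normal attachment.
HAM_SAMPLE = b"""\
From: Alice <alice@example.org>
To: bob@example.net
Subject: Q3 figures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Bob, the report we discussed is attached. Call me if the totals look off.

--b1
Content-Type: application/pdf; name="q3.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="q3.pdf"

JVBERi0xLjQK
--b1--
"""

if __name__ == "__main__":
    for label, sample in (("spam", SPAM_SAMPLE), ("ham", HAM_SAMPLE)):
        print(label, score_pdf_spam(sample), is_spam(sample))
```

The User-Agent and the inline/base64 layout are the spammer's choices rather than properties of PDF spam, so they carry low weight; davews' remark that the runs moved on to ZIP attachments is a reminder of how quickly such fingerprints expire. The magic-byte check covers the opposite case, a non-PDF dressed up with a PDF Content-Type, which is closer to the malicious-file concern Trader raises.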


Copyright © 2007 David Harris / Peter Strömblad. All Rights Reserved. | Terms of Use | Privacy Statement