I started tracking some statistics on pdf spam this weekend. The following numbers will seem a little inflated (since spam performance metrics always appear better on weekends) but they are still interesting. Of all the messages with PDF attachments that we scanned this weekend, 85% of them were messages that contained nothing in the subject line. Also, of all the PDF attachment messages, 75% of them had SPF None in the SPF check. 5% had SPF Neutral, 5% had an SPF Hard Fail and 11% had an SPF Soft Fail. Less than 1% passed an SPF check; I’m betting those are legitimate. I’m in a bit of a quandary about how to handle mail that is not authenticated. Most domains don’t use any type of authentication, but it would be much easier to reject mail from domains that didn’t do it if they contained suspicious content (such as a PDF attachment). The thing about non-authenticated mail is that while technically we can’t make a judgement one way or the other about it, we can use sending history of mail that is not authenticated combined with other characteristics to get a reasonable guess that mail from the IP is probably spam.
Read More… (From Terry Zink’s Anti-spam Blog)
(This is the text of my weekly Loose Wire Service column, syndicated to newspapers like The Jakarta Post. If you’re an editor interested in subscribing to the service, drop me a line. Regular readers of the blog, meanwhile, will be…
Read More… (From loose wire blog)
The spam on my Debian mail system is getting intolerable; 30+ stock pumping spams are getting through the gauntlet every day now. via Nelson’s Weblog
Read More… (From Email Spam News)
Do portraits of them as ASCII art. Amit Agarwal, an India-based blogger of impeccable taste and refinement, does some very cool pictures of 100 bloggers. Including that picture of me looking smarmy in the middle of the kampung: ASCII Art:…
Read More… (From loose wire blog)
“While the US remains top spam dog, the latest chart emphasizes the urgent need for joined-up global action to combat this growing problem”
At the same time that spam has shifted to carrying PDF files to slip past spam-filters, Sophos has released their study of the top 12 spamming countries from the 2nd quarter of 2007. via EbizQ
Read More… (From Email Spam News)
I would like to know this man’s real name. I would like to know the names of all the merchants he worked for. via Scribal Terror
Read More… (From Email Spam News)
Posted Jul 19th 2007 8:21AM by Kevin Kelly Filed under: Good news, Scandals In a move that many consider to be long overdue, the FBI appears to finally be getting serious about spammers and their corrupt and … via Blogging Stocks
Read More… (From Email Spam News)
“N33d m0ney right now? One-hour payday loans”
One of the primary concerns you will have as a blogger or developer of content sites is filtering porn and spam. via Peter Bromberg’s UnBlog
Read More… (From Email Spam News)
I use Gmail as my central email repository and usually the spam filters they use are pretty good. via Martin McKeay’s Network Security Blog
Read More… (From Email Spam News)
Posted Jul 16th 2007 11:44AM by Brian Alvey One of the nice things about not checking email for a couple of days is that I get to catch up on all of my spam. via The Brian Alvey Weblog
Read More… (From Email Spam News)
Filed under: Online - Mags @ 1:17 am Alert Janeite Adrienne was astonished to discover that a spam e-mail she received contained a snippet of text from Emma. via AustenBlog . . . she’s everywhere
Read More… (From Email Spam News)
Just a few items worth mentioning from the SpamSuite web site.
Most interesting is Mark Ferguson’s affidavit in support of Spamhaus’ motion to dismiss on jurisdiction. Nothing unexpected here; it contains his assertions that he does not live in Illinois or do business there, and that E360Insight was definitely sending him spam. Exhibit VII is the most interesting, as it contains a claim from E360 that they had the signup information for Ferguson. The problem is, the alleged signup information uses a bogus IP address, indicating that it was forged after the fact.
Read More… (From The Spam Diaries)
“A bunch of egocentric gossipers talking about the daily crap in their lives.”
The latest uproar in the blogosphere is a new service which will pay bloggers to comment on blogs. via The Blog Herald
Read More… (From Email Spam News)
Defining purpose, focus and audience Let’s get started on the first one, collecting stats on our target blog, Performancing.com. 1. Collect Stats This is a 3-part process: basic blog stats comparison with top … via Performancing.com
Read More… (From Email Spam News)
A lot of people ask me whether they should blog. Usually I give them the stock answer: blog because you’ve got something to say, because you feel you’ve got to write, and because you want to connect to other people on the same…
Read More… (From loose wire blog)
I continue my brief hiatus from sender authentication to comment on the amount of spam we’re seeing.
We continue to see high levels of spam not seen on our networks in previous times. They haven’t really dropped off at all since they started hitting record highs last Tuesday, June 26.
There are two different kinds of spam that are causing some headaches lately. The first is stock spam attached in a pdf file. I realize that I am late to the party in commenting about this (!) but to summarize it, it’s image spam pumping a stock except that the image is contained within a pdf file. There’s a second kind of pdf spam with a really nice-looking prospectus about a penny stock. It almost looks professional. Clearly, spammers are doing this because they figure that sending out spam with images in the message just isn’t doing the job anymore. They are betting that spam filters can’t scan pdf attachments.
I won’t comment one way or the other on that particular assumption, but the spammers are varying their tricks. At first, they were sending out reports with pdf attachments named “Report.pdf” or “Request.pdf.” Recently, they have started varying their tactics and are using a variety of attachment names like “invoice.pdf” or “post.a2bf4tgh5.pdf.” This is a very typical spammer trick - they start small with predictable text and then start using all sorts of variations. They can react fairly quickly so my bet is that the first round of predictable attachment names wasn’t working as well as they had hoped.
The second type of spam that we are seeing (again, I’m late to the party in commenting about this, but I digress) is greeting card spam. As has been pointed out in other blogs, this message says “You have received a greeting card! Click here to view it!” The link, of course, takes you to a web page where you are invited to download some malware onto your system. Spammers have started varying their subject lines, whereas before they read “You have received a greeting card” they now read “Happy 4th of July!” Again, this is a tactic that spammers have used over and over again in the past - using current events in the subject line. I wonder what they’re going to do now that Independence Day has passed?
From an anti-spam perspective, I am hesitant to reveal whether or not we in EHS are any good at dealing with both types of spam; I’m not one to tip my hand in public. However, let me say this: I’ve been around a while and the tactics I am seeing are new variations on old techniques.
Update July 6, 2007: Well, it finally happened. Spammers have moved beyond pdf stock spam and are now using it for pharmacy spam. I guess they found out that putting spam in a pdf is useful.

