Spammers embed images in PDF files to bypass spam filtering software
Research shows that between 65% and 88% of emails received are considered to be spam. Spam continues to be a headache for administrators and end-users because spammers are constantly trying to stay one step ahead of anti-spam software vendors. On an individual user basis, spam is annoying; it is a waste of time and often contains spyware, malware and even pornography. On a company-wide basis, the same threats apply; however, there is also the financial cost of managing spam that must be taken into consideration.
Up to a few months ago, spam was the domain of text- or HTML-based emails. For anonymous delivery, these messages traditionally relied on abusing open SMTP relays. When open SMTP relays became less common, spammers switched to proxy servers, dial-up services and, more recently, hijacked computers. Spammers designed personalized template emails to deliver their messages and then made use of bulk mailing software for distribution.
To block spam, email service providers and companies often relied on keyword detection, drawing up a list of keywords that commonly appeared in most spam email. This list would often include keywords such as ‘viagra’ or ‘bank’. However, this method often blocked genuine email, and adding more keywords simply resulted in more false positives, which in turn blocked legitimate email. But spammers became smarter too, and they addressed keyword blocking by replacing keywords such as ‘viagra’ with ‘v1agra’.
Another attempt at blocking spam includes making use of blacklists that contain a list of IP addresses of known spammers or compromised hosts. However, these lists have to be constantly updated because spammers have learnt to counteract this by rapidly changing the origin of spam.
By early 2006, most anti-spam vendors had added Bayesian filtering to their arsenal of spam blocking methods. The fight between spam and anti-spam looked like it was taking a positive turn. However, by the end of 2006, the nature of spam had totally shifted.
Whereas spam had been mainly text based, this time spam started looking more graphic in nature. Spammers began making use of images to bypass text-based content filtering, simply by no longer using any text content. By making use of image spam, spammers were attacking the defenses of most anti-spam solutions; while the images displayed text messages to the end users, the anti-spam software was only able to see pixels.
Some email anti-spam solutions decided to go with OCR (Optical Character Recognition) to turn the images into text that the software could then use. However, spammers took their images to the next level. In an approach usually applied to CAPTCHA (an anti-spam solution that is used on web forums), they started fuzzing (including noise and distortions) images to make it even harder for the machine to recognize text. Although it is possible for the machine to read this text, the process is very CPU intensive – especially when it is handling multitudes of images every few seconds.
Although spammers registered considerable success with image spam, the anti-spam software industry quickly came out with new counter-measures to stop it.
As with every cat-and-mouse game, spammers had to respond and in June 2007, they came up with a new technique that is not only ingenious but even more problematic than image spam. Instead of embedding the image within the email itself, they ‘repackaged’ it within an attachment using one of the most common file formats in use today – a PDF file.
This move is clever because email users ‘expect’ spam to be an image or text within the body of the email and not an attachment. Also, since most businesses transfer documents using the PDF format, email users will have to check each PDF document; otherwise they risk losing important documentation.
To address the PDF spam threat, administrators need to deploy as many anti-spam techniques as possible, including Bayesian filtering and PDF filtering, while at the same time maintaining a very low level of false positives.
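One form a PDF filtering check could take, as an added example that is not from GFI or its white paper: flag a message whose body is nearly empty and whose PDF attachment contains image objects but no text-drawing operators. The function names, the 40-character body threshold and the sample messages are assumptions constructed for illustration, and the PDF scan is a byte-level heuristic rather than a full parser.

```python
import re
import zlib
from email import message_from_bytes, policy
from email.message import EmailMessage

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
IMAGE_RE = re.compile(rb"/Subtype\s*/Image")
TEXT_OP_RE = re.compile(rb"\)\s*Tj|\]\s*TJ")  # PDF text-showing operators

def pdf_profile(pdf: bytes) -> dict:
    """Byte-level scan (not a full PDF parser): image XObjects vs. text operators."""
    text_ops = 0
    for raw in STREAM_RE.findall(pdf):
        try:
            data = zlib.decompressobj().decompress(raw)  # FlateDecode stream
        except zlib.error:
            data = raw  # uncompressed, or a filter this sketch does not decode
        text_ops += len(TEXT_OP_RE.findall(data))
    return {"images": len(IMAGE_RE.findall(pdf)), "text_ops": text_ops}

def looks_like_pdf_image_spam(raw_msg: bytes, max_body_chars: int = 40) -> bool:
    """Flag mail with a near-empty body whose PDF holds images but no text."""
    msg = message_from_bytes(raw_msg, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    body_len = len(body.get_content().strip()) if body else 0
    for part in msg.iter_attachments():
        if part.get_content_type() != "application/pdf":
            continue
        p = pdf_profile(part.get_content())
        if p["images"] and not p["text_ops"] and body_len <= max_body_chars:
            return True
    return False

def _stream(dictionary: bytes, data: bytes) -> bytes:
    return dictionary + b"\nstream\n" + zlib.compress(data) + b"\nendstream\nendobj\n"

def sample_message(body: str, pdf: bytes) -> bytes:
    """Constructed test mail: plain-text body plus one PDF attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "document"
    m.set_content(body)
    m.add_attachment(pdf, maintype="application", subtype="pdf", filename="doc.pdf")
    return m.as_bytes()

# Constructed PDF fragments (no xref table; enough for the byte-level scan).
IMAGE_OBJ = _stream(b"5 0 obj << /Type /XObject /Subtype /Image /Width 2 /Height 2 "
                    b"/Filter /FlateDecode >>", b"\x00\xff\xff\x00")
IMAGE_ONLY_PDF = b"%PDF-1.4\n" + IMAGE_OBJ + _stream(
    b"4 0 obj << >>", b"q 200 0 0 200 0 0 cm /Im0 Do Q") + b"%%EOF\n"
TEXT_PDF = b"%PDF-1.4\n" + _stream(
    b"4 0 obj << >>", b"BT /F1 12 Tf 72 700 Td (Invoice for March) Tj ET") + b"%%EOF\n"
```

Requiring the near-empty body alongside the image-only PDF is what keeps scanned documents sent with a normal covering note from being flagged, which matters for the low false-positive rate the article calls for.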
GFI has now released a brand new white paper which explores the PDF spam issue and how to protect against this evolving threat.
For more details, contact GFI Software, Magna House, 18-32 London Road, Staines, Middlesex, TW18 4BP, UK. Tel: +44 (0) 870 770 5370, Fax: +44 (0) 870 770 5377, Email: sales@gfi.co.uk. Web: www.gfi.com

