I continue my brief hiatus from sender authentication to comment on the amount of spam we’re seeing.
We continue to see high levels of spam not seen on our networks in previous times. They haven’t really dropped off at all since they started hitting record highs last Tuesday, June 26.
There are two different kinds of spam that are causing some headaches lately. The first is stock spam attached in a pdf file. I realize that I am late to the party in commenting about this (!) but to summarize it, it’s image spam pumping a stock except that the image is contained within a pdf file. There’s a second kind of pdf spam with a really nice-looking prospectus about a penny stock. It almost looks professional. Clearly, spammers are doing this because they figure that sending out spam with images in the message just isn’t doing the job anymore. They are betting that spam filters can’t scan pdf attachments.
I won’t comment one way or the other on that particular assumption, but the spammers are varying their tricks. At first, they were sending out reports with pdf attachments named “Report.pdf” or “Request.pdf.” Recently, they have started varying their tactics and are using a variety of attachment names like “invoice.pdf” or “post.a2bf4tgh5.pdf.” This is a very typical spammer trick – they start small with predictable text and then start using all sorts of variations. They can react fairly quickly so my bet is that the first round of predictable attachment names wasn’t working as well as they had hoped.
The second type of spam that we are seeing (again, I’m late to the party in commenting about this, but I digree) is greeting card spam. As has been pointed out in other blogs, this message says “You have received a greeting card! Click here to view it!” The link, of course, takes you to a web page where you are invited to download some malware onto your system. Spammers have started varying their subject lines, whereas before they read “You have received a greeting card” they now read “Happy 4th of July!” Again, this is a tactic that spammers have used over and over again in the past – using current events in the subject line. I wonder what they’re going to do now that Independence Day has passed?
From an anti-spam perspective, I am hesitant to reveal whether or not we in EHS are any good at dealing with both types of spam; I’m not one to tip my hand in public. However, let me say this: I’ve been around a while and the tactics I am seeing are new variations on old techniques.
Update July 6, 2007: Well, it finally happened. Spammers have moved beyond pdf stock spam and are now using it for pharmacy spam. I guess they found out that putting spam in a pdf is useful.