Some notes on PDF spam


I started tracking some statistics on PDF spam this weekend.  The following numbers will seem a little inflated (since spam performance metrics always appear better on weekends), but they are still interesting.

Of all the messages with PDF attachments that we scanned this weekend, 85% were messages that contained nothing in the subject line.  Also, of all the PDF attachment messages, 75% had SPF None in the SPF check.  5% had SPF Neutral, 5% had an SPF Hard Fail and 11% had an SPF Soft Fail.  Less than 1% passed an SPF check; I'm betting those are legitimate.

I'm in a bit of a quandary about how to handle mail that is not authenticated.  Most domains don't use any type of authentication, but it would be much easier to reject mail from domains that don't authenticate when it contains suspicious content (such as a PDF attachment).  The thing about non-authenticated mail is that while technically we can't make a judgement one way or the other about it on its own, we can combine the sending history of unauthenticated mail from an IP with other characteristics of the message to get a reasonable guess that mail from that IP is probably spam.
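As an added illustration of that approach (this is not code from the original post): constructed per-message metadata and per-IP history stand in for the scan log, the SPF result split over PDF-carrying mail is computed the way the figures above were, and unauthenticated mail is scored from the IP's history plus the other features mentioned (empty subject, PDF attachment). The weights, the history minimum and the threshold are assumptions.

```python
from collections import Counter

# Constructed message metadata: (source IP, SPF result, subject, attachment
# MIME types). Stands in for a scan log; not real traffic.
MESSAGES = [
    ("198.51.100.7", "none", "", ["application/pdf"]),
    ("198.51.100.7", "none", "", ["application/pdf"]),
    ("198.51.100.9", "softfail", "", ["application/pdf"]),
    ("203.0.113.4", "pass", "Q3 invoice", ["application/pdf"]),
    ("203.0.113.8", "none", "Meeting notes", []),
]

# Constructed per-IP sending history: (messages seen, messages judged spam).
IP_HISTORY = {
    "198.51.100.7": (200, 190),
    "198.51.100.9": (40, 30),
    "203.0.113.4": (500, 2),
    "203.0.113.8": (3, 0),
}

def spf_distribution(messages):
    """Fraction of PDF-carrying messages per SPF result (the post's 75/5/5/11/<1 split)."""
    pdf = [spf for _ip, spf, _subj, atts in messages if "application/pdf" in atts]
    return {result: n / len(pdf) for result, n in Counter(pdf).items()}

def spam_score(message, history):
    """Heuristic score from the SPF verdict, IP history, empty subject and PDF attachment.
    Mail with no usable SPF verdict (none/neutral/softfail) is judged by the IP's past
    behaviour rather than rejected outright, since most domains publish no SPF record."""
    ip, spf, subject, attachments = message
    score = 0.0
    if spf == "pass":
        score -= 3.0           # authenticated sender: strong evidence of legitimacy
    elif spf == "fail":
        score += 3.0           # hard fail: the domain says this IP may not send for it
    elif spf == "softfail":
        score += 1.0
    if spf in ("none", "neutral", "softfail"):
        seen, flagged = history.get(ip, (0, 0))
        if seen >= 10:         # assumed minimum history before trusting the ratio
            score += 4.0 * (flagged / seen) - 1.0   # -1.0 (clean IP) to +3.0 (all spam)
    if not subject.strip():
        score += 1.5           # empty subject line
    if "application/pdf" in attachments:
        score += 1.0           # the suspicious content class discussed above
    return score

def verdict(message, history, threshold=3.0):
    return "spam" if spam_score(message, history) >= threshold else "deliver"
```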

Comments (2)

  1. Norman Diamond says:

    > (since spam performance metrics always appear better on weekends)

    (Huh?)

    > 75% of them had SPF None in the SPF check.  5% had SPF Neutral, 5% had an SPF Hard Fail and 11% had an SPF Soft Fail.

    Forgot what to ask what SPF category messages fall into when the From: line doesn’t even have a hostname.  Yahoo has a spam filter that used to work more than half the time, with additional features that pretended to learn from Yahoo’s paying customers, but somehow they haven’t even learned that From: lines with no hostname have a high rate of spammishness.  I’ve probably marked and reported more than 50 like that now.

    > I’m in a bit of a quandary about how to handle mail that is not authenticated.

    Even if no one can agree yet on which kind of authentication to use, I think there’s been enough time to agree that every ISP would use at least one kind.  Maybe give a month’s notice and say that senders who use no authentication will be rejected after that.  But allow individuals to whitelist exceptions from whom they themselves can receive unauthenticated mail.

  2. tzink says:

    When I say spam performance is better on weekends, I mean that if we filter 90% of email during the weekdays, on weekends it will be closer to 97% so the numbers look inflated.

    > Forgot what to ask what SPF category messages fall into when the From: line doesn’t even have a hostname.

    That would be SPF None.
