Some notes on PDF spam

I started tracking some statistics on pdf spam this weekend.  The following numbers will seem a little inflated (since spam performance metrics always appears better on weekends) but they are still interesting.

Of all the messages with PDF attachments that we scanned this weekend, 85% of them were messages that contained nothing in the subject line.  Also, of all the PDF attachment messages, 75% of them had SPF None in the SPF check.  5% had SPF Neutral, 5% had an SPF Hard Fail and 11% had an SPF Soft Fail.  Less than 1% passed an SPF check, I'm betting those are legitimate.

I'm in a bit of a quandary about how to handle mail that is not authenticated.  Most domains don't use any type of authentication, but it would be much easier to reject mail from domains that didn't do it if they contained suspicious content (such as a PDF attachment).  The thing about non-authenticated mail is that while technically we can't make a judgement one way or the other about it, we can use sending history of mail that is not authenticated combined with other characteristics to get a reasonable guess that mail from the IP is probably spam.