Where has all the pdf spam gone?

I'm checking our statistics on the amount of pdf spam we're seeing, and after Aug 20 (last week) it seems to have disappeared.

It hasn't disappeared entirely, of course.  But my spam rules that targeted this stuff have gone from a couple million hits per day to a few tens of thousands of hits per day.  There is a very clear delineation at Aug 20.  So, there are a few possibilities:

  1. Spammers have stopped sending pdf spam.  Either this is temporary until they start up again (more likely), or they have given up on it completely because the anti-spam community has figured out a way to block it (less likely).
  2. Other spam rules that I have created are hitting pdf spam, thus causing some of my tracking rules not to fire.
  3. My stats are wrong and something changed on our internal processes that troll through the logs and update the numbers.
  4. We're blocking the pdf spam mail via blacklists, so we don't content-scan it and hence have no statistics on it.

This is a little weird because we are seeing as much mail as we have ever seen on our network, but my pdf rules have tailed off.

Comments (4)
  1. szurgot says:

    I personally have seen the PDF spam drop off; now it’s the YouTube LMAO phishing scam that I’ve been getting at a rate of about 10 per day.

  2. Justin Mason says:

    hi Terry —

    I haven’t really looked into it, but I would guess that the high volumes of PDF were from the Storm botnet; it appears to have switched to sending that YouTube spam with links to its malware, possibly to "seed" more nodes.

    In our (SpamAssassin’s) spamtraps, Storm output is very heavy these days.

  3. Norman Diamond says:

    I’d have thought that no one would even open a PDF spam except to check whether to send a copy to the SEC.  I thought this would be one of the few cases where spammers would get a net negative result from their activities and that would be why they stopped.

  4. CJ says:

    Maybe because they switched to a different file format. I saw a few .xls come in after this date.

