With a steep decline in the amount of image spam activity over the past seven months, wishful thinkers may have believed that the pesky junk e-mail would be disappearing from their e-mail boxes forever. Think again. While image spam may be declining, it’s not going away; in fact, it’s simply morphing into a new variety of spam. Say hello to PDF spam.
Incorporated as a PDF attachment to an e-mail, PDF spam is, in essence, the same attempt by spammers to annoy, offend and/or defraud recipients. Same spam, new attempt to get past e-mail antispam filters. For businesses, PDF spam is the most significant trend in spam, and another way to waste employee time and sap valuable network bandwidth and storage resources.
Whereas image spam is a message that contains only an image, typically an embedded .JPG or .GIF file, PDF spammers embed text or an image in a PDF file attachment to evade antispam filters. Like image spam, PDF spam most commonly carries what is referred to as “pump and dump” stock schemes, fake glossy brochures that mimic investor collateral, and phony advertisements for anything from pharmaceuticals to adult products and services.
The truth of the matter is that antispam products, such as Symantec’s Mail Security family of products, have successfully reduced image spam, forcing spammers to find new techniques to evade antispam filters.
While image spam reached its peak in January, accounting for 52 percent of all spam, it bottomed out in mid-July at 8 percent, according to figures from Symantec. That’s about the time spam watchers saw an uptick in spam PDF attachments, reported at between 2 and 8 percent of all spam in July. For the first ten days of August, PDF spam reached hour-to-hour spikes of as much as 30 percent of all spam.
PDF spam, like image spam, consumes bandwidth, storage and computer resources. On average, PDF spam is two to three times as large as text spam, and in some instances has swelled to 10 times as large.
As if it’s not bad enough that two out of every three e-mail messages received by today’s business users are spam, according to Nucleus Research, users spend 16 seconds on average identifying and deleting each spam e-mail, at a cost of $712 per employee in lost productivity.
“When it comes to PDF spam there’s also an increased need for antispam technology to be more surgical in order to weed out the PDF spam and let in legitimate documents,” says Doug Bowers, senior director of engineering for messaging and Web security at Symantec.
Clearly, there’s no time for complacency among e-mail administrators or end users when it comes to spam. Image spam started in the summer of 2006, and one year later spammers have concocted PDF spam.
Know thy enemy. Regardless of the type of spam, botnets are the primary source. Typically, a user with a broadband connection visits a particular URL, gets infected with malware and becomes part of a bot network (botnet) that a spammer controls and uses to send out spam. Bot herders commonly control hundreds of thousands of these machines, sending out spam in an attempt to make money. The top location for bot herders is the U.S., followed by China.
Not only do spammers change spam varieties, but they are also varying the nature of the spam attacks. Three to four years ago, spam attacks had a longer duration, i.e., messages were sent out for days or weeks, giving antispam vendors enough time not only to figure out how to block the spam but to filter messages successfully for days. Today, PDF spam attacks are of short duration and randomized. An attack of PDF spam will continue for an hour, then stop, and then start again.
“With PDF spam and other modern attacks the goal is to respond quickly to burst attacks distributed around the world,” says Bowers.
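As an added illustration of the hourly burst pattern described above (this is example code written for this page, not code from the original article or from Symantec’s products), the following Python reads a constructed mail-gateway log in a hypothetical format, computes the share of messages carrying a PDF attachment in each hour, flags hours that exceed the 30 percent spike mentioned earlier, and compares the average size of PDF-bearing messages with plain ones.

```python
import re
from collections import defaultdict

# Constructed sample of a mail-gateway log (hypothetical format, not Symantec's):
# timestamp, message size in bytes, and the attachment type if any.
SAMPLE_LOG = """\
2007-08-03T09:02:11 size=4120 attach=none
2007-08-03T09:10:37 size=11230 attach=pdf
2007-08-03T09:15:02 size=9877 attach=pdf
2007-08-03T09:33:15 size=12941 attach=pdf
2007-08-03T09:48:08 size=10310 attach=pdf
2007-08-03T10:04:26 size=5120 attach=none
2007-08-03T10:17:53 size=3310 attach=none
2007-08-03T10:29:41 size=12020 attach=pdf
2007-08-03T10:44:19 size=4402 attach=none
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d):\d\d:\d\d size=(\d+) attach=(\w+)$")

def parse_log(text):
    """Return (hour, size, attachment) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m.group(1), int(m.group(2)), m.group(3)))
    return records

def pdf_share_by_hour(records):
    """Fraction of messages in each hour that carry a PDF attachment."""
    total = defaultdict(int)
    pdf = defaultdict(int)
    for hour, _size, attach in records:
        total[hour] += 1
        if attach == "pdf":
            pdf[hour] += 1
    return {h: pdf[h] / total[h] for h in total}

def flag_bursts(records, threshold=0.30):
    """Hours whose PDF share exceeds the threshold (30% matches the spike the article cites)."""
    return sorted(h for h, s in pdf_share_by_hour(records).items() if s > threshold)

def pdf_size_ratio(records):
    """How many times larger the average PDF-bearing message is than the average plain one."""
    pdf = [s for _h, s, a in records if a == "pdf"]
    plain = [s for _h, s, a in records if a == "none"]
    if not pdf or not plain:
        return None
    return (sum(pdf) / len(pdf)) / (sum(plain) / len(plain))
```

On the constructed sample the 09:00 hour is flagged as a burst while the 10:00 hour is not, and the PDF messages come out roughly two to three times the size of the plain ones, in line with the figures quoted above.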
At the corporate level, companies must continue to be vigilant in their response to spam attacks regardless of the variety. In fact, there are early reports from Symantec of spammers using Excel and Zip file attachments in their effort to evade e-mail filters and find new spam varieties.
Even older types of spam, such as greeting card spam, are still quite popular. Symantec reported that in July more than 250 million greeting card spam messages were sent. When the recipient clicks on the bogus link included in the e-mail, a Trojan is downloaded onto the user’s computer.
What to Do?
First and foremost, businesses must deploy an e-mail security solution that blocks spam at the edge of the network before it can eat up storage and bandwidth or get into archiving systems.
Look for e-mail security solutions that are adaptable and dynamic. For example, image spammers try to confuse e-mail filters by slightly altering the image in each message. Symantec, however, uses enhanced predictive heuristics rule filters in its Mail Security products to respond to attacks as they mutate.
The Symantec Brightmail antispam solution offers multiple layers of technologies to create a web of protection against spam threats. Symantec Mail Security, including the 8300 series appliances, offers more than 20 technologies to help fight spam, including IP reputation services, signature technologies and heuristics.
Once the technology is in place, e-mail administrators must make sure that they’re receiving security updates regularly and monitoring system performance to ensure that the number of spam attacks is declining.
It is also critical to educate users about the most recent trends in spam to help with damage control. So, for example, end users must make sure that desktop security is in place and up to date; users should also exercise caution when visiting URLs and avoid things that just don’t look right. Remote users should only use secure communications, such as a virtual private network (VPN), to connect to the office. For laptop users connecting to the Internet via a consumer ISP, it is critical to make sure security software is installed, working and up to date.
When it comes to successfully minimizing spam there are no shortcuts. Companies must be proactive, use robust security solutions and be vigilant.