PDF pump and dump becoming a deluge
QV yesterday's piece on the use of PDF in-line to replace GIF images as a delivery vector for pump and dump messages.

We have many, many more sightings over the weekend which appear to emanate from new botnets in India and the USA. Some of these botnets count among their number hosts belonging to organisations which, arguably, should know better.

For example, one sample arrived from the State of Georgia (167.192.0.0/13).

There is one mitigating action which may help you to keep these things out of users' in-boxes.

Most samples I have seen so far have PDF payloads like:
  • advertisement_51382442584.pdf OR
  • invoice.GQGRTUT.pdf

If you implement a rule to quarantine messages bearing attachments named

  • *_*.pdf (underscore in filename) OR
  • *.*.pdf (period in filename) OR
  • Update 10 July: *-*.pdf (new sightings of hyphen in filename)

then you will trap most of them, although the false positive rate is relatively high (c. 5% here), so you can't just delete them. Not unreasonably, real people do occasionally send PDF attachments with either a period or an underscore in the filename.

Conversely, I have one PDF spam sample here which does not conform to either pattern, though it is greatly outnumbered by those that do.
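As an added example (not the author's own mail filter), the three quarantine globs above applied in Python to attachment names pulled from a MIME message; the message, its addresses and its PDF bytes are constructed for the demonstration, and the verdict is "quarantine" rather than delete because of the false positive rate.

```python
import fnmatch
from email import message_from_string

# Quarantine patterns from the post, in glob form; the hyphen rule is the
# 10 July update. Names are lower-cased first so ".PDF" is caught too.
QUARANTINE_GLOBS = {
    "underscore": "*_*.pdf",
    "period": "*.*.pdf",     # a second period before the .pdf extension
    "hyphen": "*-*.pdf",
}


def matching_rules(filename):
    """Return the names of the rules a PDF attachment filename trips."""
    name = filename.lower()
    return [rule for rule, glob in QUARANTINE_GLOBS.items()
            if fnmatch.fnmatchcase(name, glob)]


def attachment_names(raw_message):
    """Extract attachment filenames from an RFC 822 message string."""
    msg = message_from_string(raw_message)
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def triage(raw_message):
    """Return ('quarantine' | 'deliver', {filename: [rules hit]})."""
    hits = {name: matching_rules(name) for name in attachment_names(raw_message)}
    verdict = "quarantine" if any(hits.values()) else "deliver"
    return verdict, hits


# Constructed sample message (not a real capture) carrying one spam-style name.
SAMPLE_MESSAGE = """\
From: sender@example.invalid
To: user@example.invalid
Subject: hot stock tip
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/pdf; name="invoice.GQGRTUT.pdf"
Content-Disposition: attachment; filename="invoice.GQGRTUT.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

if __name__ == "__main__":
    print(triage(SAMPLE_MESSAGE))
```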

More PDF Pump and Dump

This one is named 08072007.pdf, presumably in honour of the date on which it was sent, and it is also a great deal prettier than those others.

Category: Spam characteristics