
Webmaster General Forum

    
Security: PDFs Can't Always Be Trusted
engine

Msg#: 3410757 posted 6:08 pm on Aug 1, 2007 (gmt 0)

Security vendors have warned e-mail users to be as vigilant about PDF attachments as they would for other documents, after seeing a sharp rise in spam embedded within PDF documents.

E-mail security vendor Messagelabs reports that PDFs made up 20 percent of image-based spam messages in July, up 10 percent on the month prior. Image-based spam makes up around 22 percent of total spam, the company said.

The security company believes attackers are using the PDF format due to the fact that it more easily bypasses antivirus and anti-spam filters, and that users tend to trust the authenticity of a PDF over other types of documents, even if they don't recognise the sender.

PDFs Can't Always Be Trusted [zdnet.com.au]

Once again, take care, especially with the pdf spam going round.

 

bwnbwn

Msg#: 3410757 posted 6:51 pm on Aug 1, 2007 (gmt 0)

"Adobe and anti-virus researchers said they have received no reports from customers of virus-infected PDF files. But the company confirmed that infected documents or malicious programs could be embedded within a PDF file using a Microsoft-developed technology called object linking and embedding (OLE), introduced in Acrobat version 4"

I don't think the "no reports" is correct. One thing for sure: I know there is a big problem with bad PDFs on wiki.

trinorthlighting

Msg#: 3410757 posted 7:10 pm on Aug 1, 2007 (gmt 0)

We have been getting a lot of spam on PDF files on all of our emails recently. Most are the stock hype scheme type. We have actually forwarded some to the SEC so they can crack down on the stock hype schemes. Basically, they hype penny stocks hoping the price will rise then sell off at a profit.

jsinger

Msg#: 3410757 posted 7:17 pm on Aug 1, 2007 (gmt 0)

hoping the price will rise then sell off at a profit

That needs to be corrected. The sole purpose of stock spam is to create trading volume to absorb the sale of illiquid stock by the pumper. There is rarely much of a price increase because the pumper is selling from the outset.

g1smd

Msg#: 3410757 posted 7:25 pm on Aug 1, 2007 (gmt 0)

The surge of PDF spam mails started at least six weeks ago. I know of people getting dozens to hundreds of those per day.

sem4u

Msg#: 3410757 posted 7:29 pm on Aug 1, 2007 (gmt 0)

I have had a load of PDF spam emails recently and I have just been deleting them as they come into my inbox. We block thousands of spam emails a day but these are coming through as are some with .zip attachments. Be careful folks. Anti-virus software can be great but it is only as good as the last update.

pontifex

Msg#: 3410757 posted 7:43 pm on Aug 1, 2007 (gmt 0)

more annoying was, that these spam mails suddenly started to pass the spam filters more than gif or jpg attachments. i have had suddenly much more spam in my inbox.
P!

blend27

Msg#: 3410757 posted 8:10 pm on Aug 1, 2007 (gmt 0)

--- pass the spam filters more than gif or jpg attachments ---

Personally I haven't gotten one, yet, nor any email account on several domains I manage that have GreyListing enabled.

On the other hand, the email software should have a feature that enables the administrator to receive attachments only from a trusted source. Once the source is compromised, the ISP that is liable for spam delivered should be paying an hourly rate to the person who opened an email. This might sound like BLAH but money talks, sometimes backwards is the only way to go.

Rodney

Msg#: 3410757 posted 8:30 pm on Aug 1, 2007 (gmt 0)

I've been getting dozens of the PDF spams per day. It did seem to start about 6 weeks ago or so.

I have spam filters in place, and they block the JPG spam just fine, but the PDF spam has gotten through (although it does seem to be learning and getting better).

It's annoying because I actually get PDFs from clients, so the staff has to be extra vigilant.

I actually thought they were viruses and not spam, so I just don't open them.

zeus

Msg#: 3410757 posted 11:13 pm on Aug 1, 2007 (gmt 0)

Ohh, I have seen those for 2 months now, but OK, 98% of my mails are spam, so I'm always up to date.

g1smd

Msg#: 3410757 posted 11:38 pm on Aug 1, 2007 (gmt 0)

I don't remember the exact date. I just recalled a rough timescale from memory. I no longer have an electronic record back that far of what was deleted.

klown

Msg#: 3410757 posted 1:43 am on Aug 2, 2007 (gmt 0)

Around 5 weeks ago my office got completely flooded with these PDFs. It's still going on now. I'm getting a bit of satisfaction that I'm not the only one expected to deal with this.

isorg

Msg#: 3410757 posted 2:40 am on Aug 2, 2007 (gmt 0)

Someone is using my domain name as a return-to address and I'm getting 500 bounced PDF and ZIP emails a day :-(

techrealm

Msg#: 3410757 posted 7:25 am on Aug 2, 2007 (gmt 0)

ISORG: when that has happened to me, the most likely cause is that I had a catchall email address set up on the domain(s). Remove the catchall and set up forwarding email addresses for the addresses you need / desire and just bounce the rest.

I have one desktop instance of a link followed in the "spam" pdf's installing a worm email virus with up to date antivirus watching (grumble); this happened Tuesday last week. The end results were not funny...

designhaus

Msg#: 3410757 posted 8:14 am on Aug 2, 2007 (gmt 0)

Thanks for this warning, Engine. I have personally had huge amounts of spam myself with PDF attachments. My Merak spam filter doesn't seem to stop them either.

Visit Thailand

Msg#: 3410757 posted 8:22 am on Aug 2, 2007 (gmt 0)

I had a catchall email address setup on the domain(s). Remove the catchall and setup forwarding email addresses for the addresses you need / desire and just bounce the rest.

Doesn't this just pass the problem onto someone else? I see how it helps the webmaster of the domain in question but if we bounce them doesn't that just pass on the problem?

I also have been receiving a lot of .pdf attachment spam. Not opened one yet but must admit they are quite clever as the name of the attachment and subject line are quite on target for me.

isorg

Msg#: 3410757 posted 8:36 am on Aug 2, 2007 (gmt 0)

Thanks Techrealm. That's a good idea.

Visit Thailand: I have visions of these spam PDFs endlessly bouncing around the internet for eternity :-)

TammyJo

Msg#: 3410757 posted 12:47 pm on Aug 2, 2007 (gmt 0)

Shoot! Where was I yesterday when this was mentioned!

I just sent out pdf information to our list of past and present advertisers (not something we do much). I wonder how many of them just dumped it without even opening it!

WesleyC

Msg#: 3410757 posted 1:27 pm on Aug 2, 2007 (gmt 0)

I also have been inundated in these things. Every single one seems to have NO body content whatsoever, only a moderately well-targeted subject line and attachment name.

engine

Msg#: 3410757 posted 1:42 pm on Aug 2, 2007 (gmt 0)

Remember, it's what may be embedded as a payload that is a bigger concern.

g1smd

Msg#: 3410757 posted 7:29 pm on Aug 2, 2007 (gmt 0)

One of the payloads is a nasty rootkit and multiple virus files.

techrealm

Msg#: 3410757 posted 8:49 pm on Aug 2, 2007 (gmt 0)

Doesn't this just pass the problem onto someone else?

Mostly no, as the emails are typically "sent from" false accounts, so the bounces time out and are simply lost to age. And two, by having a catchall in place, your server, when queried to check that the email address is good, will send a "yes, that address is good" answer and allow the email to send out.

Another short answer is that most ISPs request you phase out use of catchalls on their servers for various technical reasons.

I also have been receiving a lot of .pdf attachment spam. Not opened one yet but must admit they are quite clever as the name of the attachment and subject line are quite on target for me.

:-) ahh yes then someone you know may have been infected by a worm version and that is copying the email address book and miscellaneous email data to auto generate the spam / worms / rootkits.

It's all fun stuff...

g1smd

Msg#: 3410757 posted 9:18 pm on Aug 2, 2007 (gmt 0)

One way that spammers operate, is by purposely using servers that actively bounce messages back to the supposed sender, to distribute their spam to their intended victims.

Most email systems don't filter out as spam any messages that are supposedly telling you that some other message that you have sent has now been bounced by the recipient.

So, the spammer sends thousands of messages addressed to you, and each one is bounced by your server. Each message came from a different email address, and that "from" email address is the target email address that the spammer actually wanted the spam sent to.

I would silently blackhole those messages, or else configure the server to send a "message not delivered" response without including the content of the original mail.
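
An added example, not part of any post in this thread: bounces for mail you never sent (isorg's 500 a day, and the mechanism described in the post above) can be separated from genuine bounces by checking the original Message-ID carried in the delivery status notification against the IDs your own server issued. It assumes RFC 3464 style `multipart/report` bounces; the sent-ID set, addresses and DSN text are constructed sample data.

```python
import email

def original_message_id(bounce):
    """Message-ID of the mail a DSN says it is returning, or None."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822" and part.is_multipart():
            inner = part.get_payload(0)          # full original attached
        elif ctype == "text/rfc822-headers":     # headers-only copy
            inner = email.message_from_string(part.get_payload())
        else:
            continue
        return (inner.get("Message-ID") or "").strip() or None
    return None

def classify(raw, sent_ids):
    """Return 'not-a-bounce', 'genuine-bounce' or 'backscatter'."""
    msg = email.message_from_string(raw)
    report_type = str(msg.get_param("report-type") or "").lower()
    if msg.get_content_type() != "multipart/report" or report_type != "delivery-status":
        return "not-a-bounce"
    # A DSN whose original Message-ID we never issued (or that carries none)
    # cannot be tied to mail we sent, so it is treated as backscatter.
    return "genuine-bounce" if original_message_id(msg) in sent_ids else "backscatter"

# Constructed sample data: IDs our own outbound server logged, and a DSN template.
SENT_IDS = {"<20070802.0001@example.org>"}

def make_dsn(orig_id):
    return (
        "From: MAILER-DAEMON@mx.example.net\n"
        "To: info@example.org\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nDelivery failed.\n"
        "--b1\nContent-Type: message/delivery-status\n\n"
        "Reporting-MTA: dns; mx.example.net\n\n"
        "Final-Recipient: rfc822; nobody@example.net\nAction: failed\nStatus: 5.1.1\n\n"
        "--b1\nContent-Type: text/rfc822-headers\n\n"
        f"Message-ID: {orig_id}\nFrom: info@example.org\nSubject: invoice.pdf\n"
        "--b1--\n"
    )

if __name__ == "__main__":
    for oid in ("<20070802.0001@example.org>", "<forged-1@spam.invalid>"):
        print(oid, "->", classify(make_dsn(oid), SENT_IDS))
```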

Chico_Loco

Msg#: 3410757 posted 2:26 am on Aug 3, 2007 (gmt 0)

Noticed increase in these too of late, now up to about 3 daily, but one question only: Do they impact the "Preview" application on OS X?

Don't use Windows so couldn't care less about that!

Visit Thailand

Msg#: 3410757 posted 5:29 am on Aug 4, 2007 (gmt 0)

So do I understand it that there is no negative to removing the catchall? I do not want to add to the bouncing email problem.

sonny

Msg#: 3410757 posted 1:48 pm on Aug 11, 2007 (gmt 0)

I've been receiving this email every day for the last month or so, around the time the .pdfs started flooding in:
"You have reached your current SMTP relay limit of 1000 per day on the following hosting account:"

I use GoDaddy's virtual hosting.
Any ideas on how to fix this?

g1smd

Msg#: 3410757 posted 9:30 pm on Aug 11, 2007 (gmt 0)

Do you allow messages to be sent to anyname@yourdomain.com or do you just allow a few combinations?

sonny

Msg#: 3410757 posted 4:00 am on Aug 12, 2007 (gmt 0)

I noticed that the default response for 'anyname' was to bounce it back with a message. These count towards the 1000 message limit. I changed it to 'reject'. Hopefully this will resolve it.
