Commtouch Software said it saw a massive surge in PDF spam earlier this week.
About 10 percent to 15 percent of all spam in one day arrived with PDF attachments, according to the Israeli security company's estimates.
"Given the fact that these messages are nearly four times bigger than standard spam messages, this increases overall global spam traffic by 30 percent to 40 percent," said Rebecca Herson, senior director of marketing.
So far, the outbreak has involved 14 billion to 21 billion PDFs and shows no signs of slowing, Herson said.
An analysis of the outbreak over a six-hour period showed it to be a truly global zombie-distributed spam attack, Herson said. About 24 percent of the spam messages were from the US, 14 percent were from Taiwan, and China and Russia accounted for 10 percent and 4 percent, respectively, she said. In all, PDF spam emails are being distributed by computers in 167 countries, she said.
According to Herson, the technique of sending messages as PDF attachments is relatively new and was first detected only a few weeks ago. The current outbreak shows that spammers have widely adopted the technique, she said.
"The popularity of the PDF format for legitimate business communications makes it difficult for traditional anti-spam solutions to block effectively without causing massive false positives," she said.
Spammers seem to be aware of this fact and don't even appear to be trying to disguise their messages, she said. Unlike image spam messages, which were relatively easy to detect, "these look like standard business letters until you look at the contents and see they are about organ enhancers and stock tips," she said.
The spike in PDF spam comes even as there are reports of a steady decline in image spam, which in January constituted more than half of all spam. Symantec, which publishes a monthly spam report, noted a continuing drop in image spam to just over 16 percent of all unwanted messages in May, compared with 27 percent in April and 37 percent in March.
"The drop in image spam this year has been significant," Doug Bowers, senior director of anti-spam engineering at Symantec, said in a statement. "It's clear that spammers are focusing on other techniques such as using links to hosted images to try and get their messages through."
As a result, the spike in PDF spam reported by Commtouch is not surprising or unexpected, Bowers said. "One of the things we have noticed is that spammers are going to poke around one way or the other" to break through anti-spam efforts, he said. Although spammers have been using PDF messages for some time, it is only recently that the growing number of such messages has pointed to a trend, according to Bowers.
"Absolutely, there's been a jump," said Matt Sergeant, a senior anti-spam technologist at UK-based MessageLabs. "Spammers have definitely switched to PDF. Who knows whether it's temporary or permanent, but they're using them in ways once [reserved] for image spam."
Although Sergeant did not cite specifics, he said "a couple of major kingpins of spam" had recently moved to PDF-based messages. "They account for about 50 percent of the spam on the Internet, so when they switched, it created a huge volume of PDF spam."
According to Sergeant, spammers are using PDF in two ways. "The first is a static PDF that they've generated from something like Microsoft Word," he said. The second is more dynamic and automated, and it involves dropping the images cranked out by spam generators into a PDF file, Sergeant said. "The first is used to make the emails look more legitimate," he said, especially when used in "pump-and-dump" stock-scam spam.
Parsing a PDF as possible spam, however, isn't any more difficult for a top-tier security vendor than figuring out whether an image is delivering a spammer's shill, said Sergeant. "One thing that helps [us] is that the PDF specification is widely available," he said.
"But that's also what probably makes it so attractive to spammers, who can use the spec to come up with [creation] engines," Sergeant noted.
Gregg Keizer contributed to this report.