PDF spammers have started varying attachments to fool spam filters, security vendor MessageLabs has warned.

After appearing only a few months ago, the PDF phenomenon now accounted for 20 percent of the image spam passing through the managed service provider’s network, the company said. In the last fortnight, however, new types of modified PDF spam had started appearing.

Spam filters had now adapted, turning PDFs from a document and attachment type automatically trusted into one that was now being filtered by anti-spam engines, causing the spammers to send out new, altered types of PDF. Techniques included altering the rendering size of PDFs, introducing pixel changes to make PDF blocking using signatures impossible, and adding random text within PDFs.

PDFs were also turning up with security features such as encryption turned on, another feature that made it hard to scan within a document to single out spam from genuine PDFs. The overall aim was to generate so many unique PDFs that anti-spam engines would be overwhelmed.

“This is almost certainly being automated by bots,” said Mark Sunner of MessageLabs. “It will eventually be used in conjunction with social engineering techniques,” he added, referring to targeted PDF attacks where real people were sent documents from known contacts.

According to Sunner, the advantage of a managed service company such as MessageLabs was the ability to detect rogue PDFs by analysing information such as IP source. A corporate gateway would not be able to do this because only the ISP itself would be able to see this information with any degree of reliability. “Where the PDF is coming from can also indicate a problem,” he said.

In recent time, third-party systems for verifying the senders and contents of PDF documents have started to appear, including one from Geotrust that takes advantage of Adobe’s Livecycle Document Security server.