Computerworld

The season of spam: record growth, record irritation

PDF spam leads the charge into in-boxes as content filtering falters

There is 17% more spam heading for in-boxes today than there was yesterday, and spam watchers say it could get even worse before the summer is over.

Reports from security vendors that trap unwanted messages in their spam filters are bordering on the hysterical as new data emerges daily regarding just how bad the spam epidemic has become. PDF spam, the latest trick, is leading the charge and destined to become this year's version of image spam that fooled filters and clogged inboxes for a good part of 2006.

As the spam barrage continues and spammers come up with one new trick after the next, some question whether scanning an e-mail message's content is still an effective way of detecting unwanted messages.

"The growth (and now peak) of image-based spam is just another outgrowth of the ever-changing spammer dynamic. We have seen some PDF-based spam, and I expect it to grow more. However, it simply represents another 'tool in the arsenal' for the typical spammer," says David Salbego, Unix and operations manager of computing and information systems with Argonne National Laboratory, a division of the Department of Energy (DOE) operated out of the University of Chicago. "Ultimately, filtering spam at the content level will become less and less effective. A better way to control spam, in my opinion, is by considering the source of the message -- the IP address of the mail server attempting to deliver the message."

Indeed, most messaging security vendors now employ a number of techniques to catch spam, including relying on reputation services, which assign a score to sending IP addresses based on that address's past behavior. But no combination of techniques is foolproof, and every time spammers try out a new trick e-mail users suffer until the vendors catch on to the trick and find a way to block those messages.

For example, after a few years of spam volumes on the decline, e-mail users were hit with a sharp rise in spam last fall, when spammers figured out that by embedding text inside an image file they could fool content filters. At the same time there was a significant rise in spammers' use of botnets, armies of PCs taken over by malware and turned into spam servers without their owners realizing it. That can confuse reputation services, because IP addresses that previously had clean reputations suddenly start sending out thousands of messages at once. Those tricks combined accounted for as much as an 80 percent rise in spam levels last October, according to spam watchers.

Now, as antispam filters have been updated to catch image spam, spammers have moved on.

According to Secure Computing, which reported the 17 percent jump in spam levels today over yesterday, spam currently accounts for 88 percent of all e-mail traffic and PDF spam makes up 11 percent of that figure. With current spam levels close to the all-time high of 90 percent, Secure Computing predicts that record will be matched or broken in the next 30 days, according to a company spokesperson.

Messaging security service provider Postini says it saw the biggest spam blast ever from Aug. 7 to 9. The blast, launched from a botnet, combined two popular spam tricks: attached to the e-mail message was a PDF file that many filters can't read to determine whether the content is spam, and the attached file was a "pump and dump" scheme that promoted buying the stock of a company called Prime Time Group.

During this spam blast, spam volume jumped 53 percent in one day, says Postini, and the value of Prime Time Group's stock climbed 20 percent, leaving the spammer -- who likely sold the stock once the price was adequately inflated -- a lot richer.

Meanwhile, spam watchers at McAfee have already spotted a trend within the PDF spam trend. On Aug. 10 the McAfee Avert Labs blog told of FDF spam, messages that use the file extension .FDF instead of .PDF, most likely in an attempt to fool antispam filters that have been updated to scan PDFs for signs of spam.

Proofpoint on Tuesday reported that PDF spam has grown from 5 percent of all spam when it was first detected in late spring to its current 25 percent of all spam. The company also announced that its antispam technology has been updated to catch PDF spam as well as other forms of "attachment spam," such as those with attached Excel files that contain text, as have a handful of other antispam vendors.

And so users of those upgraded products will be protected, until spammers come up with their next trick.