Here's a new style of PDF spam (recipient email address is munged): http://Puffin.net/software/spam/samples/0004_pdf_gen3.eml
This time, it (apparently) is plain text with a link to an ED site, with rather explicit language. I've only found two of these so far.

From a technical point of view, it's interesting (aka annoying), because it's a LOT smarter than the 2nd wave stock fuzzy images. Most notable are:

- no longer has an empty text part (that was a dead giveaway)
- instead of an empty RealName, uses the account name (ok, that's a bit dumb)
- does not put the attachment filename in the Subject (still has "PDF" somewhere)
- uses different (less obvious) PDF generator software (none of my old (albeit cautious) tags hit)
- uses "application/octet-stream" instead of "application/pdf" as the Content-Type
- has a bogus anti-viral text part as the final part of the message

I've updated my own rules to look for that content type, and some obvious new tags.

Dallas, based on what you've posted, I'm pretty sure I know some of the tags you were keying on, and suspect this new style breaks those. This sample does have several good candidates for new tags (possibly even more distinctive than the previous style - I haven't done a mass check yet).

My gut instinct is that these are different gangs, and almost all of the PDFs I'm seeing are still the previous style, so existing solutions should still be useable for some time. On my system, these have all been stopped by a combination of "small PDF", Nation of origin/route, and bogus Realname tests.

There is one other potentially interesting pattern, but with only two data points to extrapolate from, I will resist the temptation to draw a straight line. :)

Does anyone have a sample of the very FIRST wave? The ones that looked like a prospectus? I've seen a screen dump, but that's useless for analysis.

- "Chip"
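As an added example (not part of the original post, and not the poster's rules), the following Python sketch checks a message for three of the traits listed above: a PDF declared as "application/octet-stream", "PDF" in the Subject, and a RealName equal to the account name. The tag names, addresses and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

PDF_MAGIC = b"%PDF-"  # PDF files carry this header near the start of the file


def pdf_spam_traits(raw: bytes) -> list[str]:
    """Return (hypothetical) tag names for traits listed in the post."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()

    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""  # transfer-decoded bytes
        name = (part.get_filename() or "").lower()
        # Identify the PDF by content or filename, not by its declared type.
        is_pdf = PDF_MAGIC in payload[:1024] or name.endswith(".pdf")
        if is_pdf and part.get_content_type() == "application/octet-stream":
            hits.add("PDF_AS_OCTET_STREAM")

    if "PDF" in str(msg["Subject"] or "").upper():
        hits.add("PDF_WORD_IN_SUBJECT")

    from_hdr = msg["From"]
    for addr in (from_hdr.addresses if from_hdr else ()):
        # RealName filled in with the account name (local part of the address)
        if addr.display_name and addr.display_name.lower() == addr.username.lower():
            hits.add("REALNAME_IS_LOCALPART")

    return sorted(hits)


def build_sample(subtype: str) -> bytes:
    """Constructed test message; every value here is made up."""
    m = EmailMessage()
    m["From"] = "jsmith <jsmith@example.com>"
    m["To"] = "user@example.org"
    m["Subject"] = "Your PDF statement"
    m.set_content("Please see the attached document.")
    m.add_attachment(b"%PDF-1.4\n% constructed sample\n",
                     maintype="application", subtype=subtype,
                     filename="doc7731.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    print(pdf_spam_traits(build_sample("octet-stream")))
    print(pdf_spam_traits(build_sample("pdf")))
```

Each trait is weak on its own (legitimate mailers also send PDFs as "application/octet-stream"), so the tags are better treated as inputs to a score than as a verdict.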