June 27, 2007

New PDF Attachment Spam

As of last night I'm getting PDF attachment spam and the filters aren't getting them. Content analysis isn't catching them because there's nothing in the content of the email to analyze. Just the attachment. The subject always specifies the name of the attachment and sure enough the PDF is attached to the email. I receive catch-all email for my domain, and these emails appear to be addressed to a variety of people that don't exist (although one was addressed to my contact address linked below).

In all of them the following header is present, without exception. I suspect this header is forged.

User-Agent: Thunderbird 1.5.0.12 (Windows/20070509)

I've seen the following variations on the subject line. In all cases, the actual attachment filename is substituted.

Re: File.pdf
Fwd: File.pdf
File.pdf attached

Payload attachments have included Alert6203.pdf (17kb), Unpaid.VQU.pdf (23kb), Chequecfjy.pdf (25kb), Unpaidvpr.pdf (20kb), Bulletinf.pdf (29kb), cashed.wlajd.pdf (21kb), and Journal.pdf (19kb). They always seem to be slightly different names. I haven't dared open the PDFs to see if they're valid, but if it's anything like fax spam it's probably pump-and-dump stock garbage.

A few of the originators include:

Received: from unknown (HELO yukx) (196.37.71.76)
Received: from [103.239.167.221] (helo=vxnnk)
Received: from uvq ([129.204.55.62])
Received: from [205.123.79.171] (helo=pfi)
Received: from htt ([201.235.128.221]) by cpe-065-191-128-181.nc.res.rr.com with
    Microsoft SMTPSVC(5.0.2195.6713); Wed, 27 Jun 2007 03:18:26 -0400
Received: from zrc ([50.121.98.132]) by adsl-1138.camtel.net with Microsoft
    SMTPSVC(6.0.3790.1830); Wed, 27 Jun 2007 00:55:06 -0500
Received: from fhzpv ([206.104.160.239]) by m1-3.customer.lyse.net with
    Microsoft SMTPSVC(5.0.2195.5329); Wed, 27 Jun 2007 06:55:04 +0200

The random gibberish hostnames and range of IP addresses suggest zombie PCs. Perhaps a few with actual MTAs, since all messages got past greylisting.
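Taken together, the indicators above (an empty body carrying one PDF, a subject line built from the attachment name, the fixed User-Agent string, and the bare gibberish HELO names in the Received headers) are enough for a simple scoring pass that content analysis alone misses. The script below is an added example, not code from the original post: it uses the Python standard library's email parser to count how many of those indicators a message shows. The User-Agent string and subject-line shapes are the ones quoted above; the two sample messages, their addresses and hostnames, and the "short undotted lowercase name" rule used to flag a HELO as gibberish are constructed for the example.

```python
import re
from email import message_from_string, policy

# Indicators quoted in the post: the User-Agent on every sample and the
# three subject-line shapes, with the attachment filename substituted.
SUSPECT_USER_AGENT = "Thunderbird 1.5.0.12 (Windows/20070509)"
SUBJECT_PATTERNS = (
    re.compile(r"^(?:Re|Fwd):\s*(?P<name>\S+\.pdf)$", re.IGNORECASE),
    re.compile(r"^(?P<name>\S+\.pdf)\s+attached$", re.IGNORECASE),
)
# Assumed heuristic modelled on the post's samples ("yukx", "htt", "pfi"):
# a HELO name that is a short, undotted run of lowercase letters.
BARE_HELO = re.compile(r"[a-z]{2,6}")

# Constructed sample shaped like the post's description; addresses and
# hostnames are placeholders. The attachment body is just "%PDF-1.4".
SAMPLE_SPAM = """\
Received: from htt ([201.235.128.221]) by mx.example.invalid with
    Microsoft SMTPSVC(5.0.2195.6713); Wed, 27 Jun 2007 03:18:26 -0400
Received: from unknown (HELO yukx) (196.37.71.76)
From: someone@example.invalid
To: nobody@example.invalid
Subject: Re: Alert6203.pdf
User-Agent: Thunderbird 1.5.0.12 (Windows/20070509)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit


--XYZ
Content-Type: application/pdf; name="Alert6203.pdf"
Content-Disposition: attachment; filename="Alert6203.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--XYZ--
"""

# Constructed ordinary message for contrast: a real body, a proper FQDN.
SAMPLE_HAM = """\
Received: from mail.example.invalid (mail.example.invalid [192.0.2.10])
From: colleague@example.invalid
To: you@example.invalid
Subject: Re: lunch on Friday?
Content-Type: text/plain; charset=us-ascii

Works for me, see you at noon.
"""


def helo_name(received):
    """Pull the HELO name out of a Received header value, or None."""
    m = re.search(r"\(helo[ =]([^)\s]+)\)", received, re.IGNORECASE)  # (HELO yukx) / (helo=vxnnk)
    if m:
        return m.group(1)
    m = re.match(r"from\s+([^\s\[(]+)", received)                      # from uvq ([ip])
    if m and m.group(1).lower() != "unknown":
        return m.group(1)
    return None


def subject_attachment_name(subject):
    """Return the .pdf name in the subject if it has one of the post's shapes."""
    for pat in SUBJECT_PATTERNS:
        m = pat.match(subject.strip())
        if m:
            return m.group("name")
    return None


def pdf_attachment_names(msg):
    return [p.get_filename() for p in msg.iter_attachments()
            if p.get_filename() and p.get_filename().lower().endswith(".pdf")]


def body_is_empty(msg):
    body = msg.get_body(preferencelist=("plain", "html"))
    return body is None or not body.get_content().strip()


def score_message(msg):
    """Count the post's indicators present in a parsed message: (score, reasons)."""
    reasons = []
    pdfs = pdf_attachment_names(msg)
    if pdfs and body_is_empty(msg):
        reasons.append("empty body with PDF attachment(s): " + ", ".join(pdfs))
    named = subject_attachment_name(str(msg.get("Subject", "")))
    if named and any(named.lower() == p.lower() for p in pdfs):
        reasons.append("subject names the attached file: " + named)
    if str(msg.get("User-Agent", "")) == SUSPECT_USER_AGENT:
        reasons.append("User-Agent matches the string seen on every sample")
    for rcv in msg.get_all("Received", []):
        name = helo_name(str(rcv))
        if name and BARE_HELO.fullmatch(name):
            reasons.append(f"bare short HELO name {name!r} in Received header")
    return len(reasons), reasons


def classify(raw):
    """Parse a raw RFC 822 message and score it against the indicators above."""
    return score_message(message_from_string(raw, policy=policy.default))


if __name__ == "__main__":
    for label, raw in (("spam sample", SAMPLE_SPAM), ("ham sample", SAMPLE_HAM)):
        score, reasons = classify(raw)
        print(f"{label}: score {score}")
        for reason in reasons:
            print("  -", reason)
```

Each indicator is weak on its own (plenty of legitimate mail has a short HELO or a PDF attached), which is why the script reports a count and the reasons rather than a verdict; a site would pick its own threshold and feed the score into whatever filter already runs, alongside the greylisting that these messages evidently got past.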

I hate zombies. Especially smart ones.

Posted by alexm at June 27, 2007 07:28 AM.
Send comments/suggestions to contact@moundalexis.com.