Ex Spamfrica, semper aliquid novi. PDF spam is only a few weeks old, and the stock spammers are already trying something new. Check your mailbox for the first wave of stock spam sent as Excel spreadsheets (.xls).
Excel spam is a logical development of the current trend. Spammers originally moved to embedded image spam — using JPEGs and GIFs — as a way around text-based spam filtering. When the filter authors started adding OCR capabilities to their filters, the spammers responded by distorting the images to make them unreadable. Unfortunately for the spammers, an image that is unreadable by a machine is also often difficult for humans to read, and the distorted appearance of the resulting images acted as a reminder that the message was a con. The more extreme the distortion, the less 'legitimate' the message appears to be. In time, even the most naive investors must have started rejecting the 'hot tips' arriving in their mailbox as badly-mangled JPEGs full of blurry three-color text.
The other disadvantage is that the mere presence of a JPEG or GIF attachment started to look suspicious. The spam filters didn't even need to try to read the — by now completely unintelligible — image. They just needed to note that the message contained an image and add a few points to the spam score. Combined with other indicators, this was often enough to allow the image spams to be reliably detected.
The spammers shifted tactics again. Instead of JPEG or GIF images, they attached their pitches as PDF documents. The reasoning here was presumably that corporate IT departments would be reluctant to reject something that might be a contract or some other important document. You can confidently say "No stranger needs to send me a GIF image", but a business might well hesitate to reject PDF attachments.
PDF spam showed a rapid evolution. Some early PDF spams simply embedded the same jumbled images as before inside a PDF. PDFs of this kind were used to advertise VPSN.PK, ERMX.OB and SZSN.OB. The problem for the spammers is that this is a giveaway: a PDF that contains nothing but an image is easy to recognize. The spammers shifted back to text-based PDFs that looked more like the kind of corporate documents they hoped to mimic (and had the advantage of being smaller as well), using them to advertise PAYI.OB. But in doing so, they ran back into the original problem: text-based PDFs can be pulled apart and filtered just like plaintext. So the spammers applied the same solution as they did for plaintext, hashbuster text: chunks of random gibberish added to the 'payload' to confuse filters. The second wave of PDF spam for SZSN.OB is of this type, with a short pitch for the stock on the first page followed by five pages of random strings.
Now we have Excel spam, in which the stock pitch is sent as an Excel spreadsheet. Again, the spammers are hoping that IT departments will be reluctant to block what might be important documents. They're also counting on the fact that Microsoft formats tend to be awkward to parse (particularly on non-Windows platforms), so it may take a while for the filter developers to write software that can efficiently dismantle and process the attachments. Word and PowerPoint spam may follow in due course, and no doubt some enterprising spammer will eventually try MP3 spam (probably using linked files rather than embeds, for size reasons).
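The three filtering ideas above (add points for an image attachment, pull text apart and look for hashbuster gibberish, and recognise a Microsoft document by its bytes rather than its declared type) fit into one small scorer. The following is an added example, not code from the original post or from any particular spam filter: the weights, the 4.0 threshold, the gibberish heuristic and the two sample messages are all assumptions of mine. The attachments are stubs (a `%PDF-` header and an OLE2 compound-document signature followed by zeros, not real files) and `XXXX.OB` is a placeholder ticker.

```python
"""Toy attachment-aware stock-spam scorer (added example, not the post's own code)."""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Optional

# Assumed weights: how many points each indicator adds to the spam score.
WEIGHTS = {
    "image": 2.0,      # JPEG/GIF attachment: the image-spam tell
    "pdf": 1.5,        # PDF attachment: weaker alone, businesses get real PDFs
    "ole2": 2.0,       # Excel/Word (OLE2 compound document): macro-virus vector
    "ticker": 1.5,     # OTC-style ticker in the text, e.g. XXXX.OB / XXXX.PK
    "gibberish": 3.0,  # hashbuster text: a large share of random-looking tokens
}
THRESHOLD = 4.0  # assumed cut-off

# File signatures, so a renamed or mislabelled attachment is still classified.
MAGIC = [
    (b"\xff\xd8\xff", "image"),                     # JPEG
    (b"GIF87a", "image"),
    (b"GIF89a", "image"),
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # .xls/.doc/.ppt (OLE2 CFB)
]
TICKER_RE = re.compile(r"\b[A-Z]{3,5}\.(?:OB|PK)\b")
TOKEN_RE = re.compile(r"[A-Za-z0-9]+")
VOWELS = set("aeiouAEIOU")

# Constructed sample bodies (not real mail). The spam body mimics the layout
# described in the post: a short pitch followed by lines of random strings.
CLEAN_BODY = ("Hello Bob, attached is the signed contract from last week. "
              "Please review the dates on page two and let me know if "
              "something needs to change.")
SPAM_BODY = ("Hot tip: XXXX.OB will triple by Friday. Buy before the news breaks.\n"
             "qzxvb k7m3p rtlxw pmnfsk j9x2 vhgq wbzdtr x4k9pl mnvsq ztrkwp\n"
             "bvxzm p8ql2 fhtrs kvvnm gzpltd r3wq9 xmvbk")


def classify_attachment(part) -> Optional[str]:
    """Return 'image', 'pdf', 'ole2' or None for one MIME part.
    Magic bytes win over the declared Content-Type."""
    payload = part.get_payload(decode=True) or b""
    for sig, kind in MAGIC:
        if payload.startswith(sig):
            return kind
    ctype = part.get_content_type()
    if ctype.startswith("image/"):
        return "image"
    if ctype == "application/pdf":
        return "pdf"
    if ctype in ("application/vnd.ms-excel", "application/msword"):
        return "ole2"
    return None


def looks_random(token: str) -> bool:
    """Crude hashbuster heuristic: letters mixed with digits, no vowel at all,
    or a run of four non-vowels. Generated strings trip this far more often
    than written English does."""
    if len(token) < 4:
        return False
    if any(c.isalpha() for c in token) and any(c.isdigit() for c in token):
        return True
    if not any(c in VOWELS for c in token):
        return True
    return re.search(r"[^aeiouAEIOU\d]{4}", token) is not None


def gibberish_ratio(text: str) -> float:
    tokens = TOKEN_RE.findall(text)
    if not tokens:
        return 0.0
    return sum(looks_random(t) for t in tokens) / len(tokens)


def score_message(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and return the score plus which indicators hit."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {}
    for part in msg.iter_attachments():
        kind = classify_attachment(part)
        if kind:
            hits[kind] = WEIGHTS[kind]
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if TICKER_RE.search(text):
        hits["ticker"] = WEIGHTS["ticker"]
    ratio = gibberish_ratio(text)
    if ratio > 0.4:  # assumed: more than 40% random tokens is hashbuster text
        hits["gibberish"] = WEIGHTS["gibberish"]
    return {"score": sum(hits.values()), "hits": hits, "gibberish_ratio": round(ratio, 2)}


def is_spam(raw: bytes) -> bool:
    return score_message(raw)["score"] >= THRESHOLD


def build_sample(kind: str) -> bytes:
    """Build one of two constructed messages: 'clean' (contract + PDF stub) or
    'xls_spam' (pitch + hashbuster + OLE2 stub declared as octet-stream)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.net"
    if kind == "clean":
        msg["Subject"] = "Contract for review"
        msg.set_content(CLEAN_BODY)
        msg.add_attachment(b"%PDF-1.4\n% constructed stub, not a real PDF\n",
                           maintype="application", subtype="pdf", filename="contract.pdf")
    else:
        msg["Subject"] = "Q3 figures"
        msg.set_content(SPAM_BODY)
        ole2_stub = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
        msg.add_attachment(ole2_stub, maintype="application", subtype="octet-stream",
                           filename="figures.xls")
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("clean", "xls_spam"):
        print(name, score_message(build_sample(name)))
```

The clean mail scores 1.5 from its PDF alone, which is the point made above: a PDF is a weak signal and should not reject mail by itself. The spreadsheet spam is recognised from its OLE2 signature even though it is declared as `application/octet-stream`, and the ticker and the gibberish lines push it well over the threshold.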
So far, my spamtraps haven't picked up any Excel stock spam directly. Instead, I'm seeing a wave of backscatter, mostly from German domains. The rejected messages contain attached Excel documents with an English-language pitch for a Frankfurt stock, Exchange Mobile Telecommunications Corp. I'm seeing the bounces because the Excel documents are being rejected by corporate anti-virus software on the lookout for macro viruses: Excel documents, like Word documents, are of questionable acceptability. Filters may be as likely to reject them on the grounds that they're a potential vector for infection as they are to accept them on the grounds that they could be important.
The constant mutation of stock spam suggests that the spammers are seeing a fall in profits and are attributing it to more effective filtering. But there could be another reason, which is that the pool of naive investors is shrinking steadily. Those who are willing to invest money based on a strangely-presented 'tip' from a stranger have probably tried their luck already and been burned. Others may have seen news coverage of stock spam, or absorbed the general lesson that nothing advertised by spam is ever worth buying. There will always be idiots with money to lose, but there are probably fewer of them than before.
The bad news for the spammers is that this is not a problem they can solve simply by changing file format again.