PDF flood

Stock spammers pumping Prime Time Group Inc have released a flood of PDF spam, which some security vendors claim is the largest such flood ever. It's certainly intense — we're seeing hundreds of messages a day, spread across a wide range of addresses. The addresses targeted include a large number of 'non-existent' addresses, among them addresses that were invented by other spammers for use in 'From:' lines and have now been harvested and are getting spam in their own right.

Analysis of current PDF messages suggests that there are two groups of stock spammers sending PDF spam currently. The highest volume is being generated by the PRTH.PK spammer, whose output probably makes up a significant proportion of all spam currently being sent. However, there's a second set of PDF spams being sent out at lower volume. In recent days, this sender has sent spam promoting SREA.OB, before switching to CHSH.OB and then to SZSN.OB. The email messages and attached PDFs appear very similar, but minor differences in the style of the filenames and subjects suggest either different senders or different versions of the same software.

Folk wisdom says that high-volume stock spam is the work of two Russian spam gangs, known as Zhelatin and Warezov from the names assigned to the malware they use. The two are rivals, and have even engaged in internecine warfare. A little over a month ago, Zhelatin apparently started a major push to recruit new zombies, using a new generation of their Storm Worm malware. I haven't seen any analyses pointing to Zhelatin as the source of the PRTH.PK spams yet, but there are obviously grounds for speculating that they successfully built their botnet and that this is the result. If that's the case, the other stream of PDF spam could originate from a Warezov botnet, or it might be from an earlier-generation Zhelatin botnet. The big security vendors, who look at this stuff in greater detail than we do, will probably be able to tell us sooner or later.

It does seem that the PRTH.PK share price is responding, which suggests that the PDF spam is getting through to the required number of naive idiots and that the spammers will shortly be dumping their holding and walking away with their money.

We've previously talked about the effectiveness of PDF spam and other new attachment types. Businesses in particular are reluctant to filter PDFs that could contain important corporate documents. However, these messages should still be filterable. The spammers have protected the PDFs to prevent text extraction, but this kind of protection is really little more than a suggestion. Compliant PDF clients can decode and display the contents without needing a password; they just aren't supposed to let the user do anything with the text, such as copy it or extract it automatically. But it's up to the application whether it honors that setting or not, and it's easy enough to build PDF readers that don't. Various vendors are already claiming to be able to block PDF spam reliably, which may mean that they've compiled their own PDF tools from open-source libraries and built them into the filtering chain, or that they're simply filtering on other message characteristics.
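To show what that "protection" actually amounts to from a filter's point of view, here is an added example (not code from the original post or from any vendor) in pure Python. It assumes the spam PDFs use the standard security handler with an owner password set and an empty user password, which is the configuration the paragraph describes: the file is encrypted, but the key is derived from entries stored in the file itself, and the "no copying" restriction is nothing more than a cleared bit in the /P flags. The script implements the revision 2 (40-bit RC4) algorithms from the PDF Reference in full, builds a small constructed PDF in that configuration, reads the /P flags out of the /Encrypt dictionary, and confirms that the empty user password authenticates. The function names (`build_sample_pdf`, `analyse_pdf`, and the helpers) are this example's own.

```python
import hashlib
import re
import struct

# Padding string defined by the PDF standard security handler (PDF Reference 1.4, algorithm 3.2).
PAD = bytes([
    0x28, 0xBF, 0x4E, 0x5E, 0x4E, 0x75, 0x8A, 0x41, 0x64, 0x00, 0x4E, 0x56, 0xFF, 0xFA, 0x01, 0x08,
    0x2E, 0x2E, 0x00, 0xB6, 0xD0, 0x68, 0x3E, 0x80, 0x2F, 0x0C, 0xA9, 0xFE, 0x64, 0x53, 0x69, 0x7A,
])

# /P flag bits (1-indexed, as in the spec) and the user permission each one grants when set.
PERMISSION_BITS = {
    3: "print", 4: "modify", 5: "copy_or_extract", 6: "annotate",
    9: "fill_forms", 10: "extract_for_accessibility", 11: "assemble", 12: "print_high_quality",
}


def rc4(key, data):
    """Plain RC4, the stream cipher used by standard security handler revisions 2 and 3."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def pad_password(pw):
    return (pw + PAD)[:32]


def owner_entry(owner_pw, user_pw):
    """Algorithm 3.3, revision 2: /O is the padded user password RC4-encrypted under a key
    derived from the owner password. It never affects whether a reader can open the file."""
    key = hashlib.md5(pad_password(owner_pw)).digest()[:5]
    return rc4(key, pad_password(user_pw))


def file_key(user_pw, o_entry, p_value, doc_id0):
    """Algorithm 3.2, revision 2 (40-bit key). Every input except the user password is
    stored in the file, so an empty user password means anyone can derive the key."""
    h = hashlib.md5()
    h.update(pad_password(user_pw))
    h.update(o_entry)
    h.update(struct.pack("<I", p_value & 0xFFFFFFFF))  # /P as 4 bytes, low-order byte first
    h.update(doc_id0)
    return h.digest()[:5]


def user_entry(key):
    """Algorithm 3.4, revision 2: /U is the padding string encrypted under the file key.
    A reader authenticates a user password by recomputing this and comparing it to /U."""
    return rc4(key, PAD)


def decode_permissions(p_value):
    """Turn the signed 32-bit /P value into a permission-name -> allowed mapping."""
    bits = p_value & 0xFFFFFFFF
    return {name: bool(bits & (1 << (bit - 1))) for bit, name in PERMISSION_BITS.items()}


# A flat dictionary containing /Filter /Standard; the alternation lets hex strings like <0a1b> through.
ENCRYPT_DICT_RE = re.compile(
    rb"<<(?:[^<>]|<[0-9A-Fa-f\s]*>)*?/Filter\s*/Standard(?:[^<>]|<[0-9A-Fa-f\s]*>)*>>")


def hex_entry(dictionary, name):
    m = re.search(rb"/" + name + rb"\s*<([0-9A-Fa-f\s]*)>", dictionary)
    return bytes.fromhex(m.group(1).decode())


def analyse_pdf(pdf_bytes):
    """Report whether the file is encrypted, whether it opens with no password, and what /P allows."""
    m = ENCRYPT_DICT_RE.search(pdf_bytes)
    if not m:
        return {"encrypted": False}
    d = m.group(0)
    p_value = int(re.search(rb"/P\s+(-?\d+)", d).group(1))
    id_match = re.search(rb"/ID\s*\[\s*<([0-9A-Fa-f]*)>", pdf_bytes)
    doc_id0 = bytes.fromhex(id_match.group(1).decode()) if id_match else b""
    key = file_key(b"", hex_entry(d, b"O"), p_value, doc_id0)
    opens_freely = user_entry(key) == hex_entry(d, b"U")
    perms = decode_permissions(p_value)
    return {
        "encrypted": True,
        "empty_user_password": opens_freely,
        "permissions": perms,
        # The case the post describes: readable by anyone, extraction forbidden only by a flag.
        "extraction_blocked_only_by_flag": opens_freely and not perms["copy_or_extract"],
    }


def build_sample_pdf(owner_pw=b"spammer-secret", user_pw=b"", p_value=-3904):
    """Constructed minimal PDF skeleton (no real pages) with a revision 2 /Encrypt dictionary."""
    doc_id0 = bytes(range(16))  # constructed document ID
    o = owner_entry(owner_pw, user_pw)
    u = user_entry(file_key(user_pw, o, p_value, doc_id0))
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"5 0 obj << /Filter /Standard /V 1 /R 2 /Length 40 /P " + str(p_value).encode() +
            b" /O <" + o.hex().encode() + b"> /U <" + u.hex().encode() + b"> >> endobj\n"
            b"trailer << /Root 1 0 R /Encrypt 5 0 R /ID [<" + doc_id0.hex().encode() +
            b"> <" + doc_id0.hex().encode() + b">] >>\n%%EOF\n")


if __name__ == "__main__":
    print(analyse_pdf(build_sample_pdf()))
```

The /P value -3904 used in the sample clears every permission bit, so `analyse_pdf` reports a file that any reader can open but that asks the reader not to let the user copy or print anything; the `extraction_blocked_only_by_flag` result is the signal a filter would act on, either by scoring the attachment or by simply ignoring the flag and feeding the decrypted content to the usual text analysis. A legitimate document protected the same way produces the same signal, so it is a feature for a scoring system rather than a verdict on its own.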

Gigantic floods like this one make MTAs and security systems work harder, and some spam will get through while their developers and administrators play catch-up. It remains to be seen whether the window of opportunity that follows the introduction of a new spam technique is large enough to make it worth the spammer's time.
