Adobe: No threat from PDF spam

There is no hard evidence that PDF spam exposes users to any security risks, claims the company

PDF spam, junk email with its message attached as a PDF file to get past spam filters, poses no security risk, says Adobe.

Responding to a query on whether PDF spam can embed malicious software, Erick Lee, a security engineer at Adobe, wrote in an email on Wednesday: "PDF is no more able to embed malware on an unsuspecting user's system than any other typical email attachment."

Over the last two months, security vendors have seen a spike in spam embedded within PDF documents. Last week, it was used in a large-scale "pump-and-dump" scam which reportedly caused a huge spike in spam levels, as well as the share price of the company highlighted in the PDF spam campaign.

According to the PDF-creation software maker, there is no hard evidence that such spam exposes users to any security risk.

"Although a nuisance, we have not verified an incident where PDF spam became a security issue," Lee said. "Users can be assured that PDF is still the de facto standard for more secure and dependable electronic information exchange."

Nonetheless, Lee added, the onus is on users to protect themselves. "[We] recommend that users exercise scepticism and caution when receiving unsolicited email communications requesting user action, such as opening attachments or clicking web links," he said.

In Symantec's latest report, released on Monday, the security vendor noted that PDF image spam, which started to emerge in June this year and is on the rise, accounted for between two and eight percent of all spam in July.

Ascertaining authenticity
One way a valid PDF sender can ensure that the recipient knows the file is authentic, is to use a certified document digital signature, said Lee.

The security engineer noted that the digital signature, when combined with Adobe Acrobat and Reader, will "provide additional validation of the author and content".

Lee said that, to ensure the security of the PDF document, the company has a Dynamic Link Library (DLL) file called PDF IFilter, which "enables the creation of software that analyses PDF files".

The PDF IFilter is used by security vendors, as well as search-engine companies, to scan the contents of PDF files. "For example, when a user searches for a PDF file on Google, they can click a found link to see the PDF file's contents in a HTML page," Lee explained.

Adobe said it is working with spam-filter companies to help prevent PDF spam from "getting through to inboxes" by implementing the PDF IFilter.

Details on potential vulnerabilities and their solutions are available on Adobe's website, and all documented security vulnerabilities and their solutions are distributed through the Adobe security-notification service.