PDF spam not a threat: Adobe

PDF spam is more a nuisance than a security risk, according to Adobe, which claims there is "no hard evidence" where the junk e-mail has become a serious issue.

PDF spam is more a nuisance than a security risk, according to Adobe, which claims there is "no hard evidence" where the junk e-mail has become a serious issue.

Responding to a query on whether PDF spam can embed malicious software, Erick Lee, a security engineer at Adobe, wrote in an e-mail on Wednesday: "PDF is no more able to embed malware on an unsuspecting user's system than any other typical e-mail attachment."

Over the last two months, security vendors have seen a spike in spam embedded within PDF documents. Last week, it was used in a large-scale "pump-and-dump" scam which reportedly caused a huge spike in spam levels, as well as the share price of the company highlighted in the PDF spam campaign.

According to the PDF-creation software maker, there is no hard evidence that such spam exposes users to any security risk.

"Although a nuisance, we have not verified an incident where PDF spam became a security issue," Lee said. "Users can be assured that PDF is still the de facto standard for more secure and dependable electronic information exchange."

Nonetheless, Lee added, the onus is on users to protect themselves. "[We] recommend that users exercise scepticism and caution when receiving unsolicited e-mail communications requesting user action, such as opening attachments or clicking Web links," he said.

In Symantec's latest report, released earlier this week, the security vendor noted that PDF image spam, which started to emerge in June this year and is on the rise, accounted for between two and eight percent of all spam in July.

Ascertaining authenticity
One way a valid PDF sender can ensure that the recipient knows the file is authentic, is to use a certified document digital signature, said Lee.

The security engineer noted that the digital signature, when combined with Adobe Acrobat and Reader, will "provide additional validation of the author and content".

Lee said that, to ensure the security of the PDF document, the company has a Dynamic Link Library (DLL) file called PDF IFilter, which "enables the creation of software that analyses PDF files".

The PDF IFilter is used by security vendors, as well as search-engine companies, to scan the contents of PDF files. "For example, when a user searches for a PDF file on Google, they can click a found link to see the PDF file's contents in a HTML page," Lee explained.

Adobe said it is working with spam-filter companies to help prevent PDF spam from "getting through to inboxes" by implementing the PDF IFilter.

Details on potential vulnerabilities and their solutions are available on Adobe's Web site, and all documented security vulnerabilities and their solutions are distributed through the Adobe security-notification service.