How We Stop Email Malware – Part 2

email malware

This is the second part of the How We Stop Email Malware article.

PDF Files

PDF files have been around since 1993 and their successful exploitation in delivering malware started as far back as 2001. Nowadays used to deliver invoices, tax payments and pretty much every kind of document, PDF files are one of the most appealing document format for cyber-criminals.

Mostly embedding malicious scripts that leverage critical vulnerabilities in PDF reader applications, especially buffer overflow vulnerabilities, PDF files are used at large in spam and phishing emails. Another way to infect victims would be to attach an executable file and control the message output by the Reader application, ultimately using social engineering to persuade the victim to open and run the executable.

Now the issue with PDF files resides in the fact that rich content implies embedding dynamic elements such as JavaScript, ActionScript, Dynamic Action Triggers or Retrieve “Live” Data.

This paves the way for hackers to attach scripts to PDF files, especially when the script leverages reported and unpatched vulnerabilities or zero-day flaws. A good example can be found back in 2001 when Peachy Worm used PDF embedded malicious scripts and other dynamic features to deploy malicious payloads and steal credentials. The only things that changed over the years, are the payloads and how they leverage vulnerabilities, as the method of embedding scripts in PDF files remains almost the same.

The modus operandi is similar to the malicious macros. Cyber-criminals embed the malicious script into the PDF file, that automatically runs when the user opens it, delivering the already-attached payload or just downloading it covertly in the background.

Archived Files – ZIP, RAR, TAR, GZIP

In an attempt to trick security solutions, malicious actors have been using archived malicious applications as a cloak from security scanners. Malware obfuscation is basically a technique to make binary code or textual data unreadable or just a bit harder to understand. To add another layer, scammers and phishers use password-protected archives to prevent the malicious applications from being scanned. To gain access to the password-protected archive, users are prompted to click on certain links and be redirected to phishing websites or just use the password presented in the email’s body.

How does SpamExperts stop all these?

As stated in the beginning, we bundle more filters and techniques than any traditional email security solution. For all of the above examples and executable files, we have proprietary signatures, but also bundle third-party antivirus scanners. Our filters block attachments based on filename, extensions, attachments with scripts embedded, by using our scanning technologies. We also scan URLs in the email’s body, as cyber-criminals may link the malicious payload rather than attaching it.

Archived executable files, regardless of their format (zip, rar, tar, gzip, etc), can be automatically blocked and our technologies scan into multiple layers deep. This means that we are able to scan an archive within an archive within an archive, for example. We also use heuristic checks on top of signatures.

Most importantly, we proactively detect spam and phishing emails. Our edge is that not only we block the message based on the attachment, but also based on other anti-spam filters that check its sender, IP address and so on.

This means that we immediately block the spam/phishing message itself, thus giving us the possibility compared to other security solutions to proactively protect customers. Our plethora of filters is actively ensuring email security for billions of email addresses, in a joint effort with our proprietary large intelligence database.

If you’ve found this article helpful, drop us a line in the comment section or spread the word on social media! Until next week, stay free of spam, phishing, viruses and malware!

2 thoughts on “How We Stop Email Malware – Part 2

  1. I just became aware of SpamExperts. I find it to be very useful and wish it had been available a long time ago.

    I have a problem that I hope your can help me with regarding sender blacklisting. I have tried to block all email from .pro, .top, and many other extensions which seem to be magnets for spam generation these days. I am noticing that at least in the case of .pro, some spam is not being blocked. I am using *.pro to block all email from it. Just now I received some spam from, which should have been prevented.

    Can you please advise?


    PS: Any thoughts to adding functionality to block whole countries? I would like to see a choice as to which countries mail could be allowed from. I currently do business only in the states and have no need for it from anywhere else.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s