As previously reported, stock spammers are now increasingly using attached PDFs to carry the payload of their messages. Recently, PDFs even seem to have replaced plaintext stock spam. Out of curiosity, I graphed the trends since the start of the year.

The count of messages represents all stock spam messages received at all our spam traps, so it's probably unwise to draw any conclusions about volume from this — 100 messages might represent spammers hitting 1 address 100 times, or 10 addresses 10 times, and so on. Stock spammers seem particularly 'greedy', so many of the addresses we're logging are actually 'invented' addresses that spammers have created themselves (spammers invent addresses at other people's domains to put in the 'From:' lines of messages they send; by a curious quirk, they then seem to discover these non-existent addresses and start spamming them). However, it does show very clearly how PDF has almost completely replaced GIF as the format of choice.

JPEG and GIF spam are still in use, but they're primarily used for pills, so-called 'OEM' software, and, curiously, escort agencies (which may be simple scams rather than actual escort agencies). This may be because spammers still have spare capacity in the form of zombies loaded with GIF-generating ratware, or it may be a question of targeting. Spammers may believe that corporate IT departments are more likely to pass PDF attachments and that potential buyers of stock spam are more often found in offices than homes, but that the market for pills, warez and sex remains home-based and more likely to respond to an embedded image than an attached PDF.