Posted to users@spamassassin.apache.org by Benoît Panizzon <be...@imp.ch> on 2021/06/04 06:19:53 UTC
Plugin to extract Links from PDF
Hi Gang
In the last couple of weeks, I have seen a lot of spam mails containing
just one single PDF, hardly any other text. That PDF again contains a
clickable picture leading to some phishing site or similar.
Of course the URL in the PDF is not being checked against URI
Blacklists.
Also creating a rule to match PDF attachment and little text would
create way too many false positives, as sending 'PDF Emails' seems to
be something quite common.
So I wonder if someone already came up with an AS plugin to extract
links from a PDF and check them against URI blacklists.
--
Kind regards
-Benoît Panizzon- @ home office and reachable as usual
--
I m p r o W a r e A G - Head of Commerce Customers
______________________________________________________
Zurlindenstrasse 29 Tel +41 61 826 93 00
CH-4133 Pratteln Fax +41 61 826 93 01
Switzerland Web http://www.imp.ch
______________________________________________________
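Not part of the thread: an added Python sketch of the extraction step asked about above. It pulls the targets of `/URI` link actions out of a PDF's bytes, including those inside Flate-compressed object streams, and reduces them to the hostnames a URI blacklist would be queried with. The function names and the sample PDF are constructed for this example; it is not a SpamAssassin plugin, and the blacklist query itself is left out.

```python
import re
import zlib

# "/URI" followed by a literal string "(...)" or a hex string "<...>".
URI_RE = re.compile(
    rb"/URI\s*(?:\((?P<lit>(?:\\.|[^\\()])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
HOST_RE = re.compile(r"^https?://(?:[^/?#@]*@)?([^/?#:\[\]]+)", re.I)
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"\n": b""}

def _unescape(lit):
    """Undo PDF literal-string escapes such as \\( \\) \\\\ and \\ddd octal."""
    def repl(m):
        tok = m.group(1)
        return bytes([int(tok, 8) & 0xFF]) if tok[:1] in b"01234567" else ESCAPES.get(tok, tok)
    return re.sub(rb"\\([0-7]{1,3}|.)", repl, lit, flags=re.S)

def extract_pdf_uris(pdf):
    """Targets of /URI actions in the raw file and in Flate-compressed streams."""
    bodies = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:  # object streams (/ObjStm) hide annotations from a plain byte search
            bodies.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # other filters and encrypted files are not handled here
    uris = []
    for m in (m for body in bodies for m in URI_RE.finditer(body)):
        if m.group("hex") is not None:
            digits = re.sub(rb"\s", b"", m.group("hex")).decode("ascii")
            raw = bytes.fromhex(digits + "0" * (len(digits) % 2))
        else:
            raw = _unescape(m.group("lit"))
        uri = raw.decode("latin-1").strip()
        if uri and uri not in uris:
            uris.append(uri)
    return uris

def lookup_hosts(uris):
    """Distinct lower-cased hostnames of http(s) URIs; userinfo, ports, IPv6 skipped."""
    hits = (HOST_RE.match(u) for u in uris)
    return list(dict.fromkeys(m.group(1).lower() for m in hits if m))

# Constructed input, not a real spam sample: plain, hex-encoded and compressed links.
SAMPLE_PDF = (b"1 0 obj << /Subtype /Link /A << /S /URI /URI (https://phish.example.com/x) >> >> endobj\n"
              b"2 0 obj << /A << /S /URI /URI <687474703A2F2F6578616D706C652E6F7267> >> >> endobj\n"
              b"3 0 obj << /Type /ObjStm /Filter /FlateDecode >> stream\n"
              + zlib.compress(b"<< /S /URI /URI (http://login.example.net/a\\(1\\)) >>")
              + b"\nendstream endobj\n")
```

Literal strings containing unescaped nested parentheses are not matched by this pattern, so a full PDF parser is the safer choice where one is available.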
Re: Plugin to extract Links from PDF
Posted by Benny Pedersen <me...@junc.eu>.
On 2021-06-07 13:58, Benoît Panizzon wrote:
> So extracting the link URI from a PDF and checking this against URI
> blacklists would probably be more clever.
It's not the URL, it's if the PDF executes JavaScript or contains macros that
autoload malware, so the URL is irrelevant.
Google YARA and Foxhole.
I use all Foxhole, no surprises anymore.
Re: Plugin to extract Links from PDF
Posted by Benoît Panizzon <be...@imp.ch>.
Hi Rupert
> A clickable picture should trigger a web client only if the pdf
> contains a script for this action, which you can detect using clamav.
Interesting, we use ClamAV. Is this some special setting? A quick
Google search did not reveal how to do this.
But I suspect PDFs containing clickable elements are nothing suspicious
per se, and just blocking them would cause a lot of false positives.
So extracting the link URI from a PDF and checking this against URI
blacklists would probably be more clever.
Re: Plugin to extract Links from PDF
Posted by Rupert Gallagher <ru...@protonmail.com>.
A clickable picture should trigger a web client only if the pdf contains a script for this action, which you can detect using clamav.