Posted to users@spamassassin.apache.org by Robert Fitzpatrick <li...@webtent.net> on 2007/07/13 18:28:39 UTC
New spam getting by PDFInfo?
Just verified a couple of PDF attachments getting through with our
PDFInfo rules. Can someone test these to see if my PDF rules are working
or if you're able to block? I believe the rules are working as the
latter message is hitting one, just not enough to block. I tried my
access to the PDFInfo link sent to me by the webmaster to see if there
was an update, but it is not working now :(
http://esmtp.webtent.net/clean-V07xSl9h-SZs
http://esmtp.webtent.net/clean-qiPluAlkrxOa
Content analysis details: (4.8 points, 5.0 required)
pts  rule name              description
---- ---------------------- --------------------------------------------------
3.2  HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr 2)
0.2  GMD_PDF_HORIZ          BODY: Contains pdf 120-220 (high) x 350-780 (wide)
1.4  DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
--
Robert
Re: New spam getting by PDFInfo?
Posted by Theo Van Dinter <fe...@apache.org>.
On Fri, Jul 13, 2007 at 12:28:39PM -0400, Robert Fitzpatrick wrote:
> Just verified a couple of PDF attachments getting through with our
> PDFInfo rules. Can someone test these to see if my PDF rules are working
> or if you're able to block?
I don't use PDFInfo, but both of these messages caused TVD_PDF_FINGER01
to hit. FWIW.
--
Randomly Selected Tagline:
Death to all fanatics!
Re: New spam getting by PDFInfo?
Posted by Dallas Engelken <da...@uribl.com>.
McDonald, Dan wrote:
> On Fri, 2007-07-13 at 12:28 -0400, Robert Fitzpatrick wrote:
>
>> Just verified a couple of PDF attachments getting through with our
>> PDFInfo rules. Can someone test these to see if my PDF rules are working
>> or if you're able to block? I believe the rules are working as the
>> latter message is hitting one, just not enough to block. I tried my
>> access to the PDFInfo link sent to me by the webmaster to see if there
>> was an update, but it is not working now :(
>
> running pdfinfo 0.3, I see the first one being analyzed, but not stopped
> by the pdfinfo rule:
>
There is a more current version than 0.3 that probably hits these. When
I tried to access the URLs, they were already gone, but I'd guess they
were the ones that used 'pdf crypt'.
--
Dallas Engelken
dallase@uribl.com
http://uribl.com
Re: New spam getting by PDFInfo?
Posted by "McDonald, Dan" <Da...@austinenergy.com>.
On Fri, 2007-07-13 at 12:28 -0400, Robert Fitzpatrick wrote:
> Just verified a couple of PDF attachments getting through with our
> PDFInfo rules. Can someone test these to see if my PDF rules are working
> or if you're able to block? I believe the rules are working as the
> latter message is hitting one, just not enough to block. I tried my
> access to the PDFInfo link sent to me by the webmaster to see if there
> was an update, but it is not working now :(
running pdfinfo 0.3, I see the first one being analyzed, but not stopped
by the pdfinfo rule:
[22374] dbg: pdfinfo: Filename=Unpaid-ysqupuubxeq.pdf Title=untitled Author=unknown Producer=unknown Created=0 Modified=0
[22374] dbg: pdfinfo: MD5 results for Unpaid-ysqupuubxeq.pdf -
md5=F923904B32BA5534E77C65A2651661D4
fuzzy1=0C751FC7A604AB836B4A10B63BB1449D
fuzzy2=1AF87ABAF88F3C2A80577BE2E3A5886E
[22374] dbg: pdfinfo: Found a PDF file - Unpaid-ysqupuubxeq.pdf
...
X-Spam-Status: No, score=3.4 required=5.0 tests=BOTNET_CLIENT,
BOTNET_IPINHOSTNAME,BOTNET_OTHER,DKIM_POLICY_SIGNSOME,RELAY_US,
TVD_SPACE_RATIO autolearn=disabled version=3.2.1
Botnet probably would have killed this off on my system, but since my
botnet is tied to p0f and I don't have any fingerprint data it won't hit
those rules...
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
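The debug lines above and Dallas's 'pdf crypt' remark refer to facts PDFInfo derives from an attachment without showing how. As an added illustration (not code from this thread or from the PDFInfo plugin), the Python below pulls the same kinds of facts from two constructed PDFs: the file MD5 in the uppercase form the debug line prints, the Info metadata, the page size, and whether the trailer carries an /Encrypt entry. The height/width thresholds are taken from the GMD_PDF_HORIZ description in the first message; using the page MediaBox as the dimension source is an assumption (the plugin's own check may read embedded image dimensions instead).

```python
import hashlib
import re

# Constructed sample: a minimal, unencrypted PDF whose single page is 500 pt wide
# and 150 pt high, the banner shape the GMD_PDF_HORIZ description refers to.
PLAIN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 500 150] >> endobj
4 0 obj << /Producer (constructed-sample) >> endobj
trailer << /Root 1 0 R /Info 4 0 R >>
%%EOF
"""

# Constructed sample: the same document with an /Encrypt entry in the trailer,
# which is what an encrypted ('pdf crypt') attachment carries.
ENCRYPTED_PDF = PLAIN_PDF.replace(b"/Info 4 0 R", b"/Info 4 0 R /Encrypt 5 0 R")


def pdf_summary(data: bytes) -> dict:
    """Collect the fields a PDFInfo-style check needs: md5, metadata, page size, encryption."""
    info = {"md5": hashlib.md5(data).hexdigest().upper()}
    # Info dictionary strings; "unknown" mirrors the debug output when a key is absent.
    for key in ("Title", "Author", "Producer"):
        m = re.search(rb"/" + key.encode() + rb"\s*\(([^)]*)\)", data)
        info[key.lower()] = m.group(1).decode("latin-1") if m else "unknown"
    # Page size from the first /MediaBox [x0 y0 x1 y1] (assumed dimension source).
    box = re.search(rb"/MediaBox\s*\[\s*([\d.]+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s*\]", data)
    if box:
        x0, y0, x1, y1 = (float(v) for v in box.groups())
        info["width"], info["height"] = x1 - x0, y1 - y0
    else:
        info["width"] = info["height"] = None
    # The /Encrypt key lives in the trailer dictionary; its presence alone tells a
    # scanner that the content streams cannot be inspected in the clear.
    trailer = re.search(rb"trailer\s*<<(.*?)>>", data, re.S)
    info["encrypted"] = bool(trailer and b"/Encrypt" in trailer.group(1))
    return info


def horiz_banner(info: dict) -> bool:
    """Apply the GMD_PDF_HORIZ description: 120-220 high by 350-780 wide."""
    h, w = info["height"], info["width"]
    return h is not None and 120 <= h <= 220 and 350 <= w <= 780


if __name__ == "__main__":
    for name, pdf in (("plain", PLAIN_PDF), ("encrypted", ENCRYPTED_PDF)):
        s = pdf_summary(pdf)
        print(name, s["md5"], f"{s['width']:.0f}x{s['height']:.0f}",
              "encrypted" if s["encrypted"] else "clear", "HORIZ" if horiz_banner(s) else "-")
```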