Posted to users@spamassassin.apache.org by "John D. Hardin" <jh...@impsec.org> on 2006/08/11 23:50:52 UTC

Word doc spam

One of those "approved invoice" Word doc spams just slipped by Postini
into my work mailbox.

Thinking Antiword, while lightweight compared to OOo, is still too
heavy a solution, I threw the .doc file at the strings command, and
got the following:

$ strings invoice.doc 
bjbjqPqP
Back2School Software Blowout Sale!
Stop overpaying for software.
Buy OEM Software today, Download INSTANTLY &
 HYPERLINK "http://temnieprogi.com" 
Save Over 85%!
Microsoft Office 2003 Professional
w/Contact Manager
Windows XP Professional
Includes Service Pack 1
Adobe Photoshop CS2 v 9.0
#1 Rated Photo Editing software
Adobe Acrobat Professional v 7.0
Essential for Web Documents
Retail Price @ Staples: $549.95
Exclusive Sale Price: $69.95
Retail Price @ Staples: $249.95
Exclusive Sale Price: $49.95
Retail Price @ Staples: $599.95
Exclusive Sale Price: $69.95
Retail Price @ Staples: $449.95
Exclusive Sale Price: $69.95
 HYPERLINK "http://temnieprogi.com" 
Visit our Website and get yours today!
ph333
hRy:
ph333
urn:schemas-microsoft-com:office:smarttags
City
urn:schemas-microsoft-com:office:smarttags
place
SAVE YOUR BUSINESS
William Esther
Normal
William Esther
Microsoft Office Word
Phoenix Management Corporation
SAVE YOUR BUSINESS
Title
_PID_HLINKS
Microsoft Office Word Document
MSWordDoc
Word.Document.8
Phoenix Management Corporation
SAVE YOUR BUSINESS
Title
_PID_HLINKS

*plenty* of fodder. I'm thinking we don't need Antiword or (shudder)
OOo to peer into Word docs to do spam filtering. Just pull the strings
out and run the regular body rules over 'em.

Of course, this might not be robust in the face of simple tricks like
boldfacing every other word, font changes, etc., so Antiword might be
the lightest tool we can use and get reliable results.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174    pgpk -a jhardin@impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The problem is when people look at Yahoo, slashdot, or groklaw and
  jump from obvious and correct observations like "Oh my God, this
  place is teeming with utter morons" to incorrect conclusions like
  "there's nothing of value here".        -- Al Petrofsky, in Y! SCOX
-----------------------------------------------------------------------
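
Added example (not part of the original thread, and not SpamAssassin code): the strings-then-body-rules idea from the post above, in Python. It goes beyond plain `strings` by also scanning for UTF-16LE runs, which an 8-bit scan skips; the rule names, patterns, scores and the sample bytes are constructed for illustration.

```python
import re

MIN_LEN = 4  # same default minimum run length as GNU strings(1)

# Printable ASCII runs, stored as single bytes and as UTF-16LE
# (each character followed by a NUL byte).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Hypothetical body rules (name, pattern, score); not SpamAssassin's own.
RULES = [
    ("OEM_SOFTWARE", re.compile(r"\bOEM\s+software\b", re.I), 2.0),
    ("SAVE_PERCENT", re.compile(r"\bsave\s+over\s+\d+%", re.I), 1.5),
    ("DOC_HYPERLINK", re.compile(r'HYPERLINK\s+"https?://[^"]+"', re.I), 1.0),
]

# Constructed sample: text runs separated by non-text bytes, one run in UTF-16LE.
SAMPLE = (
    b"\xd0\xcf\x11\xe0\x00\x01"
    + b"Buy OEM Software today\r"
    + b"\x13 HYPERLINK \"http://shop.example/\" \x14"
    + b"\x00\x02\xff"
    + "Save Over 85%!".encode("utf-16-le")
    + b"\x00\x00\x07"
)

def extract_strings(data: bytes) -> list[str]:
    """Return printable runs from both encodings, in file order."""
    hits = [(m.start(), m.group().decode("ascii")) for m in ASCII_RUN.finditer(data)]
    hits += [(m.start(), m.group().decode("utf-16-le")) for m in UTF16_RUN.finditer(data)]
    return [text for _, text in sorted(hits)]

def score_attachment(data: bytes) -> tuple[float, list[str]]:
    """Join the extracted runs into one body and apply every rule to it."""
    body = "\n".join(extract_strings(data))
    fired = [(name, score) for name, rx, score in RULES if rx.search(body)]
    return sum(s for _, s in fired), [n for n, _ in fired]

if __name__ == "__main__":
    print(score_attachment(SAMPLE))
```

With only the 8-bit scan, the "Save Over 85%!" run in the sample is never extracted and SAVE_PERCENT does not fire.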


Re: Word doc spam

Posted by decoder <de...@own-hero.net>.
John D. Hardin wrote:
> One of those "approved invoice" Word doc spams just slipped by Postini
> into my work mailbox.
>
> Thinking Antiword, while lightweight compared to OOo, is still too
> heavy a solution, I threw the .doc file at the strings command, and
> got the following:
>
> $ strings invoice.doc
> bjbjqPqP
> Back2School Software Blowout Sale!
> Stop overpaying for software.
> Buy OEM Software today, Download INSTANTLY &
>  HYPERLINK "http://temnieprogi.com"
> Save Over 85%!
> Microsoft Office 2003 Professional
> w/Contact Manager
> Windows XP Professional
> Includes Service Pack 1
> Adobe Photoshop CS2 v 9.0
> #1 Rated Photo Editing software
> Adobe Acrobat Professional v 7.0
> Essential for Web Documents
> Retail Price @ Staples: $549.95
> Exclusive Sale Price: $69.95
> Retail Price @ Staples: $249.95
> Exclusive Sale Price: $49.95
> Retail Price @ Staples: $599.95
> Exclusive Sale Price: $69.95
> Retail Price @ Staples: $449.95
> Exclusive Sale Price: $69.95
>  HYPERLINK "http://temnieprogi.com"
> Visit our Website and get yours today!
> ph333
> hRy:
> ph333
> urn:schemas-microsoft-com:office:smarttags
> City
> urn:schemas-microsoft-com:office:smarttags
> place
> SAVE YOUR BUSINESS
> William Esther
> Normal
> William Esther
> Microsoft Office Word
> Phoenix Management Corporation
> SAVE YOUR BUSINESS
> Title
> _PID_HLINKS
> Microsoft Office Word Document
> MSWordDoc
> Word.Document.8
> Phoenix Management Corporation
> SAVE YOUR BUSINESS
> Title
> _PID_HLINKS
>
> *plenty* of fodder. I'm thinking we don't need Antiword or (shudder)
> OOo to peer into Word docs to do spam filtering. Just pull the strings
> out and run the regular body rules over 'em.
>
> Of course, this might not be robust in the face of simple tricks like
> boldfacing every other word, font changes, etc., so Antiword might be
> the lightest tool we can use and get reliable results.

Sounds good, I also received one of these today... does a plugin exist
already which uses antiword somehow to filter these mails?

Chris