Posted to users@spamassassin.apache.org by "nws.charlie" <me...@argosyconsole.com> on 2007/07/18 15:52:40 UTC
Catching .pdf Spam
Like many of you, we have been receiving a lot of spam with .pdf
attachments. Perhaps I am missing a rule set, but almost none seemed to be
getting a high enough score to be marked spam. (We mark a score of 3.00 or
more as spam). Can anyone tell me if there is already a ruleset that I
should be using?
I have noticed that 98% of the spam with pdf attachments is being sent
from Thunderbird. I wrote a few rules and added them to my local.cf. Here is
the main one that is working. I am catching most of the spam with this. Does
anyone see anything negative about a rule like this?
header __LOCAL_HEADER_THUNDERBIRD User-Agent =~ /\bthunderbird\b/i
full __LOCAL_HAS_PDF /\b\S*\.pdf\b/i
meta LOCAL_PDF_VIA_THUNDERBIRD (__LOCAL_HEADER_THUNDERBIRD && __LOCAL_HAS_PDF)
score LOCAL_PDF_VIA_THUNDERBIRD 6.0
Thanks All !
MW
--
View this message in context: http://www.nabble.com/Catching-.pdf-Spam-tf4103383.html#a11669157
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Catching .pdf Spam
Posted by Kelson <ke...@speed.net>.
nws.charlie wrote:
> I am catching most of the spam with this. Does
> anyone see anything negative about a rule like this?
>
> header __LOCAL_HEADER_THUNDERBIRD User-Agent =~ /\bthunderbird\b/i
> full __LOCAL_HAS_PDF /\b\S*\.pdf\b/i
> meta LOCAL_PDF_VIA_THUNDERBIRD (__LOCAL_HEADER_THUNDERBIRD && __LOCAL_HAS_PDF)
> score LOCAL_PDF_VIA_THUNDERBIRD 6.0
Well, this message will probably go into your spam folder, since I'm
using Thunderbird and the phrase ".pdf" appears in the message.
--
Kelson Vibber
SpeedGate Communications <www.speed.net>
Re: Catching .pdf Spam
Posted by "nws.charlie" <me...@argosyconsole.com>.
Theo Van Dinter-2 wrote:
>
> On Wed, Jul 18, 2007 at 11:17:03AM -0700, nws.charlie wrote:
>> automatically twice a day. The updates are happening as scheduled, and being
>> placed in var/lib/spamassassin/3.001001/..., however, spamassassin seems to
>> be ignoring the rules there.
>
> Why do you say that? Does "spamassassin --lint -D" show the files being
> used?
>
I say spamassassin is ignoring the rules simply because I was not getting
rule hits on any of the rules in 80_additional.cf when it was only in
var/lib/spamassassin. As soon as I placed a copy in etc/mail/spamassassin
the rules started triggering. I verified this several ways. Most
specifically, when I placed a copy in etc/mail/spamassassin, the rule
TVD_PDF_FINGER01 began triggering for the same messages as my custom rule.
When I remove 80_additional.cf from etc/mail/spamassassin, that rule no
longer triggers, while my custom rule does. 80_additional.cf is still in
var/lib/spamassassin.
> Also, if you're really using 3.1.1 you should think about upgrading.
Yes, we are... I'm looking into that too. Meanwhile, that shouldn't prevent
these rules from working, right?
Thanks again.
Re: Catching .pdf Spam
Posted by Theo Van Dinter <fe...@apache.org>.
On Wed, Jul 18, 2007 at 11:17:03AM -0700, nws.charlie wrote:
> automatically twice a day. The updates are happening as scheduled, and being
> placed in var/lib/spamassassin/3.001001/..., however, spamassassin seems to
> be ignoring the rules there.
Why do you say that? Does "spamassassin --lint -D" show the files being used?
Also, if you're really using 3.1.1 you should think about upgrading.
3.1.9 has been out for a while, and 3.1.10 should be in the next week
or so.
--
Randomly Selected Tagline:
"I decry the current tendency to seek patents on algorithms. There are
better ways to earn a living than to prevent other people from making use of
one's contributions to computer science." - Donald E. Knuth
Re: Catching .pdf Spam
Posted by "nws.charlie" <me...@argosyconsole.com>.
I took over this project (dealing w/spam) with very little instruction or
experience, so my apologies if my questions are ignorant...
I had previously run sa-update manually, and we also have it scheduled
automatically twice a day. The updates are happening as scheduled, and being
placed in var/lib/spamassassin/3.001001/..., however, spamassassin seems to
be ignoring the rules there.
I manually copied 80_additional.cf to etc/mail/spamassassin, and now I am
getting new rule hits, including the TVD_PDF_FINGER01 rule.
According to what I have read, rules should work when they are in
var/lib/spamassassin/.. Do I misunderstand, or do we have something
configured wrong?
Thanks for your replies!
MW
Theo Van Dinter-2 wrote:
>
>
> Run sa-update, there's a rule already in there.
>
>
Re: Catching .pdf Spam
Posted by Theo Van Dinter <fe...@apache.org>.
On Wed, Jul 18, 2007 at 06:52:40AM -0700, nws.charlie wrote:
> more as spam). Can anyone tell me if there is already a ruleset that I
> should be using?
Run sa-update, there's a rule already in there.
--
Randomly Selected Tagline:
Human female: "All in all. This is one day that mitten the kitten will not
soon forget."
Morbo: "Kittens give Morbo gas. In later news the city of New New
York is doomed. Blame rests with known human professor Hubert
Farnsworth and his tiny inferior brain."
Re: Catching .pdf Spam
Posted by "John D. Hardin" <jh...@impsec.org>.
On Wed, 18 Jul 2007, nws.charlie wrote:
> I have noticed that 98% of the spam with pdf attachments is
> being sent from Thunderbird. I wrote a few rules and added them to
> my local.cf. Here is the main one that is working. I am catching
> most of the spam with this. Does anyone see anything negative
> about a rule like this?
>
> header __LOCAL_HEADER_THUNDERBIRD User-Agent =~ /\bthunderbird\b/i
> full __LOCAL_HAS_PDF /\b\S*\.pdf\b/i
> meta LOCAL_PDF_VIA_THUNDERBIRD (__LOCAL_HEADER_THUNDERBIRD && __LOCAL_HAS_PDF)
> score LOCAL_PDF_VIA_THUNDERBIRD 6.0
A real person using Thunderbird cannot send you a pdf, or possibly
even talk about a .pdf file with you...
It has been observed that the user-agent header in these spams
consistently claims to be a specific version of thunderbird. I have
also noticed the same behavior in the past. You might want to add that
to your rule to make it a little more focused.
Also, having one "poison pill" rule is generally a bad idea. There are
subject line patterns in the PDF spams that are fairly consistent and
not similar to what most human correspondents would use.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Where We Want You To Go Today 07/05/07: Microsoft patents in-OS
adware architecture incorporating spyware, profiling, competitor
suppression and delivery confirmation (U.S. Patent #20070157227)
-----------------------------------------------------------------------
6 days until The 38th anniversary of Apollo 11 landing on the Moon
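
Added example, not part of any post in this thread: a Python model of the two false-positive concerns raised in the replies, using the regexes, the 6.0 score and the 3.00 threshold exactly as posted. The helper names, the sample messages, the MIME-part check and the 1.5 alternative score are assumptions of this example, not SpamAssassin's own code or rules.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Sub-rule patterns exactly as posted; threshold and score are from the post too.
UA_RE = re.compile(r"\bthunderbird\b", re.I)
PDF_TEXT_RE = re.compile(r"\b\S*\.pdf\b", re.I)
THRESHOLD, POSTED_SCORE = 3.0, 6.0

def posted_rule_hits(raw):
    """User-Agent header rule AND the 'full' rule, whose regex sees the whole raw message."""
    ua = message_from_string(raw).get("User-Agent", "")
    return bool(UA_RE.search(ua) and PDF_TEXT_RE.search(raw))

def has_pdf_part(raw):
    """Narrower condition (this example's assumption): a MIME part that is a PDF."""
    for part in message_from_string(raw).walk():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "application/pdf" or name.endswith(".pdf"):
            return True
    return False

def narrowed_rule_hits(raw):
    ua = message_from_string(raw).get("User-Agent", "")
    return bool(UA_RE.search(ua)) and has_pdf_part(raw)

def marked_spam(hit, rule_score, other_points=0.0):
    """Threshold verdict: score of this rule if it hit, plus points from other rules."""
    return (rule_score if hit else 0.0) + other_points >= THRESHOLD

def build(user_agent, body, pdf_name=None):
    """Construct a sample message; none of these are real mail from the thread."""
    msg = EmailMessage()
    msg["User-Agent"] = user_agent
    msg["Subject"] = "constructed sample"
    msg.set_content(body)
    if pdf_name:
        msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                           subtype="pdf", filename=pdf_name)
    return msg.as_string()

TB = "Thunderbird (constructed value)"
chat = build(TB, "I uploaded report.pdf to the share, have a look.")  # no attachment
invoice = build(TB, "Invoice attached.", "invoice.pdf")               # legitimate PDF

if __name__ == "__main__":
    for label, raw in (("text only", chat), ("real attachment", invoice)):
        hit = narrowed_rule_hits(raw)
        print(label, posted_rule_hits(raw), hit,
              marked_spam(hit, POSTED_SCORE), marked_spam(hit, 1.5))
```

Requiring a real PDF part removes the hit on the text-only message, but an ordinary Thunderbird user attaching a PDF still matches, so at 6.0 against a 3.00 threshold the rule alone decides the verdict. At a lower score it only tips a message that other rules also flag.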