Posted to users@spamassassin.apache.org by WebTent <li...@webtent.net> on 2007/07/22 00:52:14 UTC

New PDF?

I have a few PDFs getting through now after doing pretty good, the
latest 0.4 pdfinfo + sa 3.1.7 + sare rules + sa-update is not scoring
enough on these:

http://esmtp.webtent.net/mail1.txt
http://esmtp.webtent.net/mail2.txt

Do I need to tweak my rules scores to catch or is someone else able to
block these otherwise? All of these seem to hit the same two rules,
would it be OK to test for only those two rules and block or raise their
score, or would that hit too much ham?

 0.6 GMD_PDF_ENCRYPTED      BODY: Attached PDF is encrypted
 1.0 TVD_PDF_FINGER01       Mail matches standard pdf spam fingerprint

-- 
Robert


Re: New PDF?

Posted by Theo Van Dinter <fe...@apache.org>.
On Sat, Jul 21, 2007 at 06:52:14PM -0400, WebTent wrote:
> Do I need to tweak my rules scores to catch or is someone else able to
> block these otherwise? All of these seem to hit the same two rules,
> would it be OK to test for only those two rules and block or raise their
> score, or would that hit too much ham?
> 
>  0.6 GMD_PDF_ENCRYPTED      BODY: Attached PDF is encrypted
>  1.0 TVD_PDF_FINGER01       Mail matches standard pdf spam fingerprint

I don't know what the first rule is so have no information about its hit
rates.  The second one hits 0 ham in the SA nightly test runs.  If you aren't
likely to receive legit mails in a similar format, feel free to up that score.

-- 
Randomly Selected Tagline:
"I left it unlocked overnight, and it was finally stolen. The insurance
 check paid for a textbook." - Unknown about the Renault LeCar
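
Added example, not part of the original thread or of SpamAssassin: one way to check on your own sorted mail how often a rule combination hits ham before raising its score, by tallying the `tests=` list of `X-Spam-Status` headers. The sample headers and their ham/spam labels are constructed, and the function names are hypothetical.

```python
import re

# Constructed X-Spam-Status headers (not taken from the thread), each paired
# with a hand-assigned label, standing in for a locally sorted mail corpus.
SAMPLES = [
    ("spam", "X-Spam-Status: No, score=1.6 required=5.0 tests=GMD_PDF_ENCRYPTED,\n"
             "\tTVD_PDF_FINGER01 autolearn=no version=3.1.7"),
    ("spam", "X-Spam-Status: No, score=1.8 required=5.0 tests=GMD_PDF_EMPTY_BODY,\n"
             "\tGMD_PDF_ENCRYPTED,TVD_PDF_FINGER01 autolearn=no version=3.1.7"),
    ("spam", "X-Spam-Status: Yes, score=7.1 required=5.0 tests=BAYES_99,HTML_MESSAGE "
             "autolearn=no version=3.1.7"),
    ("ham",  "X-Spam-Status: No, score=0.6 required=5.0 tests=GMD_PDF_ENCRYPTED "
             "autolearn=no version=3.1.7"),
    ("ham",  "X-Spam-Status: No, score=0.0 required=5.0 tests=none "
             "autolearn=ham version=3.1.7"),
    ("ham",  "X-Spam-Status: No, score=0.0 required=5.0 tests=HTML_MESSAGE "
             "autolearn=no version=3.1.7"),
]


def rules_hit(header):
    """Return the set of rule names listed in the tests= field of a header."""
    flat = re.sub(r"\s+", " ", header)  # unfold continuation lines
    m = re.search(r"tests=([\w, ]*?)(?= \w+=|$)", flat)
    if not m:
        return set()
    names = {r.strip() for r in m.group(1).split(",") if r.strip()}
    return names - {"none"}  # "none" means no rule fired


def combo_hits(samples, combo):
    """Count (hits, total) per label for messages that hit every rule in combo."""
    counts = {"ham": [0, 0], "spam": [0, 0]}
    for label, header in samples:
        counts[label][1] += 1
        if set(combo) <= rules_hit(header):
            counts[label][0] += 1
    return {label: tuple(c) for label, c in counts.items()}


if __name__ == "__main__":
    for combo in ({"GMD_PDF_ENCRYPTED"},
                  {"GMD_PDF_ENCRYPTED", "TVD_PDF_FINGER01"}):
        print(sorted(combo), combo_hits(SAMPLES, combo))
```

A combination can never hit more ham than its least ham-prone member, so the ham count for the pair is the number to look at before scoring it.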

Re: New PDF?

Posted by Dave Pooser <da...@pooserville.com>.
> Current version is v0.6.   And sigs for those were added last
> Thursday...  

The web page at <http://www.rulesemporium.com/plugins.htm> still identifies
it as 0.4 with a mod date of July 16, FYI. The linked file is 0.6, though.
-- 
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
"...Life is not a journey to the grave with the intention of arriving
safely in one pretty and well-preserved piece, but to slide across the
finish line broadside, thoroughly used up, worn out, leaking oil, and
shouting GERONIMO!!!" -- Bill McKenna



Re: New PDF?

Posted by Dallas Engelken <da...@uribl.com>.
WebTent wrote:
> I have a few PDFs getting through now after doing pretty good, the
> latest 0.4 pdfinfo + sa 3.1.7 + sare rules + sa-update is not scoring
> enough on these:
>
>   

Current version is v0.6.   And sigs for those were added last 
Thursday...   

> http://esmtp.webtent.net/mail1.txt
>   

        *  0.6 GMD_PDF_ENCRYPTED BODY: Attached PDF is encrypted
        *  2.0 GMD_PDF_FUZZY2_T11 BODY: Fuzzy tags Match
        *      5A4CB7600371063164BB7AFA6EDE7FE9
        *  0.2 GMD_PDF_EMPTY_BODY BODY: Attached PDF with empty message body
        *  3.0 GMD_PDF_STOX_M4 PDF Stox spam

> http://esmtp.webtent.net/mail2.txt
>
>   
        *  2.0 GMD_PDF_FUZZY2_T9 BODY: Fuzzy tags Match
        *      875C8F0810E6524EF0C3A7C4221A4C28
        *  0.6 GMD_PDF_ENCRYPTED BODY: Attached PDF is encrypted
        *  0.2 GMD_PDF_EMPTY_BODY BODY: Attached PDF with empty message body
        *  3.0 GMD_PDF_STOX_M4 PDF Stox spam

-- 
Dallas Engelken
dallase@uribl.com
http://uribl.com