Posted to users@spamassassin.apache.org by Mike Cisar <ml...@starmania.net> on 2007/08/10 17:10:26 UTC

fdf spam

Has anyone else been seeing the empty-body "PDF" spam, but with a .fdf file
extension?  Had a whole pile in my inbox here this morning.  

Cheers,
>>>>> Mike <<<<<


Re: fdf spam

Posted by MATSUDA Yoh-ichi <ki...@yahoo.co.jp>.
Hi, all.

From: "Mike Cisar" <ml...@starmania.net>
Subject: fdf spam
Date: Fri, 10 Aug 2007 09:10:26 -0600

> Has anyone else been seeing the empty-body "PDF" spam, but with a .fdf file
> extension.  Had a whole pile in my inbox here this morning.  
> 
> Cheers,
> >>>>> Mike <<<<<

Here are 2 rules for detecting pdf spam.

full NULLTXTPDF /(\n(?:-{12,}0\d{22,}|--={19,}_\d{6,}==_)\n)Content-Type: text\/plain; charset=\"{0,1}[\w-]{5,}\"{0,1}; format=flowed(?:\nContent-Transfer-Encoding: 7bit){0,1}\n{2,}\1Content-Type: application\/(?:pdf|octet-stream);(?:\n| name=\")/

full HTMLPDF /(-{6}=_NextPart_000_00[0-9A-F]{2}_[0-9A-F]{8}\.[0-9A-F]{8})\nContent-Type: multipart\/alternative;\n.boundary=\"(----=_NextPart_001_00[0-9A-F]{2}_[0-9A-F]{8}\.[0-9A-F]{8})\"\n\n\n--\2\nContent-Type: text\/plain;\n.charset=\"{0,1}[\w-]{5,}\"{0,1}\nContent-Transfer-Encoding: quoted-printable\n\n\n--\2\nContent-Type: text\/html;\n.charset=\"{0,1}[\w-]{5,}\"{0,1}\nContent-Transfer-Encoding: quoted-printable\n\n(?:.+\n){5}<STYLE><\/STYLE>\n.+\n.+\n<DIV><FONT face=3DArial size=3D2><\/FONT>&nbsp;<\/DIV><\/BODY><\/HTML>\n\n--\2--\n\n\1\nContent-Type: application\/(?:pdf|octet-stream);/

Enjoy. ;-)
--
MATSUDA Yoh-ichi(yoh)
mailto:yoh@flcl.org
http://www.flcl.org/~yoh/diary/ (only Japanese)

Re: fdf spam

Posted by Gene Heskett <ge...@verizon.net>.
On Friday 10 August 2007, Dallas Engelken wrote:
>David B Funk wrote:
>> On Sat, 11 Aug 2007, wolfgang wrote:
>>> In an older episode (Friday, 10. August 2007), Mike Cisar wrote:
>>>> Has anyone else been seeing the empty-body "PDF" spam, but with a
>>>> .fdf file extension.  Had a whole pile in my inbox here this morning.
>>>
>>> Thousands of them went through our mail gateways at work. A typo in some
>>> bot?
>>
>> No, merely the next episode in the never-ending spam-wars saga.
>>
>> A ".fdf" file is yet another Adobe file type and double-clicking on one
>> (in a Windows box) will launch Acrobat-reader and display its contents.
>> However anti-spam weapons such as PDFinfo are explicitly coded to look
>> for ".pdf" files, thus ".fdf" is given a pass.
>> This shows the cleverness behind (at least some of) the spammers.
>>
>> A quick edit will update PDFinfo to check ".fdf" files too.
>
>that was done this morning if you want to grab a new version...
>http://www.rulesemporium.com/plugins/PDFInfo.pm

I think what he is asking, and I sure am, is how do you get sa-update to pick 
up these new modules.  I have PDFInfo.pm installed, but an sa-update -D 

[root@coyote Dailys]# sa-update -D
[31662] dbg: logger: adding facilities: all
[31662] dbg: logger: logging level is DBG
[31662] dbg: generic: SpamAssassin version 3.2.3
[31662] dbg: config: score set 0 chosen.
[31662] dbg: dns: is Net::DNS::Resolver available? yes
[31662] dbg: dns: Net::DNS version: 0.60
[31662] dbg: generic: sa-update version svn540384
[31662] dbg: generic: using update directory: /var/lib/spamassassin/3.002003
[31662] dbg: diag: perl platform: 5.008008 linux
[31662] dbg: diag: module installed: Digest::SHA1, version 2.11
[31662] dbg: diag: module installed: HTML::Parser, version 3.55
[31662] dbg: diag: module installed: Net::DNS, version 0.60
[31662] dbg: diag: module installed: MIME::Base64, version 3.07
[31662] dbg: diag: module installed: DB_File, version 1.814
[31662] dbg: diag: module installed: Net::SMTP, version 2.29
[31662] dbg: diag: module installed: Mail::SPF, version v2.004
[31662] dbg: diag: module installed: Mail::SPF::Query, version 1.999001
[31662] dbg: diag: module installed: IP::Country::Fast, version 604.001
[31662] dbg: diag: module installed: Razor2::Client::Agent, version 2.82
[31662] dbg: diag: module installed: Net::Ident, version 1.20
[31662] dbg: diag: module installed: IO::Socket::INET6, version 2.51
[31662] dbg: diag: module installed: IO::Socket::SSL, version 1.01
[31662] dbg: diag: module installed: Compress::Zlib, version 1.42
[31662] dbg: diag: module installed: Time::HiRes, version 1.86
[31662] dbg: diag: module installed: Mail::DomainKeys, version 1.0
[31662] dbg: diag: module installed: Mail::DKIM, version 0.26
[31662] dbg: diag: module installed: DBI, version 1.52
[31662] dbg: diag: module installed: Getopt::Long, version 2.35
[31662] dbg: diag: module installed: LWP::UserAgent, version 2.033
[31662] dbg: diag: module installed: HTTP::Date, version 1.47
[31662] dbg: diag: module installed: Archive::Tar, version 1.30
[31662] dbg: diag: module installed: IO::Zlib, version 1.04
[31662] dbg: diag: module installed: Encode::Detect, version 1.00
[31662] dbg: gpg: Searching for 'gpg'
[31662] dbg: util: current PATH is: /usr/lib/qt-3.3/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/lib/ccache:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
[31662] dbg: util: executable for gpg was found at /usr/bin/gpg
[31662] dbg: gpg: found /usr/bin/gpg
[31662] dbg: gpg: release trusted key id list: 
[...]
[31662] dbg: channel: attempting channel updates.spamassassin.org
[31662] dbg: channel: update directory /var/lib/spamassassin/3.002003/updates_spamassassin_org
[31662] dbg: channel: channel cf file /var/lib/spamassassin/3.002003/updates_spamassassin_org.cf
[31662] dbg: channel: channel pre file /var/lib/spamassassin/3.002003/updates_spamassassin_org.pre
[31662] dbg: channel: metadata version = 556472
[31662] dbg: dns: 3.2.3.updates.spamassassin.org => 556472, parsed as 556472
[31662] dbg: channel: current version is 556472, new version is 556472, skipping channel
[31662] dbg: diag: updates complete, exiting with code 1
===========
session ignores that fact.  A config error someplace?  Smart did update some 
perl stuffs today but that wasn't in the list.  My pdfinfo.cf, and my 
PDFInfo.pm are both dated July 19, all 3 copies of each, and I too am 
beginning to drown in this crap.

So how DO we get sa-update to actually update this stuff?

Thanks.

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
A university is what a college becomes when the faculty loses interest
in students.
		-- John Ciardi

Re: fdf spam

Posted by Dave Pooser <da...@pooserville.com>.
> that was done this morning if you want to grab a new version...
> http://www.rulesemporium.com/plugins/PDFInfo.pm

Could somebody PLEASE make sure that when a new version of PDFInfo is posted
the website shows the updated version number? The page still says it's
version 0.7 last modified 2007-07-27, and you have to actually read the .pm
to see that it's now at 0.8.
-- 
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
"NASCAR is a Yankee conspiracy to keep you all placated
so the South won't rise again." --QuestionableContent.net



Re: fdf spam

Posted by Dallas Engelken <da...@uribl.com>.
David B Funk wrote:
> On Sat, 11 Aug 2007, wolfgang wrote:
>
>   
>> In an older episode (Friday, 10. August 2007), Mike Cisar wrote:
>>     
>>> Has anyone else been seeing the empty-body "PDF" spam, but with a
>>> .fdf file extension.  Had a whole pile in my inbox here this morning.
>>>       
>> Thousands of them went through our mail gateways at work. A typo in some
>> bot?
>>     
>
> No, merely the next episode in the never-ending spam-wars saga.
>
> A ".fdf" file is yet another Adobe file type and double-clicking on one
> (in a Windows box) will launch Acrobat-reader and display its contents.
> However anti-spam weapons such as PDFinfo are explicitly coded to look
> for ".pdf" files, thus ".fdf" is given a pass.
> This shows the cleverness behind (at least some of) the spammers.
>
> A quick edit will update PDFinfo to check ".fdf" files too.
>
>   

that was done this morning if you want to grab a new version...
http://www.rulesemporium.com/plugins/PDFInfo.pm

-- 
Dallas Engelken
dallase@uribl.com
http://uribl.com


Re: fdf spam

Posted by David B Funk <db...@engineering.uiowa.edu>.
On Sat, 11 Aug 2007, wolfgang wrote:

> In an older episode (Friday, 10. August 2007), Mike Cisar wrote:
> > Has anyone else been seeing the empty-body "PDF" spam, but with a
> > .fdf file extension.  Had a whole pile in my inbox here this morning.
>
> Thousands of them went through our mail gateways at work. A typo in some
> bot?

No, merely the next episode in the never-ending spam-wars saga.

A ".fdf" file is yet another Adobe file type and double-clicking on one
(in a Windows box) will launch Acrobat-reader and display its contents.
However anti-spam weapons such as PDFinfo are explicitly coded to look
for ".pdf" files, thus ".fdf" is given a pass.
This shows the cleverness behind (at least some of) the spammers.

A quick edit will update PDFinfo to check ".fdf" files too.

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
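The point in the post above is worth making concrete: a filter that keys on a ".pdf" filename is defeated by anything Acrobat Reader will open under another name, while a check on the attachment's own bytes is not. The script below is an added example, not code from SpamAssassin, from the PDFInfo plugin or from anyone in this thread. The MIME messages and the PDF/FDF contents it uses are constructed inline for the demonstration.

```python
"""Extension-based attachment checks vs. content sniffing.

Added example, not code from SpamAssassin or the PDFInfo plugin. The
post above says PDFInfo keyed on a ".pdf" filename, so an ".fdf"
attachment (Acrobat's Forms Data Format, also opened by Acrobat Reader)
got a pass. This script reproduces that gap on a constructed message
and shows the check that does not have it: identify the part by its
leading bytes, whatever it is named or declared as.
"""
import base64
from typing import List, Optional, Tuple
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Acrobat files begin with a version marker: "%PDF-1.x" or "%FDF-1.x".
MAGIC = {b"%PDF-": "pdf", b"%FDF-": "fdf"}


def build_sample(filename: str, ctype: str, data: bytes) -> bytes:
    """Constructed message, not captured spam: an empty text/plain body
    followed by one base64 attachment, the shape the thread describes."""
    lines = [
        "From: sender@example.invalid",
        "To: victim@example.invalid",
        "Subject: constructed sample",
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="b1"',
        "",
        "--b1",
        'Content-Type: text/plain; charset="us-ascii"; format=flowed',
        "Content-Transfer-Encoding: 7bit",
        "",
        "",
        "--b1",
        f'Content-Type: {ctype}; name="{filename}"',
        f'Content-Disposition: attachment; filename="{filename}"',
        "Content-Transfer-Encoding: base64",
        "",
        base64.b64encode(data).decode("ascii"),
        "--b1--",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def sniff(data: bytes) -> Optional[str]:
    """Classify by header bytes only; the filename is never consulted."""
    head = data.lstrip()[:5]
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def body_is_empty(msg: EmailMessage) -> bool:
    """True when the message has no text body or only whitespace."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return body is None or body.get_content().strip() == ""


def extension_rule(msg: EmailMessage) -> List[str]:
    """The brittle check described in the thread: ".pdf" suffix only."""
    return [p.get_filename() for p in msg.iter_attachments()
            if (p.get_filename() or "").lower().endswith(".pdf")]


def content_rule(msg: EmailMessage) -> List[Tuple[str, str, str]]:
    """Flag every attachment whose bytes identify an Acrobat file.
    Returns (filename, declared Content-Type, detected kind)."""
    hits = []
    for part in msg.iter_attachments():
        kind = sniff(part.get_payload(decode=True) or b"")
        if kind:
            hits.append((part.get_filename() or "", part.get_content_type(), kind))
    return hits


def evaluate(raw: bytes) -> dict:
    """Parse a raw message and run both checks plus the empty-body test."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return {"empty_body": body_is_empty(msg),
            "by_extension": extension_rule(msg),
            "by_content": content_rule(msg)}


# Constructed file contents: just enough header to carry the magic bytes.
FDF_BYTES = b"%FDF-1.2\n1 0 obj\n<< /FDF << /F (form.pdf) >> >>\nendobj\n%%EOF\n"
PDF_BYTES = b"%PDF-1.4\n%%EOF\n"

# The case in the thread: ".fdf" name, generic MIME type, empty body.
FDF_SPAM = build_sample("invoice.fdf", "application/octet-stream", FDF_BYTES)
# The earlier wave, which the extension rule did catch.
PDF_SPAM = build_sample("invoice.pdf", "application/pdf", PDF_BYTES)
# A ".pdf" name on a file that is not a PDF: the extension rule fires,
# content sniffing correctly does not.
RENAMED_TXT = build_sample("notes.pdf", "application/octet-stream", b"hello\n")

if __name__ == "__main__":
    for label, raw in (("fdf", FDF_SPAM), ("pdf", PDF_SPAM), ("renamed", RENAMED_TXT)):
        print(label, evaluate(raw))
```

On the constructed ".fdf" message the extension rule returns nothing while the content rule reports an FDF file declared as application/octet-stream, which is the combination the thread is describing. Adding ".fdf" to the suffix list, as the PDFInfo update did, closes this one case; sniffing the bytes closes the whole class of renamed-attachment variants.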

Re: fdf spam

Posted by wolfgang <me...@gmx.net>.
In an older episode (Friday, 10. August 2007), Mike Cisar wrote:
> Has anyone else been seeing the empty-body "PDF" spam, but with a
> .fdf file extension.  Had a whole pile in my inbox here this morning.

Thousands of them went through our mail gateways at work. A typo in some 
bot?

Regards,

wolfgang

--
Bad typists of the world, UNTIE!