Hello,

Lately we have come across a new trick that is being used to try to infect email recipients with trojans.

A simple email is being sent, looking like it's coming from DHL or similar, about the tracking code for a parcel. There is one PDF attachment. The attachment has an official-looking letter header from DHL and contains instructions on how to track the parcel via the DHL website. There is a clickable link in that PDF that points to the tracking service of the DHL website.

But... the real link behind that link points to a website from which a drive-by infection is being tried and which also offers a ZIP file containing an EXE file with a trojan to download.

By not sending the exe within a zip (which is easily blocked in the bad_filenames part of MIMEDefang) and not using the link in an HTML email, the attacker is getting his emails past our MIMEDefang / SpamAssassin / Clamd installation.

So my idea to catch such emails would be:

=> Extract text from the PDF and pass it to SpamAssassin to match blacklisted URIs within the PDF.
=> Is there a way to check if the displayed URL matches the link URL behind it within a PDF file?

Has anyone already found such a solution?

Kind regards,

Benoit Panizzon
--
I m p r o W a r e   A G
Zurlindenstrasse 29     Tel +41 61 826 93 07
CH-4133 Pratteln        Fax +41 61 826 93 02
Schweiz                 Web http://www.imp.ch
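The following is an added example, not part of the original post and not MIMEDefang or SpamAssassin code: a standard-library Python heuristic for the two checks asked about above. It lists every link target in a PDF (for URI blacklist lookups) and flags targets whose host is not among the URLs drawn as page text. The function names and the `dhl.example` / `example.net` sample data are constructed, and it assumes an unencrypted PDF with Flate-compressed streams and literal (not hex) strings.

```python
import re
import zlib
from urllib.parse import urlsplit

URI_ACTION = re.compile(rb"/URI\s*\(((?:\\.|[^\\()])*)\)")  # link annotation target
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
TEXT_OP = re.compile(rb"\)\s*\]?\s*T[jJ]")                   # text-showing operator
LITERAL = re.compile(rb"\(((?:\\.|[^\\()])*)\)")
SHOWN_URL = re.compile(r"(?:https?://|www\.)[^\s<>\"]+", re.I)

def host(url):
    if "://" not in url:
        url = "http://" + url
    return re.sub(r"^www\.", "", (urlsplit(url).hostname or "").lower())

def inflate_streams(pdf):
    """Return every stream body, inflated when it is Flate data."""
    out = []
    for body in STREAM.findall(pdf):
        try:
            out.append(zlib.decompressobj().decompress(body))
        except zlib.error:
            out.append(body)  # not Flate: scan the bytes as they are
    return out

def scan_pdf(pdf):
    """Return (link_targets, targets whose host is not shown in the text)."""
    streams = inflate_streams(pdf)
    # Annotations may sit in the file body or inside compressed object streams.
    found = [u.decode("latin-1") for chunk in [pdf] + streams
             for u in URI_ACTION.findall(chunk)]
    targets = list(dict.fromkeys(found))  # de-duplicate, keep order
    shown = set()
    for chunk in streams:
        for line in chunk.splitlines():
            if TEXT_OP.search(line):  # only literals drawn as page text
                text = b"".join(LITERAL.findall(line)).decode("latin-1")
                shown.update(host(u) for u in SHOWN_URL.findall(text))
    return targets, [t for t in targets if shown and host(t) not in shown]

def sample_pdf(target):
    """Constructed PDF fragment: one Flate content stream and one link."""
    page = zlib.compress(b"BT /F1 12 Tf [(www.dhl.ex) -8 (ample/tracking)] TJ ET")
    return (b"%PDF-1.4\n1 0 obj\n<< /Filter /FlateDecode >>\nstream\n" + page
            + b"\nendstream\nendobj\n2 0 obj\n<< /Type /Annot /Subtype /Link"
            + b" /A << /S /URI /URI (" + target.encode() + b") >> >>\nendobj\n")

if __name__ == "__main__":
    print(scan_pdf(sample_pdf("http://tracking.example.net/parcel.zip")))
```

The first element of the result can be handed to whatever URI blacklist check the filter already runs; the second is the displayed-versus-real mismatch and is better used as a scoring signal than as a hard reject, since legitimate PDFs also link through redirectors.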