I'll suggest an alternative to this. If you're using the CB-ATTACH filter and you want to keep it without giving spammers too much entry, use an END filter with your blacklist tests. If the sender's IP address is in the blacklist, the CB-ATTACH test will stop. This will still counterweight PDF spammers who are not in a blacklist yet, but perhaps that is an acceptable balance to you.

TESTSFAILED END CONTAINS XBL
TESTSFAILED END CONTAINS SPAMCOP
BODY -10 PCRE (?i:Content-Type: application/pdf;)
etc. ...

Andrew.
________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Wednesday, June 27, 2007 8:24 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Yes, I am seeing the same thing, although when I run the PDF through a virus check it comes up clean. I opened one of the files and it was just stock spam. If anyone is running the CB-ATTACH.txt filter I would suggest commenting out this line for now.

#BODY -10 PCRE (?i:Content-Type: application/pdf;)

Or if you are using the older filters

#BODY -10 CONTAINS Content-Type: application/pdf;

See also http://blogs.zdnet.com/security/?p=325

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SJ.Stanaitis
Sent: Wednesday, June 27, 2007 11:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDFs snagged in my antispam filter, they're not triggering any AV yet, anyone else seeing this?

SJ.Stanaitis - Network Administrator
Decorative Product Source, Inc.

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.