I whipped this up mid afternoon, and it's catching them for us.  An earlier 
version this morning didn't catch the entire campaign.

 -------------------------------------
MINWEIGHTTOFAIL 23

SKIPIFWEIGHT 250

REVDNS  END ENDSWITH .smarsh.com

HEADERS  10 CONTAINS X-Mailer: Microsoft Outlook Express 6.00.2900.3138

BODY  1 CONTAINS <META content=3D"MSHTML 6.00.2900.3132" name=3DGENERATOR>
BODY  1 CONTAINS <META content="MSHTML 6.00.2900.3132" name=GENERATOR>

BODY  1 CONTAINS <STYLE></STYLE>

BODY  1 CONTAINS <DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV></BODY></HTML>
BODY  1 CONTAINS <DIV><FONT face=Arial size=2></FONT>&nbsp;</DIV></BODY></HTML>

BODY  10 CONTAINS Content-Type: application/pdf;
-------------------------------------

My delete weight is 250, so I skip if it has already reached that weight.

Smarsh sends one of our customers a lot of PDFs, so I made sure their emails 
wouldn't trigger this.

There are liable to be FPs, so I would weight this enough to hold, but not to 
delete.

Darin.
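
An added sketch (not part of the original post, and not Declude's own code) that models how the filter above scores a message. The five indicators add up to exactly 23, so under the assumed MINWEIGHTTOFAIL semantics every one of them must be present for the filter to fire. The hostnames and sample message are constructed.

```python
# Added example: a simplified model of how the filter above scores a message.
# Rule semantics are assumptions taken from the post, not Declude's code.
MIN_WEIGHT_TO_FAIL = 23   # filter only counts as a hit at or above this sum
SKIP_IF_WEIGHT = 250      # poster's delete weight; skip if already reached

HEADER_RULES = [(10, "X-Mailer: Microsoft Outlook Express 6.00.2900.3138")]
BODY_RULES = [
    (1, '<META content=3D"MSHTML 6.00.2900.3132" name=3DGENERATOR>'),
    (1, '<META content="MSHTML 6.00.2900.3132" name=GENERATOR>'),
    (1, "<STYLE></STYLE>"),
    (1, "<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV></BODY></HTML>"),
    (1, "<DIV><FONT face=Arial size=2></FONT>&nbsp;</DIV></BODY></HTML>"),
    (10, "Content-Type: application/pdf;"),
]

def score(rules, text):
    # CONTAINS modelled as a case-insensitive substring match (assumption)
    return sum(w for w, needle in rules if needle.lower() in text.lower())

def evaluate(revdns, headers, body, current_weight=0):
    """Return (filter_weight, triggered) for one message."""
    if current_weight >= SKIP_IF_WEIGHT:
        return 0, False                      # SKIPIFWEIGHT: already at delete weight
    if revdns.lower().endswith(".smarsh.com"):
        return 0, False                      # REVDNS END: stop, add no weight
    total = score(HEADER_RULES, headers) + score(BODY_RULES, body)
    return total, total >= MIN_WEIGHT_TO_FAIL

# Constructed sample message parts (not real campaign mail)
HDRS = "From: a@example.test\r\nX-Mailer: Microsoft Outlook Express 6.00.2900.3138\r\n"
HTML_QP = ('<META content=3D"MSHTML 6.00.2900.3132" name=3DGENERATOR>\r\n'
           "<STYLE></STYLE>\r\n"
           "<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV></BODY></HTML>\r\n")
PDF_PART = 'Content-Type: application/pdf;\r\n\tname="doc.pdf"\r\n'

def demo():
    return {
        "campaign": evaluate("host.example.test", HDRS, HTML_QP + PDF_PART),
        "no_style": evaluate("host.example.test", HDRS,
                             HTML_QP.replace("<STYLE></STYLE>", "") + PDF_PART),
        "smarsh": evaluate("mx1.smarsh.com", HDRS, HTML_QP + PDF_PART),
        "already_deleted": evaluate("host.example.test", HDRS,
                                    HTML_QP + PDF_PART, current_weight=250),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The `no_style` case scores 22 and does not fire, which shows how little drift in the campaign's template is needed before the filter stops matching.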


----- Original Message ----- 
From: Todd Richards 
To: [email protected] 
Sent: Tuesday, August 07, 2007 9:39 PM
Subject: RE: [Declude.JunkMail] New PDF worm?


I received one right away too.  It did trigger, but with a weight of 5 it 
wasn't enough to stop it from making it through.  On the flip side, you have to 
be careful that you don't stop legitimate PDF files.  Kind of a tough one...

Todd




--------------------------------------------------------------------------------
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Tuesday, August 07, 2007 8:02 PM
To: [email protected]
Subject: RE: [Declude.JunkMail] New PDF worm?


It didn't work.

 


--------------------------------------------------------------------------------

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards
Sent: Tuesday, August 07, 2007 6:39 PM
To: [email protected]
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Thanks David.  We'll (ok, I'll) give it a whirl!

 

Todd

 

 


--------------------------------------------------------------------------------

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, August 07, 2007 6:23 PM
To: [email protected]
Subject: RE: [Declude.JunkMail] New PDF worm?

Ok this should hold it over till I can look at it some more tomorrow.

 

David

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, August 07, 2007 6:45 PM
To: [email protected]
Subject: RE: [Declude.JunkMail] New PDF worm?

 

This is not an easy one. I will see what I can get done before I leave today.

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Tuesday, August 07, 2007 5:25 PM
To: [email protected]
Subject: RE: [Declude.JunkMail] New PDF worm?

 

David,

 

I just sent you a bunch of samples.  If you can update the filter before you 
knock off for the day I'd appreciate it.  We've probably had 50 of them get 
through already today.

 

Thanks,


Dave

 


--------------------------------------------------------------------------------

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, August 07, 2007 4:03 PM
To: [email protected]
Subject: RE: [Declude.JunkMail] New PDF worm?

 

From reports today looks like the filter needs to be updated. Can you send me 
some examples as attachments.

 

David B

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Tuesday, August 07, 2007 3:15 PM
To: [email protected]
Subject: RE: [Declude.JunkMail] New PDF worm?

 

I installed the filter below and we've had about 50 PDFs that came through 
today.  Does the filter need to be revised or is there some other method I 
should be looking into using?


Thanks!

 

Dave

 


--------------------------------------------------------------------------------

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Monday, July 02, 2007 12:35 PM
To: [email protected]
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Create a filter, e.g. FILTER-PDF.txt, and use the following lines. Adjust your 
weights accordingly. Also ensure you are running Declude 4.3.46.

 

BODY     3              PCRE (JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)

BODY     5              PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;)

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie 
LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: [email protected]
Subject: RE: [Declude.JunkMail] New PDF worm?

 

We've been suffering .pdf spam getting through the filter.  What settings are 
you using that are identifying these as spam?

We're seeing an overall increase in spam getting through the filter the last 
few weeks...

 

Thanks, 

Katie

 

 


--------------------------------------------------------------------------------

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: [email protected]
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDFs snagged in my antispam filter. They're not triggering 
any AV yet. Anyone else seeing this?

 

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 

