Re: [Declude.JunkMail] New PDF worm?
Any more revisions to this filter?

Tuesday, August 7, 2007, 9:34:43 PM, David Barker [EMAIL PROTECTED] wrote:

1. Can you send the one that did not trigger?
2. If it did trigger the idea is to give the filter a base value ie.

SPAM-PDF filter path\SPAM-PDF.txt x 8 0

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards
Sent: Tuesday, August 07, 2007 9:39 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

I received one right away too. It did trigger, but with a weight of 5 it wasn't enough to stop it from making it through. On the flip side, you have to be careful that you don't stop legitimate PDF files. Kind of a tough one...

Todd

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Tuesday, August 07, 2007 8:02 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

It didn't work.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards
Sent: Tuesday, August 07, 2007 6:39 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Thanks David. We'll (ok, I'll) give it a whirl!

Todd

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, August 07, 2007 6:23 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Ok this should hold it over till I can look at it some more tomorrow.

David

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, August 07, 2007 6:45 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

This is not an easy one I will see what I can get done before I leave today.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Tuesday, August 07, 2007 5:25 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

David,

I just sent you a bunch of samples. If you can update the filter before you knock off for the day I'd appreciate it. We've probably had 50 of them get through already today.

Thanks,
Dave

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, August 07, 2007 4:03 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

From reports today looks like the filter needs to be updated. Can you send me some examples as attachments.

David B

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Tuesday, August 07, 2007 3:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

I installed the filter below and we've had about 50 PDFs that came through today. Does the filter need to be revised or is there some other method I should be looking into using?

Thanks!
Dave

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your weights accordingly. Also ensure you are running Declude 4.3.46

BODY 3 PCRE (JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)
BODY 5 PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

We've been suffering .pdf spam getting through the filter. What settings are you using that's identifying these as spam? We're seeing an overall increase in spam getting through the filter the last few weeks...

Thanks,
Katie

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDFs snagged in my antispam filter, they're not triggering any AV yet, anyone else seeing this?

SJ.Stanaitis - Network Administrator
Decorative Product Source, Inc.

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] New PDF worm?
I installed the filter below and we've had about 50 PDFs that came through today. Does the filter need to be revised or is there some other method I should be looking into using?

Thanks!
Dave

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your weights accordingly. Also ensure you are running Declude 4.3.46

BODY 3 PCRE (JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)
BODY 5 PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;)
RE: [Declude.JunkMail] New PDF worm?
From reports today looks like the filter needs to be updated. Can you send me some examples as attachments.

David B

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Tuesday, August 07, 2007 3:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

I installed the filter below and we've had about 50 PDFs that came through today. Does the filter need to be revised or is there some other method I should be looking into using?

Thanks!
Dave
RE: [Declude.JunkMail] New PDF worm?
David,

I just sent you a bunch of samples. If you can update the filter before you knock off for the day I'd appreciate it. We've probably had 50 of them get through already today.

Thanks,
Dave

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, August 07, 2007 4:03 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

From reports today looks like the filter needs to be updated. Can you send me some examples as attachments.

David B
RE: [Declude.JunkMail] New PDF worm?
David - I sent you about 10 off-list.

Todd

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, August 07, 2007 4:03 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

From reports today looks like the filter needs to be updated. Can you send me some examples as attachments.

David B
RE: [Declude.JunkMail] New PDF worm?
This is not an easy one I will see what I can get done before I leave today.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Tuesday, August 07, 2007 5:25 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

David,

I just sent you a bunch of samples. If you can update the filter before you knock off for the day I'd appreciate it. We've probably had 50 of them get through already today.

Thanks,
Dave
RE: [Declude.JunkMail] New PDF worm?
Ok this should hold it over till I can look at it some more tomorrow.

David

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, August 07, 2007 6:45 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

This is not an easy one I will see what I can get done before I leave today.

MINWEIGHTTOFAIL 5
BODY END NOTCONTAINS application/pdf;
BODY 5 PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;)
BODY 5 PCRE ((?=attachments are handled./BODY/HTML).*Content-Type: application/pdf
RE: [Declude.JunkMail] New PDF worm?
Thanks. I'll give it a try.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, August 07, 2007 6:23 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Ok this should hold it over till I can look at it some more tomorrow.

David
RE: [Declude.JunkMail] New PDF worm?
Thanks David. We'll (ok, I'll) give it a whirl!

Todd

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, August 07, 2007 6:23 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Ok this should hold it over till I can look at it some more tomorrow.

David

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, August 07, 2007 6:45 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

This is not an easy one. I will see what I can get done before I leave today.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Tuesday, August 07, 2007 5:25 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

David,

I just sent you a bunch of samples. If you can update the filter before you knock off for the day I'd appreciate it. We've probably had 50 of them get through already today.

Thanks,
Dave

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, August 07, 2007 4:03 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

From reports today looks like the filter needs to be updated. Can you send me some examples as attachments?

David B

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Tuesday, August 07, 2007 3:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

I installed the filter below and we've had about 50 PDFs that came through today. Does the filter need to be revised or is there some other method I should be looking into using?

Thanks!
Dave

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Create a filter, e.g. FILTER-PDF.txt, and use the following lines. Adjust your weights accordingly. Also ensure you are running Declude 4.3.46

BODY 3 PCRE (JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)
BODY 5 PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

We've been suffering .pdf spam getting through the filter. What settings are you using that's identifying these as spam? We're seeing an overall increase in spam getting through the filter the last few weeks...

Thanks,
Katie

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not triggering any AV yet, anyone else seeing this?

SJ.Stanaitis - Network Administrator
Decorative Product Source, Inc.

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
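What the BODY 3 PCRE line in David Barker's July filter actually matches, compared with decoding each MIME part and checking for the PDF magic bytes. This is an added example, not code from the thread or from Declude; the sample messages, addresses and file name are constructed, and the decode-and-check function illustrates the general technique rather than a Declude feature.

```python
import base64
from email import message_from_bytes, policy
from email.message import EmailMessage

# Literal copied from the "BODY 3 PCRE (...)" line quoted in the thread.
SIGNATURE = "JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo"


def decode_signature(sig: str = SIGNATURE) -> bytes:
    """Return the raw bytes the base64 literal stands for."""
    return base64.b64decode(sig + "=" * (-len(sig) % 4))


# Constructed PDFs: one starts with exactly the bytes the signature encodes,
# the other differs only in its header line.
PDF_EXACT = decode_signature() + b"\n<<\n>>\nendobj\ntrailer\n<<\n>>\n%%EOF\n"
PDF_VARIANT = b"%PDF-1.4\n1 0 obj\n<<\n>>\nendobj\ntrailer\n<<\n>>\n%%EOF\n"


def build_sample(pdf_bytes=None) -> bytes:
    """Build a constructed message, optionally with a PDF attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"   # constructed address
    msg["To"] = "rcpt@example.com"       # constructed address
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    if pdf_bytes is not None:
        msg.add_attachment(pdf_bytes, maintype="application",
                           subtype="pdf", filename="doc.pdf")
    return msg.as_bytes()


def literal_signature_hit(raw: bytes) -> bool:
    """Mimic the BODY 3 line: look for the base64 text in the raw message."""
    return SIGNATURE.encode("ascii") in raw


def pdf_attachments(raw: bytes):
    """Decode every leaf MIME part and report those starting with %PDF-."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"%PDF-"):
            found.append((part.get_content_type(), part.get_filename()))
    return found


if __name__ == "__main__":
    print("signature decodes to:", decode_signature())
    for name, pdf in (("exact", PDF_EXACT), ("variant", PDF_VARIANT), ("no-pdf", None)):
        raw = build_sample(pdf)
        print(name, literal_signature_hit(raw), pdf_attachments(raw))
```

A hit from `pdf_attachments()` only says that a PDF is attached, legitimate ones included, so it is a signal to weight rather than a verdict.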
RE: [Declude.JunkMail] New PDF worm?
It didn't work.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards
Sent: Tuesday, August 07, 2007 6:39 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Thanks David. We'll (ok, I'll) give it a whirl!

Todd
RE: [Declude.JunkMail] New PDF worm?
I received one right away too. It did trigger, but with a weight of 5 it wasn't enough to stop it from making it through. On the flip side, you have to be careful that you don't stop legitimate PDF files. Kind of a tough one...

Todd

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Tuesday, August 07, 2007 8:02 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

It didn't work.
Re: [Declude.JunkMail] New PDF worm?
I whipped this up mid afternoon, and it's catching them for us. An earlier version this morning didn't catch the entire campaign.

-----
MINWEIGHTTOFAIL 23
SKIPIFWEIGHT 250
REVDNS END ENDSWITH .smarsh.com
HEADERS 10 CONTAINS X-Mailer: Microsoft Outlook Express 6.00.2900.3138
BODY 1 CONTAINS META content=3DMSHTML 6.00.2900.3132 name=3DGENERATOR
BODY 1 CONTAINS META content=MSHTML 6.00.2900.3132 name=GENERATOR
BODY 1 CONTAINS STYLE/STYLE
BODY 1 CONTAINS DIVFONT face=3DArial size=3D2/FONTnbsp;/DIV/BODY/HTML
BODY 1 CONTAINS DIVFONT face=Arial size=2/FONTnbsp;/DIV/BODY/HTML
BODY 10 CONTAINS Content-Type: application/pdf;
-----

My delete weight is 250, so I skip if it has already reached that weight. Smarsh sends one of our customers a lot of PDFs, so I made sure their emails wouldn't trigger this.

There are liable to be FPs, so I would weight this enough to hold, but not to delete.

Darin.

----- Original Message -----
From: Todd Richards
To: declude.junkmail@declude.com
Sent: Tuesday, August 07, 2007 9:39 PM
Subject: RE: [Declude.JunkMail] New PDF worm?

I received one right away too. It did trigger, but with a weight of 5 it wasn't enough to stop it from making it through. On the flip side, you have to be careful that you don't stop legitimate PDF files. Kind of a tough one...

Todd
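A simplified model of how the weights in Darin's filter add up, as an added example rather than Declude's own engine or code from the thread. It assumes each matching line adds its weight, that the filter fails only once the sum reaches MINWEIGHTTOFAIL, and that CONTAINS is a case-insensitive substring match; the rule strings are copied as they appear on this page, and the sample messages and host names are constructed to contain them verbatim.

```python
# Filter lines as they appear in Darin's post on this page.
FILTER_TEXT = """\
MINWEIGHTTOFAIL 23
SKIPIFWEIGHT 250
REVDNS END ENDSWITH .smarsh.com
HEADERS 10 CONTAINS X-Mailer: Microsoft Outlook Express 6.00.2900.3138
BODY 1 CONTAINS META content=3DMSHTML 6.00.2900.3132 name=3DGENERATOR
BODY 1 CONTAINS META content=MSHTML 6.00.2900.3132 name=GENERATOR
BODY 1 CONTAINS STYLE/STYLE
BODY 1 CONTAINS DIVFONT face=3DArial size=3D2/FONTnbsp;/DIV/BODY/HTML
BODY 1 CONTAINS DIVFONT face=Arial size=2/FONTnbsp;/DIV/BODY/HTML
BODY 10 CONTAINS Content-Type: application/pdf;
"""


def parse_filter(text):
    """Split the filter into thresholds, exemption lines and scoring lines."""
    cfg = {"min_fail": 0, "skip_at": None, "exempt": [], "rules": []}
    for line in text.splitlines():
        tok = line.split(None, 3)
        if not tok:
            continue
        if tok[0] == "MINWEIGHTTOFAIL":
            cfg["min_fail"] = int(tok[1])
        elif tok[0] == "SKIPIFWEIGHT":
            cfg["skip_at"] = int(tok[1])
        elif tok[1] == "END":                      # e.g. REVDNS END ENDSWITH ...
            cfg["exempt"].append((tok[0], tok[2], tok[3]))
        else:                                      # SCOPE weight OP text
            cfg["rules"].append((tok[0], int(tok[1]), tok[2], tok[3]))
    return cfg


def matches(op, haystack, needle):
    """Assumed semantics: case-insensitive CONTAINS / ENDSWITH."""
    hay, ndl = haystack.lower(), needle.lower()
    return hay.endswith(ndl) if op == "ENDSWITH" else ndl in hay


def evaluate(cfg, msg, weight_so_far=0):
    """Return (verdict, score) for a message dict keyed by REVDNS/HEADERS/BODY."""
    if cfg["skip_at"] is not None and weight_so_far >= cfg["skip_at"]:
        return ("skipped", 0)                      # already at delete weight
    for scope, op, text in cfg["exempt"]:
        if matches(op, msg[scope], text):
            return ("exempt", 0)                   # whitelisted sender
    score = sum(w for scope, w, op, text in cfg["rules"]
                if matches(op, msg[scope], text))
    return ("fail" if score >= cfg["min_fail"] else "pass", score)


# Constructed samples.
OE = "X-Mailer: Microsoft Outlook Express 6.00.2900.3138"
PDF_PART = 'Content-Type: application/pdf; name="constructed.pdf"'
CAMPAIGN = {"REVDNS": "host.example.net", "HEADERS": OE, "BODY": "\n".join([
    "META content=3DMSHTML 6.00.2900.3132 name=3DGENERATOR",
    "STYLE/STYLE",
    "DIVFONT face=3DArial size=3D2/FONTnbsp;/DIV/BODY/HTML",
    PDF_PART])}
LEGIT = {"REVDNS": "mail.example.org",
         "HEADERS": "X-Mailer: ExampleMailer 1.0", "BODY": PDF_PART}
PARTIAL = {"REVDNS": "host.example.net", "HEADERS": OE, "BODY": PDF_PART}


def run_samples():
    cfg = parse_filter(FILTER_TEXT)
    return {
        "campaign": evaluate(cfg, CAMPAIGN),
        "legit_pdf": evaluate(cfg, LEGIT),
        "mailer_and_pdf_only": evaluate(cfg, PARTIAL),
        "smarsh": evaluate(cfg, dict(CAMPAIGN, REVDNS="mail.smarsh.com")),
        "already_at_delete_weight": evaluate(cfg, CAMPAIGN, weight_so_far=250),
    }


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:26} {result}")
```

Under this model the two 10-point lines reach only 20, so a message also needs three of the 1-point body markers to hit the threshold of 23, and a PDF sent from a different mail client scores 10.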
RE: [Declude.JunkMail] New PDF worm?
1. Can you send the one that did not trigger?
2. If it did trigger the idea is to give the filter a base value, i.e.

SPAM-PDF filter path\SPAM-PDF.txt x 8 0

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards
Sent: Tuesday, August 07, 2007 9:39 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

I received one right away too. It did trigger, but with a weight of 5 it wasn't enough to stop it from making it through. On the flip side, you have to be careful that you don't stop legitimate PDF files. Kind of a tough one...

Todd
RE: [Declude.JunkMail] New PDF worm?
Did it trigger at all?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Tuesday, August 07, 2007 9:02 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

It didn't work.
RE: [Declude.JunkMail] New PDF worm?
No, didn't trigger at all.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, August 07, 2007 9:33 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Did it trigger at all?
RE: [Declude.JunkMail] New PDF worm?
Thanks Darin. I have adjusted for me, and will see what happens.

Todd

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Tuesday, August 07, 2007 9:02 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] New PDF worm?

I whipped this up mid afternoon, and it's catching them for us. An earlier version this morning didn't catch the entire campaign.

MINWEIGHTTOFAIL 23
SKIPIFWEIGHT 250
REVDNS END ENDSWITH .smarsh.com
HEADERS 10 CONTAINS X-Mailer: Microsoft Outlook Express 6.00.2900.3138
BODY 1 CONTAINS META content=3DMSHTML 6.00.2900.3132 name=3DGENERATOR
BODY 1 CONTAINS META content=MSHTML 6.00.2900.3132 name=GENERATOR
BODY 1 CONTAINS STYLE/STYLE
BODY 1 CONTAINS DIVFONT face=3DArial size=3D2/FONTnbsp;/DIV/BODY/HTML
BODY 1 CONTAINS DIVFONT face=Arial size=2/FONTnbsp;/DIV/BODY/HTML
BODY 10 CONTAINS Content-Type: application/pdf;

My delete weight is 250, so I skip if it has already reached that weight. Smarsh sends one of our customers a lot of PDFs, so I made sure their emails wouldn't trigger this. There are liable to be FPs, so I would weight this enough to hold, but not to delete.

Darin.

----- Original Message -----
From: Todd Richards mailto:[EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Tuesday, August 07, 2007 9:39 PM
Subject: RE: [Declude.JunkMail] New PDF worm?

I received one right away too. It did trigger, but with a weight of 5 it wasn't enough to stop it from making it through. On the flip side, you have to be careful that you don't stop legitimate PDF files. Kind of a tough one...

Todd

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Tuesday, August 07, 2007 8:02 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

It didn't work.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards
Sent: Tuesday, August 07, 2007 6:39 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Thanks David. We'll (ok, I'll) give it a whirl!

Todd

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, August 07, 2007 6:23 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Ok this should hold it over till I can look at it some more tomorrow.

David

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, August 07, 2007 6:45 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

This is not an easy one I will see what I can get done before I leave today.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Tuesday, August 07, 2007 5:25 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

David, I just sent you a bunch of samples. If you can update the filter before you knock off for the day I'd appreciate it. We've probably had 50 of them get through already today.

Thanks,
Dave

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, August 07, 2007 4:03 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

From reports today looks like the filter needs to be updated. Can you send me some examples as attachments.

David B

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Tuesday, August 07, 2007 3:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

I installed the filter below and we've had about 50 PDFs that came through today. Does the filter need to be revised or is there some other method I should be looking into using?

Thanks!
Dave

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your weights accordingly. Also ensure you are running Declude 4.3.46

BODY 3 PCRE (JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)
BODY 5 PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

We've been suffering .pdf spam getting through the filter. What settings are you using that's identifying these as spam? We're seeing an overall increase in spam getting through the filter the last few weeks...

Thanks,
Katie

From: [EMAIL
RE: [Declude.JunkMail] New PDF worm?
We've been suffering .pdf spam getting through the filter. What settings are you using that's identifying these as spam? We're seeing an overall increase in spam getting through the filter the last few weeks...

Thanks,
Katie

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not triggering any AV yet, anyone else seeing this?

SJ.Stanaitis - Network Administrator
Decorative Product Source, Inc.

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] New PDF worm?
Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your weights accordingly. Also ensure you are running Declude 4.3.46

BODY 3 PCRE (JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)
BODY 5 PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

We've been suffering .pdf spam getting through the filter. What settings are you using that's identifying these as spam? We're seeing an overall increase in spam getting through the filter the last few weeks...

Thanks,
Katie
RE: [Declude.JunkMail] New PDF worm?
Cool. Thanks. I also found that our Sniffer definition file hadn't been updated since Jun 30. We have a scheduled task to update it every four hours. I'm trying to figure out why that stopped working.

Anyone have a filter file built for car sales, car financing, etc? My boss got a bunch of car related spam over the weekend. Having Sniffer updated might fix that anyway, but...

Thanks,
Katie

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Monday, July 02, 2007 11:35 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your weights accordingly. Also ensure you are running Declude 4.3.46

BODY 3 PCRE (JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)
BODY 5 PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;)
RE: [Declude.JunkMail] New PDF worm?
Could someone explain further how this filter works and what it is doing... it is adding weight to all PDF's or is this searching for some common element present in the PDF Spams?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Monday, July 02, 2007 1:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your weights accordingly. Also ensure you are running Declude 4.3.46

BODY 3 PCRE (JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)
BODY 5 PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;)
RE: [Declude.JunkMail] New PDF worm?
The first line is comparing the encoding for the PDF file which all tend to be the same; however, be sure to read the post by Pete regarding false positives. The second part is looking for a blank email with a PDF attachment; the regular expression was provided by Matt.

David

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jim Comerford
Sent: Monday, July 02, 2007 2:05 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Could someone explain further how this filter works and what it is doing... it is adding weight to all PDF's or is this searching for some common element present in the PDF Spams?
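An added sketch (not part of the thread and not Declude code) of what the two filter lines explained above actually match, run against four constructed messages. It assumes each BODY PCRE test is a regex search over the raw MIME text; the sample messages, boundary string and helper names are made up for illustration.

```python
import base64
import re

# Rule text and weights exactly as posted in the thread (BODY 3 / BODY 5).
PDF_HEAD_B64 = "JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo"
BLANK_THEN_PDF = (
    r"-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}"
    r"-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;"
)
# Rule names are hypothetical labels for this example.
RULES = [
    ("pdf-head", 3, re.compile(PDF_HEAD_B64)),
    ("blank-then-pdf", 5, re.compile(BLANK_THEN_PDF)),
]


def decode_signature():
    """Decode the first rule's literal: it is the base64 of the PDF's first bytes."""
    pad = "=" * (-len(PDF_HEAD_B64) % 4)
    return base64.b64decode(PDF_HEAD_B64 + pad)


def build_message(body_text, pdf_bytes):
    """Constructed two-part MIME body: a text part, then a base64 PDF part."""
    boundary = "------------010203040506070809000102"  # constructed value
    b64 = base64.encodebytes(pdf_bytes).decode("ascii").replace("\n", "\r\n")
    lines = [
        "This is a multi-part message in MIME format.",
        "--" + boundary,
        "Content-Type: text/plain; charset=ISO-8859-1; format=flowed",
        "Content-Transfer-Encoding: 7bit",
        "",
        body_text,
        "--" + boundary,
        "Content-Type: application/pdf;",
        ' name="report.pdf"',
        "Content-Transfer-Encoding: base64",
        "",
    ]
    return "\r\n".join(lines) + "\r\n" + b64 + "--" + boundary + "--\r\n"


def score(raw_message):
    """Return (names of rules that hit, summed weight) for one raw message."""
    hits = [name for name, _, rx in RULES if rx.search(raw_message)]
    weight = sum(w for name, w, _ in RULES if name in hits)
    return hits, weight


# Constructed attachments: one starts with the exact bytes the first rule
# encodes, the other is a PDF whose header differs by one version digit.
SAME_HEAD_PDF = decode_signature() + b"\n<<\n>>\nendobj\n%%EOF\n"
OTHER_HEAD_PDF = b"%PDF-1.4\n1 0 obj\n<<\n>>\nendobj\n%%EOF\n"


def demo():
    text = "Please find the invoice attached."
    return {
        "blank body, same PDF head": score(build_message("", SAME_HEAD_PDF)),
        "text body, same PDF head": score(build_message(text, SAME_HEAD_PDF)),
        "blank body, other PDF head": score(build_message("", OTHER_HEAD_PDF)),
        "text body, other PDF head": score(build_message(text, OTHER_HEAD_PDF)),
    }


if __name__ == "__main__":
    print("first rule decodes to:", decode_signature())
    for label, (hits, weight) in demo().items():
        print(f"{label:28s} weight={weight} hits={hits}")
```

The second case is the false-positive risk raised in the thread: any mail carrying a PDF with the same leading bytes picks up the first rule's weight even when it has a normal body.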
Re: [Declude.JunkMail] New PDF worm?
Yep.

Darin.

----- Original Message -----
From: SJ.Stanaitis
To: declude.junkmail@declude.com
Sent: Wednesday, June 27, 2007 11:17 AM
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not triggering any AV yet, anyone else seeing this?

SJ.Stanaitis - Network Administrator
Decorative Product Source, Inc.
RE: [Declude.JunkMail] New PDF worm?
Yes I am seeing the same thing although when I run the pdf through a virus check it comes up clean. I opened one of the files and it was just stock spam.

If anyone is running the CB-ATTACH.txt filter I would suggest commenting out this line for now.

#BODY -10 PCRE (?i:Content-Type: application/pdf;)

Or if you are using the older filters

#BODY -10 CONTAINS Content-Type: application/pdf;

See also http://blogs.zdnet.com/security/?p=325

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SJ.Stanaitis
Sent: Wednesday, June 27, 2007 11:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not triggering any AV yet, anyone else seeing this?

SJ.Stanaitis - Network Administrator
Decorative Product Source, Inc.
RE: [Declude.JunkMail] New PDF worm?
SJ, they're not viruses, they're spam sent from zombies. Probably pump and dump stock spam, and if they're like what I've been seeing, they have the same anti-OCR techniques that were previously sent as jpg.

http://www.mail-archive.com/[EMAIL PROTECTED]/msg03447.html
and: http://isc.sans.org/diary.html?storyid=3012
and: http://www.heise-security.co.uk/news/91523

Andrew.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SJ.Stanaitis
Sent: Wednesday, June 27, 2007 8:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not triggering any AV yet, anyone else seeing this?

SJ.Stanaitis - Network Administrator
Decorative Product Source, Inc.
Re: [Declude.JunkMail] New PDF worm?
SJ, Andrew posted a blurb from SANS a couple of days ago.

Pump and dump scams now in PDF
Published: 2007-06-20, Last Updated: 2007-06-20 21:33:39 UTC by Maarten Van Horenbeeck (Version: 1)

Apparently the groups behind what we know as pump and dump spam have found a new way to bypass spam filters. As of yesterday, we’ve been observing e-mails with bogus text, often in german, each with a PDF in attachment.

These PDFs purport to be stock information, and are usually titled ‘German Stock Insider’. They contain much more detail on stock than we’re used to from previous dump and pump scams and include images for added realism. They even contain the following disclaimer:

“This is not an offer to buy or sell any security. German Stock Insider discloses that they were paid ten thousand Euros for distribution of this report.”

The messages are usually sent to [EMAIL PROTECTED] with an attachment name of name_report.pdf. Apparently they are distributed most to .com and .org domains, though most of the reports we’ve received were from Europe. Each of the reports so far has had an MD5 hash of 2e4b2158909f276942dadf6a0b621b1a.

Thanks to Günter for reporting his findings.

Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

SJ.Stanaitis wrote:

I’m getting gobs of PDF’s snagged in my antispam filter, they’re not triggering any AV yet, anyone else seeing this?

SJ.Stanaitis - Network Administrator
Decorative Product Source, Inc.
Re: [Declude.JunkMail] New PDF worm?
Hi David,

What's the CB-ATTACH.txt filter?

Darin.

----- Original Message -----
From: David Barker
To: declude.junkmail@declude.com
Sent: Wednesday, June 27, 2007 11:24 AM
Subject: RE: [Declude.JunkMail] New PDF worm?

Yes I am seeing the same thing although when I run the pdf through a virus check it comes up clean. I opened one of the files and it was just stock spam.

If anyone is running the CB-ATTACH.txt filter I would suggest commenting out this line for now.

#BODY -10 PCRE (?i:Content-Type: application/pdf;)

Or if you are using the older filters

#BODY -10 CONTAINS Content-Type: application/pdf;

See also http://blogs.zdnet.com/security/?p=325

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]
RE: [Declude.JunkMail] New PDF worm?
It is a filter I use to reduce the weights on attachments not likely to be spam, you can log into your account at Declude and download the sample filters.

David

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Wednesday, June 27, 2007 12:20 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] New PDF worm?

Hi David,

What's the CB-ATTACH.txt filter?

Darin.
RE: [Declude.JunkMail] New PDF worm?
I'll suggest an alternative to this. If you're using the CB-ATTACH filter and you want to keep it without giving spammers too much entry, use an END filter with your blacklist tests. If the sender's IP address is in the blacklist, the CB-ATTACH test will stop. This will still counterweight PDF spammers who are not in a blacklist yet, but perhaps that is an acceptable balance to you.

TESTSFAILED END CONTAINS XBL
TESTSFAILED END CONTAINS SPAMCOP
BODY -10 PCRE (?i:Content-Type: application/pdf;)
etc. ...

Andrew.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Wednesday, June 27, 2007 8:24 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Yes I am seeing the same thing although when I run the pdf through a virus check it comes up clean. I opened one of the files and it was just stock spam.

If anyone is running the CB-ATTACH.txt filter I would suggest commenting out this line for now.

#BODY -10 PCRE (?i:Content-Type: application/pdf;)

Or if you are using the older filters

#BODY -10 CONTAINS Content-Type: application/pdf;

See also http://blogs.zdnet.com/security/?p=325

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]
RE: [Declude.JunkMail] New PDF worm?
Great idea.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Wednesday, June 27, 2007 12:40 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

I'll suggest an alternative to this. If you're using the CB-ATTACH filter and you want to keep it without giving spammers too much entry, use an END filter with your blacklist tests. If the sender's IP address is in the blacklist, the CB-ATTACH test will stop. This will still counterweight PDF spammers who are not in a blacklist yet, but perhaps that is an acceptable balance to you.

TESTSFAILED END CONTAINS XBL
TESTSFAILED END CONTAINS SPAMCOP
BODY -10 PCRE (?i:Content-Type: application/pdf;)
etc. ...

Andrew.