date:20070807

RE: [Declude.JunkMail] New PDF worm?

2007-08-07 Thread Todd Richards

Thanks Darin.  I have adjusted for me, and will see what happens.
 
Todd
 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin
Cox
Sent: Tuesday, August 07, 2007 9:02 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] New PDF worm?


I whipped this up mid afternoon, and it's catching them for us.  An earlier
version this morning didn't catch the entire campaign.
 
 -
MINWEIGHTTOFAIL 23 
 
SKIPIFWEIGHT 250
 
REVDNS  END ENDSWITH .smarsh.com
 
HEADERS  10 CONTAINS X-Mailer: Microsoft Outlook Express 6.00.2900.3138
 
BODY  1 CONTAINS 
BODY  1 CONTAINS 
 
BODY  1 CONTAINS 
 
BODY  1 CONTAINS  
BODY  1 CONTAINS  
 
BODY  10 CONTAINS Content-Type: application/pdf;
-
 
My delete weight is 250, so I skip if it has already reached that weight.
 
Smarsh sends one of our customers a lot of PDFs, so I made sure their emails
wouldn't trigger this.
 
There are liable to be FPs, so I would weight this enough to hold, but not
to delete.

Darin.
 
 
- Original Message - 
From: Todd Richards   
To: declude.junkmail@declude.com 
Sent: Tuesday, August 07, 2007 9:39 PM
Subject: RE: [Declude.JunkMail] New PDF worm?

I received one right away too.  It did trigger, but with a weight of 5 it
wasn't enough to stop it from making it through.  On the flip side, you have
to be careful that you don't stop legitimate PDF files.  Kind of a tough
one...
 
Todd
 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 8:02 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?



It didn't work.

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Richards
Sent: Tuesday, August 07, 2007 6:39 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Thanks David.  We'll (ok, I'll) give it a whirl!

 

Todd

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:23 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Ok this should hold it over till I can look at it some more tomorrow.

 

David

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:45 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

This is not an easy one I will see what I can get done before I leave today.

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 5:25 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

David,

 

I just sent you a bunch of samples.  If you can update the filter before you
knock off for the day I'd appreciate it.  We've probably had 50 of them get
through already today.

 

Thanks,


Dave

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 4:03 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

>From reports today looks like the filter needs to be updated. Can you send
me some examples as attachments.

 

David B

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 3:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

I installed the filter below and we've had about 50 PDFs that came through
today.  Does the filter need to be revised or is there some other method I
should be looking into using?


Thanks!

 

Dave

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your
weights accordingly. Also ensure you are running Declude 4.3.46

 

BODY 3  PCRE
(JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)

BODY 5  PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+:
[^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+:
[^\r]+\r\n)*Content-Type: application/pdf;)

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie
LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

We've been suffering .pdf spam getting through the filter.  What settings
are you using that's identifying these as spam?

We're seeing an overall increase in spam getting through the filter the last
few weeks...

 

Thanks, 

Katie

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in

RE: [Declude.JunkMail] New PDF worm?

2007-08-07 Thread Dave Beckstrom

No, didn't trigger at all.

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 9:33 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Did it trigger at all?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 9:02 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

It didn't work.

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Richards
Sent: Tuesday, August 07, 2007 6:39 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Thanks David.  We'll (ok, I'll) give it a whirl!

Todd

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:23 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Ok this should hold it over till I can look at it some more tomorrow.

David

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:45 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

This is not an easy one I will see what I can get done before I leave today.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 5:25 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

David,

I just sent you a bunch of samples.  If you can update the filter before you
knock off for the day I'd appreciate it.  We've probably had 50 of them get
through already today.

Thanks,

Dave

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 4:03 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

>From reports today looks like the filter needs to be updated. Can you send
me some examples as attachments.

David B

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 3:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

I installed the filter below and we've had about 50 PDFs that came through
today.  Does the filter need to be revised or is there some other method I
should be looking into using?

Thanks!

Dave

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your
weights accordingly. Also ensure you are running Declude 4.3.46

BODY 3  PCRE
(JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)

BODY 5  PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+:
[^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+:
[^\r]+\r\n)*Content-Type: application/pdf;)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie
LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

We've been suffering .pdf spam getting through the filter.  What settings
are you using that's identifying these as spam?

We're seeing an overall increase in spam getting through the filter the last
few weeks...

Thanks, 

Katie

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not
triggering any AV yet, anyone else seeing this?

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-arch

RE: [Declude.JunkMail] New PDF worm?

2007-08-07 Thread David Barker

Did it trigger at all?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 9:02 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

It didn't work.

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Richards
Sent: Tuesday, August 07, 2007 6:39 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Thanks David.  We'll (ok, I'll) give it a whirl!

Todd

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:23 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Ok this should hold it over till I can look at it some more tomorrow.

David

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:45 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

This is not an easy one I will see what I can get done before I leave today.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 5:25 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

David,

I just sent you a bunch of samples.  If you can update the filter before you
knock off for the day I'd appreciate it.  We've probably had 50 of them get
through already today.

Thanks,

Dave

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 4:03 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

>From reports today looks like the filter needs to be updated. Can you send
me some examples as attachments.

David B

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 3:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

I installed the filter below and we've had about 50 PDFs that came through
today.  Does the filter need to be revised or is there some other method I
should be looking into using?

Thanks!

Dave

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your
weights accordingly. Also ensure you are running Declude 4.3.46

BODY 3  PCRE
(JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)

BODY 5  PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+:
[^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+:
[^\r]+\r\n)*Content-Type: application/pdf;)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie
LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

We've been suffering .pdf spam getting through the filter.  What settings
are you using that's identifying these as spam?

We're seeing an overall increase in spam getting through the filter the last
few weeks...

Thanks, 

Katie

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not
triggering any AV yet, anyone else seeing this?

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 

---
This

RE: [Declude.JunkMail] New PDF worm?

2007-08-07 Thread David Barker

 

1.   Can you send the one that did not trigger?

2.   If it did trigger the idea is to give the filter a base value ie.

 

SPAM-PDF  filter  path\SPAM-PDF.txtx  8
0

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Richards
Sent: Tuesday, August 07, 2007 9:39 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

I received one right away too.  It did trigger, but with a weight of 5 it
wasn't enough to stop it from making it through.  On the flip side, you have
to be careful that you don't stop legitimate PDF files.  Kind of a tough
one...

 

Todd

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 8:02 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

It didn't work.

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Richards
Sent: Tuesday, August 07, 2007 6:39 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Thanks David.  We'll (ok, I'll) give it a whirl!

 

Todd

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:23 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Ok this should hold it over till I can look at it some more tomorrow.

 

David

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:45 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

This is not an easy one I will see what I can get done before I leave today.

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 5:25 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

David,

 

I just sent you a bunch of samples.  If you can update the filter before you
knock off for the day I'd appreciate it.  We've probably had 50 of them get
through already today.

 

Thanks,


Dave

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 4:03 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

>From reports today looks like the filter needs to be updated. Can you send
me some examples as attachments.

 

David B

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 3:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

I installed the filter below and we've had about 50 PDFs that came through
today.  Does the filter need to be revised or is there some other method I
should be looking into using?


Thanks!

 

Dave

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your
weights accordingly. Also ensure you are running Declude 4.3.46

 

BODY 3  PCRE
(JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)

BODY 5  PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+:
[^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+:
[^\r]+\r\n)*Content-Type: application/pdf;)

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie
LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

We've been suffering .pdf spam getting through the filter.  What settings
are you using that's identifying these as spam?

We're seeing an overall increase in spam getting through the filter the last
few weeks...

 

Thanks, 

Katie

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not
triggering any AV yet, anyone else seeing this?

 

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 
---
This E-mail came from the

Re: [Declude.JunkMail] New PDF worm?

2007-08-07 Thread Darin Cox

I whipped this up mid afternoon, and it's catching them for us.  An earlier 
version this morning didn't catch the entire campaign.

 -
MINWEIGHTTOFAIL 23

SKIPIFWEIGHT 250

REVDNS  END ENDSWITH .smarsh.com

HEADERS  10 CONTAINS X-Mailer: Microsoft Outlook Express 6.00.2900.3138

BODY  1 CONTAINS 
BODY  1 CONTAINS 

BODY  1 CONTAINS 

BODY  1 CONTAINS  
BODY  1 CONTAINS  

BODY  10 CONTAINS Content-Type: application/pdf;
-

My delete weight is 250, so I skip if it has already reached that weight.

Smarsh sends one of our customers a lot of PDFs, so I made sure their emails 
wouldn't trigger this.

There are liable to be FPs, so I would weight this enough to hold, but not to 
delete.

Darin.


- Original Message - 
From: Todd Richards 
To: declude.junkmail@declude.com 
Sent: Tuesday, August 07, 2007 9:39 PM
Subject: RE: [Declude.JunkMail] New PDF worm?


I received one right away too.  It did trigger, but with a weight of 5 it 
wasn't enough to stop it from making it through.  On the flip side, you have to 
be careful that you don't stop legitimate PDF files.  Kind of a tough one...

Todd





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Tuesday, August 07, 2007 8:02 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?


It didn't work.

 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards
Sent: Tuesday, August 07, 2007 6:39 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Thanks David.  We'll (ok, I'll) give it a whirl!

 

Todd

 

 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, August 07, 2007 6:23 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Ok this should hold it over till I can look at it some more tomorrow.

 

David

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, August 07, 2007 6:45 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

This is not an easy one I will see what I can get done before I leave today.

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Tuesday, August 07, 2007 5:25 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

David,

 

I just sent you a bunch of samples.  If you can update the filter before you 
knock off for the day I'd appreciate it.  We've probably had 50 of them get 
through already today.

 

Thanks,


Dave

 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, August 07, 2007 4:03 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

>From reports today looks like the filter needs to be updated. Can you send me 
>some examples as attachments.

 

David B

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Tuesday, August 07, 2007 3:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

I installed the filter below and we've had about 50 PDFs that came through 
today.  Does the filter need to be revised or is there some other method I 
should be looking into using?


Thanks!

 

Dave

 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your 
weights accordingly. Also ensure you are running Declude 4.3.46

 

BODY 3  PCRE 
(JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)

BODY 5  PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+: 
[^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: 
application/pdf;)

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie 
LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

We've been suffering .pdf spam getting through the filter.  What settings are 
you using that's identifying these as spam?

We're seeing an overall increase in spam getting through the filter the last 
few weeks...

 

Thanks, 

Katie

 

 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SJ.Stanaitis
Sent: Wednesday, June 27,

RE: [Declude.JunkMail] New PDF worm?

2007-08-07 Thread Todd Richards

I received one right away too.  It did trigger, but with a weight of 5 it
wasn't enough to stop it from making it through.  On the flip side, you have
to be careful that you don't stop legitimate PDF files.  Kind of a tough
one...
 
Todd
 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 8:02 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?



It didn't work.

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Richards
Sent: Tuesday, August 07, 2007 6:39 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Thanks David.  We'll (ok, I'll) give it a whirl!

 

Todd

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:23 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Ok this should hold it over till I can look at it some more tomorrow.

 

David

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:45 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

This is not an easy one I will see what I can get done before I leave today.

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 5:25 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

David,

 

I just sent you a bunch of samples.  If you can update the filter before you
knock off for the day I'd appreciate it.  We've probably had 50 of them get
through already today.

 

Thanks,


Dave

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 4:03 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

>From reports today looks like the filter needs to be updated. Can you send
me some examples as attachments.

 

David B

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 3:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

I installed the filter below and we've had about 50 PDFs that came through
today.  Does the filter need to be revised or is there some other method I
should be looking into using?


Thanks!

 

Dave

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your
weights accordingly. Also ensure you are running Declude 4.3.46

 

BODY 3  PCRE
(JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)

BODY 5  PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+:
[^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+:
[^\r]+\r\n)*Content-Type: application/pdf;)

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie
LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

We've been suffering .pdf spam getting through the filter.  What settings
are you using that's identifying these as spam?

We're seeing an overall increase in spam getting through the filter the last
few weeks...

 

Thanks, 

Katie

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not
triggering any AV yet, anyone else seeing this?

 

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 
---
Th

RE: [Declude.JunkMail] New PDF worm?

2007-08-07 Thread Dave Beckstrom

It didn't work.

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Richards
Sent: Tuesday, August 07, 2007 6:39 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Thanks David.  We'll (ok, I'll) give it a whirl!

Todd

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:23 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Ok this should hold it over till I can look at it some more tomorrow.

David

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:45 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

This is not an easy one I will see what I can get done before I leave today.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 5:25 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

David,

I just sent you a bunch of samples.  If you can update the filter before you
knock off for the day I'd appreciate it.  We've probably had 50 of them get
through already today.

Thanks,

Dave

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 4:03 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

>From reports today looks like the filter needs to be updated. Can you send
me some examples as attachments.

David B

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 3:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

I installed the filter below and we've had about 50 PDFs that came through
today.  Does the filter need to be revised or is there some other method I
should be looking into using?

Thanks!

Dave

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your
weights accordingly. Also ensure you are running Declude 4.3.46

BODY 3  PCRE
(JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)

BODY 5  PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+:
[^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+:
[^\r]+\r\n)*Content-Type: application/pdf;)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie
LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

We've been suffering .pdf spam getting through the filter.  What settings
are you using that's identifying these as spam?

We're seeing an overall increase in spam getting through the filter the last
few weeks...

Thanks, 

Katie

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not
triggering any AV yet, anyone else seeing this?

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 

---
This E-mail

RE: [Declude.JunkMail] New PDF worm?

2007-08-07 Thread Todd Richards

Thanks David.  We'll (ok, I'll) give it a whirl!
 
Todd
 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:23 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?



Ok this should hold it over till I can look at it some more tomorrow.

 

David

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:45 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

This is not an easy one I will see what I can get done before I leave today.

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 5:25 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

David,

 

I just sent you a bunch of samples.  If you can update the filter before you
knock off for the day I'd appreciate it.  We've probably had 50 of them get
through already today.

 

Thanks,


Dave

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 4:03 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

>From reports today looks like the filter needs to be updated. Can you send
me some examples as attachments.

 

David B

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 3:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

I installed the filter below and we've had about 50 PDFs that came through
today.  Does the filter need to be revised or is there some other method I
should be looking into using?


Thanks!

 

Dave

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your
weights accordingly. Also ensure you are running Declude 4.3.46

 

BODY 3  PCRE
(JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)

BODY 5  PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+:
[^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+:
[^\r]+\r\n)*Content-Type: application/pdf;)

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie
LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

We've been suffering .pdf spam getting through the filter.  What settings
are you using that's identifying these as spam?

We're seeing an overall increase in spam getting through the filter the last
few weeks...

 

Thanks, 

Katie

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not
triggering any AV yet, anyone else seeing this?

 

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 


---
This E-mail came from th

RE: [Declude.JunkMail] New PDF worm?

2007-08-07 Thread Dave Beckstrom

Thanks.  I'll give it a try.

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:23 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Ok this should hold it over till I can look at it some more tomorrow.

David

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:45 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

This is not an easy one I will see what I can get done before I leave today.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 5:25 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

David,

I just sent you a bunch of samples.  If you can update the filter before you
knock off for the day I'd appreciate it.  We've probably had 50 of them get
through already today.

Thanks,

Dave

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 4:03 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

>From reports today looks like the filter needs to be updated. Can you send
me some examples as attachments.

David B

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 3:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

I installed the filter below and we've had about 50 PDFs that came through
today.  Does the filter need to be revised or is there some other method I
should be looking into using?

Thanks!

Dave

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your
weights accordingly. Also ensure you are running Declude 4.3.46

BODY 3  PCRE
(JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)

BODY 5  PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+:
[^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+:
[^\r]+\r\n)*Content-Type: application/pdf;)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie
LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

We've been suffering .pdf spam getting through the filter.  What settings
are you using that's identifying these as spam?

We're seeing an overall increase in spam getting through the filter the last
few weeks...

Thanks, 

Katie

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not
triggering any AV yet, anyone else seeing this?

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.

---
This E-mail came from the Declude.JunkMail mailing

RE: [Declude.JunkMail] New PDF worm?

2007-08-07 Thread David Barker

Ok this should hold it over till I can look at it some more tomorrow.

 

David

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:45 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

This is not an easy one I will see what I can get done before I leave today.

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 5:25 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

David,

 

I just sent you a bunch of samples.  If you can update the filter before you
knock off for the day I'd appreciate it.  We've probably had 50 of them get
through already today.

 

Thanks,


Dave

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 4:03 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

>From reports today looks like the filter needs to be updated. Can you send
me some examples as attachments.

 

David B

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 3:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

I installed the filter below and we've had about 50 PDFs that came through
today.  Does the filter need to be revised or is there some other method I
should be looking into using?


Thanks!

 

Dave

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your
weights accordingly. Also ensure you are running Declude 4.3.46

 

BODY 3  PCRE
(JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)

BODY 5  PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+:
[^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+:
[^\r]+\r\n)*Content-Type: application/pdf;)

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie
LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

We've been suffering .pdf spam getting through the filter.  What settings
are you using that's identifying these as spam?

We're seeing an overall increase in spam getting through the filter the last
few weeks...

 

Thanks, 

Katie

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not
triggering any AV yet, anyone else seeing this?

 

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.MINWEIGHTTOFAIL 5

BODYEND NOTCONTAINS application/pdf;

BODY5   PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+: 
[^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: 
application/pdf;)
BODY5   PCRE ((?<=attachments are 
handled.).*Content-Type: application

RE: [Declude.JunkMail] New PDF worm?

2007-08-07 Thread David Barker

This is not an easy one I will see what I can get done before I leave today.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 5:25 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

David,

I just sent you a bunch of samples.  If you can update the filter before you
knock off for the day I'd appreciate it.  We've probably had 50 of them get
through already today.

Thanks,

Dave

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 4:03 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

>From reports today looks like the filter needs to be updated. Can you send
me some examples as attachments.

David B

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 3:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

I installed the filter below and we've had about 50 PDFs that came through
today.  Does the filter need to be revised or is there some other method I
should be looking into using?

Thanks!

Dave

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your
weights accordingly. Also ensure you are running Declude 4.3.46

BODY 3  PCRE
(JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)

BODY 5  PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+:
[^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+:
[^\r]+\r\n)*Content-Type: application/pdf;)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie
LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

We've been suffering .pdf spam getting through the filter.  What settings
are you using that's identifying these as spam?

We're seeing an overall increase in spam getting through the filter the last
few weeks...

Thanks, 

Katie

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not
triggering any AV yet, anyone else seeing this?

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] New PDF worm?

2007-08-07 Thread Todd Richards

David -
 
I sent you about 10 off-list.
 
Todd
 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 4:03 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?



>From reports today looks like the filter needs to be updated. Can you send
me some examples as attachments.

 

David B

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 3:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

I installed the filter below and we've had about 50 PDFs that came through
today.  Does the filter need to be revised or is there some other method I
should be looking into using?


Thanks!

 

Dave

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your
weights accordingly. Also ensure you are running Declude 4.3.46

 

BODY 3  PCRE
(JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)

BODY 5  PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+:
[^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+:
[^\r]+\r\n)*Content-Type: application/pdf;)

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie
LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

We've been suffering .pdf spam getting through the filter.  What settings
are you using that's identifying these as spam?

We're seeing an overall increase in spam getting through the filter the last
few weeks...

 

Thanks, 

Katie

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not
triggering any AV yet, anyone else seeing this?

 

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] New PDF worm?

2007-08-07 Thread Dave Beckstrom

David,

 

I just sent you a bunch of samples.  If you can update the filter before you
knock off for the day I'd appreciate it.  We've probably had 50 of them get
through already today.

 

Thanks,


Dave

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 4:03 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

>From reports today looks like the filter needs to be updated. Can you send
me some examples as attachments.

 

David B

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 3:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

I installed the filter below and we've had about 50 PDFs that came through
today.  Does the filter need to be revised or is there some other method I
should be looking into using?


Thanks!

 

Dave

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your
weights accordingly. Also ensure you are running Declude 4.3.46

 

BODY 3  PCRE
(JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)

BODY 5  PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+:
[^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+:
[^\r]+\r\n)*Content-Type: application/pdf;)

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie
LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

We've been suffering .pdf spam getting through the filter.  What settings
are you using that's identifying these as spam?

We're seeing an overall increase in spam getting through the filter the last
few weeks...

 

Thanks, 

Katie

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not
triggering any AV yet, anyone else seeing this?

 

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] New PDF worm?

2007-08-07 Thread David Barker

>From reports today looks like the filter needs to be updated. Can you send
me some examples as attachments.

 

David B

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 3:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

I installed the filter below and we've had about 50 PDFs that came through
today.  Does the filter need to be revised or is there some other method I
should be looking into using?


Thanks!

 

Dave

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your
weights accordingly. Also ensure you are running Declude 4.3.46

 

BODY 3  PCRE
(JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)

BODY 5  PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+:
[^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+:
[^\r]+\r\n)*Content-Type: application/pdf;)

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie
LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

We've been suffering .pdf spam getting through the filter.  What settings
are you using that's identifying these as spam?

We're seeing an overall increase in spam getting through the filter the last
few weeks...

 

Thanks, 

Katie

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not
triggering any AV yet, anyone else seeing this?

 

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] New PDF worm?

2007-08-07 Thread Dave Beckstrom

I installed the filter below and we've had about 50 PDFs that came through
today.  Does the filter need to be revised or is there some other method I
should be looking into using?


Thanks!

 

Dave

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your
weights accordingly. Also ensure you are running Declude 4.3.46

 

BODY 3  PCRE
(JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)

BODY 5  PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+:
[^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+:
[^\r]+\r\n)*Content-Type: application/pdf;)

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie
LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

We've been suffering .pdf spam getting through the filter.  What settings
are you using that's identifying these as spam?

We're seeing an overall increase in spam getting through the filter the last
few weeks...

 

Thanks, 

Katie

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not
triggering any AV yet, anyone else seeing this?

 

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] Decludeproc Problems - Resolved

2007-08-07 Thread Todd Richards


Good morning everyone -

As you may remember, I had a major problem with the decludeproc service
crashing on my server over the weekend.  I posted yesterday that, with
Linda's help, we figured out the problem.  I had a request off-list that I
reveal the solution in case others came across the same thing.

It turned out that one of my filters was causing the issue.  With Linda's
help, we went through the global.cfg file and commented out most of "my"
filters until decludeproc wouldn't crash anymore (for the rookies out there
like me, the \imail\proc\review folder started to fill up when the service
crashed).  We had an idea of which filter it was, so once we had the service
running ok, we would uncomment the filter in the global.cfg file.  Sure
enough, it crashed again.  With it "out of the picture", decludeproc would
run fine.

I then went through and slowly uncommented the filters we thought were ok,
checking the service each time.  Linda thought the problem might be the
result of my novice attempts at using regular expressions (PCRE) in my
filters.  After I had confirmed it was the filter we suspected, I went
through and commented out the last several PCRE lines I had added.  With
that, I could once again turn the filter on and decludeproc would run fine.

So I have narrowed it down to a few possible PCRE entries that were causing
the issue.  When I have some time in the next few days, I will probably work
with each entry to figure out exactly which one it is.  

I thought I was starting to get the hang of the PCRE expressions.  However,
the decludeproc service has "slapped" me back to reality.  At least now I
realize that I need to be more careful when adding these entries, and what
the result is if I'm not!

Todd



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] New PDF worm?

RE: [Declude.JunkMail] New PDF worm?

RE: [Declude.JunkMail] New PDF worm?

RE: [Declude.JunkMail] New PDF worm?

Re: [Declude.JunkMail] New PDF worm?

RE: [Declude.JunkMail] New PDF worm?

RE: [Declude.JunkMail] New PDF worm?

RE: [Declude.JunkMail] New PDF worm?

RE: [Declude.JunkMail] New PDF worm?

RE: [Declude.JunkMail] New PDF worm?

RE: [Declude.JunkMail] New PDF worm?

RE: [Declude.JunkMail] New PDF worm?

RE: [Declude.JunkMail] New PDF worm?

RE: [Declude.JunkMail] New PDF worm?

RE: [Declude.JunkMail] New PDF worm?

[Declude.JunkMail] Decludeproc Problems - Resolved

16 matches

Site Navigation

Mail list logo

Footer information