Any more revisions to this filter?
Tuesday, August 7, 2007, 9:34:43 PM, David Barker [EMAIL PROTECTED] wrote:
1. Can you send the one that did not trigger?
2. If it did trigger the idea is to give the filter a base value ie.
SPAM-PDF filter path\SPAM-PDF.txtx 8
: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?
Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your
weights accordingly. Also ensure you are running Declude 4.3.46
BODY 3 PCRE
Of David
Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?
Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your
weights accordingly. Also ensure you are running Declude 4.3.46
BODY 3
Sent: Tuesday, August 07, 2007 4:03 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?
From reports today looks like the filter needs to be updated. Can you send
me some examples as attachments.
David B
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED
David -
I sent you about 10 off-list.
Todd
_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 4:03 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?
From reports today looks like the filter
This is not an easy one I will see what I can get done before I leave today.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 5:25 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?
David,
I just
Ok this should hold it over till I can look at it some more tomorrow.
David
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:45 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm
Thanks. I'll give it a try.
_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:23 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?
Ok this should hold it over till I can look at it some
Thanks David. We'll (ok, I'll) give it a whirl!
Todd
_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:23 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?
Ok this should hold it over
It didn't work.
_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Richards
Sent: Tuesday, August 07, 2007 6:39 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?
Thanks David. We'll (ok, I'll) give it a whirl!
Todd
PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 8:02 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?
It didn't work.
_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Richards
Sent: Tuesday, August 07, 2007 6:39 PM
this.
There are liable to be FPs, so I would weight this enough to hold, but not to
delete.
Darin.
- Original Message -
From: Todd Richards
To: declude.junkmail@declude.com
Sent: Tuesday, August 07, 2007 9:39 PM
Subject: RE: [Declude.JunkMail] New PDF worm?
I received one right away too. It did
: Tuesday, August 07, 2007 9:39 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?
I received one right away too. It did trigger, but with a weight of 5 it
wasn't enough to stop it from making it through. On the flip side, you have
to be careful that you don't stop
Did it trigger at all?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 9:02 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?
It didn't work.
_
From: [EMAIL PROTECTED] [mailto:[EMAIL
No, didn't trigger at all.
_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 9:33 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?
Did it trigger at all?
From: [EMAIL PROTECTED] [mailto
Thanks Darin. I have adjusted for me, and will see what happens.
Todd
_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin
Cox
Sent: Tuesday, August 07, 2007 9:02 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] New PDF worm?
I whipped this up
We've been suffering .pdf spam getting through the filter. What settings
are you using that's identifying these as spam?
We're seeing an overall increase in spam getting through the filter the last
few weeks...
Thanks,
Katie
_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+:
[^\r]+\r\n)*Content-Type: application/pdf;)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie
LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?
We've been
\-]+:
[^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+:
[^\r]+\r\n)*Content-Type: application/pdf;)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie
LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm
1:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?
Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your
weights accordingly. Also ensure you are running Declude 4.3.46
BODY 3 PCRE
PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jim
Comerford
Sent: Monday, July 02, 2007 2:05 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?
Could someone explain further how this filter works and what it is doing...
it is adding weight to all PDF's
Yep.
Darin.
- Original Message -
From: SJ.Stanaitis
To: declude.junkmail@declude.com
Sent: Wednesday, June 27, 2007 11:17 AM
Subject: [Declude.JunkMail] New PDF worm?
I'm getting gobs of PDF's snagged in my antispam filter, they're not triggering
any AV yet, anyone else seeing
Yes I am seeing the same thing although when I run the pdf through a virus
check it comes up clean. I opened one of the files and it was just stock
spam. If anyone is running the
CB-ATTACH.txt filter I would suggest commenting out this line for now.
#BODY -10 PCRE
SJ, they're not viruses, they're spam sent from zombies.
Probably pump and dump stock spam, and if they're like what I've been
seeing, they have the same anti-OCR techniques that were previously sent
as jpg.
http://www.mail-archive.com/[EMAIL PROTECTED]/msg03447.html
and:
SJ,
Andrew posted a blurb from SANS a couple of days ago.
Pump and dump scams now in PDF
Published: 2007-06-20,
Last Updated: 2007-06-20 21:33:39 UTC
by Maarten Van Horenbeeck (Version: 1)
Apparently the groups behind what we know as pump and dump spam have
found a new way to bypass spam
Hi David,
What's the CB-ATTACH.txt filter?
Darin.
- Original Message -
From: David Barker
To: declude.junkmail@declude.com
Sent: Wednesday, June 27, 2007 11:24 AM
Subject: RE: [Declude.JunkMail] New PDF worm?
Yes I am seeing the same thing although when I run the pdf through
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] New PDF worm?
Hi David,
What's the CB-ATTACH.txt filter?
Darin.
- Original Message -
From: David Barker mailto:[EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Wednesday, June 27, 2007 11:24 AM
Subject: RE
: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of David Barker
Sent: Wednesday, June 27, 2007 8:24 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?
Yes I am seeing the same thing although when I run the pdf
through a virus
Great idea.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck,
Andrew
Sent: Wednesday, June 27, 2007 12:40 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?
I'll suggest an alternative to this.
If you're using the CB-ATTACH filter
29 matches
Mail list logo
