Re: [Declude.JunkMail] New PDF worm?

2007-08-09 Thread Don Brown




Any more revisions to this filter?


Tuesday, August 7, 2007, 9:34:43 PM, David Barker [EMAIL PROTECTED] wrote:







1.   Can you send the one that did not trigger?
2.   If it did trigger the idea is to give the filter a base value, i.e.

SPAM-PDF filter   path\SPAM-PDF.txt   x   8   0

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards
Sent: Tuesday, August 07, 2007 9:39 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

I received one right away too. It did trigger, but with a weight of 5 it wasn't enough to stop it from making it through. On the flip side, you have to be careful that you don't stop legitimate PDF files. Kind of a tough one...

Todd



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Tuesday, August 07, 2007 8:02 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

It didn't work.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards
Sent: Tuesday, August 07, 2007 6:39 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Thanks David. We'll (ok, I'll) give it a whirl!

Todd



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, August 07, 2007 6:23 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Ok this should hold it over till I can look at it some more tomorrow.

David

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, August 07, 2007 6:45 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

This is not an easy one I will see what I can get done before I leave today.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Tuesday, August 07, 2007 5:25 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

David,

I just sent you a bunch of samples. If you can update the filter before you knock off for the day I'd appreciate it. We've probably had 50 of them get through already today.

Thanks,

Dave


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, August 07, 2007 4:03 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

From reports today looks like the filter needs to be updated. Can you send me some examples as attachments.

David B

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Tuesday, August 07, 2007 3:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

I installed the filter below and we've had about 50 PDFs that came through today. Does the filter need to be revised or is there some other method I should be looking into using?

Thanks!

Dave


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your weights accordingly. Also ensure you are running Declude 4.3.46

BODY   3   PCRE (JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)
BODY   5   PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

We've been suffering .pdf spam getting through the filter. What settings are you using that's identifying these as spam?
We're seeing an overall increase in spam getting through the filter the last few weeks...

Thanks,
Katie



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDFs snagged in my antispam filter, they're not triggering any AV yet, anyone else seeing this?

SJ.Stanaitis - Network Administrator
Decorative Product Source, Inc.

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
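
An added example, not part of the thread and not Declude code: the two FILTER-PDF.txt rules quoted above, run with Python's `re` over constructed MIME bodies to show what each rule actually pins. Assumptions: the rules are applied to the raw CRLF body and matching weights add up; the sample PDF headers, boundaries and helper names are constructed for illustration.

```python
import base64
import re

# Rules copied verbatim from the FILTER-PDF.txt lines in the thread: (weight, PCRE).
RULES = [
    (3, r"(JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)"),
    (5, r"(-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}"
        r"-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;)"),
]

# Constructed PDF openings (not taken from any real sample).
PDF_13_HEAD = b"%PDF-1.3 \n1 0 obj\n<<\n>>\nendobj\n2 0 obj\n<<\n>>\nendobj\n"
PDF_14_HEAD = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"


def pinned_bytes():
    """Decode the base64 literal in rule 1 to see which PDF bytes it pins."""
    literal = RULES[0][1].strip("()")
    padded = literal + "=" * (-len(literal) % 4)
    return base64.b64decode(padded)


def build_body(pdf_bytes, text="", boundary="------------010203040506"):
    """Constructed multipart body with CRLF line ends: a text part, then a PDF part."""
    b64 = base64.encodebytes(pdf_bytes).decode("ascii").replace("\n", "\r\n")
    text_part = (
        f"--{boundary}\r\n"
        "Content-Type: text/plain; charset=us-ascii\r\n"
        "Content-Transfer-Encoding: 7bit\r\n"
        "\r\n"
        f"{text}\r\n"
    )
    pdf_part = (
        f"--{boundary}\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Type: application/pdf; name="doc.pdf"\r\n'
        "\r\n"
        f"{b64}"
        f"--{boundary}--\r\n"
    )
    return text_part + pdf_part


def score(body):
    """Return (total weight, weights of matching rules); additive scoring is assumed."""
    hits = [weight for weight, pattern in RULES if re.search(pattern, body)]
    return sum(hits), hits


SAMPLES = {
    # Empty text part, digit-terminated boundary, PDF opening equal to the pinned bytes.
    "empty text part, pinned 1.3 header": build_body(PDF_13_HEAD),
    # Same MIME shape, but the PDF opening differs, so the base64 prefix differs too.
    "empty text part, different PDF header": build_body(PDF_14_HEAD),
    # Ordinary mail: the text between the blank line and the next boundary breaks rule 2.
    "text part plus PDF": build_body(PDF_14_HEAD, text="Invoice attached."),
    # Rule 2 needs a boundary line made of dashes followed by digits.
    "empty text part, non-numeric boundary": build_body(PDF_13_HEAD, boundary="=_NextPart_abc"),
}

if __name__ == "__main__":
    print("rule 1 pins:", pinned_bytes())
    for name, body in SAMPLES.items():
        total, hits = score(body)
        print(f"{name:40s} weight={total} rules={hits}")
```

A sample whose PDF opening differs from the pinned bytes scores only the 5 from the structural rule, the same weight reported in the thread as too low to stop the message; the ordinary mail with a text part scores 0.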


RE: [Declude.JunkMail] New PDF worm?

2007-08-07 Thread Dave Beckstrom
I installed the filter below and we've had about 50 PDFs that came through
today.  Does the filter need to be revised or is there some other method I
should be looking into using?


Thanks!

 

Dave

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your
weights accordingly. Also ensure you are running Declude 4.3.46

 

BODY 3  PCRE (JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)

BODY 5  PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;)

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie
LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

We've been suffering .pdf spam getting through the filter.  What settings
are you using that's identifying these as spam?

We're seeing an overall increase in spam getting through the filter the last
few weeks...

 

Thanks, 

Katie

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not
triggering any AV yet, anyone else seeing this?

 

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.



RE: [Declude.JunkMail] New PDF worm?

2007-08-07 Thread David Barker
From reports today looks like the filter needs to be updated. Can you send
me some examples as attachments.

 

David B

RE: [Declude.JunkMail] New PDF worm?

2007-08-07 Thread Dave Beckstrom
David,

 

I just sent you a bunch of samples.  If you can update the filter before you
knock off for the day I'd appreciate it.  We've probably had 50 of them get
through already today.

 

Thanks,


Dave

RE: [Declude.JunkMail] New PDF worm?

2007-08-07 Thread Todd Richards
David -
 
I sent you about 10 off-list.
 
Todd

RE: [Declude.JunkMail] New PDF worm?

2007-08-07 Thread David Barker
This is not an easy one I will see what I can get done before I leave today.

RE: [Declude.JunkMail] New PDF worm?

2007-08-07 Thread David Barker
Ok this should hold it over till I can look at it some more tomorrow.

 

David

MINWEIGHTTOFAIL 5

BODY END NOTCONTAINS application/pdf;

BODY 5   PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;)
BODY 5   PCRE ((?=attachments are handled./BODY/HTML).*Content-Type: application/pdf

RE: [Declude.JunkMail] New PDF worm?

2007-08-07 Thread Dave Beckstrom
Thanks.  I'll give it a try.

RE: [Declude.JunkMail] New PDF worm?

2007-08-07 Thread Todd Richards
Thanks David.  We'll (ok, I'll) give it a whirl!
 
Todd
 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:23 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?



Ok this should hold it over till I can look at it some more tomorrow.

 

David

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:45 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

This is not an easy one I will see what I can get done before I leave today.

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 5:25 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

David,

 

I just sent you a bunch of samples.  If you can update the filter before you
knock off for the day I'd appreciate it.  We've probably had 50 of them get
through already today.

 

Thanks,


Dave

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 4:03 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

From reports today looks like the filter needs to be updated. Can you send
me some examples as attachments.

 

David B

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 3:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

I installed the filter below and we've had about 50 PDFs that came through
today.  Does the filter need to be revised or is there some other method I
should be looking into using?


Thanks!

 

Dave

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your
weights accordingly. Also ensure you are running Declude 4.3.46

 

BODY 3  PCRE (JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)

BODY 5  PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;)

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie
LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

We've been suffering .pdf spam getting through the filter.  What settings
are you using that's identifying these as spam?

We're seeing an overall increase in spam getting through the filter the last
few weeks...

 

Thanks, 

Katie

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not
triggering any AV yet, anyone else seeing this?

 

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.



RE: [Declude.JunkMail] New PDF worm?

2007-08-07 Thread Dave Beckstrom
It didn't work.

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Richards
Sent: Tuesday, August 07, 2007 6:39 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Thanks David.  We'll (ok, I'll) give it a whirl!

 

Todd

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:23 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Ok this should hold it over till I can look at it some more tomorrow.

 

David

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:45 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

This is not an easy one I will see what I can get done before I leave today.

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 5:25 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

David,

 

I just sent you a bunch of samples.  If you can update the filter before you
knock off for the day I'd appreciate it.  We've probably had 50 of them get
through already today.

 

Thanks,


Dave

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 4:03 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

From reports today looks like the filter needs to be updated. Can you send
me some examples as attachments.

 

David B

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 3:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

I installed the filter below and we've had about 50 PDFs that came through
today.  Does the filter need to be revised or is there some other method I
should be looking into using?


Thanks!

 

Dave

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your
weights accordingly. Also ensure you are running Declude 4.3.46

 

BODY 3  PCRE (JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)

BODY 5  PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;)

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie
LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

We've been suffering .pdf spam getting through the filter.  What settings
are you using that's identifying these as spam?

We're seeing an overall increase in spam getting through the filter the last
few weeks...

 

Thanks, 

Katie

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not
triggering any AV yet, anyone else seeing this?

 

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.



RE: [Declude.JunkMail] New PDF worm?

2007-08-07 Thread Todd Richards
I received one right away too.  It did trigger, but with a weight of 5 it
wasn't enough to stop it from making it through.  On the flip side, you have
to be careful that you don't stop legitimate PDF files.  Kind of a tough
one...
 
Todd
 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 8:02 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?



It didn't work.

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Richards
Sent: Tuesday, August 07, 2007 6:39 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Thanks David.  We'll (ok, I'll) give it a whirl!

 

Todd

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:23 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Ok this should hold it over till I can look at it some more tomorrow.

 

David

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:45 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

This is not an easy one I will see what I can get done before I leave today.

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 5:25 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

David,

 

I just sent you a bunch of samples.  If you can update the filter before you
knock off for the day I'd appreciate it.  We've probably had 50 of them get
through already today.

 

Thanks,


Dave

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 4:03 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

From reports today looks like the filter needs to be updated. Can you send
me some examples as attachments.

 

David B

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 3:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

I installed the filter below and we've had about 50 PDFs that came through
today.  Does the filter need to be revised or is there some other method I
should be looking into using?


Thanks!

 

Dave

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your
weights accordingly. Also ensure you are running Declude 4.3.46

 

BODY 3  PCRE (JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)

BODY 5  PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;)

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie
LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

We've been suffering .pdf spam getting through the filter.  What settings
are you using that's identifying these as spam?

We're seeing an overall increase in spam getting through the filter the last
few weeks...

 

Thanks, 

Katie

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not
triggering any AV yet, anyone else seeing this?

 

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.



Re: [Declude.JunkMail] New PDF worm?

2007-08-07 Thread Darin Cox
I whipped this up mid afternoon, and it's catching them for us.  An earlier 
version this morning didn't catch the entire campaign.

 -
MINWEIGHTTOFAIL 23

SKIPIFWEIGHT 250

REVDNS  END ENDSWITH .smarsh.com

HEADERS  10 CONTAINS X-Mailer: Microsoft Outlook Express 6.00.2900.3138

BODY  1 CONTAINS META content=3DMSHTML 6.00.2900.3132 name=3DGENERATOR
BODY  1 CONTAINS META content=MSHTML 6.00.2900.3132 name=GENERATOR

BODY  1 CONTAINS STYLE/STYLE

BODY  1 CONTAINS DIVFONT face=3DArial size=3D2/FONTnbsp;/DIV/BODY/HTML
BODY  1 CONTAINS DIVFONT face=Arial size=2/FONTnbsp;/DIV/BODY/HTML

BODY  10 CONTAINS Content-Type: application/pdf;
-

My delete weight is 250, so I skip if it has already reached that weight.

Smarsh sends one of our customers a lot of PDFs, so I made sure their emails 
wouldn't trigger this.

There are liable to be FPs, so I would weight this enough to hold, but not to 
delete.

Darin.


- Original Message - 
From: Todd Richards 
To: declude.junkmail@declude.com 
Sent: Tuesday, August 07, 2007 9:39 PM
Subject: RE: [Declude.JunkMail] New PDF worm?


I received one right away too.  It did trigger, but with a weight of 5 it 
wasn't enough to stop it from making it through.  On the flip side, you have to 
be careful that you don't stop legitimate PDF files.  Kind of a tough one...

Todd





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Tuesday, August 07, 2007 8:02 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?


It didn't work.

 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards
Sent: Tuesday, August 07, 2007 6:39 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Thanks David.  We'll (ok, I'll) give it a whirl!

 

Todd

 

 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, August 07, 2007 6:23 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Ok this should hold it over till I can look at it some more tomorrow.

 

David

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, August 07, 2007 6:45 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

This is not an easy one I will see what I can get done before I leave today.

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Tuesday, August 07, 2007 5:25 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

David,

 

I just sent you a bunch of samples.  If you can update the filter before you 
knock off for the day I'd appreciate it.  We've probably had 50 of them get 
through already today.

 

Thanks,


Dave

 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, August 07, 2007 4:03 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

From reports today looks like the filter needs to be updated. Can you send me 
some examples as attachments.

 

David B

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Tuesday, August 07, 2007 3:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

I installed the filter below and we've had about 50 PDFs that came through 
today.  Does the filter need to be revised or is there some other method I 
should be looking into using?


Thanks!

 

Dave

 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your 
weights accordingly. Also ensure you are running Declude 4.3.46

 

BODY 3  PCRE (JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)

BODY 5  PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;)

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie 
LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

We've been suffering .pdf spam getting through the filter.  What settings are 
you using that's identifying these as spam?

We're seeing an overall increase in spam getting through the filter the last 
few weeks
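
The two PCRE lines of the July filter quoted above can be exercised offline to see which message shapes each one hits. This is an added example, not code from the thread or from Declude: the MIME bodies are constructed, and it assumes that BODY rules see the raw MIME parts and that the weights of matching lines are summed.

```python
import base64
import re

# The two rule lines quoted in the thread, as (weight, pattern).
# Assumption: the filter total is the sum of the weights of matching lines.
RULES = [
    (3, re.compile(r"(JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)")),
    (5, re.compile(
        r"(-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}"
        r"-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;)"
    )),
]


def decode_signature():
    """Return the raw bytes that the weight-3 base64 literal stands for."""
    literal = RULES[0][1].pattern.strip("()")
    padded = literal + "=" * (-len(literal) % 4)
    return base64.b64decode(padded)


def build_body(boundary_line, first_headers, first_body, pdf_bytes):
    """Assemble a constructed two-part MIME body with CRLF line endings."""
    b64 = base64.b64encode(pdf_bytes).decode("ascii")
    wrapped = "\r\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))
    return (
        boundary_line + "\r\n"
        + first_headers + "\r\n"          # blank line ends the part headers
        + first_body + "\r\n"
        + boundary_line + "\r\n"
        + "Content-Type: application/pdf;\r\n"
        + "Content-Transfer-Encoding: base64\r\n\r\n"
        + wrapped + "\r\n"
        + boundary_line + "--\r\n"
    )


def score(body):
    """Return (total_weight, [weights of the lines that matched])."""
    hits = [weight for weight, rx in RULES if rx.search(body)]
    return sum(hits), hits


# Constructed inputs (not samples from the campaign).
PDF_13 = b"%PDF-1.3 \n1 0 obj\n<<\n>>\nendobj\n2 0 obj\n<<\n>>\nendobj\n"
PDF_14 = PDF_13.replace(b"%PDF-1.3", b"%PDF-1.4")
NUMERIC = "--------------070809010203040506"             # dashes + digits only
NON_NUMERIC = "------=_NextPart_000_0007_01C7D93A.4E2B1F60"
PLAIN = "Content-Type: text/plain; charset=us-ascii\r\n"
HTML = "Content-Type: text/html\r\n"

SAMPLES = {
    "empty text part, %PDF-1.3": build_body(NUMERIC, PLAIN, "", PDF_13),
    "empty text part, %PDF-1.4": build_body(NUMERIC, PLAIN, "", PDF_14),
    "text part with content, %PDF-1.3":
        build_body(NUMERIC, PLAIN, "See attached.", PDF_13),
    "HTML part, non-numeric boundary, %PDF-1.4":
        build_body(NON_NUMERIC, HTML,
                   "<HTML><BODY><DIV>&nbsp;</DIV></BODY></HTML>", PDF_14),
}

if __name__ == "__main__":
    print("weight-3 literal decodes to:", decode_signature())
    for name, body in SAMPLES.items():
        total, hits = score(body)
        print(f"{name:45s} weight={total} lines={hits}")
```

The weight-3 line is a base64 literal for one exact PDF header, and the weight-5 line only matches when a digits-only boundary encloses an empty first part directly ahead of the PDF part. A change to any of those leaves the filter at a lower weight or silent.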

RE: [Declude.JunkMail] New PDF worm?

2007-08-07 Thread David Barker
 

1.   Can you send the one that did not trigger?

2.   If it did trigger the idea is to give the filter a base value ie.

 

SPAM-PDF  filter  path\SPAM-PDF.txt  x  8  0

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Richards
Sent: Tuesday, August 07, 2007 9:39 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

I received one right away too.  It did trigger, but with a weight of 5 it
wasn't enough to stop it from making it through.  On the flip side, you have
to be careful that you don't stop legitimate PDF files.  Kind of a tough
one...

 

Todd

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 8:02 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

It didn't work.

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Richards
Sent: Tuesday, August 07, 2007 6:39 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Thanks David.  We'll (ok, I'll) give it a whirl!

 

Todd

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:23 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Ok this should hold it over till I can look at it some more tomorrow.

 

David

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:45 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

This is not an easy one I will see what I can get done before I leave today.

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 5:25 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

David,

 

I just sent you a bunch of samples.  If you can update the filter before you
knock off for the day I'd appreciate it.  We've probably had 50 of them get
through already today.

 

Thanks,


Dave

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 4:03 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

From reports today looks like the filter needs to be updated. Can you send
me some examples as attachments.

 

David B

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 3:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

I installed the filter below and we've had about 50 PDFs that came through
today.  Does the filter need to be revised or is there some other method I
should be looking into using?


Thanks!

 

Dave

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your
weights accordingly. Also ensure you are running Declude 4.3.46

 

BODY 3  PCRE (JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)

BODY 5  PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;)

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie
LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

We've been suffering .pdf spam getting through the filter.  What settings
are you using that's identifying these as spam?

We're seeing an overall increase in spam getting through the filter the last
few weeks...

 

Thanks, 

Katie

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not
triggering any AV yet, anyone else seeing this?

 

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.



RE: [Declude.JunkMail] New PDF worm?

2007-08-07 Thread David Barker
Did it trigger at all?

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 9:02 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

It didn't work.

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Richards
Sent: Tuesday, August 07, 2007 6:39 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Thanks David.  We'll (ok, I'll) give it a whirl!

 

Todd

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:23 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Ok this should hold it over till I can look at it some more tomorrow.

 

David

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:45 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

This is not an easy one I will see what I can get done before I leave today.

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 5:25 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

David,

 

I just sent you a bunch of samples.  If you can update the filter before you
knock off for the day I'd appreciate it.  We've probably had 50 of them get
through already today.

 

Thanks,


Dave

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 4:03 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

From reports today looks like the filter needs to be updated. Can you send
me some examples as attachments.

 

David B

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 3:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

I installed the filter below and we've had about 50 PDFs that came through
today.  Does the filter need to be revised or is there some other method I
should be looking into using?


Thanks!

 

Dave

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your
weights accordingly. Also ensure you are running Declude 4.3.46

 

BODY 3  PCRE (JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)

BODY 5  PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;)

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie
LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

We've been suffering .pdf spam getting through the filter.  What settings
are you using that's identifying these as spam?

We're seeing an overall increase in spam getting through the filter the last
few weeks...

 

Thanks, 

Katie

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not
triggering any AV yet, anyone else seeing this?

 

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.



RE: [Declude.JunkMail] New PDF worm?

2007-08-07 Thread Dave Beckstrom
No, didn't trigger at all.

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 9:33 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Did it trigger at all?

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 9:02 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

It didn't work.

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Richards
Sent: Tuesday, August 07, 2007 6:39 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Thanks David.  We'll (ok, I'll) give it a whirl!

 

Todd

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:23 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Ok this should hold it over till I can look at it some more tomorrow.

 

David

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:45 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

This is not an easy one I will see what I can get done before I leave today.

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 5:25 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

David,

 

I just sent you a bunch of samples.  If you can update the filter before you
knock off for the day I'd appreciate it.  We've probably had 50 of them get
through already today.

 

Thanks,


Dave

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 4:03 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

From reports today looks like the filter needs to be updated. Can you send
me some examples as attachments.

 

David B

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 3:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

I installed the filter below and we've had about 50 PDFs that came through
today.  Does the filter need to be revised or is there some other method I
should be looking into using?


Thanks!

 

Dave

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your
weights accordingly. Also ensure you are running Declude 4.3.46

 

BODY 3  PCRE (JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)

BODY 5  PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;)

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie
LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

We've been suffering .pdf spam getting through the filter.  What settings
are you using that's identifying these as spam?

We're seeing an overall increase in spam getting through the filter the last
few weeks...

 

Thanks, 

Katie

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not
triggering any AV yet, anyone else seeing this?

 

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com. 



RE: [Declude.JunkMail] New PDF worm?

2007-08-07 Thread Todd Richards
Thanks Darin.  I have adjusted for me, and will see what happens.
 
Todd
 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin
Cox
Sent: Tuesday, August 07, 2007 9:02 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] New PDF worm?


I whipped this up mid afternoon, and it's catching them for us.  An earlier
version this morning didn't catch the entire campaign.
 
 -
MINWEIGHTTOFAIL 23 
 
SKIPIFWEIGHT 250
 
REVDNS  END ENDSWITH .smarsh.com
 
HEADERS  10 CONTAINS X-Mailer: Microsoft Outlook Express 6.00.2900.3138
 
BODY  1 CONTAINS META content=3DMSHTML 6.00.2900.3132 name=3DGENERATOR
BODY  1 CONTAINS META content=MSHTML 6.00.2900.3132 name=GENERATOR
 
BODY  1 CONTAINS STYLE/STYLE
 
BODY  1 CONTAINS DIVFONT face=3DArial size=3D2/FONTnbsp;/DIV/BODY/HTML
BODY  1 CONTAINS DIVFONT face=Arial size=2/FONTnbsp;/DIV/BODY/HTML
 
BODY  10 CONTAINS Content-Type: application/pdf;
-
 
My delete weight is 250, so I skip if it has already reached that weight.
 
Smarsh sends one of our customers a lot of PDFs, so I made sure their emails
wouldn't trigger this.
 
There are liable to be FPs, so I would weight this enough to hold, but not
to delete.

Darin.
 
 
- Original Message - 
From: Todd Richards mailto:[EMAIL PROTECTED]  
To: declude.junkmail@declude.com 
Sent: Tuesday, August 07, 2007 9:39 PM
Subject: RE: [Declude.JunkMail] New PDF worm?

I received one right away too.  It did trigger, but with a weight of 5 it
wasn't enough to stop it from making it through.  On the flip side, you have
to be careful that you don't stop legitimate PDF files.  Kind of a tough
one...
 
Todd
 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 8:02 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?



It didn't work.

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Richards
Sent: Tuesday, August 07, 2007 6:39 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Thanks David.  We'll (ok, I'll) give it a whirl!

 

Todd

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:23 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Ok this should hold it over till I can look at it some more tomorrow.

 

David

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:45 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

This is not an easy one. I will see what I can get done before I leave today.

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 5:25 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

David,

 

I just sent you a bunch of samples.  If you can update the filter before you
knock off for the day I'd appreciate it.  We've probably had 50 of them get
through already today.

 

Thanks,


Dave

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 4:03 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

From reports today looks like the filter needs to be updated. Can you send
me some examples as attachments?

 

David B

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 3:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

I installed the filter below and we've had about 50 PDFs that came through
today.  Does the filter need to be revised or is there some other method I
should be looking into using?


Thanks!

 

Dave

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your
weights accordingly. Also ensure you are running Declude 4.3.46

 

BODY 3  PCRE (JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)

BODY 5  PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;)

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie
LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

We've been suffering .pdf spam getting through the filter.  What settings
are you using that's identifying these as spam?

We're seeing an overall increase in spam getting through the filter the last
few weeks...

 

Thanks, 

Katie

 

 

  _  

From: [EMAIL

RE: [Declude.JunkMail] New PDF worm?

2007-07-02 Thread Katie LaSalle-Lowery
We've been suffering .pdf spam getting through the filter.  What settings
are you using that's identifying these as spam?
We're seeing an overall increase in spam getting through the filter the last
few weeks...
 
Thanks, 
Katie
 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?



I'm getting gobs of PDF's snagged in my antispam filter, they're not
triggering any AV yet, anyone else seeing this?

 

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.



RE: [Declude.JunkMail] New PDF worm?

2007-07-02 Thread David Barker
Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your
weights accordingly. Also ensure you are running Declude 4.3.46

 

BODY 3  PCRE (JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)

BODY 5  PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;)

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie
LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

We've been suffering .pdf spam getting through the filter.  What settings
are you using that's identifying these as spam?

We're seeing an overall increase in spam getting through the filter the last
few weeks...

 

Thanks, 

Katie

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not
triggering any AV yet, anyone else seeing this?

 

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.



RE: [Declude.JunkMail] New PDF worm?

2007-07-02 Thread Katie LaSalle-Lowery
Cool.  Thanks.  
 
I also found that our Sniffer definition file hadn't been updated since Jun
30.  We have a scheduled task to update it every four hours.  I'm trying to
figure out why that stopped working.
 
Anyone have a filter file built for car sales, car financing, etc?  My boss
got a bunch of car related spam over the weekend.  Having Sniffer updated
might fix that anyway, but...
 
Thanks, 
Katie
 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Monday, July 02, 2007 11:35 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?



Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your
weights accordingly. Also ensure you are running Declude 4.3.46

 

BODY 3  PCRE (JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)

BODY 5  PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;)

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie
LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

We've been suffering .pdf spam getting through the filter.  What settings
are you using that's identifying these as spam?

We're seeing an overall increase in spam getting through the filter the last
few weeks...

 

Thanks, 

Katie

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not
triggering any AV yet, anyone else seeing this?

 

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.



RE: [Declude.JunkMail] New PDF worm?

2007-07-02 Thread Jim Comerford
Could someone explain further how this filter works and what it is doing...
it is adding weight to all PDF's or is this searching for some common
element present in the PDF Spams? 
 
  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Monday, July 02, 2007 1:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?



Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your
weights accordingly. Also ensure you are running Declude 4.3.46

 

BODY 3  PCRE (JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)

BODY 5  PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;)

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie
LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

We've been suffering .pdf spam getting through the filter.  What settings
are you using that's identifying these as spam?

We're seeing an overall increase in spam getting through the filter the last
few weeks...

 

Thanks, 

Katie

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not
triggering any AV yet, anyone else seeing this?

 

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.



RE: [Declude.JunkMail] New PDF worm?

2007-07-02 Thread David Barker
The first line is comparing the encoding for the PDF file, which all tend to
be the same; however, be sure to read the post by Pete regarding false
positives. The second part is looking for a blank email with a PDF
attachment; the regular expression was provided by Matt.

 

David

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jim
Comerford
Sent: Monday, July 02, 2007 2:05 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Could someone explain further how this filter works and what it is doing...
it is adding weight to all PDF's or is this searching for some common
element present in the PDF Spams? 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Monday, July 02, 2007 1:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your
weights accordingly. Also ensure you are running Declude 4.3.46

 

BODY 3  PCRE (JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)

BODY 5  PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;)

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie
LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

We've been suffering .pdf spam getting through the filter.  What settings
are you using that's identifying these as spam?

We're seeing an overall increase in spam getting through the filter the last
few weeks...

 

Thanks, 

Katie

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not
triggering any AV yet, anyone else seeing this?

 

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.
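
What the two filter lines in this thread actually match, as an added Python example that is not part of the original posts: the first pattern is base64 text for the opening bytes of a PDF 1.3 file, and the second needs an empty MIME part directly before the PDF part. The message bodies, boundary string and file name are constructed, and Python's `re` module stands in for Declude's PCRE engine (an assumption; the weights 3 and 5 are the ones in the post).

```python
import base64
import re

# First filter line: a literal run of base64 text (copied from the post).
B64_SIGNATURE = "JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo"
SIGNATURE_RE = re.compile("(" + B64_SIGNATURE + ")")

# Second filter line, unwrapped: a MIME part with headers but no content,
# immediately followed by a part whose Content-Type is application/pdf.
BLANK_THEN_PDF_RE = re.compile(
    r"(-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}"
    r"-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;)"
)

WEIGHT_SIGNATURE = 3  # "BODY 3 PCRE ..." in the post
WEIGHT_BLANK_PDF = 5  # "BODY 5 PCRE ..." in the post

BOUNDARY = "------------060708090102030405060708"  # constructed sample value


def decode_signature() -> bytes:
    """Return the raw bytes that the base64 signature stands for."""
    padded = B64_SIGNATURE + "=" * (-len(B64_SIGNATURE) % 4)
    return base64.b64decode(padded)


def build_body(text: str, pdf: bytes) -> str:
    """Build a constructed two-part MIME body: a text part, then a PDF part."""
    b64 = base64.b64encode(pdf).decode("ascii")
    wrapped = "\r\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))
    return (
        f"--{BOUNDARY}\r\n"
        "Content-Type: text/plain; charset=ISO-8859-1; format=flowed\r\n"
        "Content-Transfer-Encoding: 7bit\r\n"
        "\r\n"
        f"{text}\r\n"
        f"--{BOUNDARY}\r\n"
        "Content-Type: application/pdf;\r\n"
        ' name="report.pdf"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n"
        f"{wrapped}\r\n"
        f"--{BOUNDARY}--\r\n"
    )


def filter_weight(body: str) -> int:
    """Sum the weights of the filter lines that match this message body."""
    weight = 0
    if SIGNATURE_RE.search(body):
        weight += WEIGHT_SIGNATURE
    if BLANK_THEN_PDF_RE.search(body):
        weight += WEIGHT_BLANK_PDF
    return weight


# Constructed PDF fragments: one starts with the bytes behind the signature,
# the other with a different version header.
SAME_HEADER_PDF = decode_signature() + b"\n<<\n/Length 0\n>>\nendobj\n"
OTHER_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"

# Constructed message bodies covering the four combinations.
BLANK_SAME_HEADER = build_body("", SAME_HEADER_PDF)
TEXT_SAME_HEADER = build_body("Please find the June invoice attached.",
                              SAME_HEADER_PDF)
BLANK_OTHER_PDF = build_body("", OTHER_PDF)
TEXT_OTHER_PDF = build_body("Please find the June invoice attached.",
                            OTHER_PDF)

if __name__ == "__main__":
    print("signature decodes to:", decode_signature())
    for name, body in [
        ("blank text + same PDF header", BLANK_SAME_HEADER),
        ("real text  + same PDF header", TEXT_SAME_HEADER),
        ("blank text + other PDF", BLANK_OTHER_PDF),
        ("real text  + other PDF", TEXT_OTHER_PDF),
    ]:
        print(f"{name}: weight {filter_weight(body)}")
```

The second case is the false-positive risk: a message with real text still picks up the first weight whenever its PDF starts with the same bytes, whatever the rest of the file contains.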

Re: [Declude.JunkMail] New PDF worm?

2007-06-27 Thread Darin Cox
Yep.

Darin.


- Original Message - 
From: SJ.Stanaitis 
To: declude.junkmail@declude.com 
Sent: Wednesday, June 27, 2007 11:17 AM
Subject: [Declude.JunkMail] New PDF worm?


I'm getting gobs of PDF's snagged in my antispam filter, they're not triggering 
any AV yet, anyone else seeing this?

 

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.




RE: [Declude.JunkMail] New PDF worm?

2007-06-27 Thread David Barker
Yes I am seeing the same thing although when I run the pdf through a virus
check it comes up clean. I opened one of the files and it was just stock
spam. If anyone is running the CB-ATTACH.txt filter I would suggest
commenting out this line for now.

#BODY  -10  PCRE  (?i:Content-Type: application/pdf;)

Or if you are using the older filters

#BODY  -10  CONTAINS  Content-Type: application/pdf;

 

See also http://blogs.zdnet.com/security/?p=325

 

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
SJ.Stanaitis
Sent: Wednesday, June 27, 2007 11:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

 

I'm getting gobs of PDF's snagged in my antispam filter, they're not
triggering any AV yet, anyone else seeing this?

 

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.



RE: [Declude.JunkMail] New PDF worm?

2007-06-27 Thread Colbeck, Andrew
SJ, they're not viruses, they're spam sent from zombies.
 
Probably pump and dump stock spam, and if they're like what I've been
seeing, they have the same anti-OCR techniques that were previously sent
as jpg.
 
http://www.mail-archive.com/[EMAIL PROTECTED]/msg03447.html
 
and:
 
http://isc.sans.org/diary.html?storyid=3012
 
and:
 
http://www.heise-security.co.uk/news/91523
 
 
Andrew.
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of SJ.Stanaitis
Sent: Wednesday, June 27, 2007 8:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?



I'm getting gobs of PDF's snagged in my antispam filter, they're
not triggering any AV yet, anyone else seeing this?

 

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.




Re: [Declude.JunkMail] New PDF worm?

2007-06-27 Thread Darrell ([EMAIL PROTECTED])

SJ,

Andrew posted a blurb from SANS a couple of days ago.

Pump and dump scams now in PDF
Published: 2007-06-20,
Last Updated: 2007-06-20 21:33:39 UTC
by Maarten Van Horenbeeck (Version: 1)

Apparently the groups behind what we know as pump and dump spam have 
found a new way to bypass spam filters. As of yesterday, we’ve been 
observing e-mails with bogus text, often in german, each with a PDF in 
attachment.


These PDFs purport to be stock information, and are usually titled 
‘German Stock Insider’. They contain much more detail on stock than 
we’re used to from previous dump and pump scams and include images for 
added realism. They even contain the following disclaimer:


“This is not an offer to buy or sell any security. German Stock Insider 
discloses that they were paid ten thousand Euros for distribution of 
this report.”


The messages are usually sent to [EMAIL PROTECTED] with an attachment name of 
name_report.pdf. Apparently they are distributed most to .com and .org 
domains, though most of the reports we’ve received were from Europe. 
Each of the reports so far has had an MD5 hash of 
2e4b2158909f276942dadf6a0b621b1a. Thanks to Günter for reporting his 
findings.


-
Check out http://www.invariantsystems.com for utilities for Declude, 
Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, 
SURBL/URI integration, MRTG Integration, and Log Parsers.



SJ.Stanaitis wrote:
I’m getting gobs of PDF’s snagged in my antispam filter, they’re not 
triggering any AV yet, anyone else seeing this?


 


SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.





Re: [Declude.JunkMail] New PDF worm?

2007-06-27 Thread Darin Cox
Hi David,

What's the CB-ATTACH.txt filter?

Darin.


- Original Message - 
From: David Barker 
To: declude.junkmail@declude.com 
Sent: Wednesday, June 27, 2007 11:24 AM
Subject: RE: [Declude.JunkMail] New PDF worm?


Yes I am seeing the same thing although when I run the pdf through a virus
check it comes up clean. I opened one of the files and it was just stock
spam. If anyone is running the CB-ATTACH.txt filter I would suggest
commenting out this line for now.

#BODY  -10  PCRE  (?i:Content-Type: application/pdf;)

Or if you are using the older filters

#BODY  -10  CONTAINS  Content-Type: application/pdf;

 

See also http://blogs.zdnet.com/security/?p=325

 

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SJ.Stanaitis
Sent: Wednesday, June 27, 2007 11:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

 

I'm getting gobs of PDF's snagged in my antispam filter, they're not triggering 
any AV yet, anyone else seeing this?

 

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.




RE: [Declude.JunkMail] New PDF worm?

2007-06-27 Thread David Barker
It is a filter I use to reduce the weights on attachments not likely to be
spam, you can log into your account at Declude and download the sample
filters.


David

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin
Cox
Sent: Wednesday, June 27, 2007 12:20 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] New PDF worm?

 

Hi David,

 

What's the CB-ATTACH.txt filter?


Darin.

 

 

- Original Message - 

From: David Barker mailto:[EMAIL PROTECTED]  

To: declude.junkmail@declude.com 

Sent: Wednesday, June 27, 2007 11:24 AM

Subject: RE: [Declude.JunkMail] New PDF worm?

 

Yes I am seeing the same thing although when I run the pdf through a virus
check it comes up clean. I opened one of the files and it was just stock
spam. If anyone is running the CB-ATTACH.txt filter I would suggest
commenting out this line for now.

#BODY  -10  PCRE  (?i:Content-Type: application/pdf;)

Or if you are using the older filters

#BODY  -10  CONTAINS  Content-Type: application/pdf;

 

See also http://blogs.zdnet.com/security/?p=325

 

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
SJ.Stanaitis
Sent: Wednesday, June 27, 2007 11:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

 

I'm getting gobs of PDF's snagged in my antispam filter, they're not
triggering any AV yet, anyone else seeing this?

 

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.



RE: [Declude.JunkMail] New PDF worm?

2007-06-27 Thread Colbeck, Andrew
I'll suggest an alternative to this.
 
If you're using the CB-ATTACH filter and you want to keep it without
giving spammers too much entry, use an END filter with your blacklist
tests.  If the sender's IP address is in the blacklist, the CB-ATTACH
test will stop.
 
This will still counterweight PDF spammers who are not in a blacklist
yet, but perhaps that is an acceptable balance to you.
 
TESTSFAILED END CONTAINS XBL
 
TESTSFAILED END CONTAINS SPAMCOP
 
BODY -10   PCRE  (?i:Content-Type: application/pdf;)
 
 
etc. ...
 
 
Andrew.
 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of David Barker
Sent: Wednesday, June 27, 2007 8:24 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?



Yes I am seeing the same thing although when I run the pdf through a virus
check it comes up clean. I opened one of the files and it was just stock
spam. If anyone is running the CB-ATTACH.txt filter I would suggest
commenting out this line for now.

#BODY  -10  PCRE  (?i:Content-Type: application/pdf;)

Or if you are using the older filters

#BODY  -10  CONTAINS  Content-Type: application/pdf;

 

See also http://blogs.zdnet.com/security/?p=325

 

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of SJ.Stanaitis
Sent: Wednesday, June 27, 2007 11:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

 

I'm getting gobs of PDF's snagged in my antispam filter, they're
not triggering any AV yet, anyone else seeing this?

 

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.




RE: [Declude.JunkMail] New PDF worm?

2007-06-27 Thread David Barker
Great idea.

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck,
Andrew
Sent: Wednesday, June 27, 2007 12:40 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

I'll suggest an alternative to this.

 

If you're using the CB-ATTACH filter and you want to keep it without giving
spammers too much entry, use an END filter with your blacklist tests.  If
the sender's IP address is in the blacklist, the CB-ATTACH test will stop.

 

This will still counterweight PDF spammers who are not in a blacklist yet,
but perhaps that is an acceptable balance to you.

 

TESTSFAILED END CONTAINS XBL

 

TESTSFAILED END CONTAINS SPAMCOP

 

BODY -10   PCRE  (?i:Content-Type: application/pdf;)

 

 

etc. ...

 

 

Andrew.

 

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Wednesday, June 27, 2007 8:24 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Yes I am seeing the same thing although when I run the pdf through a virus
check it comes up clean. I opened one of the files and it was just stock
spam. If anyone is running the CB-ATTACH.txt filter I would suggest
commenting out this line for now.

 

#BODY  -10  PCRE  (?i:Content-Type: application/pdf;)

 

Or if you are using the older filters

 

#BODY  -10  CONTAINS  Content-Type: application/pdf;

 

See also http://blogs.zdnet.com/security/?p=325

 

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
SJ.Stanaitis
Sent: Wednesday, June 27, 2007 11:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

 

I'm getting gobs of PDF's snagged in my antispam filter, they're not
triggering any AV yet, anyone else seeing this?

 

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com. 
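
An added example, not part of the original thread and not Declude's own code: a simplified Python model of the filter Andrew describes, showing how the two END lines cancel the -10 PDF counterweight once the sender has failed a blacklist test. The top-to-bottom evaluation, the function names and the sample body are assumptions made for illustration.

```python
import re

# The three filter lines quoted in the thread, in the order Andrew gives them.
CB_ATTACH = """\
TESTSFAILED END CONTAINS XBL
TESTSFAILED END CONTAINS SPAMCOP
BODY -10   PCRE  (?i:Content-Type: application/pdf;)
"""

def parse_filter(text):
    """Split each active line into (scope, action, match_type, pattern)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # '#' comments a line out
            continue
        scope, action, match_type, pattern = line.split(None, 3)
        rules.append((scope, action, match_type.upper(), pattern))
    return rules

def matches(match_type, pattern, haystack):
    if match_type == "PCRE":
        return re.search(pattern, haystack) is not None
    # CONTAINS: plain substring, case-insensitive here by assumption
    return pattern.lower() in haystack.lower()

def evaluate(filter_text, body, tests_failed):
    """Return the weight this filter contributes under the simplified model."""
    fields = {"BODY": body, "TESTSFAILED": " ".join(tests_failed)}
    weight = 0
    for scope, action, match_type, pattern in parse_filter(filter_text):
        if not matches(match_type, pattern, fields.get(scope, "")):
            continue
        if action == "END":        # stop here; later lines never run
            return weight
        weight += int(action)      # negative weight = credit for the message
    return weight

# Constructed sample: a MIME part header as it would appear in a message body.
PDF_BODY = 'Content-Type: application/pdf;\n name="invoice.pdf"\n'

if __name__ == "__main__":
    print(evaluate(CB_ATTACH, PDF_BODY, ["SPAM-PDF"]))         # sender not listed
    print(evaluate(CB_ATTACH, PDF_BODY, ["XBL", "SPAM-PDF"]))  # sender in XBL
```

The first call still hands the PDF its -10 credit, which is the residual gap Andrew notes for senders not yet in a blacklist; the second returns 0 because the END line fires before the BODY line is reached.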

