Re: PDF spam

2016-04-05 Thread Olivier Nicole
Alex, >> What is the name of the plugin you're referring to? It's not PDFInfo, >> correct? It's called Pdf.pm (note the unusual capitalization) or PDFassassin and starts with something saying: # PDF scan, inspired by Ocr.pm # For more details see # http://blog.atmail.com/?p=61 I cannot

Re: PDF spam

2016-04-03 Thread Reindl Harald
On 04.04.2016 at 01:18, Martin Gregorie wrote: On Sun, 2016-04-03 at 21:01 +0200, Reindl Harald wrote: On 03.04.2016 at 20:56, Martin Gregorie wrote: None of these file extensions appear in my dangerous attachments rule. Maybe .DOC should be included, but it isn't and I simply don't

Re: PDF spam

2016-04-03 Thread Martin Gregorie
On Sun, 2016-04-03 at 17:42 -0400, Alex wrote: > > Do you have any rules for your fake invoice detection (perhaps > pseudocode?) that you'd like to share? > Not as concrete rules, partly because, just as everybody's spam streams are different, so my specific rules probably won't work for your

Re: PDF spam

2016-04-03 Thread Martin Gregorie
On Sun, 2016-04-03 at 21:01 +0200, Reindl Harald wrote: > > > On 03.04.2016 at 20:56, Martin Gregorie wrote: > > > > > > None of these file extensions appear in my dangerous attachments > > rule. > > Maybe .DOC should be included, but it isn't and I simply don't > > remember > > if MSWord

Re: PDF spam

2016-04-03 Thread Alex
with the smallest modification, it becomes ineffective. It's also always chasing something after the fact. I also wouldn't expect that exact phrase to hit very many times in your archive because there are just so many possible variations. I only said it was common language, not that it's frequent. I

Re: PDF spam

2016-04-03 Thread Reindl Harald
On 03.04.2016 at 20:56, Martin Gregorie wrote: None of these file extensions appear in my dangerous attachments rule. Maybe .DOC should be included, but it isn't and I simply don't remember if MSWord supported macros back then (2004) MS word supports macros for more than a decade with

Re: PDF spam

2016-04-03 Thread Martin Gregorie
On Sun, 2016-04-03 at 09:47 -0400, Alex wrote: > Hi, > > > > > > > > > There's very little text in the body, so I suspect that's why > > > bayes > > > is confused. PDF invoices and conversations involving "payment" > > > and > > > "invoice" are not all that uncommon. > > > > > True, but this

Re: PDF spam

2016-04-03 Thread Alex
Hi, >> There's very little text in the body, so I suspect that's why bayes >> is confused. PDF invoices and conversations involving "payment" and >> "invoice" are not all that uncommon. >> > True, but this type of spam often contains odd or somewhat archaic > phrases. I find that a local rule

Re: PDF spam

2016-04-02 Thread Bill Cole
On 1 Apr 2016, at 13:25, Alex wrote: > There's very little text in the body, so I suspect that's why bayes is > confused. PDF invoices and conversations involving "payment" and > "invoice" are not all that uncommon. Ones which aren't sent to anyone in particular are quite rare. (but since I

Re: PDF spam

2016-04-01 Thread Olivier Nicole
Alex, > Has anyone else seen an increase in PDF invoice spam with just a link > in it? The centurylink IP is now blacklisted, but obviously it wasn't > when this was received. The link contained in the PDF has also already > been disabled, but obviously wasn't when this was received. > > I'd

Re: PDF spam

2016-04-01 Thread Charles Sprickman
> On Apr 1, 2016, at 4:11 PM, Martin Gregorie wrote: > > On Fri, 2016-04-01 at 13:25 -0400, Alex wrote: >> Hi all, >> >> Has anyone else seen an increase in PDF invoice spam with just a link >> in it? The centurylink IP is now blacklisted, but obviously it wasn't >> when

Re: PDF spam

2016-04-01 Thread Martin Gregorie
On Fri, 2016-04-01 at 13:25 -0400, Alex wrote: > Hi all, > > Has anyone else seen an increase in PDF invoice spam with just a link > in it? The centurylink IP is now blacklisted, but obviously it wasn't > when this was received. The link contained in the PDF has also > already > been disabled,

PDF spam

2016-04-01 Thread Alex
Hi all, Has anyone else seen an increase in PDF invoice spam with just a link in it? The centurylink IP is now blacklisted, but obviously it wasn't when this was received. The link contained in the PDF has also already been disabled, but obviously wasn't when this was received. I'd really

Larg PDF Spam

2009-09-03 Thread Charles Gregory
I'm seeing a set of spam, with some very regular easily trapped text in their headers/body, but with large PDF files that push the size of the mail outside the 256K limit for running SA. Anyone have any experience raising that limit? How high can we go before it really starts to impact

Re: Larg PDF Spam

2009-09-03 Thread John Hardin
On Thu, 3 Sep 2009, Charles Gregory wrote: I'm seeing a set of spam, with some very regular easily trapped text in their headers/body, but with large PDF files that push the size of the mail outside the 256K limit for running SA. Anyone have any experience raising that limit? How high can we

Re: Larg PDF Spam

2009-09-03 Thread Karsten Bräckelmann
On Thu, 2009-09-03 at 11:20 -0400, Charles Gregory wrote: I'm seeing a set of spam, with some very regular easily trapped text in their headers/body, but with large PDF files that push the size of the mail outside the 256K limit for running SA. That's your limit. ;) The default for spamc is

Re: PDF-Spam passing SA

2007-08-11 Thread zheka
! The following PDF-Spam is passing through: http://ghds.de/20070808074441242.eml.txt System is Debian Sarge with SA 3.1.7. I'm already using: PDFInfo 0.7 80_additional.cf Anyone scoring over 5? How to get it caught ? Ove Starckjohann -- View this message in context: http

Re: PDF-Spam passing SA

2007-08-11 Thread zheka
But funny thing, my SA can't filter PDF spam if it was sent in regular way. I mean it passes it through without scoring it. Yours was triggered as spam when I checked it with: spamassassin -t -D message.eml Eugene Starckjohann, Ove wrote: Hi! The following PDF-Spam is passing through

Re: PDF-Spam passing SA

2007-08-11 Thread zheka
BODY: TVD_SPACE_RATIO 1.0 TVD_PDF_FINGER01 Mail matches standard pdf spam fingerprint -0.9 AWL AWL: From: address is in the auto white-list Eugene Yet Another Ninja wrote: On 8/8/2007 10:54 AM, Starckjohann, Ove wrote: Hi! The following PDF-Spam is passing

PDF-Spam passing SA

2007-08-08 Thread Starckjohann, Ove
Hi! The following PDF-Spam is passing through: http://ghds.de/20070808074441242.eml.txt System is Debian Sarge with SA 3.1.7. I'm already using: PDFInfo 0.7 80_additional.cf Anyone scoring over 5? How to get it caught ? Ove Starckjohann

Re: PDF-Spam passing SA

2007-08-08 Thread Yet Another Ninja
On 8/8/2007 10:54 AM, Starckjohann, Ove wrote: Hi! The following PDF-Spam is passing through: http://ghds.de/20070808074441242.eml.txt System is Debian Sarge with SA 3.1.7. I'm already using: PDFInfo 0.7 80_additional.cf Anyone scoring over 5? How to get it caught ? With PDFinfo you can

PDF spam

2007-07-19 Thread Tarak Ranjan
greetings, i'm getting pdf attached spam. please help me stop that using spamassassin... Horacio_FILE_506292_6906.pdf /tarak

Re: PDF spam

2007-07-19 Thread Jochen Maes
Tarak Ranjan wrote: greetings, i'm getting pdf attached spam. please help me stop that using spamassassin... Horacio_FILE_506292_6906.pdf /tarak Hey, you can use the PDFInfo plugin for spamassassin

Re: PDF spam

2007-07-19 Thread Matt Kettler
Tarak Ranjan wrote: greetings, i'm getting pdf attached spam. please help me stop that using spamassassin... Horacio_FILE_506292_6906.pdf /tarak The PDFInfo plugin from rulesemporium is designed for this kind of thing. http://www.rulesemporium.com/plugins.htm Personally, I've been

Re: PDF spam

2007-07-19 Thread Anders Norrbring
Matt Kettler wrote: Tarak Ranjan wrote: greetings, i'm getting pdf attached spam. please help me stop that using spamassassin... Horacio_FILE_506292_6906.pdf /tarak The PDFInfo plugin from rulesemporium is designed for this kind of thing. http://www.rulesemporium.com/plugins.htm

Re: PDF spam

2007-07-19 Thread R.Smits
Matt Kettler wrote: Tarak Ranjan wrote: greetings, i'm getting pdf attached spam. please help me stop that using spamassassin... Horacio_FILE_506292_6906.pdf /tarak The PDFInfo plugin from rulesemporium is designed for this kind of thing. http://www.rulesemporium.com/plugins.htm

Re: PDF spam

2007-07-19 Thread Yet Another Ninja
On 7/19/2007 1:10 PM, Anders Norrbring wrote: Matt Kettler wrote: Tarak Ranjan wrote: greetings, i'm getting pdf attached spam. please help me stop that using spamassassin... Horacio_FILE_506292_6906.pdf /tarak The PDFInfo plugin from rulesemporium is designed for this kind of thing.

Re: PDF spam

2007-07-19 Thread Anders Norrbring
Yet Another Ninja wrote: On 7/19/2007 1:10 PM, Anders Norrbring wrote: Matt Kettler wrote: Tarak Ranjan wrote: greetings, i'm getting pdf attached spam. please help me stop that using spamassassin... Horacio_FILE_506292_6906.pdf /tarak The PDFInfo plugin from rulesemporium is designed

Re: PDF spam

2007-07-19 Thread Dallas Engelken
R.Smits wrote: Matt Kettler wrote: Tarak Ranjan wrote: greetings, i'm getting pdf attached spam. please help me stop that using spamassassin... Horacio_FILE_506292_6906.pdf /tarak The PDFInfo plugin from rulesemporium is designed for this kind of thing.

Re: PDF spam

2007-07-19 Thread Duane Hill
On Thu, 19 Jul 2007 at 07:41 -0500, [EMAIL PROTECTED] confabulated: R.Smits wrote: Matt Kettler wrote: Tarak Ranjan wrote: greetings, i'm getting pdf attached spam. please help me stop that using spamassassin... Horacio_FILE_506292_6906.pdf /tarak The PDFInfo plugin from rulesemporium

Re: PDF spam

2007-07-19 Thread Gene Heskett
On Thursday 19 July 2007, R.Smits wrote: Matt Kettler wrote: Tarak Ranjan wrote: greetings, i'm getting pdf attached spam. please help me stop that using spamassassin... Horacio_FILE_506292_6906.pdf /tarak The PDFInfo plugin from rulesemporium is designed for this kind of thing.

Re: PDF spam

2007-07-19 Thread Jari Fredriksson
Matt Kettler wrote: Tarak Ranjan wrote: greetings, i'm getting pdf attached spam. please help me stop that using spamassassin... Horacio_FILE_506292_6906.pdf /tarak The PDFInfo plugin from rulesemporium is designed for this kind of thing.

Re: PDF spam

2007-07-19 Thread Anders Norrbring
Gene Heskett wrote: On Thursday 19 July 2007, R.Smits wrote: Matt Kettler wrote: Tarak Ranjan wrote: greetings, i'm getting pdf attached spam. please help me stop that using spamassassin... Horacio_FILE_506292_6906.pdf /tarak The PDFInfo plugin from rulesemporium is designed for this kind

Re: PDF spam

2007-07-19 Thread Theo Van Dinter
On Thu, Jul 19, 2007 at 12:50:05PM +0530, Tarak Ranjan wrote: i'm getting pdf attached spam. please help me stop that using spamassassin... Are you using sa-update? -- Randomly Selected Tagline: Shell programming can be a difficult lesson in frustration. - Linux

RE: PDF spam

2007-07-19 Thread Jean-Paul Natola
-Original Message- From: Theo Van Dinter [mailto:[EMAIL PROTECTED] Sent: Thursday, July 19, 2007 11:06 AM To: users@spamassassin.apache.org Subject: Re: PDF spam On Thu, Jul 19, 2007 at 12:50:05PM +0530, Tarak Ranjan wrote: i'm getting pdf attached spam. please help me stop that using

Re: PDF spam

2007-07-19 Thread Raymond Dijkxhoorn
Hi! Personally, I've been able to keep them under control with good bayes training, automated training by spamtraps, and a selective greylist, so I have not yet tried this plugin. Plugin seems to work great, but is it stable enough for big production environments ? Any issues ? It sure is.

Catching .pdf Spam

2007-07-18 Thread nws.charlie
://www.nabble.com/Catching-.pdf-Spam-tf4103383.html#a11669157 Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Re: Catching .pdf Spam

2007-07-18 Thread Theo Van Dinter
On Wed, Jul 18, 2007 at 06:52:40AM -0700, nws.charlie wrote: more as spam). Can anyone tell me if there is already a ruleset that I should be using? Run sa-update, there's a rule already in there. -- Randomly Selected Tagline: Human female: All in all. This is one day that mitten the kitten

Re: Catching .pdf Spam

2007-07-18 Thread John D. Hardin
On Wed, 18 Jul 2007, nws.charlie wrote: I have noticed that 98% of the spam with pdf attachments is being sent from Thunderbird. I wrote a few rules and added them to my local.cf. Here is the main one that is working. I am catching most of the spam with this. Does anyone see anything

Re: Catching .pdf Spam

2007-07-18 Thread Kelson
nws.charlie wrote: I am catching most of the spam with this. Does anyone see anything negative about a rule like this? header __LOCAL_HEADER_THUNDERBIRD User-Agent =~ /\bthunderbird\b/i full __LOCAL_HAS_PDF /\b\S*\.pdf\b/i meta LOCAL_PDF_VIA_THUNDERBIRD

Re: Catching .pdf Spam

2007-07-18 Thread nws.charlie
/spamassassin/.. Do I misunderstand, or do we have something configured wrong? Thanks for your replies! MW Theo Van Dinter-2 wrote: Run sa-update, there's a rule already in there. -- View this message in context: http://www.nabble.com/Catching-.pdf-Spam-tf4103383.html#a11674168 Sent

Re: Catching .pdf Spam

2007-07-18 Thread Theo Van Dinter
On Wed, Jul 18, 2007 at 11:17:03AM -0700, nws.charlie wrote: automatically twice a day. The updates are happening as scheduled, and being placed in var/lib/spamassassin/3.001001/..., however, spamassassin seems to be ignoring the rules there. Why do you say that? Does spamassassin --lint -D

Re: Catching .pdf Spam

2007-07-18 Thread nws.charlie
://www.nabble.com/Catching-.pdf-Spam-tf4103383.html#a11675276 Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

new pdf spam caught by upgraded pdfinfo plugin

2007-07-12 Thread Robert Schetterer
Hi, @ll the newest version of pdfinfo plugin matched some new pdf spam right now * 2.0 GMD_PDF_FUZZY2_T3 BODY: Fuzzy MD5 Match * 3D4E25DE4A05695681D694716D579474 well done ! -- Mit freundlichen Gruessen Best Regards Robert

sample of new style PDF spam (containing embedded link, no image)

2007-07-05 Thread Chip M.
Here's a new style of PDF spam (recipient email address is munged): http://Puffin.net/software/spam/samples/0004_pdf_gen3.eml This time, it (apparently) is plain text with a link to an ED site, with rather explicit language. I've only found two of these so far. From a technical point

Re: sample of new style PDF spam (containing embedded link, no image)

2007-07-05 Thread SM
At 12:49 05-07-2007, Chip M. wrote: Here's a new style of PDF spam (recipient email address is munged): [snip] - uses application/octet-stream instead of application/pdf as the Content-Type From your sample: Content-Type: application/octet-stream; name=Message.pdf You could match

Re: sample of new style PDF spam (containing embedded link, no image)

2007-07-05 Thread Chip M.
At 01:09 PM 7/5/2007 -0700, you wrote: You could match on the application/octet-stream and the file extension being .pdf. Good idea, but sorry, I should have been clearer (my BIM): I meant use that in COMBINATION with OTHER signs, mainly to detect the difference between the two styles. To clear

Re: sample of new style PDF spam (containing embedded link, no image)

2007-07-05 Thread hamann . w
I receive quite a few legitimate pdf attachments - half of them are pdf type, the other half is octet-string (but they are usually A4 paper size) Wolfgang Hamann Here's a new style of PDF spam (recipient email address is munged): [snip] - uses application/octet-stream instead

PDF spam indicator: unusual document dimensions?

2007-07-03 Thread John D. Hardin
In today's SANS diary: During the last two days, we've received continuous reports of new PDF spam. This time the pages attached are generally of different size each time (no longer A4, but 4x3 inch or 6x1 inch). Might a non-standard-paper-size PDF attachment be worth a point? -- John

pdf spam solution idea

2007-06-27 Thread arni
Hi, it's come up several times now that people ask for a way to directly detect pdf spam by the pdf content and not only through headers or other means (hashes, bayes). I've found a solution that should be pretty easy to realise in a Fuzzy-OCR like plugin. Here is what it should do: Use xpdf

Re: pdf spam solution idea

2007-06-27 Thread Dallas Engelken
arni wrote: Hi, it's come up several times now that people ask for a way to directly detect pdf spam by the pdf content and not only through headers or other means (hashes, bayes). I've found a solution that should be pretty easy to realise in a Fuzzy-OCR like plugin. Here is what it should