Alex,
>> What is the name of the plugin you're referring to? It's not PDFInfo,
>> correct?
It's called Pdf.pm (note the unusual capitalization) or PDFassassin and
starts with something saying:
# PDF scan, inspired by Ocr.pm
# For more details see
# http://blog.atmail.com/?p=61
I cannot
Am 04.04.2016 um 01:18 schrieb Martin Gregorie:
On Sun, 2016-04-03 at 21:01 +0200, Reindl Harald wrote:
Am 03.04.2016 um 20:56 schrieb Martin Gregorie:
None of these file extensions appear in my dangerous attachments
rule.
Maybe .DOC should be included, but it isn't and I simply don't
On Sun, 2016-04-03 at 17:42 -0400, Alex wrote:
>
> Do you have any rules for your fake invoice detection (perhaps
> pseudocode?) that you'd like to share?
>
Not as concrete rules, partly because, just as everybody's spam streams
are different, so my specific rules probably won't work for your
On Sun, 2016-04-03 at 21:01 +0200, Reindl Harald wrote:
>
>
> Am 03.04.2016 um 20:56 schrieb Martin Gregorie:
> >
> >
> > None of these file extensions appear in my dangerous attachments
> > rule.
> > Maybe .DOC should be included, but it isn't and I simply don't
> > remember
> > if MSWord
with the smallest modification, it becomes
ineffective. It's also always chasing something after the fact.
I also wouldn't expect that exact phrase to hit very many times in
your archive because there are just so many possible variations. I
only said it was common language, not that it's frequent.
I
Am 03.04.2016 um 20:56 schrieb Martin Gregorie:
None of these file extensions appear in my dangerous attachments rule.
Maybe .DOC should be included, but it isn't and I simply don't remember
if MSWord supported macros back then (2004)
MS word supports macros for more than a decade
with
On Sun, 2016-04-03 at 09:47 -0400, Alex wrote:
> Hi,
>
> >
> > >
> > > There's very little text in the body, so I suspect that's why
> > > bayes
> > > is confused. PDF invoices and conversations involving "payment"
> > > and
> > > "invoice" are not all that uncommon.
> > >
> > True, but this
Hi,
>> There's very little text in the body, so I suspect that's why bayes
>> is confused. PDF invoices and conversations involving "payment" and
>> "invoice" are not all that uncommon.
>>
> True, but this type of spam often contains odd or somewhat archaic
> phrases. I find that a local rule
On 1 Apr 2016, at 13:25, Alex wrote:
> There's very little text in the body, so I suspect that's why bayes is
> confused. PDF invoices and conversations involving "payment" and
> "invoice" are not all that uncommon.
Ones which aren't sent to anyone in particular are quite rare.
(but since I
Alex,
> Has anyone else seen an increase in PDF invoice spam with just a link
> in it? The centurylink IP is now blacklisted, but obviously it wasn't
> when this was received. The link contained in the PDF has also already
> been disabled, but obviously wasn't when this was received.
>
> I'd
> On Apr 1, 2016, at 4:11 PM, Martin Gregorie wrote:
>
> On Fri, 2016-04-01 at 13:25 -0400, Alex wrote:
>> Hi all,
>>
>> Has anyone else seen an increase in PDF invoice spam with just a link
>> in it? The centurylink IP is now blacklisted, but obviously it wasn't
>> when
On Fri, 2016-04-01 at 13:25 -0400, Alex wrote:
> Hi all,
>
> Has anyone else seen an increase in PDF invoice spam with just a link
> in it? The centurylink IP is now blacklisted, but obviously it wasn't
> when this was received. The link contained in the PDF has also
> already
> been disabled,
Hi all,
Has anyone else seen an increase in PDF invoice spam with just a link
in it? The centurylink IP is now blacklisted, but obviously it wasn't
when this was received. The link contained in the PDF has also already
been disabled, but obviously wasn't when this was received.
I'd really
I'm seeing a set of spam, with some very regular easily trapped
text in their headers/body, but with large PDF files that push
the size of the mail outside the 256K limit for running SA.
Anyone have any experience raising that limit? How high can we
go before it really starts to impact
On Thu, 3 Sep 2009, Charles Gregory wrote:
I'm seeing a set of spam, with some very regular easily trapped text in
their headers/body, but with large PDF files that push the size of the
mail outside the 256K limit for running SA.
Anyone have any experience raising that limit? How high can we
On Thu, 2009-09-03 at 11:20 -0400, Charles Gregory wrote:
I'm seeing a set of spam, with some very regular easily trapped
text in their headers/body, but with large PDF files that push
the size of the mail outside the 256K limit for running SA.
That's your limit. ;) The default for spamc is
!
The following PDF-Spam is passing through:
http://ghds.de/20070808074441242.eml.txt
System ist Debian Sarge with SA 3.1.7.
I'm already using:
PDFInfo 0.7
80_additional.cf
Anyone scoring over 5?
How to get it caught ?
Ove Starckjohann
--
View this message in context:
http
But funny thing, my SA can't filter PDF spam if it was sent in regular way. I
mean it passes it throught without scoring it. Yours was triggered as spam
when I checked it with:
spamassassin -t -D message.eml
Eugene
Starckjohann, Ove wrote:
Hi!
The following PDF-Spam is passing through
BODY: TVD_SPACE_RATIO
1.0 TVD_PDF_FINGER01 Mail matches standard pdf spam fingerprint
-0.9 AWLAWL: From: address is in the auto white-list
Eugene
Yet Another Ninja wrote:
On 8/8/2007 10:54 AM, Starckjohann, Ove wrote:
Hi!
The following PDF-Spam is passing
Hi!
The following PDF-Spam is passing through:
http://ghds.de/20070808074441242.eml.txt
System ist Debian Sarge with SA 3.1.7.
I'm already using:
PDFInfo 0.7
80_additional.cf
Anyone scoring over 5?
How to get it caught ?
Ove Starckjohann
On 8/8/2007 10:54 AM, Starckjohann, Ove wrote:
Hi!
The following PDF-Spam is passing through:
http://ghds.de/20070808074441242.eml.txt
System ist Debian Sarge with SA 3.1.7.
I'm already using:
PDFInfo 0.7
80_additional.cf
Anyone scoring over 5?
How to get it caught ?
With PDFinfo you can
greetings,
i'm getting pdf attached spam. please help me stop that using
spamassassin...
Horacio_FILE_506292_6906.pdf
/tarak
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Tarak Ranjan wrote:
greetings,
i'm getting pdf attached spam. please help me stop that using
spamassassin...
Horacio_FILE_506292_6906.pdf
/tarak
Hey,
you can use the PDFInfo plugin for spamassassin
Tarak Ranjan wrote:
greetings,
i'm getting pdf attached spam. please help me stop that using
spamassassin...
Horacio_FILE_506292_6906.pdf
/tarak
The PDFInfo plugin from rulesemporium is designed for this kind of thing.
http://www.rulesemporium.com/plugins.htm
Personally, I've been
Matt Kettler skrev:
Tarak Ranjan wrote:
greetings,
i'm getting pdf attached spam. please help me stop that using
spamassassin...
Horacio_FILE_506292_6906.pdf
/tarak
The PDFInfo plugin from rulesemporium is designed for this kind of thing.
http://www.rulesemporium.com/plugins.htm
Matt Kettler wrote:
Tarak Ranjan wrote:
greetings,
i'm getting pdf attached spam. please help me stop that using
spamassassin...
Horacio_FILE_506292_6906.pdf
/tarak
The PDFInfo plugin from rulesemporium is designed for this kind of thing.
http://www.rulesemporium.com/plugins.htm
On 7/19/2007 1:10 PM, Anders Norrbring wrote:
Matt Kettler skrev:
Tarak Ranjan wrote:
greetings,
i'm getting pdf attached spam. please help me stop that using
spamassassin...
Horacio_FILE_506292_6906.pdf
/tarak
The PDFInfo plugin from rulesemporium is designed for this kind of thing.
Yet Another Ninja skrev:
On 7/19/2007 1:10 PM, Anders Norrbring wrote:
Matt Kettler skrev:
Tarak Ranjan wrote:
greetings,
i'm getting pdf attached spam. please help me stop that using
spamassassin...
Horacio_FILE_506292_6906.pdf
/tarak
The PDFInfo plugin from rulesemporium is designed
R.Smits wrote:
Matt Kettler wrote:
Tarak Ranjan wrote:
greetings,
i'm getting pdf attached spam. please help me stop that using
spamassassin...
Horacio_FILE_506292_6906.pdf
/tarak
The PDFInfo plugin from rulesemporium is designed for this kind of thing.
On Thu, 19 Jul 2007 at 07:41 -0500, [EMAIL PROTECTED] confabulated:
R.Smits wrote:
Matt Kettler wrote:
Tarak Ranjan wrote:
greetings,
i'm getting pdf attached spam. please help me stop that using
spamassassin...
Horacio_FILE_506292_6906.pdf
/tarak
The PDFInfo plugin from rulesemporium
On Thursday 19 July 2007, R.Smits wrote:
Matt Kettler wrote:
Tarak Ranjan wrote:
greetings,
i'm getting pdf attached spam. please help me stop that using
spamassassin...
Horacio_FILE_506292_6906.pdf
/tarak
The PDFInfo plugin from rulesemporium is designed for this kind of thing.
Matt Kettler wrote:
Tarak Ranjan wrote:
greetings,
i'm getting pdf attached spam. please help me stop that using
spamassassin...
Horacio_FILE_506292_6906.pdf
/tarak
The PDFInfo plugin from rulesemporium is designed for this kind of
thing.
Gene Heskett skrev:
On Thursday 19 July 2007, R.Smits wrote:
Matt Kettler wrote:
Tarak Ranjan wrote:
greetings,
i'm getting pdf attached spam. please help me stop that using
spamassassin...
Horacio_FILE_506292_6906.pdf
/tarak
The PDFInfo plugin from rulesemporium is designed for this kind
On Thu, Jul 19, 2007 at 12:50:05PM +0530, Tarak Ranjan wrote:
i'm getting pdf attached spam. please help me stop that using
spamassassin...
Are you using sa-update?
--
Randomly Selected Tagline:
Shell programming can be a difficult lesson in frustration.
- Linux
-Original Message-
From: Theo Van Dinter [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 19, 2007 11:06 AM
To: users@spamassassin.apache.org
Subject: Re: PDF spam
On Thu, Jul 19, 2007 at 12:50:05PM +0530, Tarak Ranjan wrote:
i'm getting pdf attached spam. please help me stop that using
Hi!
Personally, I've been able to keep them under control with good bayes
training, automated training by spamtraps, and a selective greylist, so
I have not yet tried this plugin.
Plugin seems to work great, but is it stable enough for big production
environments ? Any issues ?
It sure is.
://www.nabble.com/Catching-.pdf-Spam-tf4103383.html#a11669157
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
On Wed, Jul 18, 2007 at 06:52:40AM -0700, nws.charlie wrote:
more as spam). Can anyone tell me if there is already a ruleset that I
should be using?
Run sa-update, there's a rule already in there.
--
Randomly Selected Tagline:
Human female: All in all. This is one day that mitten the kitten
On Wed, 18 Jul 2007, nws.charlie wrote:
I have noticed that 98% of the spam with pdf attachments is
being sent from Thunderbird. I wrote a few rules and added them to
my local.cf. Here is the main one that is working. I am catching
most of the spam with this. Does anyone see anything
nws.charlie wrote:
I am catching most of the spam with this. Does
anyone see anything negative about a rule like this?
header __LOCAL_HEADER_THUNDERBIRD User-Agent =~ /\bthunderbird\b/i
full__LOCAL_HAS_PDF /\b\S*\.pdf\b/i
metaLOCAL_PDF_VIA_THUNDERBIRD
/spamassassin/.. Do I misunderstand, or do we have something
configured wrong?
Thanks for your replies!
MW
Theo Van Dinter-2 wrote:
Run sa-update, there's a rule already in there.
--
View this message in context:
http://www.nabble.com/Catching-.pdf-Spam-tf4103383.html#a11674168
Sent
On Wed, Jul 18, 2007 at 11:17:03AM -0700, nws.charlie wrote:
automatically twice a day. The updates are happening as scheduled, and being
placed in var/lib/spamassassin/3.001001/..., however, spamassassin seems to
be ignoring the rules there.
Why do you say that? Does spamassassin --lint -D
://www.nabble.com/Catching-.pdf-Spam-tf4103383.html#a11675276
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi, @ll
the newest version of pdfinfo plugin
matched some new pdf spam right now
* 2.0 GMD_PDF_FUZZY2_T3 BODY: Fuzzy MD5 Match
* 3D4E25DE4A05695681D694716D579474
well done !
- --
Mit freundlichen Gruessen
Best Regards
Robert
Here's a new style of PDF spam (recipient email address is munged):
http://Puffin.net/software/spam/samples/0004_pdf_gen3.eml
This time, it (apparently) is plain text with a link to an ED site, with
rather explicit language. I've only found two of these so far.
From a technical point
At 12:49 05-07-2007, Chip M. wrote:
Here's a new style of PDF spam (recipient email address is munged):
[snip]
- uses application/octet-stream instead of application/pdf
as the Content-Type
From your sample:
Content-Type: application/octet-stream; name=Message.pdf
You could match
At 01:09 PM 7/5/2007 -0700, you wrote:
You could match on the application/octet-steam and the file
extension being .pdf.
Good idea, but sorry, I should have been clearer (my BIM):
I meant use that in COMBINATION with OTHER signs, mainly to detect the
difference between the two styles.
To clear
I receive quite a few legitimate pdf attachments - half of them are pdf type,
the
other half is octet-string
(but they are usually A4 paper size)
Wolfgang Hamann
Here's a new style of PDF spam (recipient email address is munged):
[snip]
- uses application/octet-stream instead
In today's SANS diary:
During the last two days, we've received continuous reports of new
PDF spam. This time the pages attached are generally of different
size each time (no longer A4, but 4x3 inch or 6x1 inch).
Might a non-standard-paper-size PDF attachment be worth a point?
--
John
Hi,
its come up several times now that people ask for a way to directly
detect pdf spam by the pdf content and not only through headers or other
means (hashes, bayes).
I've found a solution that should be pretty easy to realise in a
Fuzzy-OCR like plugin. Here is what it should do:
Use xpdf
arni wrote:
Hi,
its come up several times now that people ask for a way to directly
detect pdf spam by the pdf content and not only through headers or
other means (hashes, bayes).
I've found a solution that should be pretty easy to realise in a
Fuzzy-OCR like plugin. Here is what it should
51 matches
Mail list logo