A clickable picture should trigger a web client only if the PDF contains a script for this action, which you can detect using ClamAV.
-------- Original Message --------
On Jun 4, 2021, 08:19, Benoît Panizzon <benoit.paniz...@imp.ch> wrote:

Hi Gang

In the last couple of weeks, I have seen a lot of spam mails containing just one single PDF, hardly any other text.

That PDF again contains a clickable picture leading to some phishing site or similar.

Of course the URL in the PDF is not being checked against URI Blacklists.

Also creating a rule to match PDF attachment and little text would create way too many false positives, as sending 'PDF Emails' seems to be something quite common.

So I wonder if someone already came up with an AS plugin to extract links from a PDF and check them against URI blacklists.

--
Kind regards

-Benoît Panizzon- @ home office and reachable as usual
--
I m p r o W a r e   A G    -    Head of Commerce Customers
______________________________________________________

Zurlindenstrasse 29             Tel  +41 61 826 93 00
CH-4133 Pratteln                Fax  +41 61 826 93 01
Switzerland                     Web  http://www.imp.ch
______________________________________________________
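
The lookup asked about in the original message, sketched as an added example (not code from the thread or from SpamAssassin): it pulls `/URI` link targets out of a PDF's raw objects and Flate-compressed streams and matches their hosts against a blocklist. The function names, the constructed sample bytes and the local blocklist set (standing in for a DNS URI-blacklist query) are assumptions.

```python
import re
import zlib
from urllib.parse import urlsplit

# A link annotation's target is /URI (literal string) or /URI <hex string>.
# Simplification: nested unescaped parentheses in a literal are not handled.
URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\()])*)\)|<([0-9A-Fa-f\s]*)>)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
ESCAPE_RE = re.compile(rb"\\([()\\])")

def inflated_streams(pdf):
    """Yield each stream body that inflates as zlib (/FlateDecode)."""
    for m in STREAM_RE.finditer(pdf):
        try:
            # decompressobj tolerates the end-of-line bytes before "endstream"
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # other filters and encrypted files are out of scope here

def extract_uris(pdf):
    """Return distinct /URI targets from the raw file and its inflated streams."""
    found = []
    for blob in (pdf, *inflated_streams(pdf)):
        for literal, hexstr in URI_RE.findall(blob):
            if hexstr:
                digits = b"".join(hexstr.split()).decode("ascii")
                raw = bytes.fromhex(digits + "0" * (len(digits) % 2))
            else:
                raw = ESCAPE_RE.sub(rb"\1", literal)
            uri = raw.decode("latin-1")
            if uri and uri not in found:
                found.append(uri)
    return found

def listed_hosts(uris, blocklist):
    """Return hosts whose name or any parent domain is in the local blocklist set."""
    hits = set()
    for uri in uris:
        try:
            host = (urlsplit(uri).hostname or "").lower()
        except ValueError:
            continue  # malformed URL
        labels = host.split(".")
        if any(".".join(labels[i:]) in blocklist for i in range(len(labels))):
            hits.add(host)
    return sorted(hits)

# Constructed sample: one hex-string URI in plain text, one literal URI in a Flate stream.
_ANNOT = rb"<< /Subtype /Link /A << /S /URI /URI (http://login.phish.example/a\)b) >> >>"
SAMPLE = (b"%PDF-1.5\n1 0 obj\n<< /S /URI /URI <" + b"https://www.example.org/".hex().encode()
          + b"> >>\nendobj\n2 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
          + zlib.compress(_ANNOT) + b"\nendstream\nendobj\n")
```

In a mail filter the set lookup would be replaced by the URI-blacklist query already used for links in the message body.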