Alex,
>> What is the name of the plugin you're referring to? It's not PDFInfo,
>> correct?
It's called Pdf.pm (note the unusual capitalization) or PDFassassin and
starts with something saying:
# PDF scan, inspired by Ocr.pm
# For more details see
# http://blog.atmail.com/?p=61
I cannot remem
Am 04.04.2016 um 01:18 schrieb Martin Gregorie:
On Sun, 2016-04-03 at 21:01 +0200, Reindl Harald wrote:
Am 03.04.2016 um 20:56 schrieb Martin Gregorie:
None of these file extensions appear in my dangerous attachments
rule.
Maybe .DOC should be included, but it isn't and I simply don't
remem
On Sun, 2016-04-03 at 17:42 -0400, Alex wrote:
>
> Do you have any rules for your fake invoice detection (perhaps
> pseudocode?) that you'd like to share?
>
Not as concrete rules, partly because, just as everybody's spam streams
are different, so my specific rules probably won't work for your spa
On Sun, 2016-04-03 at 21:01 +0200, Reindl Harald wrote:
>
>
> Am 03.04.2016 um 20:56 schrieb Martin Gregorie:
> >
> >
> > None of these file extensions appear in my dangerous attachments
> > rule.
> > Maybe .DOC should be included, but it isn't and I simply don't
> > remember
> > if MSWord supp
with the smallest modification, it becomes
ineffective. It's also always chasing something after the fact.
I also wouldn't expect that exact phrase to hit very many times in
your archive because there are just so many possible variations. I
only said it was common language, not that it
Am 03.04.2016 um 20:56 schrieb Martin Gregorie:
None of these file extensions appear in my dangerous attachments rule.
Maybe .DOC should be included, but it isn't and I simply don't remember
if MSWord supported macros back then (2004)
MS word supports macros for more than a decade
with OOXML
On Sun, 2016-04-03 at 09:47 -0400, Alex wrote:
> Hi,
>
> >
> > >
> > > There's very little text in the body, so I suspect that's why
> > > bayes
> > > is confused. PDF invoices and conversations involving "payment"
> > > and
> > > "invoice" are not all that uncommon.
> > >
> > True, but this ty
Hi,
>> There's very little text in the body, so I suspect that's why bayes
>> is confused. PDF invoices and conversations involving "payment" and
>> "invoice" are not all that uncommon.
>>
> True, but this type of spam often contains odd or somewhat archaic
> phrases. I find that a local rule that
On 1 Apr 2016, at 13:25, Alex wrote:
> There's very little text in the body, so I suspect that's why bayes is
> confused. PDF invoices and conversations involving "payment" and
> "invoice" are not all that uncommon.
Ones which aren't sent to anyone in particular are quite rare.
(but since I just
Alex,
> Has anyone else seen an increase in PDF invoice spam with just a link
> in it? The centurylink IP is now blacklisted, but obviously it wasn't
> when this was received. The link contained in the PDF has also already
> been disabled, but obviously wasn't when this was received.
>
> I'd reall
> On Apr 1, 2016, at 4:11 PM, Martin Gregorie wrote:
>
> On Fri, 2016-04-01 at 13:25 -0400, Alex wrote:
>> Hi all,
>>
>> Has anyone else seen an increase in PDF invoice spam with just a link
>> in it? The centurylink IP is now blacklisted, but obviously it wasn't
>> when this was received. The
On Fri, 2016-04-01 at 13:25 -0400, Alex wrote:
> Hi all,
>
> Has anyone else seen an increase in PDF invoice spam with just a link
> in it? The centurylink IP is now blacklisted, but obviously it wasn't
> when this was received. The link contained in the PDF has also
> already
> been disabled, but
Hi all,
Has anyone else seen an increase in PDF invoice spam with just a link
in it? The centurylink IP is now blacklisted, but obviously it wasn't
when this was received. The link contained in the PDF has also already
been disabled, but obviously wasn't when this was received.
I'd really appreci
On Thu, 2009-09-03 at 11:20 -0400, Charles Gregory wrote:
> I'm seeing a set of spam, with some very regular easily trapped
> text in their headers/body, but with large PDF files that push
> the size of the mail outside the 256K limit for running SA.
That's your limit. ;) The default for spamc is
On Thu, 3 Sep 2009, Charles Gregory wrote:
I'm seeing a set of spam, with some very regular easily trapped text in
their headers/body, but with large PDF files that push the size of the
mail outside the 256K limit for running SA.
Anyone have any experience raising that limit? How high can we
I'm seeing a set of spam, with some very regular easily trapped
text in their headers/body, but with large PDF files that push
the size of the mail outside the 256K limit for running SA.
Anyone have any experience raising that limit? How high can we
go before it really starts to impact performan
BODY: TVD_SPACE_RATIO
1.0 TVD_PDF_FINGER01 Mail matches standard pdf spam fingerprint
-0.9 AWL AWL: From: address is in the auto white-list
Eugene
Yet Another Ninja wrote:
>
> On 8/8/2007 10:54 AM, Starckjohann, Ove wrote:
>> Hi!
>>
>> T
But funny thing, my SA can't filter PDF spam if it was sent in regular way. I
mean it passes it through without scoring it. Yours was triggered as spam
when I checked it with:
spamassassin -t -D < message.eml
Eugene
Starckjohann, Ove wrote:
>
> Hi!
>
> The following
>
> Hi!
>
> The following PDF-Spam is passing through:
>
> http://ghds.de/20070808074441242.eml.txt
>
> System is Debian Sarge with SA 3.1.7.
> I'm already using:
> PDFInfo 0.7
> 80_additional.cf
>
> Anyone scoring over 5?
> How to get it caught
On 8/8/2007 10:54 AM, Starckjohann, Ove wrote:
Hi!
The following PDF-Spam is passing through:
http://ghds.de/20070808074441242.eml.txt
System is Debian Sarge with SA 3.1.7.
I'm already using:
PDFInfo 0.7
80_additional.cf
Anyone scoring over 5?
How to get it caught ?
With PDFinfo yo
Hi!
The following PDF-Spam is passing through:
http://ghds.de/20070808074441242.eml.txt
System is Debian Sarge with SA 3.1.7.
I'm already using:
PDFInfo 0.7
80_additional.cf
Anyone scoring over 5?
How to get it caught ?
Ove Starckjohann
Hi!
Personally, I've been able to keep them under control with good bayes
training, automated training by spamtraps, and a selective greylist, so
I have not yet tried this plugin.
Plugin seems to work great, but is it stable enough for big production
environments ? Any issues ?
It sure is.
-Original Message-
From: Theo Van Dinter [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 19, 2007 11:06 AM
To: users@spamassassin.apache.org
Subject: Re: PDF spam
On Thu, Jul 19, 2007 at 12:50:05PM +0530, Tarak Ranjan wrote:
> i'm getting pdf attached spam. please help me stop th
On Thu, Jul 19, 2007 at 12:50:05PM +0530, Tarak Ranjan wrote:
> i'm getting pdf attached spam. please help me stop that using
> spamassassin...
Are you using sa-update?
--
Randomly Selected Tagline:
"Shell programming can be a difficult lesson in frustration."
- Linux Refer
Gene Heskett skrev:
On Thursday 19 July 2007, R.Smits wrote:
Matt Kettler wrote:
Tarak Ranjan wrote:
greetings,
i'm getting pdf attached spam. please help me stop that using
spamassassin...
Horacio_FILE_506292_6906.pdf
/tarak
The PDFInfo plugin from rulesemporium is designed for this kind o
Matt Kettler wrote:
> Tarak Ranjan wrote:
>> greetings,
>> i'm getting pdf attached spam. please help me stop that using
>> spamassassin...
>>
>> Horacio_FILE_506292_6906.pdf
>>
>> /tarak
>>
>>
> The PDFInfo plugin from rulesemporium is designed for this kind of
> thing.
>
> http://www.rulese
On Thursday 19 July 2007, R.Smits wrote:
>Matt Kettler wrote:
>> Tarak Ranjan wrote:
>>> greetings,
>>> i'm getting pdf attached spam. please help me stop that using
>>> spamassassin...
>>>
>>> Horacio_FILE_506292_6906.pdf
>>>
>>> /tarak
>>
>> The PDFInfo plugin from rulesemporium is designed for t
On Thu, 19 Jul 2007 at 07:41 -0500, [EMAIL PROTECTED] confabulated:
R.Smits wrote:
Matt Kettler wrote:
Tarak Ranjan wrote:
greetings,
i'm getting pdf attached spam. please help me stop that using
spamassassin...
Horacio_FILE_506292_6906.pdf
/tarak
The PDFInfo plugin from rulesemporium
R.Smits wrote:
Matt Kettler wrote:
Tarak Ranjan wrote:
greetings,
i'm getting pdf attached spam. please help me stop that using
spamassassin...
Horacio_FILE_506292_6906.pdf
/tarak
The PDFInfo plugin from rulesemporium is designed for this kind of thing.
http://www.rulesem
Yet Another Ninja skrev:
On 7/19/2007 1:10 PM, Anders Norrbring wrote:
Matt Kettler skrev:
Tarak Ranjan wrote:
greetings,
i'm getting pdf attached spam. please help me stop that using
spamassassin...
Horacio_FILE_506292_6906.pdf
/tarak
The PDFInfo plugin from rulesemporium is designed fo
On 7/19/2007 1:10 PM, Anders Norrbring wrote:
Matt Kettler skrev:
Tarak Ranjan wrote:
greetings,
i'm getting pdf attached spam. please help me stop that using
spamassassin...
Horacio_FILE_506292_6906.pdf
/tarak
The PDFInfo plugin from rulesemporium is designed for this kind of thing.
ht
Matt Kettler wrote:
> Tarak Ranjan wrote:
>> greetings,
>> i'm getting pdf attached spam. please help me stop that using
>> spamassassin...
>>
>> Horacio_FILE_506292_6906.pdf
>>
>> /tarak
>>
>>
> The PDFInfo plugin from rulesemporium is designed for this kind of thing.
>
> http://www.rulesemp
Matt Kettler skrev:
Tarak Ranjan wrote:
greetings,
i'm getting pdf attached spam. please help me stop that using
spamassassin...
Horacio_FILE_506292_6906.pdf
/tarak
The PDFInfo plugin from rulesemporium is designed for this kind of thing.
http://www.rulesemporium.com/plugins.htm
Persona
Tarak Ranjan wrote:
> greetings,
> i'm getting pdf attached spam. please help me stop that using
> spamassassin...
>
> Horacio_FILE_506292_6906.pdf
>
> /tarak
>
>
The PDFInfo plugin from rulesemporium is designed for this kind of thing.
http://www.rulesemporium.com/plugins.htm
Personally, I've
Tarak Ranjan wrote:
> greetings,
> i'm getting pdf attached spam. please help me stop that using
> spamassassin...
>
> Horacio_FILE_506292_6906.pdf
>
> /tarak
>
Hey,
you can use the PDFInfo plugin for spamassassin
(http://www.rulesemporium.com/pl
greetings,
i'm getting pdf attached spam. please help me stop that using
spamassassin...
Horacio_FILE_506292_6906.pdf
/tarak
nt
these rules from working, right?
Thanks again.
--
View this message in context:
http://www.nabble.com/Catching-.pdf-Spam-tf4103383.html#a11675276
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
On Wed, Jul 18, 2007 at 11:17:03AM -0700, nws.charlie wrote:
> automatically twice a day. The updates are happening as scheduled, and being
> placed in var/lib/spamassassin/3.001001/..., however, spamassassin seems to
> be ignoring the rules there.
Why do you say that? Does "spamassassin --lint -
/spamassassin/.. Do I misunderstand, or do we have something
configured wrong?
Thanks for your replies!
MW
Theo Van Dinter-2 wrote:
>
>
> Run sa-update, there's a rule already in there.
>
>
nws.charlie wrote:
I am catching most of the spam with this. Does
anyone see anything negative about a rule like this?
header __LOCAL_HEADER_THUNDERBIRD User-Agent =~ /\bthunderbird\b/i
full __LOCAL_HAS_PDF /\b\S*\.pdf\b/i
meta LOCAL_PDF_VIA_THUNDERBIRD (__LOCAL_HEADER_TH
On Wed, 18 Jul 2007, nws.charlie wrote:
> I have noticed that 98% of the spam with pdf attachments is
> being sent from Thunderbird. I wrote a few rules and added them to
> my local.cf. Here is the main one that is working. I am catching
> most of the spam with this. Does anyone see anything neg
On Wed, Jul 18, 2007 at 06:52:40AM -0700, nws.charlie wrote:
> more as spam). Can anyone tell me if there is already a ruleset that I
> should be using?
Run sa-update, there's a rule already in there.
--
Randomly Selected Tagline:
Human female: "All in all. This is one day that mitten the kitte
Hi, @ll
the newest version of pdfinfo plugin
matched some new pdf spam right now
* 2.0 GMD_PDF_FUZZY2_T3 BODY: Fuzzy MD5 Match
* 3D4E25DE4A05695681D694716D579474
well done !
- --
Mit freundlichen Gruessen
Best Regards
Robert
I receive quite a few legitimate pdf attachments - half of them are pdf type,
the
other half is octet-string
(but they are usually A4 paper size)
Wolfgang Hamann
>> >Here's a new style of PDF spam (recipient email address is munged):
>>
>> [snip]
>>
>>
At 01:09 PM 7/5/2007 -0700, you wrote:
>You could match on the "application/octet-stream" and the file
>extension being ".pdf".
Good idea, but sorry, I should have been clearer (my BIM):
I meant use that in COMBINATION with OTHER signs, mainly to detect the
difference between the two styles.
To c
At 12:49 05-07-2007, Chip M. wrote:
Here's a new style of PDF spam (recipient email address is munged):
[snip]
- uses "application/octet-stream" instead of "application/pdf"
as the Content-Type
From your sample:
Content-Type: application/octet-stream; name
Here's a new style of PDF spam (recipient email address is munged):
http://Puffin.net/software/spam/samples/0004_pdf_gen3.eml
This time, it (apparently) is plain text with a link to an ED site, with
rather explicit language. I've only found two of these so far.
From a te
In today's SANS diary:
During the last two days, we've received continuous reports of new
PDF spam. This time the pages attached are generally of different
size each time (no longer A4, but 4x3 inch or 6x1 inch).
Might a non-standard-paper-size PDF attachment be worth a point?
arni wrote:
Hi,
it's come up several times now that people ask for a way to directly
detect pdf spam by the pdf content and not only through headers or
other means (hashes, bayes).
I've found a solution that should be pretty easy to realise in a
Fuzzy-OCR like plugin. Here is what it s
Hi,
it's come up several times now that people ask for a way to directly
detect pdf spam by the pdf content and not only through headers or other
means (hashes, bayes).
I've found a solution that should be pretty easy to realise in a
Fuzzy-OCR like plugin. Here is what it should do:
Use
51 matches