On Fri, 2007-07-13 at 12:28 -0400, Robert Fitzpatrick wrote:
> Just verified a couple of PDF attachments getting through with our
> PDFInfo rules. Can someone test these to see if my PDF rules are working
> or if you're able to block? I believe the rules are working as the
> latter message is hitting one, just not enough to block. I tried my
> access to the PDFInfo link sent to me by the webmaster to see if there
> was an update, but it is not working now :(

Running pdfinfo 0.3, I see the first one being analyzed, but not stopped by the pdfinfo rule:

[22374] dbg: pdfinfo: Filename=Unpaid-ysqupuubxeq.pdf Title=untitled Author=unknown Producer=unknown Created=0 Modified=0
[22374] dbg: pdfinfo: MD5 results for Unpaid-ysqupuubxeq.pdf - md5=F923904B32BA5534E77C65A2651661D4 fuzzy1=0C751FC7A604AB836B4A10B63BB1449D fuzzy2=1AF87ABAF88F3C2A80577BE2E3A5886E
[22374] dbg: pdfinfo: Found a PDF file - Unpaid-ysqupuubxeq.pdf
...
X-Spam-Status: No, score=3.4 required=5.0 tests=BOTNET_CLIENT,
        BOTNET_IPINHOSTNAME,BOTNET_OTHER,DKIM_POLICY_SIGNSOME,RELAY_US,
        TVD_SPACE_RATIO autolearn=disabled version=3.2.1

Botnet probably would have killed this off on my system, but since my botnet is tied to p0f and I don't have any fingerprint data it won't hit those rules...

--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com