Hi, all.

From: "Mike Cisar" <[EMAIL PROTECTED]>
Subject: fdf spam
Date: Fri, 10 Aug 2007 09:10:26 -0600

> Has anyone else been seeing the empty-body "PDF" spam, but with a .fdf file
> extension.  Had a whole pile in my inbox here this morning.  
> 
> Cheers,
> >>>>> Mike <<<<<

Here are 2 rules for detecting PDF spam.

full NULLTXTPDF /(\n(?:-{12,}0\d{22,}|--={19,}_\d{6,}==_)\n)Content-Type: text\/plain; charset=\"{0,1}[\w-]{5,}\"{0,1}; format=flowed(?:\nContent-Transfer-Encoding: 7bit){0,1}\n{2,}\1Content-Type: application\/(?:pdf|octet-stream);(?:\n| name=\")/

full HTMLPDF /(-{6}=_NextPart_000_00[0-9A-F]{2}_[0-9A-F]{8}\.[0-9A-F]{8})\nContent-Type: multipart\/alternative;\n.boundary=\"(----=_NextPart_001_00[0-9A-F]{2}_[0-9A-F]{8}\.[0-9A-F]{8})\"\n\n\n--\2\nContent-Type: text\/plain;\n.charset=\"{0,1}[\w-]{5,}\"{0,1}\nContent-Transfer-Encoding: quoted-printable\n\n\n--\2\nContent-Type: text\/html;\n.charset=\"{0,1}[\w-]{5,}\"{0,1}\nContent-Transfer-Encoding: quoted-printable\n\n(?:.+\n){5}<STYLE><\/STYLE>\n.+\n.+\n<DIV><FONT face=3DArial size=3D2><\/FONT>&nbsp;<\/DIV><\/BODY><\/HTML>\n\n--\2--\n\n\1\nContent-Type: application\/(?:pdf|octet-stream);/

Enjoy. ;-)
--
MATSUDA Yoh-ichi(yoh)
mailto:[EMAIL PROTECTED]
http://www.flcl.org/~yoh/diary/ (only Japanese)
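
Added example, not part of the original post: the NULLTXTPDF pattern ported to Python's re so it can be checked offline against sample mail before the rule is loaded. The helper names, boundaries and messages are constructed for illustration, and LF line endings are assumed, as the pattern itself expects.

```python
import re

# NULLTXTPDF from the post, mail line-wraps joined, Perl /.../ delimiters dropped.
# Group 1 is the MIME delimiter line; \1 requires the same delimiter to follow
# the text/plain part's headers after nothing but newlines (an empty body).
NULLTXTPDF = re.compile(
    r'(\n(?:-{12,}0\d{22,}|--={19,}_\d{6,}==_)\n)'
    r'Content-Type: text\/plain; charset=\"{0,1}[\w-]{5,}\"{0,1}; format=flowed'
    r'(?:\nContent-Transfer-Encoding: 7bit){0,1}\n{2,}'
    r'\1Content-Type: application\/(?:pdf|octet-stream);(?:\n| name=\")'
)

# Constructed boundaries in the two shapes the rule's alternation accepts.
DIGIT_BOUNDARY = "-" * 12 + "010203040506070809000102"
EQUALS_BOUNDARY = "=" * 21 + "_12345678==_"


def build_message(boundary, text_body=""):
    """Constructed two-part message: a text/plain part, then a PDF part."""
    delim = "--" + boundary
    return "\n".join([
        "From: sender@example.com",
        "Subject: constructed sample",
        "MIME-Version: 1.0",
        "Content-Type: multipart/mixed;",
        ' boundary="%s"' % boundary,
        "",
        "This is a multi-part message in MIME format.",
        delim,
        "Content-Type: text/plain; charset=ISO-8859-1; format=flowed",
        "Content-Transfer-Encoding: 7bit",
        "",
        text_body,
        delim,
        "Content-Type: application/pdf;",
        ' name="sample.fdf"',
        "Content-Transfer-Encoding: base64",
        "",
        "JVBERi0xLjQK",  # constructed placeholder payload
        delim + "--",
        "",
    ])


def rule_hits(raw_message):
    """True when the raw message matches the NULLTXTPDF pattern."""
    return NULLTXTPDF.search(raw_message) is not None
```

A message whose text part carries any body text does not match, which is what keeps ordinary mail with a PDF attachment from hitting the rule.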
