On Fri, 2016-04-01 at 13:25 -0400, Alex wrote:
> Hi all,
>
> Has anyone else seen an increase in PDF invoice spam with just a link
> in it? The centurylink IP is now blacklisted, but obviously it wasn't
> when this was received. The link contained in the PDF has also already
> been disabled, but obviously wasn't when this was received.
>
> I'd really appreciate ideas on how this one should be blocked:
>
> http://pastebin.com/g7dJ7SHu
>
> There's very little text in the body, so I suspect that's why bayes
> is confused. PDF invoices and conversations involving "payment" and
> "invoice" are not all that uncommon.
>
True, but this type of spam often contains odd or somewhat archaic
phrases. I find that a local rule that fires when it sees such a phrase
and a dangerous attachment type detects them quite nicely.

Martin
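
The combination described in the reply above (an unusual phrase together with a risky attachment type), modelled in Python as an added example that is not part of the original thread. The phrase list, the attachment types and all function names are assumptions, and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.message import EmailMessage, Message

# Constructed sample phrases (assumption); tune against your own spam corpus.
ODD_PHRASES = re.compile(
    r"\b(?:kindly find (?:the )?attached|herewith attached|do the needful)\b",
    re.IGNORECASE,
)
# Attachment types treated as risky by this rule (assumption; extend locally).
RISKY_TYPES = {"application/pdf", "application/msword", "application/zip"}
RISKY_EXTS = (".pdf", ".doc", ".docm", ".zip", ".js")


def has_odd_phrase(msg: Message) -> bool:
    """True if an inline text/plain part contains one of the listed phrases."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            payload = part.get_payload(decode=True) or b""
            text = payload.decode(part.get_content_charset() or "utf-8", "replace")
            if ODD_PHRASES.search(text):
                return True
    return False


def has_risky_attachment(msg: Message) -> bool:
    """True if any part has a risky MIME type or file extension."""
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() in RISKY_TYPES or name.endswith(RISKY_EXTS):
            return True
    return False


def rule_fires(raw: str) -> bool:
    """Fire only when both conditions hold, so ordinary invoices pass."""
    msg = message_from_string(raw)
    return has_odd_phrase(msg) and has_risky_attachment(msg)


def sample(body: str, attach_pdf: bool) -> str:
    """Build a constructed test message (not real mail)."""
    m = EmailMessage()
    m["Subject"] = "Invoice"
    m.set_content(body)
    if attach_pdf:
        m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                         subtype="pdf", filename="invoice.pdf")
    return m.as_string()
```

Requiring both conditions is what keeps legitimate mail with a PDF invoice, or mail that merely uses one of the phrases, from matching.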