> On Apr 1, 2016, at 4:11 PM, Martin Gregorie <mar...@gregorie.org> wrote: > > On Fri, 2016-04-01 at 13:25 -0400, Alex wrote: >> Hi all, >> >> Has anyone else seen an increase in PDF invoice spam with just a link >> in it? The centurylink IP is now blacklisted, but obviously it wasn't >> when this was received. The link contained in the PDF has also >> already >> been disabled, but obviously wasn't when this was received. >> >> I'd really appreciate ideas on how this one should be blocked: >> >> http://pastebin.com/g7dJ7SHu >> >> There's very little text in the body, so I suspect that's why bayes >> is confused. PDF invoices and conversations involving "payment" and >> "invoice" are not all that uncommon. >> > True, but this type of spam often contains odd or somewhat archaic > phrases. I find that a local rule that fires when it sees such a phrase > and a dangerous attachment type detects them quite nicely.
I’m catching these at the ClamAV stage with the “unofficial sigs” package. It’s been working really well - I have mailboxes with/without the extra ClamAV sigs and the difference is huge. Charles > > Martin
