Hi,

On Tue, Aug 22, 2017 at 8:46 PM, Dianne Skoll <d...@roaringpenguin.com> wrote:
> On Tue, 22 Aug 2017 20:19:06 -0400
> Alex <mysqlstud...@gmail.com> wrote:
>
>> > Take a look at podofopdfinfo. It can extract URLs from PDF docs
>> > and you can trigger on those.
>
>> Thank you. It didn't work on this one :-(
>
> It worked for me:
>
> $ podofopdfinfo pdf-phish.pdf
> Document Info
> -------------
> File: pdf-phish.pdf
> PDF Version: 1.5
> [... much output deleted ...]
>
> Annotation 0
> [... much output deleted ...]
>
> Link Target: 1
> Action URI: http://dabanlar.com/west/scan.html
Ah, thank you. I used podofotxtextract.

John wrote:
>> Are there any current solutions for those of us with spamassassin and
>> amavisd?
> clamav?

It's too slow to react, particularly when the PDFs are written specifically to reach a domain. Sometimes the PDF will never be detected by any of the antivirus scanners because of this.

Of course I'm further analyzing the other characteristics of the message to build rules to stop them the next time, but this is still after two emails were received with this PDF, each of which had like 40 recips. It only took a slight adjustment to my custom rules to block these for next time, but an additional advantage with being able to process the URLs would be nice.

>> I also don't see a way to use it with amavisd.
>
> Right. I use MIMEDefang which is a little more flexible in how you
> glue the bits and pieces together.
>
>> "strings" was able to extract the URL.
>
> That works this time, but generally speaking, PDF documents may be
> compressed in which case "strings" won't be useful.
>
> I reported the URL to Google as fraudulent.

Thank you. What other steps can be taken with more of an automated approach? Would a plugin that does a reverse lookup on the domain then check the various RBLs be conceivable? Or would you somehow re-inject the URL back into SA? How much programming is involved with doing something like this?
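The two points raised in this thread (that "strings" misses URLs inside compressed PDF streams, and that an automated step could pull the link target out and build RBL/URIBL queries from it) are illustrated by the following added Python example. It is not code from the thread, from podofo, SpamAssassin or MIMEDefang. It constructs its own tiny PDF with a /Link annotation inside a FlateDecode stream, extracts /URI action targets from raw and inflated streams, and shows how the query names for a domain-based list and an IP-based list are formed. The URL and the list zones (`phish.example`, `uribl.example`, `rbl.example`) are reserved placeholder names, and all function names are my own.

```python
import re
import socket
import zlib
from urllib.parse import urlsplit

# Constructed placeholder URL (reserved .example TLD), not the thread's real one.
SAMPLE_URL = "http://phish.example/west/scan.html"


def build_sample_pdf(url: str) -> bytes:
    """Build a minimal PDF whose /Link annotation sits inside a
    FlateDecode-compressed stream, so the URL is not in cleartext.
    Constructed sample input; it is not a valid page-rendering PDF."""
    annot = (b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
             b"/A << /S /URI /URI (" + url.encode("latin-1") + b") >> >>")
    body = zlib.compress(annot)
    return (b"%PDF-1.5\n4 0 obj\n<< /Length " + str(len(body)).encode() +
            b" /Filter /FlateDecode >>\nstream\n" + body +
            b"\nendstream\nendobj\n%%EOF\n")


_STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
# PDF literal string: anything but unescaped parentheses, or a backslash escape.
_URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)", re.DOTALL)


def _unescape(s: bytes) -> str:
    # Only the literal-string escapes that matter for URLs are handled.
    s = s.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
    return s.decode("latin-1")


def extract_uris(pdf: bytes) -> list:
    """Return every /URI action target, scanning the raw file and the
    inflated contents of each stream. Other filters (ASCIIHex, LZW,
    predictors, object streams with /First offsets) are not handled here."""
    haystacks = [pdf]
    for m in _STREAM_RE.finditer(pdf):
        raw = m.group(1)
        try:
            # decompressobj tolerates trailing bytes (the newline before
            # 'endstream'); an uncompressed stream raises zlib.error.
            inflated = zlib.decompressobj().decompress(raw)
        except zlib.error:
            continue  # raw bytes were already scanned via `pdf`
        if inflated:
            haystacks.append(inflated)
    found = []
    for blob in haystacks:
        for u in _URI_RE.finditer(blob):
            uri = _unescape(u.group(1))
            if uri not in found:
                found.append(uri)
    return found


def visible_to_strings(pdf: bytes, url: str) -> bool:
    """Roughly what `strings` would see: is the URL present in cleartext?"""
    return url.encode("latin-1") in pdf


def host_of(uri: str) -> str:
    return urlsplit(uri).hostname or ""


def uribl_query_name(host: str, zone: str) -> str:
    """Query name for a domain-based list (SURBL/URIBL style): host.zone."""
    return f"{host.rstrip('.')}.{zone}"


def ip_rbl_query_name(ip: str, zone: str) -> str:
    """Query name for an IPv4-based list: reversed octets under the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def listed(query_name: str) -> bool:
    """Live DNS check: any A record means 'listed'. Not exercised offline."""
    try:
        socket.gethostbyname(query_name)
        return True
    except socket.gaierror:
        return False


if __name__ == "__main__":
    pdf = build_sample_pdf(SAMPLE_URL)
    print("strings would see it:", visible_to_strings(pdf, SAMPLE_URL))
    for uri in extract_uris(pdf):
        print("URI:", uri, "->", uribl_query_name(host_of(uri), "uribl.example"))
```

In a MIMEDefang filter or a SpamAssassin plugin the same two steps apply: run `extract_uris` over each PDF attachment, then either feed the URIs to the existing URIBL rules or resolve the host and query an IP-based zone with the name `ip_rbl_query_name` produces.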