Re: Fake User-Agent on PDF -- WARNING!

Holger Gebhard holger at gebhardweb.de
Sun Jul 1 00:16:56 IST 2007


I wrote a very simple regex to catch the pdf-spams until other rules are
available (more than 15.000 pdf-spams today) ;-) 
The regex is not very fast but still works:


full     PDF_ONLY_SPAM   /encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/pdf\;.{1,40}name\=.{1,40}\.pdf.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.pdf/is
describe PDF_ONLY_SPAM   PDF only Message, no text in message body
score    PDF_ONLY_SPAM   1.0


This rule matches only messages with specific encodings, PDF attachments and
no text in the message body.
Works fine with no false positives until today.


Regards

Holger
    
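The same "PDF attachment, no text body" condition can be checked structurally by walking the MIME tree instead of regex-matching raw headers. This is an added example, not code from the thread or from SpamAssassin; the sample messages, addresses and PDF bytes are constructed.

```python
import email
from email import policy
from email.message import EmailMessage


def is_pdf_only(raw: bytes) -> bool:
    """Return True when the message has a PDF part and no non-blank text body.

    Structural counterpart of the PDF_ONLY_SPAM idea: walking the parsed
    MIME tree means header wrapping, ordering and case do not matter.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    has_pdf = False
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        ctype = part.get_content_type()
        fname = (part.get_filename() or "").lower()
        if ctype == "application/pdf" or fname.endswith(".pdf"):
            has_pdf = True
        elif part.get_content_maintype() == "text":
            # Any real words in a text/plain or text/html body means the
            # message is not "PDF only"; whitespace-only bodies still count.
            if part.get_content().strip():
                return False
    return has_pdf


def build_sample(body, attach_pdf=True) -> bytes:
    """Constructed test message (dummy addresses, dummy PDF bytes)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    if body is not None:
        msg.set_content(body)
    if attach_pdf:
        # add_attachment turns the message into multipart/mixed and moves
        # any existing text body into the first sub-part.
        msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application",
                           subtype="pdf", filename="invoice.pdf",
                           disposition="inline")
    return msg.as_bytes()


if __name__ == "__main__":
    print(is_pdf_only(build_sample(None)))                        # True
    print(is_pdf_only(build_sample("Please see the attachment")))  # False
```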

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On behalf of Julian
Field
Sent: Saturday, 30 June 2007 23:18
To: MailScanner discussion
Subject: Re: Fake User-Agent on PDF -- WARNING!

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Turns out this is not an illegal version number at all, it's perfectly 
valid.
So I strongly advise against using any rule based on this version number :-(

bother :(

Jules.

Julian Field wrote:
> * PGP Signed: 06/30/07 at 21:10:58
>
>
>
> Alex Broens wrote:
>> On 6/30/2007 6:58 PM, Julian Field wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>>
>>>
>>> Hugo van der Kooij wrote:
>>>> Hi,
>>>>
>>>> So far all SPAM PDF files that did not get killed on other issues 
>>>> seem to use a fake User-Agent header: User-Agent: Thunderbird 
>>>> 1.5.0.12 (Windows/20070509)
>>>>
>>>> According to 
>>>> http://www.mozilla.com/en-US/thunderbird/releases/1.5.0.12.html the 
>>>> release date is impossible however.
>>>>
>>>> I have not written a SA rule (yet). I wrote a detectline in my 
>>>> header checks of postfix:
>>>> /^User-Agent: Thunderbird 1.5.0.12 \(Windows/20070509\)/    
>>>> REJECT    This is a fake version of Thunderbird
>>> Here's a SA rule that will do the same thing:
>>> header JKF_FAKE_TBIRD User-Agent =~ /Thunderbird 1.5.0.12 
>>> \(Windows\/20070509\)/
>>> describe JKF_FAKE_TBIRD Fake version of Thunderbird
>>> score JKF_FAKE_TBIRD 1.5
>>>
>>
>> Jules,
>>
>> /Thunderbird 1\.5\.0\.12\(Windows\/20070509\)/
>>
>> forgot to escape periods?
> Yes, agreed. But it's not very important. A version of the rule that 
> accepts 1-5-0-12 is fine too, that's certainly a fake Thunderbird 
> version number! :-)
>
> Jules
>

Jules

-- 
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk


