Fake User-Agent on PDF -- WARNING!

Hugo van der Kooij hvdkooij at vanderkooij.org
Sun Jul 1 04:08:16 IST 2007


On Sun, 1 Jul 2007, Glenn Steen wrote:

> On 01/07/07, Hugo van der Kooij <hvdkooij at vanderkooij.org> wrote:
>>  On Sat, 30 Jun 2007, Julian Field wrote:
>> 
>> >  Turns out this is not an illegal version number at all, it's perfectly
>> >  valid.
>> >  So I strongly advise against using any rule based on this version number 
>> >  :-(
>> > 
>> >  bother :(
>>
>>  It just is an odd combination of a version with a timestamp 20070509 and a
>>  release date online of 2007-05-30. It is a sure thing to put someone off
>>  like that.
>>
>>  Come on guys. No messing with my birthday.
> You're quite an advanced admin/user for a newborn....:-D.
>
> Have you done any form of count on the occurrence of this suspect
> combo? You mentioned not having counted/checked them all IIRC.

The odd thing was that relatively few of the SPAM messages are left between 
spam and high spam. Those get sidetracked. These were all messages 
containing PDF files and originating from all over the world, including a 
correctly signed gmail one, but they all contained the same User-Agent.

I then checked the release notes for TB 1.5.0.12 and noticed it was only 
released a month ago. But the date stamp in the header seems to indicate 
the version is weeks older, which to me sounded very much like foul play.

There is still foul play at hand or I would not get these SPAM messages to 
non-existent users. (That is, I did add adam@, anna@, .... to a trapdoor 
account as it is abused a lot, while there were never such accounts here.) 
But it is more likely that some backdoor is using TB to do the dirty work.

Hugo.

-- 
 	hvdkooij at vanderkooij.org	http://hugo.vanderkooij.org/
 	    This message is using 100% recycled electrons.

 	Some men see computers as they are and say "Windows"
 	I use computers with Linux and say "Why Windows?"
 		(Thanks JFK, for the insight.)
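Glenn asks for a count of the suspect combination. As an added example (not code from this thread or from MailScanner), the Python below tallies the User-Agent header across messages that carry a PDF attachment and pulls out the YYYYMMDD build stamp Hugo compared against the release date; it measures rather than blocks, in line with Julian's advice. The sample messages and the "Thunderbird <version> (<platform>/<YYYYMMDD>)" header layout are constructed assumptions.

```python
import re
from collections import Counter
from email import message_from_string
from email.policy import default

# Constructed sample messages (assumption, not mail from the thread).
# The 20070509 stamp is the build date quoted in the discussion.
SAMPLES = [
    "From: adam@example.org\nTo: trap@example.org\n"
    "User-Agent: Thunderbird 1.5.0.12 (Windows/20070509)\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nhello\n"
    '--b1\nContent-Type: application/pdf; name="offer.pdf"\n'
    'Content-Disposition: attachment; filename="offer.pdf"\n\n'
    "%PDF-1.4 ...\n--b1--\n",
    "From: alice@example.net\nTo: hugo@example.org\n"
    "User-Agent: Thunderbird 1.5.0.12 (Windows/20070509)\n"
    "Content-Type: text/plain\n\nno attachment here\n",
    "From: bob@example.net\nTo: hugo@example.org\n"
    "User-Agent: Thunderbird 2.0.0.4 (X11/20070604)\n"
    'Content-Type: multipart/mixed; boundary="b2"\n\n'
    "--b2\nContent-Type: application/pdf\n"
    'Content-Disposition: attachment; filename="report.pdf"\n\n'
    "%PDF-1.4 ...\n--b2--\n",
]

BUILD_STAMP = re.compile(r"/(\d{8})\)")

def has_pdf_attachment(msg):
    """True if any MIME part is a PDF by content type or by file name."""
    for part in msg.walk():
        if part.get_content_type() == "application/pdf":
            return True
        if (part.get_filename() or "").lower().endswith(".pdf"):
            return True
    return False

def count_user_agents(raw_messages, pdf_only=True):
    """Tally User-Agent values, by default only over PDF-bearing messages."""
    tally = Counter()
    for raw in raw_messages:
        msg = message_from_string(raw, policy=default)
        if pdf_only and not has_pdf_attachment(msg):
            continue
        tally[str(msg.get("User-Agent", "<none>"))] += 1
    return tally

def build_stamp(user_agent):
    """Return the YYYYMMDD build stamp from a Mozilla-style User-Agent, else None."""
    m = BUILD_STAMP.search(user_agent)
    return m.group(1) if m else None

if __name__ == "__main__":
    for ua, n in count_user_agents(SAMPLES).most_common():
        print(f"{n:3d}  {ua}  build={build_stamp(ua)}")
```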

