R: Fake User-Agent on PDF
Marcello Anderlini
m.anderlini at database.it
Mon Jul 2 10:51:38 IST 2007
Sorry guys, but because of my poor English I'm not sure I've understood whether there
is a good rule to block PDF spam.
If there is, could someone publish a working one?
Thanks to all for your kind help.
bye
-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On behalf of Julian
Field
Sent: Saturday 30 June 2007 22.11
To: MailScanner discussion
Subject: Re: Fake User-Agent on PDF
Alex Broens wrote:
> On 6/30/2007 6:58 PM, Julian Field wrote:
>>
>> Hugo van der Kooij wrote:
>>> Hi,
>>>
>>> So far all SPAM PDF files that did not get killed on other issues
>>> seem to use a fake User-Agent header: User-Agent: Thunderbird
>>> 1.5.0.12 (Windows/20070509)
>>>
>>> According to
>>> http://www.mozilla.com/en-US/thunderbird/releases/1.5.0.12.html the
>>> release date is impossible however.
>>>
>>> I have not written a SA rule (yet). I wrote a detectline in my
>>> header checks of postfix:
>>> /^User-Agent: Thunderbird 1.5.0.12 \(Windows/20070509\)/
>>> REJECT This is a fake version of Thunderbird
>> Here's a SA rule that will do the same thing:
>> header JKF_FAKE_TBIRD User-Agent =~ /Thunderbird 1.5.0.12 \(Windows\/20070509\)/
>> describe JKF_FAKE_TBIRD Fake version of Thunderbird
>> score JKF_FAKE_TBIRD 1.5
>>
>
> Jules,
>
> /Thunderbird 1\.5\.0\.12 \(Windows\/20070509\)/
>
> forgot to escape periods?
Yes, agreed. But it's not very important. A version of the rule that
accepts 1-5-0-12 is fine too, that's certainly a fake Thunderbird
version number! :-)
Jules
--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk
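The effect of the unescaped periods discussed in the thread, as an added Python example that is not part of the original messages: it applies the rule as posted and a period-escaped variant to the User-Agent header of a few constructed sample messages. Python's `re` stands in for SpamAssassin's Perl regular expressions, and the function names and sample messages are assumptions made for illustration.

```python
import re
from email import message_from_string

# Pattern as posted in the thread (periods unescaped) and with periods escaped.
POSTED = re.compile(r"Thunderbird 1.5.0.12 \(Windows/20070509\)")
ESCAPED = re.compile(r"Thunderbird 1\.5\.0\.12 \(Windows/20070509\)")
SCORE = 1.5  # score assigned to JKF_FAKE_TBIRD in the thread


def user_agent(raw):
    """Return the User-Agent header value on one line, or '' if absent."""
    value = message_from_string(raw).get("User-Agent", "")
    # Collapse folding whitespace so a header wrapped over two lines still matches.
    return " ".join(value.split())


def score(raw, pattern=ESCAPED):
    """Return SCORE when the User-Agent matches the pattern, else 0.0."""
    return SCORE if pattern.search(user_agent(raw)) else 0.0


# Constructed sample messages (not taken from real mail).
FAKE = ("From: a@example.com\n"
        "User-Agent: Thunderbird 1.5.0.12 (Windows/20070509)\n"
        "Subject: report\n\nbody\n")
FOLDED = ("From: a@example.com\n"
          "User-Agent: Thunderbird 1.5.0.12\n (Windows/20070509)\n"
          "Subject: report\n\nbody\n")
# Same version, different (constructed) build string: must not match.
OTHER_BUILD = "User-Agent: Thunderbird 1.5.0.12 (Windows/20070604)\n\nbody\n"
# Dashes instead of periods: only the unescaped pattern accepts this.
DASHES = "User-Agent: Thunderbird 1-5-0-12 (Windows/20070509)\n\nbody\n"

if __name__ == "__main__":
    for name, msg in [("FAKE", FAKE), ("FOLDED", FOLDED),
                      ("OTHER_BUILD", OTHER_BUILD), ("DASHES", DASHES)]:
        print(name, "posted:", score(msg, POSTED), "escaped:", score(msg, ESCAPED))
```
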