R: R: Fake User-Agent on PDF

Marcello Anderlini m.anderlini at database.it
Mon Jul 2 13:11:28 IST 2007


Thanks for your answer. I put these lines in spam.assassin.prefs.conf but I
get this error.
Where's my error?
PS (mailscanner.cf is a link to /etc/MailScanner/spam.assassin.prefs.conf)

=================================
[28788] warn: config: SpamAssassin failed to parse line, no value provided
for "full", skipping: full PDF_ONLY_SPAM
[28788] warn: config: failed to parse line, skipping, in
"/etc/mail/spamassassin/mailscanner.cf":
/encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/pdf\;.{1,40}nam
e\=.{1,40}\.pdf.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.pdf/
is
[28788] warn: config: warning: description exists for non-existent rule
PDF_ONLY_SPAM
[28788] warn: config: warning: score set for non-existent rule PDF_ONLY_SPAM
[28788] warn: lint: 4 issues detected, please rerun with debug enabled for
more information
=================================



-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On behalf of Julian
Field
Sent: Monday, 2 July 2007 12.00
To: MailScanner discussion
Subject: Re: R: Fake User-Agent on PDF

This one was published yesterday, which the author claims to work okay:

full            PDF_ONLY_SPAM   /encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/pdf\;.{1,40}name\=.{1,40}\.pdf.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.pdf/is
describe        PDF_ONLY_SPAM   PDF only Message, no text in message body
score           PDF_ONLY_SPAM   2.0

Marcello Anderlini wrote:
> Sorry guys, but because of my poor English I'm not sure I've understood if
> there is a good rule to block pdf spam.
> If there is, could someone publish a working one?
>
> Thanks to all for your kind help.
>
> bye
>
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On behalf of Julian
> Field
> Sent: Saturday, 30 June 2007 22.11
> To: MailScanner discussion
> Subject: Re: Fake User-Agent on PDF
>
>
> Alex Broens wrote:
>   
>> On 6/30/2007 6:58 PM, Julian Field wrote:
>>     
>>>
>>> Hugo van der Kooij wrote:
>>>       
>>>> Hi,
>>>>
>>>> So far all SPAM PDF files that did not get killed on other issues 
>>>> seem to use a fake User-Agent header: User-Agent: Thunderbird
>>>> 1.5.0.12 (Windows/20070509)
>>>>
>>>> According to
>>>> http://www.mozilla.com/en-US/thunderbird/releases/1.5.0.12.html the 
>>>> release date is impossible however.
>>>>
>>>> I have not written a SA rule (yet). I wrote a detectline in my 
>>>> header checks of postfix:
>>>> /^User-Agent: Thunderbird 1.5.0.12 \(Windows/20070509\)/    REJECT    This is a fake version of Thunderbird
>>>>         
>>> Here's a SA rule that will do the same thing:
>>> header JKF_FAKE_TBIRD User-Agent =~ /Thunderbird 1.5.0.12 \(Windows\/20070509\)/
>>> describe JKF_FAKE_TBIRD Fake version of Thunderbird
>>> score JKF_FAKE_TBIRD 1.5
>>>
>>>       
>> Jules,
>>
>> /Thunderbird 1\.5\.0\.12 \(Windows\/20070509\)/
>>
>> forgot to escape periods?
>>     
> Yes, agreed. But it's not very important. A version of the rule that 
> accepts 1-5-0-12 is fine too, that's certainly a fake Thunderbird 
> version number! :-)
>
> Jules
>
>   

Jules

- -- 
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk



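An added example, not part of the original thread: the lint warnings quoted above are what a mail-wrapped rule produces, since SpamAssassin reads one directive per line. The sketch below finds the broken lines, re-joins them, and runs the repaired PDF_ONLY_SPAM pattern against two constructed messages. The helper names are hypothetical, the directive set is a subset, and Python's `re` stands in for Perl's regex engine.

```python
import re

# The rule as it arrived in the e-mail on this page: the mail client wrapped
# the regex, so "full PDF_ONLY_SPAM" is left with no pattern on its own line.
WRAPPED = "\n".join([
    r"full            PDF_ONLY_SPAM   ",
    r"/encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/pdf\;.{1,40}nam",
    r"e\=.{1,40}\.pdf.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.pdf/",
    r"is",
    r"describe        PDF_ONLY_SPAM   PDF only Message, no text in message body",
    r"score           PDF_ONLY_SPAM   2.0",
])
# Subset of SpamAssassin directives, enough for this example.
DIRECTIVES = {"header", "body", "rawbody", "full", "uri", "meta", "describe", "score"}

def incomplete_lines(text):
    """1-based numbers of lines that are not a full 'directive name value'."""
    bad = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split(None, 2)
        if fields and (fields[0] not in DIRECTIVES or len(fields) < 3):
            bad.append(n)
    return bad

def unwrap(text):
    """Glue each line that does not start with a directive onto the line before.
    Assumes a hard wrap in mid-token, so nothing is inserted at the join."""
    out = []
    for line in text.splitlines():
        if out and line.split() and line.split()[0] not in DIRECTIVES:
            out[-1] += line
        elif line.strip():
            out.append(line)
    return "\n".join(out)

def compile_rule(line):
    """'full NAME /regex/flags' -> Python regex (stand-in for Perl; i and s only)."""
    _, _, value = line.split(None, 2)
    body, _, flags = value.strip().rpartition("/")
    return re.compile(body[1:], (re.I if "i" in flags else 0) | (re.S if "s" in flags else 0))

# Constructed samples: a PDF-only message (empty text part) and one with text.
PDF_PART = ('\n--------------090305020401\nContent-Type: application/pdf;\n'
            ' name="report.pdf"\nContent-Transfer-Encoding: base64\n'
            'Content-Disposition: inline;\n filename="report.pdf"\n\nJVBERi0xLjQK\n')
HEAD = "Content-Type: text/plain\nContent-Transfer-Encoding: 7bit\n\n"
PDF_ONLY, WITH_TEXT = HEAD + PDF_PART, HEAD + "Hello, the report is attached.\n" + PDF_PART

def rule_hits(message, rules=WRAPPED):
    return bool(compile_rule(unwrap(rules).splitlines()[0]).search(message))
```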