R: R: Fake User-Agent on PDF

Marcello Anderlini m.anderlini at database.it
Mon Jul 2 13:33:38 IST 2007


OK, I found my error, but it seems it is not running, and on my test system this
kind of spam still passes.
Someone else suggested using another plugin
http://www.rulesemporium.com/plugins.htm#pdfinfo but I see it is still in beta.

Does anyone have any other suggestions or rules to stop this spam?

Really, thanks for your help

Best regards

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On behalf of Marcello
Anderlini
Sent: Monday, 2 July 2007 14:11
To: 'MailScanner discussion'
Subject: R: R: Fake User-Agent on PDF

Thanks for your answer. I put these lines in spam.assassin.prefs.conf but I
get this error.
Where's my error?
PS: (mailscanner.cf is a link to /etc/MailScanner/spam.assassin.prefs.conf)

=================================
[28788] warn: config: SpamAssassin failed to parse line, no value provided for "full", skipping: full PDF_ONLY_SPAM
[28788] warn: config: failed to parse line, skipping, in "/etc/mail/spamassassin/mailscanner.cf": /encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/pdf\;.{1,40}name\=.{1,40}\.pdf.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.pdf/is
[28788] warn: config: warning: description exists for non-existent rule PDF_ONLY_SPAM
[28788] warn: config: warning: score set for non-existent rule PDF_ONLY_SPAM
[28788] warn: lint: 4 issues detected, please rerun with debug enabled for more information
=================================



-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On behalf of Julian
Field
Sent: Monday, 2 July 2007 12:00
To: MailScanner discussion
Subject: Re: R: Fake User-Agent on PDF

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This one was published yesterday, which the author claims to work okay:

full            PDF_ONLY_SPAM   /encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/pdf\;.{1,40}name\=.{1,40}\.pdf.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.pdf/is
describe        PDF_ONLY_SPAM   PDF only Message, no text in message body
score           PDF_ONLY_SPAM   2.0

Marcello Anderlini wrote:
> Sorry guys, but because of my poor English I'm not sure I've understood if
> there is a good rule to block PDF spam.
> If there is, could someone publish a working one?
>
> Thanks to all for your kind help.
>
> bye
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On behalf of
> Julian Field
> Sent: Saturday, 30 June 2007 22:11
> To: MailScanner discussion
> Subject: Re: Fake User-Agent on PDF
>
>
> * PGP Bad Signature, Signed by an unverified key: 06/30/07 at 21:10:58
>
>
>
> Alex Broens wrote:
>   
>> On 6/30/2007 6:58 PM, Julian Field wrote:
>>     
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>>
>>>
>>> Hugo van der Kooij wrote:
>>>       
>>>> Hi,
>>>>
>>>> So far all SPAM PDF files that did not get killed on other issues 
>>>> seem to use a fake User-Agent header: User-Agent: Thunderbird
>>>> 1.5.0.12 (Windows/20070509)
>>>>
>>>> According to
>>>> http://www.mozilla.com/en-US/thunderbird/releases/1.5.0.12.html the 
>>>> release date is impossible however.
>>>>
>>>> I have not written a SA rule (yet). I wrote a detectline in my 
>>>> header checks of postfix:
>>>> /^User-Agent: Thunderbird 1.5.0.12 \(Windows/20070509\)/    
>>>> REJECT    This is a fake version of Thunderbird
>>>>         
>>> Here's a SA rule that will do the same thing:
>>> header JKF_FAKE_TBIRD User-Agent =~ /Thunderbird 1.5.0.12 \(Windows\/20070509\)/
>>> describe JKF_FAKE_TBIRD Fake version of Thunderbird
>>> score JKF_FAKE_TBIRD 1.5
>>>
>>>       
>> Jules,
>>
>> /Thunderbird 1\.5\.0\.12\(Windows\/20070509\)/
>>
>> forgot to escape periods?
>>     
> Yes, agreed. But it's not very important. A version of the rule that 
> accepts 1-5-0-12 is fine too, that's certainly a fake Thunderbird 
> version number! :-)
>
> Jules
>
>   

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGiMyEEfZZRxQVtlQRAhIBAKC5wMPePUUKn6a84bFqfkfCflthvwCeORVq
nX4ZfLalyxh7/YoIwS0eLKM=
=YumB
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

--
Message checked by the Database Informatica antivirus service


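The lint output quoted in this thread ("no value provided for "full"", then "description exists for non-existent rule") is what a one-line rule looks like after a mail client has wrapped it across several lines. As an added example, not code from the thread or from SpamAssassin, this Python sketch rejoins such a wrapped rule and checks the pattern against two constructed MIME fragments; the keyword list is a simplified assumption and Python's `re` only approximates Perl's regex engine.

```python
import re

# Constructed config fragment, wrapped the way the mail client wrapped the rule.
WRAPPED_CF = r"""full            PDF_ONLY_SPAM
/encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/pdf\;.{1,40}nam
e\=.{1,40}\.pdf.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.pdf/
is
describe        PDF_ONLY_SPAM   PDF only Message, no text in message body
score           PDF_ONLY_SPAM   2.0
"""

PATTERN_RULES = {"full", "body", "rawbody", "uri"}  # value is /regex/flags
KEYWORDS = PATTERN_RULES | {"header", "describe", "score", "meta"}  # simplified list
COMPLETE = re.compile(r"^\S+\s+\S+\s+/(.*)/([a-z]*)\s*$")

def rejoin_wrapped_rules(cf_text):
    """Return (fixed lines, names of pattern rules that were split across lines)."""
    lines, fixed, repaired, i = cf_text.splitlines(), [], [], 0
    while i < len(lines):
        line, words = lines[i].rstrip(), lines[i].split()
        i += 1
        if len(words) >= 2 and words[0] in PATTERN_RULES and not COMPLETE.match(line):
            if len(words) == 2:
                line += " "  # the whole value was pushed onto the next line
            # Absorb fragments until a blank line or the next known directive.
            while i < len(lines) and lines[i].split() and lines[i].split()[0] not in KEYWORDS:
                line += lines[i].strip()
                i += 1
            repaired.append(words[1])
        fixed.append(line)
    return fixed, repaired

def compile_rule(rule_line):
    """Compile a rejoined rule's regex with Python's re (an approximation of Perl)."""
    body, flags = COMPLETE.match(rule_line).groups()
    return re.compile(body, (re.I if "i" in flags else 0) | (re.S if "s" in flags else 0))

# Constructed samples: an empty 7bit text part followed directly by an inline PDF part,
# and the same message with a line of body text before the MIME boundary.
PDF_ONLY = ("Content-Transfer-Encoding: 7bit\n\n"
            "--------------050305090609080603020104\n"
            "Content-Type: application/pdf;\n name=\"report.pdf\"\n"
            "Content-Transfer-Encoding: base64\n"
            "Content-Disposition: inline;\n filename=\"report.pdf\"\n")
WITH_TEXT = PDF_ONLY.replace("7bit\n\n", "7bit\n\nPlease see the attached report.\n\n")

if __name__ == "__main__":
    fixed, repaired = rejoin_wrapped_rules(WRAPPED_CF)
    rx = compile_rule(fixed[0])
    print(repaired, bool(rx.search(PDF_ONLY)), bool(rx.search(WITH_TEXT)))
```

After rejoining, `spamassassin --lint` is still the authoritative check that the rule parses on the target system.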