R: Fake User-Agent on PDF

Holger Gebhard holger at gebhardweb.de
Mon Jul 2 15:42:54 IST 2007


Try this rule...

It is a very simple regex to catch the PDF spams until other rules are
available.
The regex is not very fast, but it still works:


full     PDF_ONLY_SPAM    /encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/pdf\;.{1,40}name\=.{1,40}\.pdf.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.pdf/is
describe PDF_ONLY_SPAM    PDF-only message, no text in message body
score    PDF_ONLY_SPAM    1.0
# or whatever score you want...


This rule matches only messages with specific encodings, PDF attachments and
no text in the message body.
It works fine, with no false positives to date.


Regards

Holger
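Added example (not part of Holger's post or of anything else in this thread): a small Python script that runs the PDF_ONLY_SPAM regex above, verbatim and with SpamAssassin's /is semantics, over three constructed MIME messages, a PDF-only message of the shape the rule targets, an ordinary text-plus-PDF message, and a message whose only body text is a number. It also applies the fake-Thunderbird User-Agent check from earlier in the thread, with and without the escaped periods Alex Broens asked about. All addresses, boundary strings and attachment names, and the function names pdf_only_spam, user_agent and fake_tbird, are made up for this example.

```python
import re

# Added example, not code from the thread. Holger Gebhard's PDF_ONLY_SPAM
# regex exactly as posted, applied the way SpamAssassin applies a "full" rule:
# against the whole raw message, with /i (case-insensitive) and /s (dot also
# matches a newline).
PDF_ONLY_SPAM = re.compile(
    r"encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/pdf\;"
    r".{1,40}name\=.{1,40}\.pdf.{1,50}disposition\:\s+inline\;"
    r".{1,40}filename\=.{1,40}\.pdf",
    re.IGNORECASE | re.DOTALL,
)

# The fake-Thunderbird header rule from further down the thread: Julian Field's
# version with unescaped periods, and the version with the periods escaped as
# Alex Broens suggested.
FAKE_TBIRD_UNESCAPED = re.compile(r"Thunderbird 1.5.0.12 \(Windows\/20070509\)")
FAKE_TBIRD_ESCAPED = re.compile(r"Thunderbird 1\.5\.0\.12 \(Windows\/20070509\)")

# Constructed sample messages (addresses, subject, boundary and attachment are
# made up for this example). LF line endings, as SpamAssassin sees the message.
HEADERS = (
    "From: sender@example.invalid\n"
    "To: recipient@example.invalid\n"
    "Subject: Invoice\n"
    "User-Agent: Thunderbird 1.5.0.12 (Windows/20070509)\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="----=_Part_0001"\n'
    "Content-Transfer-Encoding: 7bit\n"
    "\n"
)
PDF_PART = (
    "------=_Part_0001\n"
    'Content-Type: application/pdf; name="invoice.pdf"\n'
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: inline; filename="invoice.pdf"\n'
    "\n"
    "JVBERi0xLjQK\n"  # base64 of "%PDF-1.4\n"
    "------=_Part_0001--\n"
)
TEXT_PART = (
    "------=_Part_0001\n"
    'Content-Type: text/plain; charset="us-ascii"\n'
    "Content-Transfer-Encoding: 7bit\n"
    "\n"
    "Hi, the signed contract is attached as a PDF.\n"
    "\n"
)
DIGITS_ONLY_PART = TEXT_PART.replace(
    "Hi, the signed contract is attached as a PDF.", "20070702"
)

# 1. The spam shape: the outer 7bit header, a blank line, the boundary and
#    then straight into the application/pdf part, nothing else.
PDF_ONLY_MSG = HEADERS + PDF_PART
# 2. A normal mail: a text/plain part sits between the 7bit header and the
#    PDF part, so the 40-byte windows in the regex are never satisfied.
TEXT_PLUS_PDF_MSG = HEADERS + TEXT_PART + PDF_PART
# 3. Edge case: the body is a bare number, so the text part reads
#    "7bit\n\n20070702\n\n------..." and [\-0-9]+ accepts the digits where the
#    boundary dashes would be. The rule fires although the message has a body.
DIGITS_PLUS_PDF_MSG = HEADERS + DIGITS_ONLY_PART + PDF_PART


def pdf_only_spam(raw):
    """True when the PDF_ONLY_SPAM 'full' rule would hit on this raw message."""
    return PDF_ONLY_SPAM.search(raw) is not None


def user_agent(raw):
    """Return the value of the first User-Agent header, or '' when absent."""
    headers = raw.split("\n\n", 1)[0]
    m = re.search(r"^User-Agent:[ \t]*(.*)$", headers, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else ""


def fake_tbird(raw, pattern=FAKE_TBIRD_ESCAPED):
    """True when the JKF_FAKE_TBIRD 'header' rule would hit on this message."""
    return pattern.search(user_agent(raw)) is not None


if __name__ == "__main__":
    samples = [
        ("pdf only", PDF_ONLY_MSG),
        ("text + pdf", TEXT_PLUS_PDF_MSG),
        ("digits + pdf", DIGITS_PLUS_PDF_MSG),
    ]
    for label, msg in samples:
        print(f"{label:13} PDF_ONLY_SPAM={pdf_only_spam(msg)!s:5} "
              f"JKF_FAKE_TBIRD={fake_tbird(msg)}")
    # Why the escaped periods matter: an unescaped "." also accepts
    # "1-5-0-12", which is not a Thunderbird version string at all.
    odd_ua = "Thunderbird 1-5-0-12 (Windows/20070509)"
    print("unescaped rule hits 1-5-0-12:", bool(FAKE_TBIRD_UNESCAPED.search(odd_ua)))
    print("escaped rule hits 1-5-0-12:  ", bool(FAKE_TBIRD_ESCAPED.search(odd_ua)))
```

Run it directly to see the three verdicts. The third sample is the one to keep in mind when tuning the score: the regex never checks whether a text part exists, it only requires that the first bytes after a 7bit header be dashes or digits and that the application/pdf header follow within 40 bytes, so a one-line numeric body takes the same shape as the spam.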

----- Original Message ----- 
From: "Marcello Anderlini" <m.anderlini at database.it>
To: "'MailScanner discussion'" <mailscanner at lists.mailscanner.info>
Sent: Monday, July 02, 2007 2:33 PM
Subject: R: R: Fake User-Agent on PDF


OK, I found my error, but it seems it is not running, and on my test system this
kind of spam still passes.
Someone else suggested using another plugin,
http://www.rulesemporium.com/plugins.htm#pdfinfo, but I see it is still in beta.

Does anyone have any other suggestions or rules to stop this spam?

Really, thanks for your help.

Best regards

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On behalf of Marcello
Anderlini
Sent: Monday, 2 July 2007 14:11
To: 'MailScanner discussion'
Subject: R: R: Fake User-Agent on PDF

Thanks for your answer. I put these lines in spam.assassin.prefs.conf, but I
get this error.
Where's my error?
PS: mailscanner.cf is a link to /etc/MailScanner/spam.assassin.prefs.conf.

=================================
[28788] warn: config: SpamAssassin failed to parse line, no value provided for "full", skipping: full PDF_ONLY_SPAM
[28788] warn: config: failed to parse line, skipping, in "/etc/mail/spamassassin/mailscanner.cf": /encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/pdf\;.{1,40}name\=.{1,40}\.pdf.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.pdf/is
[28788] warn: config: warning: description exists for non-existent rule PDF_ONLY_SPAM
[28788] warn: config: warning: score set for non-existent rule PDF_ONLY_SPAM
[28788] warn: lint: 4 issues detected, please rerun with debug enabled for more information
=================================



-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On behalf of Julian
Field
Sent: Monday, 2 July 2007 12:00
To: MailScanner discussion
Subject: Re: R: Fake User-Agent on PDF

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This one was published yesterday, which the author claims to work okay:

full            PDF_ONLY_SPAM   /encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/pdf\;.{1,40}name\=.{1,40}\.pdf.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.pdf/is
describe        PDF_ONLY_SPAM   PDF-only message, no text in message body
score           PDF_ONLY_SPAM   2.0

Marcello Anderlini wrote:
> Sorry guys, but because of my poor English I'm not sure I've understood
> whether there is a good rule to block PDF spam.
> If there is, could someone publish a working one?
>
> Thanks to all for your kind help.
>
> bye
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On behalf of
> Julian Field
> Sent: Saturday, 30 June 2007 22:11
> To: MailScanner discussion
> Subject: Re: Fake User-Agent on PDF
>
>
> * PGP Bad Signature, Signed by an unverified key: 06/30/07 at 21:10:58
>
>
>
> Alex Broens wrote:
>
>> On 6/30/2007 6:58 PM, Julian Field wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>>
>>>
>>> Hugo van der Kooij wrote:
>>>
>>>> Hi,
>>>>
>>>> So far all spam PDF files that did not get killed on other issues
>>>> seem to use a fake User-Agent header: User-Agent: Thunderbird
>>>> 1.5.0.12 (Windows/20070509)
>>>>
>>>> According to
>>>> http://www.mozilla.com/en-US/thunderbird/releases/1.5.0.12.html the
>>>> release date is impossible, however.
>>>>
>>>> I have not written an SA rule (yet). I wrote a detect line in my
>>>> postfix header checks:
>>>> /^User-Agent: Thunderbird 1\.5\.0\.12 \(Windows\/20070509\)/ REJECT This is a fake version of Thunderbird
>>>>
>>> Here's an SA rule that will do the same thing:
>>> header   JKF_FAKE_TBIRD  User-Agent =~ /Thunderbird 1.5.0.12 \(Windows\/20070509\)/
>>> describe JKF_FAKE_TBIRD  Fake version of Thunderbird
>>> score    JKF_FAKE_TBIRD  1.5
>>>
>>>
>> Jules,
>>
>> /Thunderbird 1\.5\.0\.12 \(Windows\/20070509\)/
>>
>> forgot to escape periods?
>>
> Yes, agreed. But it's not very important. A version of the rule that
> accepts 1-5-0-12 is fine too, that's certainly a fake Thunderbird
> version number! :-)
>
> Jules
>
>

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGiMyEEfZZRxQVtlQRAhIBAKC5wMPePUUKn6a84bFqfkfCflthvwCeORVq
nX4ZfLalyxh7/YoIwS0eLKM=
=YumB
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

--
Message checked by the Database Informatica antivirus service

