Fake User-Agent on PDF

Alex Broens ms-list at alexb.ch
Sat Jun 30 19:10:24 IST 2007


On 6/30/2007 6:58 PM, Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> 
> Hugo van der Kooij wrote:
>> Hi,
>>
>> So far all SPAM PDF files that did not get killed on other issues seem 
>> to use a fake User-Agent header: User-Agent: Thunderbird 1.5.0.12 
>> (Windows/20070509)
>>
>> According to 
>> http://www.mozilla.com/en-US/thunderbird/releases/1.5.0.12.html the 
>> release date is impossible however.
>>
>> I have not written a SA rule (yet). I wrote a detectline in my header 
>> checks of postfix:
>> /^User-Agent: Thunderbird 1.5.0.12 \(Windows/20070509\)/    REJECT    This is a fake version of Thunderbird
> Here's a SA rule that will do the same thing:
> header JKF_FAKE_TBIRD User-Agent =~ /Thunderbird 1.5.0.12 \(Windows\/20070509\)/
> describe JKF_FAKE_TBIRD Fake version of Thunderbird
> score JKF_FAKE_TBIRD 1.5
> 

Jules,

/Thunderbird 1\.5\.0\.12 \(Windows\/20070509\)/

forgot to escape periods?

Alex
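
An added example, not part of the original thread: it shows what the unescaped periods change in practice by running both forms of the pattern over constructed messages, including one whose User-Agent header is folded across two lines. Python's `re` stands in for the Perl regex here; the sample messages, the `1.5.0-12` lookalike and the `20070604` build string are made up for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# The User-Agent value reported in the thread.
REPORTED_UA = "Thunderbird 1.5.0.12 (Windows/20070509)"

# Periods left unescaped, as in the quoted rule: each "." matches any character.
LOOSE = re.compile(r"Thunderbird 1.5.0.12 \(Windows/20070509\)")
# re.escape() escapes every metacharacter, so no period or parenthesis is missed.
STRICT = re.compile(re.escape(REPORTED_UA))


def user_agent(raw_message):
    """Return the unfolded User-Agent value of a raw message, or '' if absent."""
    msg = message_from_string(raw_message, policy=default)
    return str(msg.get("User-Agent", ""))


def classify(raw_message):
    """Return (loose_hit, strict_hit) for one raw message."""
    ua = user_agent(raw_message)
    return bool(LOOSE.search(ua)), bool(STRICT.search(ua))


# Constructed sample messages (not taken from real mail).
SAMPLES = {
    "reported": "User-Agent: Thunderbird 1.5.0.12 (Windows/20070509)\nSubject: t\n\nbody\n",
    "folded": "User-Agent: Thunderbird 1.5.0.12\n (Windows/20070509)\nSubject: t\n\nbody\n",
    "lookalike": "User-Agent: Thunderbird 1.5.0-12 (Windows/20070509)\nSubject: t\n\nbody\n",
    "other_build": "User-Agent: Thunderbird 1.5.0.12 (Windows/20070604)\nSubject: t\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        loose, strict = classify(raw)
        print(f"{name:12} loose={loose!s:5} strict={strict}")
```

Only the lookalike separates the two patterns: the loose form fires on it and the escaped form does not, while both catch the reported string whether or not the header is folded.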


