Fake User-Agent on PDF
Alex Broens
ms-list at alexb.ch
Sat Jun 30 19:10:24 IST 2007
On 6/30/2007 6:58 PM, Julian Field wrote:
> Hugo van der Kooij wrote:
>> Hi,
>>
>> So far all SPAM PDF files that did not get killed on other issues seem
>> to use a fake User-Agent header: User-Agent: Thunderbird 1.5.0.12
>> (Windows/20070509)
>>
>> According to
>> http://www.mozilla.com/en-US/thunderbird/releases/1.5.0.12.html the
>> release date is impossible however.
>>
>> I have not written a SA rule (yet). I wrote a detectline in my header
>> checks of postfix:
>> /^User-Agent: Thunderbird 1.5.0.12 \(Windows/20070509\)/ REJECT This is a fake version of Thunderbird
> Here's a SA rule that will do the same thing:
> header JKF_FAKE_TBIRD User-Agent =~ /Thunderbird 1.5.0.12 \(Windows\/20070509\)/
> describe JKF_FAKE_TBIRD Fake version of Thunderbird
> score JKF_FAKE_TBIRD 1.5
>
Jules,
/Thunderbird 1\.5\.0\.12 \(Windows\/20070509\)/
forgot to escape periods?
Alex
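
The effect of the escaped periods discussed above, as an added example that is not part of the original thread: it parses the two `header` rules and runs them over constructed messages, showing where the unescaped pattern matches more than the literal version string. It uses Python's `re` as a stand-in for SpamAssassin's Perl regex engine, and the rule name `FAKE_TBIRD_STRICT` and the sample messages are assumptions made for the illustration.

```python
import re
from email import message_from_string

# The rule as posted in the thread, then the same rule with the periods
# escaped. FAKE_TBIRD_STRICT is a hypothetical name used only here.
RULES = r"""
header JKF_FAKE_TBIRD User-Agent =~ /Thunderbird 1.5.0.12 \(Windows\/20070509\)/
header FAKE_TBIRD_STRICT User-Agent =~ /Thunderbird 1\.5\.0\.12 \(Windows\/20070509\)/
"""

RULE_LINE = re.compile(r"^header\s+(\S+)\s+(\S+)\s+=~\s+/(.*)/([a-z]*)$")

def parse_rules(text):
    """Map rule name -> (header name, compiled regex) for 'header' rules."""
    rules = {}
    for line in text.splitlines():
        m = RULE_LINE.match(line.strip())
        if m:
            name, header, pattern, flags = m.groups()
            rules[name] = (header, re.compile(pattern, re.I if "i" in flags else 0))
    return rules

def unescaped_dots(pattern):
    """Count '.' metacharacters outside escapes (character classes not handled)."""
    count, i = 0, 0
    while i < len(pattern):
        if pattern[i] == "\\":
            i += 2          # skip the escaped character
            continue
        count += pattern[i] == "."
        i += 1
    return count

def hits(rules, raw_message):
    """Names of the rules whose regex matches the named header of the message."""
    msg = message_from_string(raw_message)
    return {name for name, (header, rx) in rules.items()
            if any(rx.search(v) for v in msg.get_all(header, []))}

# Constructed sample messages (only the User-Agent header matters here).
SPAM = "User-Agent: Thunderbird 1.5.0.12 (Windows/20070509)\nSubject: x\n\nbody\n"
LOOKALIKE = "User-Agent: Thunderbird 1.5.0312 (Windows/20070509)\nSubject: x\n\nbody\n"
OTHER = "User-Agent: Thunderbird 2.0.0.4 (Windows/20070604)\nSubject: x\n\nbody\n"

if __name__ == "__main__":
    rules = parse_rules(RULES)
    for label, raw in (("spam", SPAM), ("lookalike", LOOKALIKE), ("other", OTHER)):
        print(label, sorted(hits(rules, raw)))
    for name, (_, rx) in rules.items():
        print(name, "unescaped dots:", unescaped_dots(rx.pattern))
```
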