Fake User-Agent on PDF -- WARNING!

Julian Field MailScanner at ecs.soton.ac.uk
Sat Jun 30 22:17:46 IST 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Turns out this is not an illegal version number at all, it's perfectly 
valid.
So I strongly advise against using any rule based on this version number :-(

bother :(

Jules.

Julian Field wrote:
> * PGP Signed: 06/30/07 at 21:10:58
>
>
>
> Alex Broens wrote:
>> On 6/30/2007 6:58 PM, Julian Field wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>>
>>>
>>> Hugo van der Kooij wrote:
>>>> Hi,
>>>>
>>>> So far all SPAM PDF files that did not get killed on other issues 
>>>> seem to use a fake User-Agent header: User-Agent: Thunderbird 
>>>> 1.5.0.12 (Windows/20070509)
>>>>
>>>> According to 
>>>> http://www.mozilla.com/en-US/thunderbird/releases/1.5.0.12.html the 
>>>> release date is impossible however.
>>>>
>>>> I have not written a SA rule (yet). I wrote a detectline in my 
>>>> header checks of postfix:
>>>> /^User-Agent: Thunderbird 1\.5\.0\.12 \(Windows\/20070509\)/ REJECT This is a fake version of Thunderbird
>>> Here's a SA rule that will do the same thing:
>>> header JKF_FAKE_TBIRD User-Agent =~ /Thunderbird 1.5.0.12 \(Windows\/20070509\)/
>>> describe JKF_FAKE_TBIRD Fake version of Thunderbird
>>> score JKF_FAKE_TBIRD 1.5
>>>
>>
>> Jules,
>>
>> /Thunderbird 1\.5\.0\.12\(Windows\/20070509\)/
>>
>> forgot to escape periods?
> Yes, agreed. But it's not very important. A version of the rule that 
> accepts 1-5-0-12 is fine too, that's certainly a fake Thunderbird 
> version number! :-)
>
> Jules
>

Jules

- -- 
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGhsh7EfZZRxQVtlQRApDXAKCBXXaMud5aMvC5l6iiT6bj5JZc8ACgks5S
rMGjfeZFOyLwjmauVhOpqYc=
=kdEn
-----END PGP SIGNATURE-----
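The two points raised in the thread, that an unescaped period in the SpamAssassin rule matches any character and that a rule keyed on a valid version string fires on legitimate mail as well, can be checked with a small header-rule evaluator. The following is an added example, not code from the thread, MailScanner or SpamAssassin; it mimics a `header ... User-Agent =~ /.../` rule with Python's `re` and `email` modules on constructed sample messages. The rule names and the 1.5 score come from Jules's posted rule; everything else is assumed.

```python
import re
from email import message_from_string

# Header rules in the spirit of the SpamAssassin rule quoted in the thread.
# Both patterns are applied to the User-Agent header only.
RULES = {
    # As posted: the periods are unescaped, so each '.' matches any single character.
    "JKF_FAKE_TBIRD": re.compile(r"Thunderbird 1.5.0.12 \(Windows/20070509\)"),
    # With the periods escaped, as Alex suggested: matches only the literal version.
    "JKF_FAKE_TBIRD_ESCAPED": re.compile(r"Thunderbird 1\.5\.0\.12 \(Windows/20070509\)"),
}
SCORE = 1.5  # 'score JKF_FAKE_TBIRD 1.5' from the thread


def matching_rules(raw_message: str) -> list[str]:
    """Return the names of the rules whose pattern matches the User-Agent header."""
    msg = message_from_string(raw_message)
    user_agent = msg.get("User-Agent")  # header lookup is case-insensitive
    if user_agent is None:
        return []
    return [name for name, pattern in RULES.items() if pattern.search(user_agent)]


def header_score(raw_message: str, rule: str = "JKF_FAKE_TBIRD") -> float:
    """Score a single rule would contribute to the message."""
    return SCORE if rule in matching_rules(raw_message) else 0.0


def _message_with_user_agent(user_agent: str) -> str:
    # Constructed sample message; only the User-Agent header matters for the rules.
    return (
        "From: sender@example.invalid\n"
        "To: recipient@example.invalid\n"
        "Subject: sample\n"
        f"User-Agent: {user_agent}\n"
        "\n"
        "body\n"
    )


# Constructed samples: the exact string from the thread (which, as Jules found,
# a real Thunderbird 1.5.0.12 also sends), the "1-5-0-12" variant from Jules's
# joke, and a message carrying no User-Agent header at all.
EXACT = _message_with_user_agent("Thunderbird 1.5.0.12 (Windows/20070509)")
DASHED = _message_with_user_agent("Thunderbird 1-5-0-12 (Windows/20070509)")
NO_UA = "From: sender@example.invalid\nSubject: sample\n\nbody\n"

if __name__ == "__main__":
    for label, raw in (("exact", EXACT), ("dashed", DASHED), ("no User-Agent", NO_UA)):
        print(f"{label:14s} -> {matching_rules(raw)} score={header_score(raw)}")
```

Running it shows the unescaped rule hitting both the exact and the dashed version strings while the escaped rule hits only the exact one; and since the exact string is what a genuine Thunderbird 1.5.0.12 sends, either form scores legitimate mail, which is the reason given at the top of the thread for dropping the rule altogether.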
