
Mailing List Archive: SpamAssassin: users

New PDF?


lists at webtent

Jul 21, 2007, 3:52 PM

Post #1 of 4 (264 views)
New PDF?

I have a few PDFs getting through now after doing pretty good, the
latest 0.4 pdfinfo + sa 3.1.7 + sare rules + sa-update is not scoring
enough on these:

http://esmtp.webtent.net/mail1.txt
http://esmtp.webtent.net/mail2.txt

Do I need to tweak my rules scores to catch or is someone else able to
block these otherwise? All of these seem to hit the same two rules,
would it be OK to test for only those two rules and block or raise their
score, or would that hit too much ham?

0.6 GMD_PDF_ENCRYPTED BODY: Attached PDF is encrypted
1.0 TVD_PDF_FINGER01 Mail matches standard pdf spam fingerprint

--
Robert


felicity at apache

Jul 21, 2007, 4:00 PM

Post #2 of 4 (229 views)
Re: New PDF?

On Sat, Jul 21, 2007 at 06:52:14PM -0400, WebTent wrote:
> Do I need to tweak my rules scores to catch or is someone else able to
> block these otherwise? All of these seem to hit the same two rules,
> would it be OK to test for only those two rules and block or raise their
> score, or would that hit too much ham?
>
> 0.6 GMD_PDF_ENCRYPTED BODY: Attached PDF is encrypted
> 1.0 TVD_PDF_FINGER01 Mail matches standard pdf spam fingerprint

I don't know what the first rule is so have no information about its hit
rates. The second one hits 0 ham in the SA nightly test runs. If you aren't
likely to receive legit mails in a similar format, feel free to up that score.

--
Randomly Selected Tagline:
"I left it unlocked overnight, and it was finally stolen. The insurance
check paid for a textbook." - Unknown about the Renault LeCar
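
The two options raised in this exchange, written as a `local.cf` fragment. This is an added example, not part of the original posts; the score values and the `LOCAL_PDF_ENC_FINGER` rule name are assumptions, and it presumes the PDFInfo plugin that defines `GMD_PDF_ENCRYPTED` is loaded.

```conf
# Added example for local.cf. Score values below are assumptions to tune locally.

# Option 1: raise the score of the fingerprint rule on its own.
# The reply above reports 0 ham hits for it in the SA nightly test runs.
score    TVD_PDF_FINGER01      2.5

# Option 2: leave both stock scores alone and add points only when
# both rules fire on the same message.
# LOCAL_PDF_ENC_FINGER is a hypothetical local rule name.
meta     LOCAL_PDF_ENC_FINGER  (GMD_PDF_ENCRYPTED && TVD_PDF_FINGER01)
describe LOCAL_PDF_ENC_FINGER  Encrypted PDF that also matches the PDF spam fingerprint
score    LOCAL_PDF_ENC_FINGER  2.0
```

Run `spamassassin --lint` after editing to catch syntax errors, and check the change against a saved ham corpus before raising the scores further.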


dallase at uribl

Jul 22, 2007, 7:12 PM

Post #3 of 4 (224 views)
Re: New PDF?

WebTent wrote:
> I have a few PDFs getting through now after doing pretty good, the
> latest 0.4 pdfinfo + sa 3.1.7 + sare rules + sa-update is not scoring
> enough on these:
>

Current version is v0.6. And sigs for those were added last
Thursday...

> http://esmtp.webtent.net/mail1.txt
>

* 0.6 GMD_PDF_ENCRYPTED BODY: Attached PDF is encrypted
* 2.0 GMD_PDF_FUZZY2_T11 BODY: Fuzzy tags Match
* 5A4CB7600371063164BB7AFA6EDE7FE9
* 0.2 GMD_PDF_EMPTY_BODY BODY: Attached PDF with empty message body
* 3.0 GMD_PDF_STOX_M4 PDF Stox spam

> http://esmtp.webtent.net/mail2.txt
>
* 2.0 GMD_PDF_FUZZY2_T9 BODY: Fuzzy tags Match
* 875C8F0810E6524EF0C3A7C4221A4C28
* 0.6 GMD_PDF_ENCRYPTED BODY: Attached PDF is encrypted
* 0.2 GMD_PDF_EMPTY_BODY BODY: Attached PDF with empty message body
* 3.0 GMD_PDF_STOX_M4 PDF Stox spam

--
Dallas Engelken
dallase [at] uribl
http://uribl.com


dave-sa at pooserville

Jul 22, 2007, 7:54 PM

Post #4 of 4 (223 views)
Re: New PDF?

> Current version is v0.6. And sigs for those were added last
> Thursday...

The web page at <http://www.rulesemporium.com/plugins.htm> still identifies
it as 0.4 with a mod date of July 16, FYI. The linked file is 0.6, though.
--
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
"...Life is not a journey to the grave with the intention of arriving
safely in one pretty and well-preserved piece, but to slide across the
finish line broadside, thoroughly used up, worn out, leaking oil, and
shouting GERONIMO!!!" -- Bill McKenna
