Thread: Re: PDF spam solutions




Re: PDF spam solutions
United States
2007-08-15 22:44:16
Robert LeBlanc wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Like the rest of you, I'm sure, I've been receiving a glut of PDF spam
> lately, and I've been experimenting with various tactics for curbing the
> onslaught.  Some tactics work better than others, naturally, so I
> thought I'd share my results here.
> 
> 
> (1) SpamAssassin core rules
> 
> To deal with PDF spam, the SpamAssassin developers added a new core rule
> called TVD_PDF_FINGER01, which identifies emails that have empty bodies
> but contain PDF attachments.  It works well, but its default score of
> 1.0 is too low to make it the only tool for the job.  Increasing the
> score isn't really a good idea, though, since a lot of business users
> regularly send PDF attachments with empty mail bodies, and this could
> lead to false positives in a hurry.
> 
> You can certainly get this new rule for any version of SpamAssassin
> (newer than 3.1.1) using sa-update, but now that the 3.2.x series
> appears to have stabilized I'd also recommend that you upgrade to 3.2.3
> to take advantage of the latest rulesets.

I'm not finding this core rule on my system, and am wondering what I'm doing
incorrectly. I'm running SpamAssassin 3.1.8_1 from ports on FreeBSD, and I
run sa-update with the following channels:

updates.spamassassin.org
72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net
70_sare_evilnum0.cf.sare.sa-update.dostech.net
70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net
70_sare_html0.cf.sare.sa-update.dostech.net
70_sare_html_eng.cf.sare.sa-update.dostech.net
70_sare_header0.cf.sare.sa-update.dostech.net
70_sare_header_eng.cf.sare.sa-update.dostech.net
70_sare_specific.cf.sare.sa-update.dostech.net
70_sare_adult.cf.sare.sa-update.dostech.net
72_sare_bml_post25x.cf.sare.sa-update.dostech.net
99_sare_fraud_post25x.cf.sare.sa-update.dostech.net
70_sare_spoof.cf.sare.sa-update.dostech.net
70_sare_random.cf.sare.sa-update.dostech.net
70_sare_oem.cf.sare.sa-update.dostech.net
70_sare_genlsubj0.cf.sare.sa-update.dostech.net
70_sare_genlsubj_eng.cf.sare.sa-update.dostech.net
70_sare_unsub.cf.sare.sa-update.dostech.net
70_sare_uri0.cf.sare.sa-update.dostech.net
70_sare_obfu0.cf.sare.sa-update.dostech.net
70_sare_stocks.cf.sare.sa-update.dostech.net


I'll be upgrading to 3.2.3 soonish, but wanted to know how to get this going
in the interim.

I'm also going to be implementing the sanesecurity sigs for clamav - that
should be really helpful too.

Kurt



  

_______________________________________________
Maia-users mailing list
Maia-usersrenaissoft.com
http://www.renaissoft.com/mailman/listinfo/maia-users
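
The scoring trade-off described in the quoted message above, as an added Python illustration. It is not part of the thread and is not the definition of TVD_PDF_FINGER01: it only approximates "empty body plus PDF attachment" as described there. The sample messages, addresses and file names are constructed, and the 5.0 threshold is assumed to be SpamAssassin's default required_score.

```python
# Added illustration: approximates the "empty body + PDF attachment" heuristic
# described in the thread. It is NOT the definition of TVD_PDF_FINGER01.
from email import message_from_bytes
from email.message import EmailMessage

REQUIRED_SCORE = 5.0  # assumption: SpamAssassin's default required_score


def build(body: str, pdf_name: str) -> bytes:
    """Construct a sample message (constructed test data, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.org"
    msg["Subject"] = "sample"
    msg.set_content(body)
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application",
                       subtype="pdf", filename=pdf_name)
    return msg.as_bytes()


def empty_body_with_pdf(raw: bytes) -> bool:
    """True if the message carries a PDF part and no non-blank text part."""
    has_pdf = has_text = False
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "application/pdf" or name.endswith(".pdf"):
            has_pdf = True
        elif part.get_content_maintype() == "text":
            if (part.get_payload(decode=True) or b"").strip():
                has_text = True
    return has_pdf and not has_text


def is_spam(raw: bytes, rule_score: float, other_hits: float = 0.0) -> bool:
    """Add the heuristic's score to the other rule hits, compare to threshold."""
    total = other_hits + (rule_score if empty_body_with_pdf(raw) else 0.0)
    return total >= REQUIRED_SCORE


SPAM = build("\n", "stock_tip.pdf")             # constructed: PDF spam, blank body
INVOICE = build("\n", "invoice_0815.pdf")       # constructed: legitimate, blank body
REPORT = build("Report attached.\n", "q2.pdf")  # constructed: mail with a text body
```

At the 1.0 score from the thread the heuristic only contributes to a verdict alongside other hits. Raised to the threshold, it tags the blank-body invoice exactly as it tags the spam.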

Re: PDF spam solutions
Canada
2007-08-17 07:05:13
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kurt Buff wrote:

> I'm not finding this core rule on my system, and am wondering what I'm doing
> incorrectly. I'm running SpamAssassin 3.1.8_1 from ports on FreeBSD, and I
> run sa-update with the following channels:

My mistake; the TVD_PDF_FINGER01 rule is only available in the 3.2.x
series, as it relies on the new MIMEHeader plugin that was introduced in
3.2.0.


> I'm also going to be implementing the sanesecurity sigs for clamav - that
> should be really helpful too.

Yes, I'd strongly recommend that--it works amazingly well!


- --
Robert LeBlanc <rjlrenaissoft.com>
Renaissoft, Inc.
Maia Mailguard <http://www.maiamailguard.com/>

