antispamsniper.com Forum Index antispamsniper.com
The reliable anti-spam protection
 
 FAQFAQ   SearchSearch     ProfileProfile   Log inLog in   RegisterRegister 

Spam in PDF attachments

 
Post new topic   Reply to topic    antispamsniper.com Forum Index -> AntispamSniper for TheBat!
View previous topic :: View next topic  
Author Message
NetVicious



Joined: 16 Jul 2007
Posts: 9

PostPosted: Mon Jul 16, 2007 10:30 pm    Post subject: Spam in PDF attachments Reply with quote

Hi!

I'm receiving a lot of mails with only one PDF with spam. With The Bat! I have no problems because it's not displayed by default and I don't see any text, but I got the mail on my Inbox.

Sure I'm not the only one.
Back to top
View user's profile Send private message
vetaltm
Author


Joined: 05 Feb 2006
Posts: 751

PostPosted: Tue Jul 17, 2007 8:26 am    Post subject: Re: Spam in PDF attachments Reply with quote

Add the mask "pdf" to the black list of attachment types (Filtering | Attachments | File types). Only whitelisted senders will be able to send to you PDF documents in this case. The messages from unknown senders with PDF in attachment will be blocked.
Back to top
View user's profile Send private message Send e-mail
rwakeford



Joined: 30 Jul 2006
Posts: 27

PostPosted: Tue Jul 17, 2007 9:13 pm    Post subject: Re: Spam in PDF attachments Reply with quote

vetaltm wrote:
Add the mask "pdf" to the black list of attachment types (Filtering | Attachments | File types). Only whitelisted senders will be able to send to you PDF documents in this case. The messages from unknown senders with PDF in attachment will be blocked.

Thanks for the tip. Just one question, what size would you recommend to put into the "Don't check attachments larger than" box? Also, should we tick any of the other three items or leave them alone?

Sorry for the stupid questions but I just want to get it right.
Back to top
View user's profile Send private message
vetaltm
Author


Joined: 05 Feb 2006
Posts: 751

PostPosted: Wed Jul 18, 2007 6:07 pm    Post subject: Re: Spam in PDF attachments Reply with quote

rwakeford wrote:
Just one question, what size would you recommend to put into the "Don't check attachments larger than" box?


Spam messages rarely include large attachments, because sending millions of large messages (e.g. > 500Kbytes) is too expensive for spammers. The plug-in will not block a message with an attachment of blacklisted type, which is larger than the specified maximum size. The empirical value 300K is good enough for this parameter in most cases. It means that even if you have added PDF extension to the black list, the messages with attached PDF documents larger than 300K will not be filtered as spam.

rwakeford wrote:
Also, should we tick any of the other three items or leave them alone?


The option "Block the messages with attached Windows executable modules" works as a simplest anti-virus protection. Enable this checkbox for blocking all incoming messages with attached *.exe, *.dll, *.scr etc. executable files.

The option "Block the messages with clickable images, linking to possible fraudulent sites" blocks the messages with HTML body, containing the "clickable" inline images (i.e. some site is opened after clicking on the image). If a message contains an inline image, and the image is linked to some domain, then this message will be blocked if it was sent from address with different domain. For example its OK if a message from some_mailbox@microsoft.com contains the inline images and microsoft.com page is opened after clicking on some of the images in HTML. But if the message is received from hotmail.com, but contains an image linked to some adult site, then it will be blocked as spam.

Enable "Block the messages with animated GIFs" option if you never receive non-spam messages with animated *.gif pictures.


Last edited by vetaltm on Wed Jul 18, 2007 8:24 pm; edited 1 time in total
Back to top
View user's profile Send private message Send e-mail
Tony



Joined: 18 Jul 2007
Posts: 5

PostPosted: Wed Jul 18, 2007 7:04 pm    Post subject: Reply with quote

I receive legit files with all kind of extentions; so blocking them is no option for me. I trust NOD32 to catch the baddies Smile

But I have a 'tip' you might consider useful.
Some virusses use double extentions.
Many people have windows configured to hide know extentions.
I've seen trojans that use this concept.
Example: BritneyNaked.gif.exe
Windows hides the .exe and the use thinks it's a porn pic because the message says so and the visible extention is .gif
But when the user clicks on the 'picture' nothing seems to happen.
No porn but a trojan on your HD.

What I want to suggest is giving dual extentions optionally a negative weigth in your scoring.
Back to top
View user's profile Send private message
rwakeford



Joined: 30 Jul 2006
Posts: 27

PostPosted: Wed Jul 18, 2007 8:09 pm    Post subject: Reply with quote

Quote:
Spam messages rarely include large attachments, because sending millions of large messages (e.g. > 500Kbytes) is too expensive for spammers.

Thanks very much, as always, for your helpful response.
Back to top
View user's profile Send private message
vetaltm
Author


Joined: 05 Feb 2006
Posts: 751

PostPosted: Wed Jul 18, 2007 8:18 pm    Post subject: Reply with quote

Tony wrote:
I receive legit files with all kind of extentions; so blocking them is no option for me. I trust NOD32 to catch the baddies Smile


The black list of attachment extensions is intended to filter spam, not viruses. For example, no antiviruses block PDF attachments, because PDF documents don't contain viruses. But if you receive many spam messages with attached PDF documents, you can add this extension to the blacklist. In this case only whitelisted senders will be able to send to you PDF documents.

Tony wrote:

But I have a 'tip' you might consider useful.
Some virusses use double extentions.
Many people have windows configured to hide know extentions.
I've seen trojans that use this concept.
Example: BritneyNaked.gif.exe
Windows hides the .exe and the use thinks it's a porn pic because the message says so and the visible extention is .gif
But when the user clicks on the 'picture' nothing seems to happen.
No porn but a trojan on your HD.

What I want to suggest is giving dual extentions optionally a negative weigth in your scoring.


Thanks for the tip, but the plug-in already contains more general option. The option "Block the messages with attached Windows executable modules" filters the attachments by content, not by extension. A message will be blocked if it contains an attachment with any extension having the signature of executable module in content.
Back to top
View user's profile Send private message Send e-mail
NetVicious



Joined: 16 Jul 2007
Posts: 9

PostPosted: Mon Jul 30, 2007 5:57 pm    Post subject: Reply with quote

Hi! The option you said for blocking all PDF files it's not very usable to me because I don't use the whitelist because I receive mails from a lot of people

What about one option for block messages with only a PDF. The Spam we're receiving now only haves one PDF file in the mail with no text in it.

Thx.
Back to top
View user's profile Send private message
vetaltm
Author


Joined: 05 Feb 2006
Posts: 751

PostPosted: Mon Jul 30, 2007 6:27 pm    Post subject: Reply with quote

NetVicious wrote:
What about one option for block messages with only a PDF. The Spam we're receiving now only haves one PDF file in the mail with no text in it.

The new version 2.6.0.1 allows using rules for filtering messages by the type of attachment. For example, the following rule with two conditions will block the messages with attached PDF and an empty text part:

Header{Content-Type} =~ application/pdf
Body =~ ^\s*$

Look at this article for more details:
http://antispamsniper.com/art-pdf.html
Back to top
View user's profile Send private message Send e-mail
NetVicious



Joined: 16 Jul 2007
Posts: 9

PostPosted: Mon Jul 30, 2007 8:03 pm    Post subject: Reply with quote

Thanks a mil.
Back to top
View user's profile Send private message
NetVicious



Joined: 16 Jul 2007
Posts: 9

PostPosted: Mon Aug 13, 2007 2:39 pm    Post subject: Reply with quote

Hi! another time. I added the rules but I continue receiving spam mails on my inbox.

They don't have any subject (the header don't appears on the source) or they have empty subject or body.

I tested the filter sending a message to me and It not was filtered.

I look on the log and i see AntiSpamniper scored it with 50%-70% Sad

How I could test the filters?
Back to top
View user's profile Send private message
vetaltm
Author


Joined: 05 Feb 2006
Posts: 751

PostPosted: Mon Aug 13, 2007 3:25 pm    Post subject: Reply with quote

NetVicious wrote:
Hi! another time. I added the rules but I continue receiving spam mails on my inbox.
They don't have any subject (the header don't appears on the source) or they have empty subject or body.

Here are the updated rules for filtering spam with PDF or ZIP attached, or empty subject:
http://antispamsniper.com/misc/black_rules2.xml

Import this file in "Black rules" dialog (Filtering | Black rules | Import...). 3 new rules will appear in the list:
"PDF attached & body is empty" - the updated rule for filtering messages having attached file with .pdf extension and empty body.
"ZIP attached & body is empty" - the updated rule for filtering messages having attached file with .zip extension and empty body.
"Empty subject" - rule for blocking messages with empty subject field

The new spam contains "application/octet-stream" type in Content-Type field, so the previous version of PDF rule doesn't work in this case. The new rules check the attachment name instead of attachment type.

NetVicious wrote:

I tested the filter sending a message to me and It not was filtered.

I look on the log and i see AntiSpamniper scored it with 50%-70% Sad

How I could test the filters?

The plug-in has a special Testing mode to check the rules and other content filtering methods on the existing messages. Press the button "Testing mode" on the plug-in's toolbar or enable the checkbox "Enable testing mode" on Filtering tab. Then select the messages and use the button "Mark as Junk" or "Mark as NOT Junk" to test the filtering. In Testing mode the plug-in classifies the marked messages and displays the results of classification in Filtering log. I.e. the plug-in doesn't learn the messages marked as spam or ham in this mode.


Last edited by vetaltm on Mon Aug 13, 2007 8:48 pm; edited 2 times in total
Back to top
View user's profile Send private message Send e-mail
NetVicious



Joined: 16 Jul 2007
Posts: 9

PostPosted: Mon Aug 13, 2007 8:42 pm    Post subject: Reply with quote

Hi!

I refiltered one Spam mail with one PDF without subject and without body and now seems to work ok. The file had application/pdf so it seems it wasn't a problem with the content-type.

One suggestion I will do for you it's to change the extension of the xml file you posted because it could not be downloaded with IE and Firefox, they say the XML has errors, I downloaded it using wget for Windows, zip it or reaname to other extension.

Tomorrow surely I will receive more pdf spam and I will do a real test.

Thanks,
Back to top
View user's profile Send private message
NetVicious



Joined: 16 Jul 2007
Posts: 9

PostPosted: Tue Aug 21, 2007 3:15 pm    Post subject: Reply with quote

Hi!

Here you have the headers of a message that surpased the black rules you placed on the bad formated XML.

It got a score of 70.13%

Code:

Return-Path: <Carville.Galbraith@downtownbrooklyncouncil.com>
Received: from resmaa06.ono.com (62.42.230.12) by resmls01.onolab.com (7.3.121.3)
        id 46BBC7E1002D1370 for XXXXX@ono.com; Tue, 21 Aug 2007 13:54:26 +0200
Received: from dsl.static.85-105-51717.ttnet.net.tr (85.105.202.5) by resmaa06.ono.com (7.3.118.8)
        id 46AEFB3F0083BA08 for XXXXX@ono.com; Tue, 21 Aug 2007 13:54:19 +0200
Message-ID: <46AEFB3F0083BA08@> (added by postmaster@resmaa06.ono.com)
Received: from MET?N by dsl.static.85-105-51717.ttnet.net.tr with local (Exim 4.62 (FreeBSD))
        id 3RMDQl-000M2G-LO
        for XXXXX@ono.com; Tue, 21 Aug 2007 14:53:59 +0300
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Tue, 21 Aug 2007 14:53:57 +0300
To: XXXXX@ono.com
From: "Galbraith" <Carville.Galbraith@downtownbrooklyncouncil.com>
Subject:
Mime-Version: 1.0
Content-Type: multipart/mixed;
        boundary="=====================_6496843==_"

--=====================_6496843==_
Content-Type: text/plain; charset="us-ascii"; format=flowed

Portfolio alert
--=====================_6496843==_
Content-Type: application/octet-stream; name="market_advice.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="market_advice.pdf"


As you could see the subject it's empty. The space before the Subject: it's needed by the procotol.

The rule that should be called it's:
Code:

   <rule name="PDFs Subject empty" action="to_spam">
      <check_header header="Content-Type" expression="\.pdf"/>
      <check_header header="Subject" expression="^\s*$"/>
   </rule>


If you want I could zip the message and sent it to you for testing purposes.

Thanks for your work.[/code]
Back to top
View user's profile Send private message
vetaltm
Author


Joined: 05 Feb 2006
Posts: 751

PostPosted: Sat Aug 25, 2007 11:24 pm    Post subject: Reply with quote

NetVicious wrote:

Code:

Return-Path: <Carville.Galbraith@downtownbrooklyncouncil.com>
Received: from resmaa06.ono.com (62.42.230.12) by resmls01.onolab.com (7.3.121.3)
        id 46BBC7E1002D1370 for XXXXX@ono.com; Tue, 21 Aug 2007 13:54:26 +0200
Received: from dsl.static.85-105-51717.ttnet.net.tr (85.105.202.5) by resmaa06.ono.com (7.3.118.8)
        id 46AEFB3F0083BA08 for XXXXX@ono.com; Tue, 21 Aug 2007 13:54:19 +0200
Message-ID: <46AEFB3F0083BA08@> (added by postmaster@resmaa06.ono.com)
Received: from MET?N by dsl.static.85-105-51717.ttnet.net.tr with local (Exim 4.62 (FreeBSD))
        id 3RMDQl-000M2G-LO
        for XXXXX@ono.com; Tue, 21 Aug 2007 14:53:59 +0300
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Tue, 21 Aug 2007 14:53:57 +0300
To: XXXXX@ono.com
From: "Galbraith" <Carville.Galbraith@downtownbrooklyncouncil.com>
Subject:
Mime-Version: 1.0
Content-Type: multipart/mixed;
        boundary="=====================_6496843==_"

--=====================_6496843==_
Content-Type: text/plain; charset="us-ascii"; format=flowed

Portfolio alert
--=====================_6496843==_
Content-Type: application/octet-stream; name="market_advice.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="market_advice.pdf"


As you could see the subject it's empty. The space before the Subject: it's needed by the procotol.

The rule that should be called it's:
Code:

   <rule name="PDFs Subject empty" action="to_spam">
      <check_header header="Content-Type" expression="\.pdf"/>
      <check_header header="Subject" expression="^\s*$"/>
   </rule>


If you want I could zip the message and sent it to you for testing purposes.

Thanks for your work.


This message is filtered by a single rule for empty subjects from the list above:
Code:
not Header{Subject} =~ \S

Most email clients display warnings and don't allow sending the messages with no text in subject. So the empty subject is a very strong spam sign.

The rules are good enouth for filtering most of the messages with attached PDF. But as you've already noticed it is hard to cover all possible cases. Thereby the future versions of the plug-in will be able to extract text from attached PDF documents and classify it along with the message body.
Back to top
View user's profile Send private message Send e-mail
Display posts from previous:   
Post new topic   Reply to topic    antispamsniper.com Forum Index -> AntispamSniper for TheBat! All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB © 2001, 2005 phpBB Group