PDF Spam

Discussion, support and announcements for third party applications that work with MailEnable.
MartynK
Posts: 1325
Joined: Sat Dec 28, 2002 1:12 am
Location: Hong Kong

PDF Spam

Post by MartynK » Mon Jul 02, 2007 2:36 pm

I am starting to hear a bit about PDF spam, but to date have not seen any myself.

Anyone else getting much of this, is it much of a problem ?

AcidRaZor
Posts: 33
Joined: Fri Nov 25, 2005 12:58 pm

Post by AcidRaZor » Tue Jul 10, 2007 7:20 pm

I've had several hits of PDF spam on the MEFilter (I use SpamAssassin to mark mail as spam; luckily they are being caught by using known blacklisted servers, and the Bayesian probability is usually high).

I was actually looking for news on this now, seeing as I found some. It looks like normal image spam but in a PDF, so it's not normal text one can just extract from the PDF with some add-on. You'd need to save everything as an image and then OCR it or something.

paarlberg
Posts: 1071
Joined: Tue Mar 02, 2004 7:33 pm
Location: Atlanta, GA, USA

Post by paarlberg » Tue Jul 17, 2007 1:25 am

ASSP recognizes them as spam with a 100% catch rate. I will see what it actually catches them for. It might be for RBL or SPF.

someone_else
Posts: 302
Joined: Tue Jul 19, 2005 1:12 pm
Location: 404

SpamAssassin rule for PDF spam

Post by someone_else » Tue Jul 17, 2007 6:09 pm

All the PDF spam messages seem to claim the same user agent, so for SpamAssassin users, here's a simple rule set which will trigger if the user agent is the aforementioned one and the message contains a PDF attachment (i.e. both criteria must be met for the rule to be triggered). Simply add this to your local.cf file (/etc/mail/spamassassin/local.cf in SAVASM):

header    __Tbd  User-Agent =~ /Thunderbird 1\.5\.0\.12 \(Windows\/20070509\)/i
full      __PDF  /Content-Type: application\/pdf;/i
meta      xPDF  (__Tbd && __PDF)
describe  xPDF  PDF Spam
score     xPDF  2.0

MailEnable plugins:
DKeyEvent - DomainKeys/DKIM
MESpamC - SpamAssassin integration

paarlberg
Posts: 1071
Joined: Tue Mar 02, 2004 7:33 pm
Location: Atlanta, GA, USA

Post by paarlberg » Wed Jul 18, 2007 1:38 pm

All of mine have been RDNS BL and were caught.

Smurf
Posts: 516
Joined: Thu Apr 22, 2004 6:42 pm

Post by Smurf » Fri Aug 03, 2007 7:31 am

We're seeing hundreds of PDF spam emails slipping through our filters. Anyone have any suggestions as to a custom filter that we can add to ME to block these?

Not using Spam Assassin and prefer not to rely on a 3rd party app to avoid any increases in CPU load.
Last edited by Smurf on Fri Aug 03, 2007 10:12 pm, edited 1 time in total.

atinoco
Posts: 19
Joined: Tue Jun 21, 2005 4:56 pm

Post by atinoco » Fri Aug 03, 2007 8:18 pm

I also have this problem. Any suggestions?
-Andres Tinoco
PuntoWEB de Venezuela C.A.

MartynK
Posts: 1325
Joined: Sat Dec 28, 2002 1:12 am
Location: Hong Kong

Post by MartynK » Sat Aug 04, 2007 2:23 pm

I have been working on this for a few weeks now.

As there is no set way to do it, I have used a point scoring system for this. It's still in "the works" but with luck I will be there in a week or so.

If you want to have a look at what I am doing and/or have anything to add, I have posted a topic on the forum http://mefilter.com/cs/forums/t/1380.aspx

jdraggi
Posts: 33
Joined: Tue Feb 14, 2006 12:34 am
Location: USA

yep

Post by jdraggi » Wed Aug 08, 2007 4:31 am

Yeah, this sucks. We're actually looking for a new spam/antivirus package to use with MailEnable. F-Prot changed their A/V license from per computer to per user so we can no longer use that A/V package.

Nevertheless, tons and tons of pdf spam slipping through.

--john

Smurf
Posts: 516
Joined: Thu Apr 22, 2004 6:42 pm

Post by Smurf » Wed Aug 08, 2007 11:49 am

Yep, certainly sucks big time. What started as a trickle is now turning into a flood of PDF spam emails.

It's putting a real strain on the virus scanner and on the ME MTA process. Some emails are getting rejected by the reverse DNS blacklists, others by our Bayesian filter, but I reckon a good 70% still get through.

From my observations the messages always come from a Windows Thunderbird and never have any visible body text. The message size is typically between 9k and 12k.

ME - from your inside knowledge of the filter rules - is there any filter we can add similar to the image spam filter rule?

MailEnable
Site Admin
Posts: 4441
Joined: Tue Jun 25, 2002 3:03 am
Location: Melbourne, Victoria Australia

Post by MailEnable » Wed Aug 08, 2007 3:15 pm

It is very hard to discriminate against PDF spam because the content in the messages varies significantly, i.e. it is hard to isolate patterns within the messages because they vary so much.

I don't think you can rely on the mailer, since most of the PDF spam we see is from an Outlook Express mailer. It could of course be used to weight the result, should you notice that the majority of the messages exhibit that characteristic (the ones I have seen don't).

Of course the common characteristic is the PDF attachment, and this would be one of the criteria used to identify them. If you notice a size range pattern, you can always validate the size. Also, the sender will almost certainly fail an SPF test, and possibly a PTR lookup, so those passing these could be whitelisted.

Snippets follow:

FilterResult=0
MEResultData = "SCRIPT"
RefuseMail = False
'
' PTR (reverse lookup) test
'
If CriteriaMet([ME_HEADERS_CONTAIN],"X-PTR-Result: Generic, Fail") Then
  RefuseMail = True
End If
'
' Reverse DNS Blacklist test
'
If CriteriaMet([ME_HEADERS_CONTAIN],"X-RBL-Result: Generic, Fail") Then
  RefuseMail = True
End If
'
' To detect whether it is an attached pdf (in the observed 9k-12k size range)
' whose sender does not pass SPF, you could use:
'
If CriteriaMet([ME_BOUNDARYHEADERS_CONTAIN],"Content-Type: application/pdf;") AND (CriteriaMet([ME_HASATTACHMENTSMATCHING],"*.pdf")) AND ([ME_SIZE] > 9216) And ([ME_SIZE] < 12288) Then
  If Not CriteriaMet([ME_SPF],"pass") Then
    RefuseMail = True
  End If
End If
'
' Now set the return value
'
If RefuseMail Then
  FilterResult=1
End If

Also, the envelope sender often does not match the From address in the message headers.
This can be caught with either of the following script extracts:

Dim FromEnvelopeHeaderResult
FilterResult=0
MEResultData = "SCRIPT"
FromEnvelopeHeaderResult=0

' Message From: address does not match envelope sender e-mail address
If Not CriteriaMet([ME_HEADERS_CONTAIN],"*[ME_SENDER]*") Then
  FromEnvelopeHeaderResult=1
  FilterResult=1
End If

Or (a stricter implementation):

Dim FromEnvelopeHeaderResult
FilterResult=0
MEResultData = "SCRIPT"
FromEnvelopeHeaderResult=0

' Message From: address does not match envelope sender e-mail address
If Not CriteriaMet([ME_FROM],"*[ME_SENDER]*") Then
  FromEnvelopeHeaderResult=1
  FilterResult=1
End If

The first of these From validations would probably suffice, but you will notice that the criteria will also be met by bulk mail in general (i.e. Yahoo lists, etc.), so you would only want to perform the test if the PDF criteria are met.
Regards, Andrew

FredG
Posts: 27
Joined: Wed Oct 08, 2003 8:05 pm

Post by FredG » Sun Aug 12, 2007 5:40 pm

I have noticed that the message body in all PDF spams is empty. Often the PDF file name also matches the message subject.
Best regards
FredG
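
The traits reported across this thread (someone_else's user-agent plus PDF-attachment rule, Andrew's size range, SPF and envelope-sender checks, Smurf's mailer observation, and FredG's empty body and matching file name) combined into one point-scoring check, as an added example written in Python for this page; it is not MailEnable's filter script or SpamAssassin's rule set. The weights, the threshold, the 9216-12288 byte window applied as a rule, and both sample messages are constructed for the demonstration; the two mailer strings are the ones quoted in this thread.

```python
"""Point-scoring heuristic for the PDF-spam traits discussed in this thread.

Added example: not MailEnable's filter script or SpamAssassin's rule, only the
same checks expressed with the Python standard library. Weights, threshold and
both sample messages are constructed for the demonstration.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

SIZE_RANGE = (9216, 12288)   # observed 9k-12k message size, applied here as a rule
SPAM_THRESHOLD = 4           # assumed cut-off for the score below
# Mailer strings quoted in the thread; a weak signal, so worth only one point.
SUSPECT_MAILERS = ("Thunderbird 1.5.0.12", "Microsoft Outlook Express 6.00.2900.3138")


def score_message(raw):
    """Return (score, reasons); every trait found appends its reason."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    score, reasons = 0, []

    # Trait 1: a PDF attachment, by declared type or by *.pdf filename.
    # Without it no other test runs, which keeps legitimate bulk mail
    # (lists, newsletters) from being hit by the From/envelope test below.
    pdf_parts = [p for p in msg.iter_attachments()
                 if p.get_content_type() == "application/pdf"
                 or (p.get_filename() or "").lower().endswith(".pdf")]
    if not pdf_parts:
        return 0, ["no pdf attachment"]
    score += 2
    reasons.append("pdf attachment")

    # Trait 2: whole-message size inside the observed range.
    if SIZE_RANGE[0] < len(raw) < SIZE_RANGE[1]:
        score += 1
        reasons.append("size in range")

    # Trait 3: SPF did not pass (the result keyword is the first token).
    spf = (msg.get("Received-SPF") or "").strip().split(" ", 1)[0].lower()
    if spf != "pass":
        score += 1
        reasons.append(f"spf={spf or 'missing'}")

    # Trait 4: envelope sender (Return-Path) differs from the From: address.
    env = parseaddr(msg.get("Return-Path", ""))[1].lower()
    frm = parseaddr(msg.get("From", ""))[1].lower()
    if env and frm and env != frm:
        score += 1
        reasons.append("from/envelope mismatch")

    # Trait 5: no visible body text (no text part at all, or an empty one).
    body = msg.get_body(preferencelist=("plain", "html"))
    if not (body.get_content().strip() if body else ""):
        score += 1
        reasons.append("empty body")

    # Trait 6: attachment file name (minus .pdf) equals the Subject.
    subject = (msg.get("Subject") or "").strip().lower()
    stems = {re.sub(r"\.pdf$", "", (p.get_filename() or "").lower()) for p in pdf_parts}
    if subject and subject in stems:
        score += 1
        reasons.append("filename matches subject")

    # Trait 7: mailer header seen on the reported samples (weak signal).
    mailer = msg.get("User-Agent") or msg.get("X-Mailer") or ""
    if any(s in mailer for s in SUSPECT_MAILERS):
        score += 1
        reasons.append("suspect mailer")
    return score, reasons


def is_pdf_spam(raw):
    return score_message(raw)[0] >= SPAM_THRESHOLD


def build_sample(*, body_text, spf, envelope, pdf_name, subject, mailer=None, pad=7500):
    """Construct a test message; the attachment is dummy bytes, not a real PDF."""
    m = EmailMessage()
    m["From"] = '"Pe Louk" <sender@example.com>'
    m["To"] = "press@example.net"
    m["Subject"] = subject
    m["Received-SPF"] = spf
    m["Return-Path"] = f"<{envelope}>"
    if mailer:
        m["X-Mailer"] = mailer
    if body_text:
        m.set_content(body_text)
    else:
        m.make_mixed()   # attachment only, no text part, like the reported samples
    m.add_attachment(b"%PDF-1.4 " + b"x" * pad, maintype="application",
                     subtype="pdf", filename=pdf_name)
    return m.as_bytes()


# Constructed samples: one shaped like the reported spam, one legitimate PDF mail.
SPAMMY = build_sample(body_text="", subject="exchange", pdf_name="exchange.pdf",
                      spf="none (mx.example.net: example.com does not designate permitted sender hosts)",
                      envelope="other@example.org",
                      mailer="Microsoft Outlook Express 6.00.2900.3138")
LEGIT = build_sample(body_text="Hi, the August invoice is attached as discussed.",
                     subject="Invoice for August", pdf_name="invoice-2007-08.pdf",
                     spf="pass (mx.example.net: domain of sender@example.com designates 192.0.2.1 as permitted sender)",
                     envelope="sender@example.com")

if __name__ == "__main__":
    for label, raw in (("spammy", SPAMMY), ("legit", LEGIT)):
        print(label, len(raw), "bytes", score_message(raw))
```

The early return in score_message is the point Andrew makes about bulk mail: the From/envelope comparison (and the rest) only runs once a PDF attachment has been found, so a mailing list without one never accumulates points. The legitimate sample still scores for the attachment and the size window, which is why those two traits alone sit below the threshold.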

Smurf
Posts: 516
Joined: Thu Apr 22, 2004 6:42 pm

Post by Smurf » Mon Aug 13, 2007 11:52 am

We're *trying* to get the following script to work;

FilterResult=0
If CriteriaMet([ME_BOUNDARYHEADERS_CONTAIN],"Content-Type: application/pdf;") AND CriteriaMet([ME_HASATTACHMENTSMATCHING],"*.pdf") AND ([ME_SIZE] > 9216) And ([ME_SIZE] < 43008) Then
If CriteriaMet([ME_SPAM_PROBABILITY] >10) Then
FilterResult=1
End If
if CriteriaMet([ME_HEADERS_CONTAIN],"*Subject: ") Then
FilterResult=1
end if
End If

A typical PDF spam (17KB) email looks like this:
Received: from e178127103.adsl.alicedsl.de ([85.178.127.103]) by thor.xxxxx.com with MailEnable ESMTP; Mon, 13 Aug 2007 12:49:19 +0100
Received: from home-pc (HELO home-pc) (press@xxxxx.com@183.171.0.170)
by e178127103.adsl.alicedsl.de with SMTP; Mon, 13 Aug 2007 13:56:28 +0200
Message-ID: <000f01c7dda0$f0f08970$677fb255@homepc>
From: "Pe Louk" <Loukfak@arianespier.nl>
To: press@xxxxx.com
Subject: exchange
Date: Mon, 13 Aug 2007 13:56:11 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_000B_01C7DDB1.B4770F80"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
Received-SPF: none (thor.xxxxx.com: arianespier.nl does not designate permitted sender hosts)
X-ME-Bayesian: 32.988128
Return-Path: <Loukfak@arianespier.nl>
X-Read: 1

The problem is that the filter is never triggered, even when sending a test email that should be flagged. Any ideas as to why?

rockinthesixstring
Posts: 844
Joined: Mon Dec 05, 2005 7:51 am
Location: Canada

Post by rockinthesixstring » Tue Aug 14, 2007 4:12 am

Smurf wrote:We're *trying* to get the following script to work;

FilterResult=0
If CriteriaMet([ME_BOUNDARYHEADERS_CONTAIN],"Content-Type: application/pdf;") AND CriteriaMet([ME_HASATTACHMENTSMATCHING],"*.pdf") AND ([ME_SIZE] > 9216) And ([ME_SIZE] < 43008) Then
If CriteriaMet([ME_SPAM_PROBABILITY] >10) Then
FilterResult=1
End If
if CriteriaMet([ME_HEADERS_CONTAIN],"*Subject: ") Then
FilterResult=1
end if
End If

A typical PDF spam (17KB) email looks like this:
Received: from e178127103.adsl.alicedsl.de ([85.178.127.103]) by thor.xxxxx.com with MailEnable ESMTP; Mon, 13 Aug 2007 12:49:19 +0100
Received: from home-pc (HELO home-pc) (press@xxxxx.com@183.171.0.170)
by e178127103.adsl.alicedsl.de with SMTP; Mon, 13 Aug 2007 13:56:28 +0200
Message-ID: <000f01c7dda0$f0f08970$677fb255@homepc>
From: "Pe Louk" <Loukfak@arianespier.nl>
To: press@xxxxx.com
Subject: exchange
Date: Mon, 13 Aug 2007 13:56:11 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_000B_01C7DDB1.B4770F80"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
Received-SPF: none (thor.xxxxx.com: arianespier.nl does not designate permitted sender hosts)
X-ME-Bayesian: 32.988128
Return-Path: <Loukfak@arianespier.nl>
X-Read: 1

The problem is that the filter is never triggered, even when sending a test email that should be flagged. Any ideas as to why?
Yes, I am experiencing the same behavior (using 2.38).

NOTE: here is the code I am using:

FilterResult=0

If CriteriaMet([ME_HASATTACHMENTSMATCHING],"*.pdf")  AND  ([ME_SIZE] > 9216) And ([ME_SIZE] < 41000) Then
  FilterResult=1
End If

Chase
Server 2008 Standard (x64)
ME Ent 6.51 (SQL Server 2008 Config)
ASSP 1.9

Smurf
Posts: 516
Joined: Thu Apr 22, 2004 6:42 pm

Post by Smurf » Tue Aug 14, 2007 7:57 am

It's almost as if ME is unable to detect the PDF attachment. Although we do have success with a similar filter used to filter out image spam; that filter works like a charm.
