Just a quick question I have noticed that these PDF files all have the following string in the first line is there something I am missing ? I have been using it to catch these spams any thoughts ?
BODY 3 PCRE (JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Thursday, June 28, 2007 12:49 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] Re: PDF spam detection I was thinking Regex wasn't available since I'm still using 2.0.6, but forgot I could use an external test and the regex available in the windows Findstr command. Darin. ----- Original Message ----- From: Matt <mailto:[EMAIL PROTECTED]> To: declude.junkmail@declude.com Sent: Thursday, June 28, 2007 12:37 PM Subject: Re: [Declude.JunkMail] Re: PDF spam detection Here's a piece of RegEx code that should work for blank bodies with a PDF and this particular spammer so long as he is forging Thunderbird: -+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf; Note that I have not tested this, but the code is in fact fairly simple and it should work. Matt Darin Cox wrote: So far all that I've seen have a blank body with the pdf attachment. Anyone have any ideas as to how to test for a blank body, or one with only whitespace characters? The new PCRE function can do it, but we're still on 2.0.6 at the moment, waiting until IMail 2006.21 comes out and passes testing. I'm thinking a blank body test with PDF attachment detection should result in very few FPs. Still possible, but hopefully enough to hold on until a better detection method can be found. Darin. _____________ Test footer --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
