Re: PDF files containing executables?

2016-03-03 Thread John Hardin
On Thu, 3 Mar 2016, David B Funk wrote: On Thu, 3 Mar 2016, John Hardin wrote: On Thu, 3 Mar 2016, Dianne Skoll wrote: > However, many legitimate PDF files contain Javascript snippets. > Blocking solely on that basis will lead to many FPs. I'd argue the "legitimate" part of that statem

Re: PDF files containing executables?

2016-03-03 Thread David B Funk
On Thu, 3 Mar 2016, John Hardin wrote: On Thu, 3 Mar 2016, Dianne Skoll wrote: On Thu, 3 Mar 2016 13:03:44 -0800 Marc Perkel wrote: Thanks for the response. I'm in the spam filtering business and I'm wondering what I can use (from the command line?) to detect if a PDF has any kind of script

Re: PDF files containing executables?

2016-03-03 Thread David B Funk
On Thu, 3 Mar 2016, Dianne Skoll wrote: On Thu, 3 Mar 2016 13:27:18 -0800 (PST) John Hardin wrote: [Dianne Skoll] However, many legitimate PDF files contain Javascript snippets. Blocking solely on that basis will lead to many FPs. I'd argue the "legitimate" part of that statement... :)

Re: PDF files containing executables?

2016-03-03 Thread Reindl Harald
On 03.03.2016 at 23:17 Benny Pedersen wrote: Users should disable javascript or entirely remove software that supports stupidity. Welcome to the real world.

Re: PDF files containing executables?

2016-03-03 Thread Benny Pedersen
On 3. mar. 2016 21.26.05 Marc Perkel wrote: A customer of mine inquired about executable viruses inside of PDF files. Is that so? And if it is - is there any way of detecting executables inside of PDF? Google harafa You need to understand jit, each pdf file can contain a mta sending spam Us

Re: PDF files containing executables?

2016-03-03 Thread John Hardin
On Thu, 3 Mar 2016, John Hardin wrote: On Thu, 3 Mar 2016, Dianne Skoll wrote: I had no idea Java could be embedded in PDF... are you sure that's even possible? No idea either, I was just including it because it was mentioned upthread, and greater insanities have happened. I'm not findi

Re: PDF files containing executables?

2016-03-03 Thread John Hardin
On Thu, 3 Mar 2016, Dianne Skoll wrote: I had no idea Java could be embedded in PDF... are you sure that's even possible? No idea either, I was just including it because it was mentioned upthread, and greater insanities have happened. -- John Hardin KA7OHZ http://www.imp

Re: PDF files containing executables?

2016-03-03 Thread Marc Perkel
On 03/03/16 13:27, John Hardin wrote: On Thu, 3 Mar 2016, Dianne Skoll wrote: On Thu, 3 Mar 2016 13:03:44 -0800 Marc Perkel wrote: Thanks for the response. I'm in the spam filtering business and I'm wondering what I can use (from the command line?) to detect if a PDF has any kind of script

Re: PDF files containing executables?

2016-03-03 Thread Dianne Skoll
On Thu, 3 Mar 2016 13:27:18 -0800 (PST) John Hardin wrote: [Dianne Skoll] > > However, many legitimate PDF files contain Javascript snippets. > > Blocking solely on that basis will lead to many FPs. > I'd argue the "legitimate" part of that statement... :) Well, maybe, but I think you'd lose t

Re: PDF files containing executables?

2016-03-03 Thread John Hardin
On Thu, 3 Mar 2016, Dianne Skoll wrote: On Thu, 3 Mar 2016 13:03:44 -0800 Marc Perkel wrote: Thanks for the response. I'm in the spam filtering business and I'm wondering what I can use (from the command line?) to detect if a PDF has any kind of script attached that would be executable. That

Re: PDF files containing executables?

2016-03-03 Thread Marc Perkel
On 03/03/16 13:15, Dianne Skoll wrote: On Thu, 3 Mar 2016 13:03:44 -0800 Marc Perkel wrote: Thanks for the response. I'm in the spam filtering business and I'm wondering what I can use (from the command line?) to detect if a PDF has any kind of script attached that would be executable. That

Re: PDF files containing executables?

2016-03-03 Thread Dianne Skoll
On Thu, 3 Mar 2016 13:03:44 -0800 Marc Perkel wrote: > Thanks for the response. I'm in the spam filtering business and I'm > wondering what I can use (from the command line?) to detect if a PDF > has any kind of script attached that would be executable. That way I > might block based on what's e

RE: PDF files containing executables?

2016-03-03 Thread Kevin Miller
Not sure about viruses per se, but I know that there have been instances of embedded javascript in .pdf files which have been malicious. Javascript can be turned off in Acrobat preferences. Likely a toggle in other .pdf readers as well. ...Kevin -- Kevin Miller Network/email Administrator, CBJ

Re: PDF files containing executables?

2016-03-03 Thread Marc Perkel
On 03/03/16 13:02, David B Funk wrote: On Thu, 3 Mar 2016, Marc Perkel wrote: A customer of mine inquired about executable viruses inside of PDF files. Is that so? And if it is - is there any way of detecting executables inside of PDF? I don't know that PDFs can contain classical ".exe" ty

Re: PDF files containing executables?

2016-03-03 Thread Matthias Leisi
> Thanks for the response. I'm in the spam filtering business and I'm wondering > what I can use (from the command line?) to detect if a PDF has any kind of ClamAV? — Matthias

Re: PDF files containing executables?

2016-03-03 Thread Marc Perkel
Hi Kevin, Thanks for the response. I'm in the spam filtering business and I'm wondering what I can use (from the command line?) to detect if a PDF has any kind of script attached that would be executable. That way I might block based on what's embedded in a PDF. On 03/03/16 12:59, Kevin Mill

Re: PDF files containing executables?

2016-03-03 Thread David B Funk
On Thu, 3 Mar 2016, Marc Perkel wrote: A customer of mine inquired about executable viruses inside of PDF files. Is that so? And if it is - is there any way of detecting executables inside of PDF? I don't know that PDFs can contain classical ".exe" type executables but they can clearly contai

PDF files containing executables?

2016-03-03 Thread Marc Perkel
A customer of mine inquired about executable viruses inside of PDF files. Is that so? And if it is - is there any way of detecting executables inside of PDF? -- Marc Perkel - Sales/Support supp...@junkemailfilter.com http://www.junkemailfilter.com Junk Email Filter dot com 415-992-3400

Re: PDF files containing executables?

2016-03-03 Thread Reindl Harald
On 03.03.2016 at 21:25 Marc Perkel wrote: A customer of mine inquired about executable viruses inside of PDF files. Is that so? And if it is - is there any way of detecting executables inside of PDF? when it's a job for clamav

Re: RCVD_NUMERIC_HELO

2016-03-03 Thread Reindl Harald
On 03.03.2016 at 21:17 Axb wrote: On 03/03/2016 09:10 PM, Reindl Harald wrote: On 03.03.2016 at 20:59 Axb wrote: That YOU don't like deep header parsing rule doesn't mean that they're useless. Maybe it's time that you, as a self-proclaimed perfectionist, fork SA and do your thing. mayb

Re: RCVD_NUMERIC_HELO

2016-03-03 Thread Axb
On 03/03/2016 09:10 PM, Reindl Harald wrote: On 03.03.2016 at 20:59 Axb wrote: On 03/03/2016 08:21 PM, Reindl Harald wrote: how do you suppose the corpus to replace one's own thinking about the *conditions* rules hit? I've no idea what the sentence means. the deep-header rules have to go

Re: RCVD_NUMERIC_HELO

2016-03-03 Thread Reindl Harald
On 03.03.2016 at 20:59 Axb wrote: On 03/03/2016 08:21 PM, Reindl Harald wrote: how do you suppose the corpus to replace one's own thinking about the *conditions* rules hit? I've no idea what the sentence means. the deep-header rules have to go away or rewritten to *not* do deep-header test

Re: RCVD_NUMERIC_HELO

2016-03-03 Thread Axb
On 03/03/2016 08:21 PM, Reindl Harald wrote: On 03.03.2016 at 19:39 RW wrote: On Thu, 3 Mar 2016 18:51:45 +0100 Reindl Harald wrote: On 03.03.2016 at 17:54 RW wrote: On Thu, 3 Mar 2016 15:18:36 +0100 Reindl Harald wrote: it would at best end in the rule get such a low score that it is

Re: RCVD_NUMERIC_HELO

2016-03-03 Thread Reindl Harald
On 03.03.2016 at 19:39 RW wrote: On Thu, 3 Mar 2016 18:51:45 +0100 Reindl Harald wrote: On 03.03.2016 at 17:54 RW wrote: On Thu, 3 Mar 2016 15:18:36 +0100 Reindl Harald wrote: it would at best end in the rule get such a low score that it is the same as disable it entirely - so the only

Re: RCVD_NUMERIC_HELO

2016-03-03 Thread RW
On Thu, 3 Mar 2016 18:51:45 +0100 Reindl Harald wrote: > On 03.03.2016 at 17:54 RW wrote: > > On Thu, 3 Mar 2016 15:18:36 +0100 > > Reindl Harald wrote: > > > >> it would at best end in the rule get such a low score that it is > >> the same as disable it entirely - so the only correct thing to

Re: RCVD_NUMERIC_HELO

2016-03-03 Thread RW
On Thu, 3 Mar 2016 17:59:33 +0100 Matus UHLAR - fantomas wrote: > On 03.03.16 16:54, RW wrote: > >FSL_HELO_BARE_IP_1 is a last-external check > >FSL_HELO_BARE_IP_2 is a deep check with some additional exclusions > > > >These are mutually exclusive _1 suppresses _2 > > it's because > > 72_activ

Re: RCVD_NUMERIC_HELO

2016-03-03 Thread Reindl Harald
On 03.03.2016 at 17:59 Matus UHLAR - fantomas wrote: On 03.03.16 16:54, RW wrote: FSL_HELO_BARE_IP_1 is a last-external check FSL_HELO_BARE_IP_2 is a deep check with some additional exclusions These are mutually exclusive _1 suppresses _2 it's because 72_active.cf:meta FSL_HELO_BARE_I

Re: RCVD_NUMERIC_HELO

2016-03-03 Thread Reindl Harald
On 03.03.2016 at 17:54 RW wrote: On Thu, 3 Mar 2016 15:18:36 +0100 Reindl Harald wrote: it would at best end in the rule get such a low score that it is the same as disable it entirely - so the only correct thing to do is stop the foolish deep-header parsing why? because *then* it would n

Re: RCVD_NUMERIC_HELO

2016-03-03 Thread Reindl Harald
On 03.03.2016 at 17:54 RW wrote: What makes this all the more remarkable is that at the time you brought it up, the meta rules were wrong and most of the hits that should have gone to FSL_HELO_BARE_IP_1 were going to FSL_HELO_BARE_IP_2 instead, so you probably overestimated the spam hitting the

Re: RCVD_NUMERIC_HELO

2016-03-03 Thread Matus UHLAR - fantomas
On 03.03.16 16:54, RW wrote: FSL_HELO_BARE_IP_1 is a last-external check FSL_HELO_BARE_IP_2 is a deep check with some additional exclusions These are mutually exclusive _1 suppresses _2 it's because 72_active.cf:meta FSL_HELO_BARE_IP_2 __FSL_HELO_BARE_IP_2 && !ALL_TRUSTED && !FSL_HEL

Re: RCVD_NUMERIC_HELO

2016-03-03 Thread RW
On Thu, 3 Mar 2016 15:18:36 +0100 Reindl Harald wrote: > it would at best end in the rule get such a low score that it is the > same as disable it entirely - so the only correct thing to do is stop > the foolish deep-header parsing > > why? > > because *then* it would no longer hit any relevan

Re: What do I do to fix this? bayes db update ignored: Permission denied

2016-03-03 Thread Robert Chalmers
ok, thanks all. I think I have it. zeus:bayes_db robert$ ls -la total 6528 drwxr-xr-x 5 spamuser wheel 170 3 Mar 15:35 . drwxrwxrwx 3 root wheel 102 3 Mar 14:37 .. -rw-rw 1 spamuser wheel 49632 3 Mar 16:22 bayes_journal -rw-rw 1 spamuser wheel 176128 3 Mar 1

Re: What do I do to fix this? bayes db update ignored: Permission denied

2016-03-03 Thread RW
On Thu, 3 Mar 2016 15:35:38 + Robert Chalmers wrote: > So what exactly is the 'kludge' - given that mostly I followed the > Wiki and various other setup guidelines? I'm not doing per user > configs, but site wide. If you are running spamd as spamuser the files, and the directory they are in,

Re: What do I do to fix this? bayes db update ignored: Permission denied

2016-03-03 Thread Tom Hendrikx
Hi, you probably messed up the permissions by running sa-learn or any other tool that messes with the bayes files directly (i.e. not via spamd) as root. Your changes work because they allow read/write access to anyone on the system, which is not very secure. Best would be to do something like:

Re: What do I do to fix this? bayes db update ignored: Permission denied

2016-03-03 Thread Robert Chalmers
ok, I can see that. Interesting I missed it on the set up. So, I'm running on OSX, and have to use plist files to start processes. The spamd owner is 'spamuser' - ( just because I did…. and as it's not used outside that, I may as well leave it as such.) /opt/local/bin/daemondo

Re: What do I do to fix this? bayes db update ignored: Permission denied

2016-03-03 Thread RW
On Thu, 3 Mar 2016 14:46:33 + Robert Chalmers wrote: > > /var/spamassassin/bayes_db > > drwxr-xr-x 3 root wheel 102 3 Mar 14:37 . > drwxr-xr-x 28 root wheel 952 23 Jan 15:58 .. > drwxr-xr-x 5 root wheel 170 3 Mar 14:37 bayes_db > > > -rw-rw-rw- 1 root wheel 2304 3 Mar

Re: dcc checks

2016-03-03 Thread Matus UHLAR - fantomas
On 02.03.16 12:48, Roman Gelfand wrote: >I have awl disabled and dcc checks configured. Why, sometimes, >spamassassin doesn't do dcc checks? On Wed, Mar 2, 2016 at 2:50 PM Matus UHLAR - fantomas wrote: that has nothing to do with AWL. You have already asked in the DCC mailing list (and I ha

Re: What do I do to fix this? bayes db update ignored: Permission denied

2016-03-03 Thread Robert Chalmers
ah. So as in local.cf # Bayesian classifier auto-learning (default: 1) # bayes_auto_learn 1 bayes_path /var/spamassassin/bayes_db/bayes bayes_file_mode 0777 bayes_auto_learn_threshold_nonspam -0.001 bayes_auto_learn_threshold_spam 9.0 /var/spamassassin/bayes_db drwxr-xr-x 3 root wh

Re: What do I do to fix this? bayes db update ignored: Permission denied

2016-03-03 Thread Reindl Harald
On 03.03.2016 at 15:30 Robert Chalmers wrote: ok, I fixed it, but what is it recording ??? tail -f bayes_journal t 1457015338 ba89bf20a0 t 1457015338 f5539dc198 t 1457015338 11973086ed http://spamassassin.apache.org/full/3.4.x/doc/sa-learn.html the timestamps when a token was last seen h

Re: What do I do to fix this? bayes db update ignored: Permission denied

2016-03-03 Thread Robert Chalmers
ok, I fixed it, but what is it recording ??? tail -f bayes_journal t 1457015338 ba89bf20a0 t 1457015338 f5539dc198 t 1457015338 11973086ed > On 3 Mar 2016, at 14:22, Robert Chalmers wrote: > > /var/spamassassin/bayes_db/bayes_journal Robert Chalmers rob...@chalmers.com

What do I do to fix this? bayes db update ignored: Permission denied

2016-03-03 Thread Robert Chalmers
Should this set of directories be globally writable? Or writable by spamd? or postfix? spamd[298]: bayes: cannot write to /var/spamassassin/bayes_db/bayes_journal, bayes db update ignored: Permission denied Robert Chalmers rob...@chalmers.com .au Quantum Radio:

Re: RCVD_NUMERIC_HELO

2016-03-03 Thread Reindl Harald
On 03.03.2016 at 15:04 RW wrote: On Thu, 3 Mar 2016 13:58:30 +0100 Reindl Harald wrote: On 03.03.2016 at 13:47 RW wrote: On Wed, 2 Mar 2016 23:25:17 +0100 Reindl Harald wrote: your expectation that the mass-test corpus can reproduce the whole real world is fundamentally broken Unbeli

Re: RCVD_NUMERIC_HELO

2016-03-03 Thread RW
On Thu, 3 Mar 2016 13:58:30 +0100 Reindl Harald wrote: > On 03.03.2016 at 13:47 RW wrote: > > On Wed, 2 Mar 2016 23:25:17 +0100 > > Reindl Harald wrote: > >> your expectation that the mass-test corpus can reproduce the whole > >> real world is fundamentally broken > > > > Unbelievable. > > >

Re: RCVD_NUMERIC_HELO

2016-03-03 Thread Reindl Harald
On 03.03.2016 at 13:47 RW wrote: On Wed, 2 Mar 2016 23:25:17 +0100 Reindl Harald wrote: On 02.03.2016 at 23:13 RW wrote: On Wed, 2 Mar 2016 22:45:15 +0100 Reindl Harald wrote: On 02.03.2016 at 22:12 RW wrote: The only argument you have made against these rules is that they don't wor

Re: RCVD_NUMERIC_HELO

2016-03-03 Thread RW
On Wed, 2 Mar 2016 23:25:17 +0100 Reindl Harald wrote: > On 02.03.2016 at 23:13 RW wrote: > > On Wed, 2 Mar 2016 22:45:15 +0100 > > Reindl Harald wrote: > > > >> On 02.03.2016 at 22:12 RW wrote: > >>> The only argument you have made against these rules is that they > >>> don't work for you