Re: Spam PDF

2007-06-30 Thread arni
Mikael Syska wrote: Kind of new to spam ... and especially how people use bayes. So how many ham mails do you get per day ? wondering if I could do something to my system so bayes may score higher I have read somewhere that spam mails in bayes should be a lot higher than ham mails ... is

Re: Spam PDF

2007-06-30 Thread Mikael Syska
arni wrote: [snip snap] I looked for the lowest scoring email of the past 2 days (don't save them longer), this is the one: X-Spam-Status: Yes, score=10.7 required=5.0 tests=BAYES_99,DCC_CHECK, DKIM_POLICY_SIGNSOME,HTML_MESSAGE,LOGINHASH1,LOGINHASH2,MIME_HTML_MOSTLY autolearn=no

Re: Spam PDF

2007-06-29 Thread arni
[EMAIL PROTECTED] wrote: arni wrote: i will use one of the best quotes here that were ever created on the internet: "You make your mouth full of technical bullshit when only facts talk" By some random guy ;-) arni

Re: Spam PDF

2007-06-29 Thread bgodette
> It had nothing in the body. Without seeing that relay before, both > BAYES_80 and UNIQUE_WORDS caught it. > > Excluding the attachment encoding itself, here's what it had: > > Received: from [83.76.165.174] (HELO lmnht) > by mail.rudd.cc (CommuniGate Pro SMTP 5.1.4 _community_) > wi

Re: Spam PDF

2007-06-29 Thread John Rudd
[EMAIL PROTECTED] wrote: John Rudd wrote: [EMAIL PROTECTED] wrote: John Rudd wrote: You *will* not be getting a BAYES_90 or BAYES_99 from that. My first one got BAYES_80, without having seen that zombie/relay before. That's enough for 2 points. Which only tells me it had more than just the

Re: Spam PDF

2007-06-29 Thread bgodette
arni wrote: > i will use one of the best quotes here that were ever created on the > internet: > > "You make your mouth full of technical bullshit when only facts talk" > > By some random guy > > ;-) arni So you're saying yo

Re: Spam PDF

2007-06-29 Thread bgodette
John Rudd wrote: > [EMAIL PROTECTED] wrote: >> John Rudd wrote: > >> You *will* not be getting a BAYES_90 or >> BAYES_99 from that. > > My first one got BAYES_80, without having seen that zombie/relay before. > That's enough for 2 points. Which only tells me it had more than just the PDF atta

Re: Spam PDF

2007-06-29 Thread arni
[EMAIL PROTECTED] wrote: arni wrote: [EMAIL PROTECTED] wrote: Sounds more like "if we didn't rely on other people to have seen this particular abusive host before us and our learning system to have seen past examples of spam that looks a whole lot like th

Re: Spam PDF

2007-06-29 Thread John Rudd
[EMAIL PROTECTED] wrote: John Rudd wrote: You *will* not be getting a BAYES_90 or BAYES_99 from that. My first one got BAYES_80, without having seen that zombie/relay before. That's enough for 2 points. I think you're missing the point when I say "in the past" in relation to scoring vs

Re: Spam PDF

2007-06-29 Thread bgodette
arni wrote: > [EMAIL PROTECTED] wrote: >> >> Sounds more like "if we didn't rely on other people to have seen this >> particular abusive host before us and our learning system to have seen >> past examples of spam that looks a whole lot like this one from headers >> al

Re: Spam PDF

2007-06-29 Thread bgodette
John Rudd wrote: > [EMAIL PROTECTED] wrote: >>> Actually, it didn't. The assertion is that if someone else hadn't seen >>> this exact message first, then SA wouldn't have caught it. >> No, the assertion is that if someone else hadn't seen prior abuse from >> the sending host first (not this exact

Re: Spam PDF

2007-06-29 Thread Andy Sutton
On Fri, 2007-06-29 at 12:58 +0200, Claude Frantz wrote: > I was able to decode to plain text using the following commands: > > cat report.pdf | acroread -toPostScript -level2 -saveVM | ps2ascii > > Finally, very simple. Don't forget to filter escapes, or you might get a .pdf that includes some

Re: Spam PDF

2007-06-29 Thread Yet Another Ninja
On 6/29/2007 1:27 PM, Ralf Hildebrandt wrote: * Raymond Dijkxhoorn <[EMAIL PROTECTED]>: No i tested acroread but it's not exactly a lightweight tool to do these conversions. You can almost better open the PDF and filter them manually ;) If you get a couple of thousand an hour, like we do now,

Re: Spam PDF

2007-06-29 Thread Claude Frantz
Just another command sequence which worked well on a file containing an image too:

gs -sOutputFile=hugo -sDEVICE=pnmraw -dNOPAUSE -dBATCH -r600x600 hugo.pdf
cat hugo | pamthreshold -simple -threshold 0.5 | pamtopnm | ocrad --format=utf8

This could be a base for another prep and scanset for F

Re: Spam PDF

2007-06-29 Thread Ralf Hildebrandt
* Raymond Dijkxhoorn <[EMAIL PROTECTED]>: > No i tested acroread but it's not exactly a lightweight tool to do these > conversions. You can almost better open the PDF and filter them manually ;) > > If you get a couple of thousand an hour, like we do now, it ain't fun with > acroread. Why not us

Re: Spam PDF

2007-06-29 Thread Loren Wilton
I was able to decode to plain text using the following commands: cat report.pdf | acroread -toPostScript -level2 -saveVM | ps2ascii There are two forms of these PDF spams. The first ones had plain text and looked very professional. The second wave is image spam wrapped in a PDF, and has al

Re: Spam PDF

2007-06-29 Thread Raymond Dijkxhoorn
Hi Claude, I was able to decode to plain text using the following commands: cat report.pdf | acroread -toPostScript -level2 -saveVM | ps2ascii And this scales? :) It worked for me on an example of the many similar SPAM messages I have got. It will probably not work with any one. Have a t

Re: Spam PDF

2007-06-29 Thread Claude Frantz
Raymond Dijkxhoorn wrote: I was able to decode to plain text using the following commands: cat report.pdf | acroread -toPostScript -level2 -saveVM | ps2ascii And this scales? :) It worked for me on an example of the many similar SPAM messages I have got. It will probably not work with any

Re: Spam PDF

2007-06-29 Thread Raymond Dijkxhoorn
Hi! Just today I started receiving spam mails with attached .pdf files with a spam image. Any ideas how to stop this spam type? I was able to decode to plain text using the following commands: cat report.pdf | acroread -toPostScript -level2 -saveVM | ps2ascii And this scales? :) Bye, Ra

Re: Spam PDF

2007-06-29 Thread Claude Frantz
Raymond Myren wrote: Just today I started receiving spam mails with attached .pdf files with a spam image. Any ideas how to stop this spam type? I was able to decode to plain text using the following commands: cat report.pdf | acroread -toPostScript -level2 -saveVM | ps2ascii Finally, very

Re: Spam PDF

2007-06-28 Thread Dallas Engelken
Robert Schetterer wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Dallas Engelken wrote: John Thompson wrote: Raymond Myren wrote: Just today I started receiving spam mails with attached .pdf files with a spam image. Any ideas how to stop this spam type?

Re: Spam PDF

2007-06-28 Thread John Rudd
John Rudd wrote: The "policy" here is NOT the recipient's policy, the sendering network owner's policy. That was a rather mangled sentence... The "policy" that is the P in PBL is not the recipient's spam/abuse/etc. policy, it's the sending network owner's policy about who should or should

Re: Spam PDF

2007-06-28 Thread Robert Schetterer
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Dallas Engelken wrote: > John Thompson wrote: >> Raymond Myren wrote: >> >> >>> Just today I started receiving spam mails with attached .pdf files with >>> a spam image. >>> Any ideas how to stop this spam type? >>> >> >> Nothing, yet. But sin

Re: Spam PDF

2007-06-28 Thread arni
[EMAIL PROTECTED] wrote: Sounds more like "if we didn't rely on other people to have seen this particular abusive host before us and our learning system to have seen past examples of spam that looks a whole lot like this one from headers alone to detect this particular spam, we'd fail to catch

Re: Spam PDF

2007-06-28 Thread John Rudd
[EMAIL PROTECTED] wrote: Actually, it didn't. The assertion is that if someone else hadn't seen this exact message first, then SA wouldn't have caught it. No, the assertion is that if someone else hadn't seen prior abuse from the sending host first (not this exact message), then SA wouldn't ha

Re: Spam PDF

2007-06-28 Thread bgodette
arni wrote: > [EMAIL PROTECTED] wrote: >> Actually it did, take away the spamtrap fed blackholes (PBL and SPAMCOP) >> and the spamtrap fed BAYES as well and it scores a whopping 3.1 thanks >> to the BOTNET plugin (which is amazing btw). That hit was all from >> late-receiver effect. >> > That sou

Re: Spam PDF

2007-06-28 Thread bgodette
> Actually, it didn't. The assertion is that if someone else hadn't seen > this exact message first, then SA wouldn't have caught it. No, the assertion is that if someone else hadn't seen prior abuse from the sending host first (not this exact message), then SA wouldn't have caught that particul

Re: Spam PDF

2007-06-28 Thread Dallas Engelken
John Thompson wrote: Raymond Myren wrote: Just today I started receiving spam mails with attached .pdf files with a spam image. Any ideas how to stop this spam type? Nothing, yet. But since these appear to be an image file encapsulated in a .pdf, it may be possible to get FuzzyOCR to

Re: Spam PDF

2007-06-28 Thread John Thompson
Raymond Myren wrote: > Just today I started receiving spam mails with attached .pdf files with > a spam image. > Any ideas how to stop this spam type? Nothing, yet. But since these appear to be an image file encapsulated in a .pdf, it may be possible to get FuzzyOCR to parse them for spam text.

Re: Spam PDF

2007-06-27 Thread SARE Webmaster
Raymond Dijkxhoorn wrote: Hi! Jun 27 14:50:03 vmx80 MailScanner[4491]: Message l5RCnxP8019756 from 212.127.254.149 ([EMAIL PROTECTED]) to quicknet.nl is spam, SpamAssassin (not cached, score=24.191, required 5, BAYES_50 0.00, BODY_EMPTY 0.50, GMD_PDF_BAD_FUZZY 20.00, GMD_PDF_HORIZ 0.25, GMD_PD

Re: Spam PDF

2007-06-27 Thread John Rudd
[EMAIL PROTECTED] wrote: John Rudd wrote: Robert Schetterer wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 arni wrote: Raymond Myren wrote: Hello, Just today I started receiving spam mails with attached .pdf files with a spam image. Any ideas how to stop this spam type? \raymond

Re: Spam PDF

2007-06-27 Thread arni
[EMAIL PROTECTED] wrote: Actually it did, take away the spamtrap fed blackholes (PBL and SPAMCOP) and the spamtrap fed BAYES as well and it scores a whopping 3.1 thanks to the BOTNET plugin (which is amazing btw). That hit was all from late-receiver effect. That sounds a bit like "if we stoppe

Re: Spam PDF

2007-06-27 Thread bgodette
John Rudd wrote: > Robert Schetterer wrote: >> -BEGIN PGP SIGNED MESSAGE- >> Hash: SHA1 >> >> arni wrote: >>> Raymond Myren wrote: Hello, Just today I started receiving spam mails with attached .pdf files with a spam image. Any ideas how to stop this spam type?

Re: Spam PDF

2007-06-27 Thread Raymond Dijkxhoorn
Hi! Jun 27 14:50:03 vmx80 MailScanner[4491]: Message l5RCnxP8019756 from 212.127.254.149 ([EMAIL PROTECTED]) to quicknet.nl is spam, SpamAssassin (not cached, score=24.191, required 5, BAYES_50 0.00, BODY_EMPTY 0.50, GMD_PDF_BAD_FUZZY 20.00, GMD_PDF_HORIZ 0.25, GMD_PDF_STOX 1.00, PROLO_NO_URI 0.

Re: Spam PDF

2007-06-27 Thread Dave Koontz
Eagerly awaiting your latest treat! ;-) Dallas Engelken wrote: > > The cats out of the bag now! :) > > More details on this will be made available later today hopefully. >

Re: Spam PDF

2007-06-27 Thread benthere-nine
_PDF_HORIZ 0.25, GMD_PDF_STOX > 1.00, PROLO_NO_URI 0.01, RCVD_IN_WHOIS_BOGONS 2.43) > Where did those GMD rules come from? Thanks.

Re: Spam PDF

2007-06-27 Thread John Rudd
Robert Schetterer wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 arni wrote: Raymond Myren wrote: Hello, Just today I started receiving spam mails with attached .pdf files with a spam image. Any ideas how to stop this spam type? \raymond as i said several times on this maillist no

Re: Spam PDF

2007-06-27 Thread DAve
Robert Schetterer wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 arni wrote: Raymond Myren wrote: Hello, Just today I started receiving spam mails with attached .pdf files with a spam image. Any ideas how to stop this spam type? \raymond as i said several times on this maillist no

Re: Spam PDF

2007-06-27 Thread arni
Robert Schetterer wrote: arni wrote: aymond as i said several times on this maillist now, i've never had any of these mails get through, here is how the current ones score: you are in luck, you are a "late receiver" of that spam, so it was detected by others before ( look

Re: Spam PDF

2007-06-27 Thread Robert Schetterer
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 arni wrote: > Raymond Myren wrote: >> Hello, >> >> Just today I started receiving spam mails with attached .pdf files >> with a spam image. >> Any ideas how to stop this spam type? >> >> \raymond > as i said several times on this maillist now, i've

Re: Spam PDF

2007-06-27 Thread arni
Raymond Myren wrote: Hello, Just today I started receiving spam mails with attached .pdf files with a spam image. Any ideas how to stop this spam type? \raymond as i said several times on this maillist now, i've never had any of these mails get through, here is how the current ones score:

Re: Spam PDF

2007-06-27 Thread Robert Schetterer
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Dallas Engelken wrote: > Raymond Dijkxhoorn wrote: >> Hi! >> >>> We just caught one: >>> >>> Content analysis details: (5.0 points, 4.0 required) >>> >>> pts rule name description >>> - -- >>> - ---

Re: Spam PDF

2007-06-27 Thread Dallas Engelken
Raymond Dijkxhoorn wrote: Hi! We just caught one:

Content analysis details: (5.0 points, 4.0 required)

 pts  rule name      description
 ---  -------------  -----------
 0.6  SPF_SOFTFAIL   SPF: sender does not match SPF record (

Re: Spam PDF

2007-06-27 Thread Raymond Dijkxhoorn
Hi! We just caught one:

Content analysis details: (5.0 points, 4.0 required)

 pts  rule name      description
 ---  -------------  -----------
 0.6  SPF_SOFTFAIL   SPF: sender does not match SPF record (softfail)
 0.4  BAYES_60

Re: Spam PDF

2007-06-27 Thread Steven Stern
ot running DCC the email went through and >> it was an empty email body with a PDF attachment >>>> -Original Message- >>>> From: Raymond Myren [mailto:[EMAIL PROTECTED] >>>> Sent: Wednesday 27 June 2007 08:09 >>>> To: users@spam

Re: Spam PDF

2007-06-27 Thread Chr. v. Stuckrad
On Wed, 27 Jun 2007, Wael Shahin wrote: > I have two servers one is running DCC and one is not, the one that is > running DCC didn't pass the message or maybe I am mistaken but it didn't > go through (Maybe didn't get there at all from the first place). > On the other server that is not running DC

Re: Spam PDF

2007-06-27 Thread Matthias Häker
Robert Schetterer wrote: Perhaps it would be easier to use clamav to filter such mails out, i think i will asked there - -- Sanesecurity has a CLAMAV signature Email.Stk.Gen522.Sanesecurity.07062102.pdf MH

Re: Spam PDF

2007-06-27 Thread Wael Shahin
dy with a PDF attachment > > -Original Message- > > From: Raymond Myren [mailto:[EMAIL PROTECTED] > > Sent: Wednesday 27 June 2007 08:09 > > To: users@spamassassin.apache.org > > Subject: Spam PDF > > > > Hello, > > > > Just today I started

Re: Spam PDF

2007-06-27 Thread Robert Schetterer
uin 2007 08:09 > To: users@spamassassin.apache.org > Subject: Spam PDF > > Hello, > > Just today I started receiving spam mails with attached .pdf files with a > spam image. > Any ideas how to stop this spam type? > > \raymond > Hi Stephane, unless the mail isn't caught by o

RE: Spam PDF

2007-06-27 Thread Stéphane LEPREVOST
Hi, Got one yesterday too here. Seems to be a new way for spammers ... -Original Message- From: Raymond Myren [mailto:[EMAIL PROTECTED] Sent: Wednesday 27 June 2007 08:09 To: users@spamassassin.apache.org Subject: Spam PDF Hello, Just today I started receiving spam mails

Spam PDF

2007-06-26 Thread Raymond Myren
Hello, Just today I started receiving spam mails with attached .pdf files with a spam image. Any ideas how to stop this spam type? \raymond