On Wed, 18 Jul 2007, nws.charlie wrote:

>   I have noticed that 98% of the spam with pdf attachments is
> being sent from Thunderbird. I wrote a few rules and added them to
> my local.cf. Here is the main one that is working. I am catching
> most of the spam with this. Does anyone see anything negative
> about a rule like this?
>
> header        __LOCAL_HEADER_THUNDERBIRD User-Agent =~ /\bthunderbird\b/i
> full          __LOCAL_HAS_PDF  /\b\S*\.pdf\b/i
> meta          LOCAL_PDF_VIA_THUNDERBIRD (__LOCAL_HEADER_THUNDERBIRD && __LOCAL_HAS_PDF)
> score         LOCAL_PDF_VIA_THUNDERBIRD 6.0

A real person using Thunderbird cannot send you a pdf, or possibly
even talk about a .pdf file with you...

It has been observed that the user-agent header in these spams
consistently claims to be a specific version of Thunderbird. I have
also noticed the same behavior in the past. You might want to add that
to your rule to make it a little more focused.

Also, having one "poison pill" rule is generally a bad idea. There are
subject line patterns in the PDF spams that are fairly consistent and
not similar to what most human correspondents would use.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Where We Want You To Go Today 07/05/07: Microsoft patents in-OS
  adware architecture incorporating spyware, profiling, competitor
  suppression and delivery confirmation (U.S. Patent #20070157227)
-----------------------------------------------------------------------
 6 days until The 38th anniversary of Apollo 11 landing on the Moon
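
An added example, not from either poster: a Python emulation of the posted meta rule run over two constructed messages. It shows that the `full` regex fires on a plain-text mention of a .pdf file name and that the 6.0 score alone exceeds SpamAssassin's default `required_score` of 5.0. The attachment-based variant, the sample messages and the function names are assumptions made for illustration.

```python
import re
from email import message_from_string

UA_THUNDERBIRD = re.compile(r"\bthunderbird\b", re.I)   # __LOCAL_HEADER_THUNDERBIRD
HAS_PDF_TEXT = re.compile(r"\b\S*\.pdf\b", re.I)        # __LOCAL_HAS_PDF
RULE_SCORE = 6.0       # score from the post
REQUIRED_SCORE = 5.0   # SpamAssassin's default required_score

def original_rule(raw):
    """Posted meta rule: User-Agent test AND a regex over the whole raw message."""
    ua = message_from_string(raw).get("User-Agent", "")
    return bool(UA_THUNDERBIRD.search(ua) and HAS_PDF_TEXT.search(raw))

def narrowed_rule(raw):
    """Assumed variant: require a MIME part that really is a PDF attachment."""
    msg = message_from_string(raw)
    if not UA_THUNDERBIRD.search(msg.get("User-Agent", "")):
        return False
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "application/pdf" or name.endswith(".pdf"):
            return True
    return False

def tagged_as_spam(rule, raw, other_points=0.0):
    """True if this one rule plus any other points reaches the threshold."""
    return (RULE_SCORE if rule(raw) else 0.0) + other_points >= REQUIRED_SCORE

# Constructed sample messages (not real mail).
HDR = ("From: alice@example.org\nTo: bob@example.org\nSubject: meeting\n"
       "User-Agent: Thunderbird 0.0 (constructed)\nMIME-Version: 1.0\n")
HAM_MENTION = HDR + ("Content-Type: text/plain\n\n"
                     "The agenda is in agenda.pdf on the file server.\n")
PDF_ATTACHED = HDR + ('Content-Type: multipart/mixed; boundary="b1"\n\n'
                      "--b1\nContent-Type: text/plain\n\nSee attached.\n"
                      '--b1\nContent-Type: application/pdf; name="doc.pdf"\n'
                      'Content-Disposition: attachment; filename="doc.pdf"\n'
                      "Content-Transfer-Encoding: base64\n\nJVBERi0xLjQK\n--b1--\n")

if __name__ == "__main__":
    for label, raw in (("mention only", HAM_MENTION), ("pdf attached", PDF_ATTACHED)):
        print(label, tagged_as_spam(original_rule, raw), tagged_as_spam(narrowed_rule, raw))
```

The narrowed variant still fires on any genuine Thunderbird user who attaches a PDF, so a single rule scored above the threshold remains a false-positive risk.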
