I have to mention how pleased we are with the sanesecurity clamav tool. We have always used spamassassin with many custom rule sets, dcc and rbls, with clamd for virus scanning.
We have been getting a large number (~4,500 per day) of these PDF and other attachment spams making it through SA, even with PDFinfo and everything else we could throw at them. After adding the sanesecurity sigs to clamd last week not one PDF has made it through. And since clamd unpacks and examines every attachment anyway it is no additional load. In fact, due to the messages not hitting SA it probably reduced load slightly.

John P. Scully
President/CTO
iSupportISP LLC
33 North high st
Suite 1000
Columbus, OH 43215
614-586-4040
614-226-6110 Mobile
614-586-4044 Fax
[EMAIL PROTECTED]
Your Private Label Internet and Digital Phone Provider

----- Original Message -----
From: "Robert Schetterer" <[EMAIL PROTECTED]>
To: <users@spamassassin.apache.org>
Sent: Monday, July 23, 2007 5:15 AM
Subject: Re: Now its zip attachments ^^

> Robert Schetterer wrote:
> > Matus UHLAR - fantomas wrote:
> >>> Hendrik Helmvoigt wrote:
> >>>> This night it seems like we're being spammed again by xml documents,
> >>>> but this time neatly packed into a zipfile:
> >>>>
> >>>> I'm really excited what's going to happen next. Maybe psd files embedded
> >>>> in pdf and then rar'ed.
> >>>>
> >>>> And I'd still like to meet the person that goes through all that trouble
> >>>> to read that spam, and then performs the action that the spammer wants
> >>>> from him.
> >> On 22.07.07 18:47, John Rudd wrote:
> >>> As I've said for years: we should just ban attachments. They're not
> >>> really useful for anything that can't be done a better way. Which only
> >>> leaves them being useful for attacks of one form or another.
> >> some people just want, some just need attachments. I think that if a filter
> >> (word plugin is used with different meaning in SA) would preprocess/convert
> >> those attachments to text, SA could just run standard rules over it and
> >> catch unwelcome words, do BAYES check over it, etc etc.
> >
> >> So the words "dear winner" would match no matter if stored in text, HTML,
> >> .doc (tnef), gif or pdf ...
> >
> >> Is there any such plan for SA?
> > Hi all,
> > meanwhile
> > http://sanesecurity.co.uk/clamav/
> > catches also these zip spam
>
> I forgot
> read the story here
>
> http://sanesecurity.blogspot.com/2007/07/from-pdf-to-xls-to-zipped-xls-stock.html
>
> and thx to steve for its work
>
> --
> With kind regards
> Best Regards
>
> Robert Schetterer
>
> https://www.schetterer.org
> Germany
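The preprocessing idea raised in the quoted thread (convert attachments to text so ordinary content rules can run over them) can be sketched as follows. This is an added example, not code from any poster, SpamAssassin or ClamAV; the function names, the `DEAR_WINNER` rule, the size limits and the sample message are all constructed for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

MAX_MEMBER = 1_000_000   # cap per unpacked file (assumed), guards against zip bombs
MAX_DEPTH = 3            # cap on nested archives (assumed)
RULES = {"DEAR_WINNER": re.compile(r"dear\s+winner", re.I)}  # constructed rule

def texts_from_blob(name, data, depth=0):
    """Yield (name, text) for a blob; zips are unpacked, markup tags stripped."""
    if depth <= MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # skip directories, encrypted members and oversized members
                if info.is_dir() or info.flag_bits & 0x1 or info.file_size > MAX_MEMBER:
                    continue
                with zf.open(info) as fh:
                    inner = fh.read(MAX_MEMBER + 1)  # declared size can lie
                if len(inner) <= MAX_MEMBER:
                    yield from texts_from_blob(f"{name}/{info.filename}", inner, depth + 1)
    else:
        text = data.decode("utf-8", errors="replace")
        yield name, re.sub(r"<[^>]+>", " ", text)

def scan_message(raw):
    """Return sorted (rule, part) hits over the body and every attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        name = part.get_filename() or part.get_content_type()
        for where, text in texts_from_blob(name, payload):
            for rule, rx in RULES.items():
                if rx.search(text):
                    hits.add((rule, where))
    return sorted(hits)

def build_sample():
    """Constructed sample: clean body, phrase split by tags in XML inside a zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("offer.xml", "<doc><p>Dear <b>Winner</b>, claim now</p></doc>")
    msg = EmailMessage()
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="report.zip")
    return msg.as_bytes()
```

Binary formats such as .doc, gif or pdf would each need their own text extractor in place of the plain decode step; only zip and markup are handled here.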