[Maia-users] PDF spam solutions
Kurt Buff
KBuff at zetron.com
Wed Aug 15 20:44:16 PDT 2007
Robert LeBlanc wrote:
> Like the rest of you, I'm sure, I've been receiving a glut of PDF spam
> lately, and I've been experimenting with various tactics for curbing the
> onslaught. Some tactics work better than others, naturally, so I
> thought I'd share my results here.
>
>
> (1) SpamAssassin core rules
>
> To deal with PDF spam, the SpamAssassin developers added a new core rule
> called TVD_PDF_FINGER01, which identifies emails that have empty bodies
> but contain PDF attachments. It works well, but its default score of
> 1.0 is too low to make it the only tool for the job. Increasing the
> score isn't really a good idea, though, since a lot of business users
> regularly send PDF attachments with empty mail bodies, and this could
> lead to false positives in a hurry.
>
> You can certainly get this new rule for any version of SpamAssassin
> (newer than 3.1.1) using sa-update, but now that the 3.2.x series
> appears to have stabilized I'd also recommend that you upgrade to 3.2.3
> to take advantage of the latest rulesets.
I'm not finding this core rule on my system, and am wondering what I'm doing
incorrectly. I'm running SpamAssassin 3.1.8_1 from ports on FreeBSD, and I
run sa-update with the following channels:
updates.spamassassin.org
72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net
70_sare_evilnum0.cf.sare.sa-update.dostech.net
70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net
70_sare_html0.cf.sare.sa-update.dostech.net
70_sare_html_eng.cf.sare.sa-update.dostech.net
70_sare_header0.cf.sare.sa-update.dostech.net
70_sare_header_eng.cf.sare.sa-update.dostech.net
70_sare_specific.cf.sare.sa-update.dostech.net
70_sare_adult.cf.sare.sa-update.dostech.net
72_sare_bml_post25x.cf.sare.sa-update.dostech.net
99_sare_fraud_post25x.cf.sare.sa-update.dostech.net
70_sare_spoof.cf.sare.sa-update.dostech.net
70_sare_random.cf.sare.sa-update.dostech.net
70_sare_oem.cf.sare.sa-update.dostech.net
70_sare_genlsubj0.cf.sare.sa-update.dostech.net
70_sare_genlsubj_eng.cf.sare.sa-update.dostech.net
70_sare_unsub.cf.sare.sa-update.dostech.net
70_sare_uri0.cf.sare.sa-update.dostech.net
70_sare_obfu0.cf.sare.sa-update.dostech.net
70_sare_stocks.cf.sare.sa-update.dostech.net
I'll be upgrading to 3.2.3 soonish, but wanted to know how to get this going
in the interim.
I'm also going to be implementing the sanesecurity sigs for clamav - that
should be really helpful too.
Kurt
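
The quoted message describes TVD_PDF_FINGER01 as matching mail with an empty body and a PDF attachment. As an added example (not part of the thread and not SpamAssassin's rule code), this Python script applies that heuristic to three constructed messages; the function names, addresses and file name are assumptions.

```python
# Added illustration: approximates the heuristic described in the quoted text
# (blank body + PDF attachment). It is NOT SpamAssassin's TVD_PDF_FINGER01 rule.
from email import message_from_bytes, policy
from email.message import EmailMessage


def is_pdf_part(part):
    """True if a MIME part is a PDF by declared type or by filename."""
    name = (part.get_filename() or "").lower()
    return part.get_content_type() == "application/pdf" or name.endswith(".pdf")


def empty_body_with_pdf(raw: bytes) -> bool:
    """Flag messages whose text parts are all blank and that carry a PDF."""
    msg = message_from_bytes(raw, policy=policy.default)
    has_pdf, has_text = False, False
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers hold no content of their own
        if is_pdf_part(part):
            has_pdf = True
        elif part.get_content_maintype() == "text":
            if part.get_content().strip():
                has_text = True
    return has_pdf and not has_text


def build(body: str, attach_pdf: bool) -> bytes:
    """Constructed sample message (hypothetical addresses and file name)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "rcpt@example.org"
    m["Subject"] = "report"
    m.set_content(body)
    if attach_pdf:
        m.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application",
                         subtype="pdf", filename="report.pdf")
    return m.as_bytes()


# Constructed samples; "\n" stands in for a body with no visible text.
SAMPLES = {
    "empty body + PDF": build("\n", True),
    "text body + PDF": build("Quarterly figures attached.\n", True),
    "text only": build("No attachment here.\n", False),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: {empty_body_with_pdf(raw)}")
```

The first sample is flagged whether it comes from a spammer or from a business user who attached a PDF without typing a message, so a check like this serves as one low-weight signal rather than a verdict.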