
Re: PDF spam

2007-07-22 12:10:14
On Sun, Jul 22, 2007 at 02:02:17PM -0400, fleet(_at_)teachout(_dot_)org wrote:
> Look at the first five (or so) characters in base64 encoding.  Encoding
> for a PDF file seems to start always with 'JVBER'.  One can also identify
> GIF, JPG, PNG, etc. the same way.
>
> So something like:
>
> :0B
> * ^JVBER
> PDF-junk

Yes, but I find that unnecessary.  Look above that:

  --------------020204060805040202060003
  Content-Type: application/pdf;
   name="Agreement.pdf"
  Content-Transfer-Encoding: base64
  Content-Disposition: inline;
   filename="Agreement.pdf"
  
  JVBERi0xLjEKJeLjz9MKMSAwIG9iaiAKPDwKL1BhZ2VzIDIgMCBSCi9UeXBlIC9DYXRhbG9nCj4+


Easier to just kill based on "name=.*\.pdf".

Also, you could ensure that the file even has an attachment
before you bother grepping the body.  Saves a lot of overhead
that way.

   :0:
   * 9876543210 ^0  ^Content-Type:.*(attachment|multipart)
   * 9876543210 ^0  ^FROM_MAILER
   * B ?? ^Content-.*^[         ]+filename=".*[.]pdf"
   PDF-junk


In Virus Snaggers(tm), I simply added PDF to the list of
$NASTY_EXT in vsnag.myvars, and it was over.  Vsnag runs
after my whitelists.

Dallman
____________________________________________________________
procmail mailing list   Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
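
Added example, not part of the original message or of either poster's setup: a Python comparison of the two checks discussed in the thread, the declared attachment name versus the decoded leading bytes (`%PDF-`, which base64-encodes to the `JVBER` prefix). The sample message, its boundary and the part name `notes.dat` are constructed for illustration.

```python
import base64
from email import message_from_string

# Leading bytes of the formats named in the thread (checked after decoding).
MAGIC = {b"%PDF-": "pdf", b"GIF8": "gif", b"\xff\xd8\xff": "jpg", b"\x89PNG": "png"}

def sniff(data):
    """Return a type name based on the decoded leading bytes, else None."""
    return next((kind for magic, kind in MAGIC.items() if data.startswith(magic)), None)

def classify_parts(raw):
    """Return [(declared filename, sniffed type)] for every leaf MIME part."""
    results = []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
        # get_filename() reads Content-Disposition filename=, then Content-Type name=
        results.append((part.get_filename(), sniff(data)))
    return results

def pdf_verdicts(raw):
    """Return [(matched by name, matched by content)] per leaf part."""
    return [(bool(name) and name.lower().endswith(".pdf"), kind == "pdf")
            for name, kind in classify_parts(raw)]

# Constructed sample: one text part and two base64 parts carrying the same bytes.
PDF_B64 = base64.b64encode(b"%PDF-1.1\n% constructed sample\n").decode()
SAMPLE = (
    'Content-Type: multipart/mixed; boundary="B"\n\n'
    "--B\nContent-Type: text/plain\n\nsee attached\n"
    '--B\nContent-Type: application/pdf;\n name="Agreement.pdf"\n'
    f"Content-Transfer-Encoding: base64\n\n{PDF_B64}\n"
    '--B\nContent-Type: application/octet-stream;\n name="notes.dat"\n'
    f"Content-Transfer-Encoding: base64\n\n{PDF_B64}\n"
    "--B--\n"
)

if __name__ == "__main__":
    print("base64 prefix:", PDF_B64[:5])
    for part, verdict in zip(classify_parts(SAMPLE), pdf_verdicts(SAMPLE)):
        print(part, "name/content match:", verdict)
```

The name check and the content check agree on `Agreement.pdf`; only the content check flags the second part, since its declared name does not end in `.pdf`.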
