Spam Filter ISP Support Forum

  New Posts New Posts RSS Feed - PDF Spam
  FAQ FAQ  Forum Search   Register Register  Login Login

PDF Spam

 Post Reply Post Reply
Author
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143
Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Topic: PDF Spam
    Posted: 27 June 2007 at 1:23pm

We are suddenly getting huge amounts of spam that is simply a pdf file.  We can not block PDF's as they are a common form of document as the spammers well know.  I am surprised this did not happen sooner.  Thoughts on how to correctly identify them and block?

Additional Info:
http://www.sophos.com/pressoffice/news/articles/2007/06/germ an-pdf-spam.html



Edited by Desperado
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4068
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 27 June 2007 at 4:14pm
We're working on a new release that will scan inside PDFs just like we're currently scanning image files. Unfortunately we can't make any promises yet, we'll update this in a few days.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4068
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 30 June 2007 at 11:37pm
Desperado,

We've just released SpamFilter v3.5.4.692 in the registered user area. It is a beta that is able to scan within PDF files and is successfully identifying the "stock spam" embedded in them. This new filter is enabled by default and inherits the same settings as the "standard" image filter.

Please note that this new release also includes several major internal improvements and bug fixes. In addition to the new PDF filter, the most notable change involves a bug we discovered with all the triggers in the database (see release notes below). To fix it, SpamFilter will automatically delete ALL triggers and recreate them when it is started for the first time.


// New to VersionNumber = '3.5.4.692';
{TODO -cNew : Added new filter to scan images within PDF attachments for spam}
{TODO -cFix : In SFE, triggers in the database were not identifying multiple updates to the same tables, if they occurred within 5 seconds of each other. A DB patch SQL script will be automatically downloaded and executed once by SpamFilter upon startup. The script will delete all triggers and recreate them}
{TODO -cFix : In installations with multiple SpamFilter Enterprise, changes made directly against the database may not be visible by other servers}
{TODO -cFix : A specific set of circusmtances involving "unfiltered Emails" with the "tag" or "tagsubject" modifiers, and multiple, separate emails within the same SMTP session, could cause emails to be delivered to some unfiltered users if a recipient is in the unfiltered list}
{TODO -cFix : Exception occurred during TFilterObject.ReadFilterFromFile (2): Access violation at address 00401981 in module 'SpamFilterSvc.exe'.}
{TODO -cFix : SpamFilter Enteprise GUI *appeared* frozen during startup when processing several customized domain. The ativity windows now scrolls to show current status during startup}
{TODO -cNew : When adding duplicate entries in the blacklist/whitelists, SpamFilter will automatically remove the duplicate from the database as well, not just in the GUI as before (except for MAPS and Keywords blacklists)}



Edited by LogSat
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
sgeorge View Drop Down
Senior Member
Senior Member


Joined: 23 August 2005
Status: Offline
Points: 178
Post Options Post Options   Thanks (0) Thanks(0)   Quote sgeorge Quote  Post ReplyReply Direct Link To This Post Posted: 06 July 2007 at 10:50am
Roberto, the new pdf-scanning functionality is working like a peach!  I am extremely pleased (and so are our users). 

Stephen
Back to Top
IKILLSPAM1 View Drop Down
Groupie
Groupie


Joined: 02 May 2007
Location: United States
Status: Offline
Points: 70
Post Options Post Options   Thanks (0) Thanks(0)   Quote IKILLSPAM1 Quote  Post ReplyReply Direct Link To This Post Posted: 16 July 2007 at 10:42am

Has anyone noticed a drop off on the effectiveness of this? I was catching like 25 a day and now its not catching any. Why is that? I also notice in the log it says Scanning PDF for spam:    with no filename after it. Im guessing all those are definately spam.

Is there anything I can do about these? Any suggestions are welcome.

 

Back to Top
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143
Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Posted: 16 July 2007 at 11:35am
OK ... I am finding it is catching as many as it has been catching but suddenly some new ones are getting through.  I am thinking it is the dimentions of the image but am not sure.  I emailed support prior to seeing this post and have a pdf sample ready for roberto to look at if he thinks it will do any good.
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

Back to Top
IKILLSPAM1 View Drop Down
Groupie
Groupie


Joined: 02 May 2007
Location: United States
Status: Offline
Points: 70
Post Options Post Options   Thanks (0) Thanks(0)   Quote IKILLSPAM1 Quote  Post ReplyReply Direct Link To This Post Posted: 16 July 2007 at 11:51am
I have many samples as well that I can contribute :)
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4068
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 16 July 2007 at 12:00pm
Got the sample. The issue is that the filter we've lately developed scans for *images* within PDF files, and then applies our current image filter to them to see if they're spam. In the sample provided (we've seen several ourselves), the PDF contains *text*, not images. We'll be releasing a new version shortly that will allow you to scan PDFs as well for keywords, in addition to the email's body.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
Thermo View Drop Down
Newbie
Newbie


Joined: 10 July 2006
Location: Canada
Status: Offline
Points: 25
Post Options Post Options   Thanks (0) Thanks(0)   Quote Thermo Quote  Post ReplyReply Direct Link To This Post Posted: 26 July 2007 at 5:56pm
The pdf spam coming in to me contain encrypted text based pdf's with full security turned on. Are these still being scanned, and can you even scan these for keywords?

Thermo
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4068
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 26 July 2007 at 8:32pm
If you can forward us a copy of one such email we'll be able to find out more.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
Thermo View Drop Down
Newbie
Newbie


Joined: 10 July 2006
Location: Canada
Status: Offline
Points: 25
Post Options Post Options   Thanks (0) Thanks(0)   Quote Thermo Quote  Post ReplyReply Direct Link To This Post Posted: 26 July 2007 at 10:15pm
I sent you an email with the pdf attached, this pdf has 128 bit encryption enabled per the document properties in Adobe reader.

Thermo
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4068
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 26 July 2007 at 11:45pm
Thermo,

We received the PDF file. Yes, even if they are encrypted, they are still being scanned successfully. I will email you with additional details.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
 Post Reply Post Reply
  Share Topic   

Forum Jump Forum Permissions View Drop Down



This page was generated in 0.094 seconds.