RE: PDF Spam
RE: PDF Spam - 15.Aug.2007 8:19:50 AM
|
|
|
cliston
Posts: 2
Joined: 6.Aug.2007
Status: offline
|
quote:
ORIGINAL: pardizzone
The filter isn't blocking any of the PDF spam anymore. I moved the keyword filter to be the first check and it didn't catch one message. Some are picked up by other filters after, but some still make it through.

Same thing here. Most of them are being caught by the Bayesian in my case, but some are still getting through.
|
|
|
|
RE: PDF Spam - 15.Aug.2007 8:21:57 AM
|
|
|
walterk1
Posts: 27
Joined: 19.Sep.2004
From: Atlanta, GA
Status: offline
|
Our PDF spam is getting through as of 8/13. Sandro - can you share with the forum or send me the details via email? BTW - the link in Nicks' post (8/13/07 11:26) http://forums.gfi.com/PDF_Spam_updates/m_900751436/tm.htm - does not point to the registry fix. (Oops, it does have the registry fix.) However, the PDF spam that is not being blocked is under 30k - what is happening to my GFI system that it is now failing? Walter
< Message edited by walterk1 -- 15.Aug.2007 8:24:03 AM >
|
|
|
|
RE: PDF Spam - 15.Aug.2007 9:04:02 AM
|
|
|
dialexia
Posts: 59
Joined: 21.Dec.2005
Status: offline
|
Damn, I just had two pdf emails get through today (forwarded to the Newsenders folder) :( Does this mean spammers have figured out a new technique to bypass anti-spam checking programs? Please say it ain't so!!!
|
|
|
|
RE: PDF Spam - 15.Aug.2007 9:53:03 AM
|
|
|
pjacob
Posts: 25
Joined: 19.Jun.2006
Status: offline
|
We are having the same problem.
|
|
|
|
RE: PDF Spam - 15.Aug.2007 10:16:17 AM
|
|
|
fishandring
Posts: 3
Joined: 15.Aug.2007
Status: offline
|
I think maybe the patch just didn't work. We are getting PDF spam as small as 3k right through the filter.
|
|
|
|
RE: PDF Spam - 15.Aug.2007 10:49:30 AM
|
|
|
PhilH
Posts: 41
Joined: 19.Jun.2004
From: Dearborn, MI
Status: offline
|
The patch was working fine for us until last week. Something's changed. Been a couple of days since we've heard from Nicks (Aug 13th) http://forums.gfi.com/fb.aspx?m=900752580 where he said they're looking into it. He also said in another post (Aug 9th) http://forums.gfi.com/fb.aspx?m=900752434 that GFI is looking into all types of rapidly changing attachment Spam. I can sort of understand why they don't publicly want to divulge any details because I gotta believe the spamming programmers are lurking on these forums. But it would be nice if they could just say - we know what's going on and will have a new patch soon. I can't believe that GFI doesn't have any honeypots set up so they can trace, track, debug, etc this new activity as quickly as we all are seeing it.
|
|
|
|
RE: PDF Spam - 15.Aug.2007 11:15:14 AM
|
|
|
psilberman
Posts: 11
Joined: 1.May.2006
Status: offline
|
FWIW, I sent a zip of a few of the emails that snuck past the pdf filter along with the support.zip for my email support case. Hopefully, it could help with a solution to why some of the pdf is getting through. One odd thing that I found is that if I sent the spam pdf attachment to myself from a non whitelisted account, the headerchecking module caught it. My guess is that the spammers do something to the email header that lets it slip through since the attachment was the same and there was no message subject or body.
|
|
|
|
RE: PDF Spam - 15.Aug.2007 3:16:24 PM
|
|
|
pjacob
Posts: 25
Joined: 19.Jun.2006
Status: offline
|
We are having the same problem. We are even getting the same pdf's now in .gif's as well. We are even seeing new variants of the "eCard" spam mail.
|
|
|
|
RE: PDF Spam - 15.Aug.2007 4:24:38 PM
|
|
|
Chazers18
Posts: 12
Joined: 13.Aug.2007
Status: offline
|
From what I found, I jacked the SPF (Sender Policy Framework) to the max and placed it high on the module list; that cut most of them down.
|
|
|
|
RE: PDF Spam - 16.Aug.2007 10:22:48 AM
|
|
|
forward77
Posts: 2
Joined: 9.Aug.2007
Status: offline
|
Same thing here, the .pdf patch worked for 3 days or so, stopping almost all of them. Now we are getting almost the same amount getting past the filters as before the patch. Getting to the point where I'm getting pressure to start looking into other products that will function more effectively.
|
|
|
|
RE: PDF Spam - 17.Aug.2007 5:04:13 AM
|
|
|
sandro
Posts: 1345
Joined: 26.Jul.2007
Status: offline
|
Hello

Your issues are currently being handled by e-mail support. The reference number(s) used are:

pjacob - CAS-25917-K49Q (no contact from pjacob)
reemster - CAS-25906-G79D (no contact from reemster)
cliston - CAS-25907-0P8I (restarted Exchange and MailEssentials was working)
walterk1 - CAS-25909-9E8Q (walterk1 advised us that their installation is working)
dialexia - CAS-25912-26QB (no contact from dialexia)
fishandring - CAS-25913-F833 (no contact from fishandring)
chazers18 - CAS-25915-OT7S (resolved with latest build 20070810)
forward77 - CAS-25916-TY8K (no contact from forward77)

NOTE: We have sent you an email on the address that you have registered over the forums with. Should you require any updates or further information, kindly contact us using the support form at the following link: http://support.gfi.com/supportrequestform.asp

Thanks
< Message edited by sandro -- 3.Sep.2007 5:32:07 AM >
_____________________________
Sandro Pace GFI Software - www.gfi.com Messaging, Content Security & Network Security Software
|
|
|
|
RE: PDF Spam - 17.Aug.2007 6:27:29 AM
|
|
|
Nicks
Posts: 2741
Joined: 17.Mar.2003
Status: offline
|
Hi, We have analyzed the files and information that have been sent to us. It seems there is a new type of PDF spam which is circumventing the current PDF spam – attachment size detection. The current implementation will first check the Content/Type of the attachment. The previous wave of spam always used "application/pdf". If the Content Type is "application/pdf", MailEssentials will check the size of the PDF attachment. Both checks were required to minimize false positives. The new wave is using a new Content/Type, thus avoiding the detection by the PDF spam check. We are planning to release a new build early next week which will help in the detection of spam with attachments. More information will be provided at a later stage. Thank you for your assistance.
_____________________________
Nicholas Sciberras GFI Software - www.gfi.com Messaging, Content Security & Network Security Software
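
The check order described in the post above, next to a content-based variant, as an added example (not part of the thread and not GFI's code). The 30 KB limit, the `application/octet-stream` stand-in for the unnamed new Content-Type, the `content_check` hardening and all sample messages are assumptions constructed for illustration.

```python
from email import message_from_bytes
from email.message import EmailMessage

SIZE_LIMIT = 30 * 1024  # assumed cut-off; the thread only says spam was "under 30k"

def declared_type_check(part, limit=SIZE_LIMIT):
    """Check as described in the post: declared type first, then size."""
    if part.get_content_type() != "application/pdf":
        return False  # any other declared type skips the size test entirely
    return len(part.get_payload(decode=True) or b"") < limit

def content_check(part, limit=SIZE_LIMIT):
    """Hypothetical hardening: identify the PDF by its bytes or file name."""
    data = part.get_payload(decode=True) or b""
    name = (part.get_filename() or "").lower()
    is_pdf = b"%PDF-" in data[:1024] or name.endswith(".pdf")
    return is_pdf and len(data) < limit  # size test kept to limit false positives

def scan(raw, check):
    """True if any leaf MIME part of the raw message trips the given check."""
    msg = message_from_bytes(raw)
    return any(check(p) for p in msg.walk() if not p.is_multipart())

def build(data, subtype, filename):
    """Construct a sample message with one application/<subtype> attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg.set_content("\n")  # blank body
    msg.add_attachment(data, maintype="application", subtype=subtype,
                       filename=filename)
    return msg.as_bytes()

SMALL_PDF = b"%PDF-1.4\n" + b"0" * 3000    # constructed, about 3 KB
LARGE_PDF = b"%PDF-1.4\n" + b"0" * 40000   # constructed, about 40 KB

OLD_WAVE = build(SMALL_PDF, "pdf", "report.pdf")
NEW_WAVE = build(SMALL_PDF, "octet-stream", "report.pdf")  # assumed stand-in type
LEGIT = build(LARGE_PDF, "pdf", "manual.pdf")

if __name__ == "__main__":
    for label, raw in (("old", OLD_WAVE), ("new", NEW_WAVE), ("legit", LEGIT)):
        print(label, scan(raw, declared_type_check), scan(raw, content_check))
```
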
|
|
|
|
RE: PDF Spam - 17.Aug.2007 2:03:54 PM
|
|
|
gpinson
Posts: 214
Joined: 2.Sep.2003
From: Denver, CO
Status: offline
|
That's okay, I am starting to see them use fdf extensions, xls and have even seen word docs in zip files. What fun what fun
|
|
|
|
RE: PDF Spam - 20.Aug.2007 5:21:31 AM
|
|
|
Nicks
Posts: 2741
Joined: 17.Mar.2003
Status: offline
|
Hi all, In a previous post, we have advised to start using l2.apews.dnsbl.uceprotect.net. As per http://www.apews.org/?page=news, this list has been closed, and is currently returning positive responses to all the requests which are made to the list. Because of this, you need to ensure that the list has been removed from your MailEssentials configuration. If you had l2.apews.dnsbl.uceprotect.net in your DNS Blacklists list, you should check if you received any false positives from this list during the weekend (after 16/08/2007). We are currently looking at alternatives to recommend.
< Message edited by Nicks -- 20.Aug.2007 5:30:30 AM >
_____________________________
Nicholas Sciberras GFI Software - www.gfi.com Messaging, Content Security & Network Security Software
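
One way to catch a DNS blacklist that answers positively to every query, as described in the post above (added example, not part of the thread or of MailEssentials). It relies on the RFC 5782 test entries; `fake_resolve`, its simulated answers and the two `.example` zones are constructed so the block runs offline.

```python
import socket

def dnsbl_query(ip, zone, resolve=socket.gethostbyname):
    """Return the zone's A-record answer for ip, or None when it is not listed."""
    name = ".".join(reversed(ip.split("."))) + "." + zone
    try:
        return resolve(name)
    except OSError:  # socket.gaierror (NXDOMAIN, timeout) is an OSError
        return None

def zone_health(zone, resolve=socket.gethostbyname):
    """Classify a zone using the RFC 5782 test entries."""
    # 127.0.0.1 must never be listed; 127.0.0.2 must always be listed.
    if dnsbl_query("127.0.0.1", zone, resolve) is not None:
        return "lists-everything"
    if dnsbl_query("127.0.0.2", zone, resolve) is None:
        return "dead-or-unreachable"
    return "ok"

def usable_zones(zones, resolve=socket.gethostbyname):
    """Keep only the zones that are safe to leave in the blacklist config."""
    return [z for z in zones if zone_health(z, resolve) == "ok"]

def fake_resolve(name):
    """Constructed resolver standing in for live DNS."""
    if name.endswith(".l2.apews.dnsbl.uceprotect.net"):
        return "127.0.0.2"  # closed list: positive answer for any query
    if name == "2.0.0.127.healthy.dnsbl.example":
        return "127.0.0.2"  # hypothetical healthy zone lists only the test entry
    raise socket.gaierror("NXDOMAIN (simulated)")

ZONES = [
    "l2.apews.dnsbl.uceprotect.net",  # zone named in the post
    "healthy.dnsbl.example",          # hypothetical
    "gone.dnsbl.example",             # hypothetical, no longer resolves
]

if __name__ == "__main__":
    for z in ZONES:
        print(z, zone_health(z, fake_resolve))
```

Running the same check on a schedule against the configured zones, with the default resolver, flags a list that has been shut down before it starts rejecting legitimate mail.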
|
|
|
|
RE: PDF Spam - 20.Aug.2007 7:23:02 AM
|
|
|
walterk1
Posts: 27
Joined: 19.Sep.2004
From: Atlanta, GA
Status: offline
|
Nicks - thanks for the update on PDF spam and the DNS blacklist changes. I had the apews list in my checklist. I am guessing that I am at risk of having lost that email. I delete DNS blacklist email. Can you email, or post, a good list of DNS blacklist entries? I have 2 now - sbl-xbl.spamhaus.org and bl.spamcop.net. How about list.dnsbl.org? Walter
|
|
|
|