[Mimedefang] How to parse pdf files or pass them to spamassassin
Benoit Panizzon
benoit.panizzon at imp.ch
Fri May 29 09:38:33 EDT 2015
Hello
Lately we have come across a new trick that is being used to try to infect
email recipients with trojans.
A simple email is being sent, looking like it's coming from DHL or similar,
about the tracking code for a parcel.
There is one PDF attachment.
The attachment has an official looking letter header from DHL and contains
instructions on how to track the parcel via the DHL website. There is a clickable
link in that PDF that points to the tracking service of the DHL website.
But... The real link behind that link points to a website, from which a drive-
by infection is being tried and also offers a ZIP file containing an EXE file
with a trojan to download.
By not sending the exe within a zip (which is easily blocked in the
bad_filenames part of MIMEDefang) and not using the link in an HTML email, the
attacker is getting his emails past our MIMEDefang / SpamAssassin / Clamd
installation.
So my idea to catch such emails would be:
=> Extract text from the PDF and pass it to SpamAssassin to match blacklisted
URIs within the PDF.
=> Is there a way to check if the displayed URL matches the link URL behind it
within a PDF file?
Has anyone already found such a solution?
Kind regards
Benoit Panizzon
--
I m p r o W a r e A G -
______________________________________________________
Zurlindenstrasse 29 Tel +41 61 826 93 07
CH-4133 Pratteln Fax +41 61 826 93 02
Schweiz Web http://www.imp.ch
______________________________________________________
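
Added example, not part of the original post and not MIMEDefang or SpamAssassin code: a standard-library Python heuristic for the two checks asked about above. It collects the `/URI` link targets from a PDF (so they can be handed to URI blacklist checks) and flags targets whose host differs from every URL visible in the page text. All names and the `example.com` / `example.net` sample are constructed, and only literal strings with the `Tj` operator and Flate-compressed streams are handled.

```python
import re
import zlib
from urllib.parse import urlsplit

# Simplified PDF patterns: literal (...) strings only, no hex strings or TJ arrays.
STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
LINK_URI = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
SHOWN_TEXT = re.compile(rb"\(((?:\\.|[^\\)])*)\)\s*Tj", re.S)
URL_IN_TEXT = re.compile(r"(?:https?://|www\.)[^\s<>()]+", re.I)

def unescape(raw):
    # Undo only the \( \) \\ escapes of PDF literal strings.
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")

def host(url):
    if "://" not in url:
        url = "http://" + url
    name = (urlsplit(url).hostname or "").lower()
    return name[4:] if name.startswith("www.") else name

def bodies(pdf):
    yield pdf  # uncompressed objects, e.g. link annotations
    for m in STREAM.finditer(pdf):
        try:  # page content is usually Flate-compressed
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            pass  # not Flate data; uncompressed streams were already scanned raw

def pdf_link_report(pdf):
    targets, shown = set(), set()
    for body in bodies(pdf):
        targets.update(unescape(u) for u in LINK_URI.findall(body))
        for text in SHOWN_TEXT.findall(body):
            shown.update(URL_IN_TEXT.findall(unescape(text)))
    shown_hosts = {host(u) for u in shown}
    mismatched = sorted(t for t in targets
                        if shown_hosts and host(t) not in shown_hosts)
    return {"targets": sorted(targets), "shown": sorted(shown),
            "mismatched": mismatched}

def sample_pdf(target):
    # Constructed PDF fragment (no xref table), for demonstration only.
    page = b"BT /F1 12 Tf 72 700 Td (Track at http://tracking.example.com/parcel) Tj ET"
    return (b"%PDF-1.4\n1 0 obj\n<< /Type /Annot /Subtype /Link "
            b"/A << /S /URI /URI (" + target + b") >> >>\nendobj\n"
            b"2 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
            + zlib.compress(page) + b"\nendstream\nendobj\n%%EOF\n")
```

A PDF that shows no URL text at all produces an empty `mismatched` list, so `targets` should still go through the URI blacklist check on its own.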