[Mimedefang] How to parse pdf files or pass them to spamassassin
G.W. Haywood
mimedefang at jubileegroup.co.uk
Fri May 29 12:27:33 EDT 2015
Hi there,
On Fri, 29 May 2015, Benoit Panizzon wrote:
> ...
> => Is there a way to check if the displayed URL matches the Link URL behind it
> within a PDF File?
>
> Has anyone already found such a solution?
> ...
Perhaps we have not seen any of these attacks because the messages
fail our SPF checks:
8<----------------------------------------------------------------------
laptop3:~$ >>> dig -t txt dhl.com
; <<>> DiG 9.9.5-9-Debian <<>> -t txt dhl.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27272
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dhl.com. IN TXT
;; ANSWER SECTION:
dhl.com. 3600 IN TXT "MS=ms26628098"
dhl.com. 3600 IN TXT "EdxElN/3sVlFjzSKXxxVKGq+IYxdS4pSMWQbt6ywwM3oTAiYPbNIbchNR6Ao9PwGUlroQGmq8BtXCYUAUXsfAg=="
dhl.com. 3600 IN TXT "v=spf1 include:dpdhl._spf.dhl.com include:3a._spf.dhl.com include:3b._spf.dhl.com include:3c._spf.dhl.com include:3d._spf.dhl.com include:3e._spf.dhl.com include:3f._spf.dhl.com include:mrsc._spf.dhl.com include:e2ma.net ~all"
;; AUTHORITY SECTION:
dhl.com. 172799 IN NS ns6.dhl.com.
dhl.com. 172799 IN NS ns4.dhl.com.
;; ADDITIONAL SECTION:
ns4.dhl.com. 172799 IN A 165.72.192.16
ns6.dhl.com. 172799 IN A 199.40.254.166
;; Query time: 457 msec ...
8<----------------------------------------------------------------------
Note the third TXT record above, which begins with "v=spf1".
For this sort of attack, if people have implemented SPF properly it is
not necessary to toil over Perl scripts.
Incidentally we treat '~all' and '-all' in the same way.
--
73,
Ged.
More information about the MIMEDefang
mailing list