[Mimedefang] How to parse pdf files or pass them to spamassassin

Benoit Panizzon benoit.panizzon at imp.ch
Fri May 29 09:38:33 EDT 2015


Lately we have come across a new trick that is being used to try to infect 
email recipients with trojans.

A simple email is being sent, looking like it's comming from DHL or similar, 
about the tracking code for a parcel.

There is one PDF attachement.

The attachement has an official looking letter header from DHL and contains 
instructions how to track the parcel via DHL website. There is a clickable 
link in that PDF that points to the tracking service of the DHL Website.

But... The real link behind that link points to a website, from which a drive-
by infection is being tried and also offers a ZIP file containing an EXE file 
with a trojan to download.

By not sending the exe within a zip (which is easily blocked in the 
bad_filenames part of MIMEDefang) and not using the Link in a HTML email, the 
attacker is getting his emails past our MIMEDefang / SpamAssassin / Clamd 

So my idea to catch such emails would be:

=> Extract text from PDF and pass it to spamassassin to match blacklisted 
URI's within the PDF.

=> Is there a way to check if the displayed URL matches the Link URL behind it 
within a PDF File?

Has anyone already found such a solution?

Mit freundlichen Grüssen

Benoit Panizzon
I m p r o W a r e   A G    -    

Zurlindenstrasse 29             Tel  +41 61 826 93 07
CH-4133 Pratteln                Fax  +41 61 826 93 02
Schweiz                         Web  http://www.imp.ch

More information about the MIMEDefang mailing list