Old 07-11-2007, 10:44 PM   #21
Leythos
Re: New .PDF malware (?)

In article <TVqyi.9888$7e6.7855@bignews4.bellsouth.net>, jen@example.com
says...
> So you don't really have anything(other than the BitDefender generic
> catch) to back up your statement that the PDF SPAM runs are anything
> other than SPAM. You didn't even submit the suspects to Virus Total or
> Jotti. hmmm... not very convincing


Sorry, between blocking attachments at the firewall, passing all
attachments through 5 AV products, blocking email sent from many
subnets, etc... I just don't even bother with checking them any more.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)

Fight exposing kids to porn, complain about sites like PCBUTTS1.COM that
create filth and put it on the web for any kid to see: Just take a look
at some of the FILTH he's created and put on his website:
http://forums.speedguide.net/archive.../t-223485.html all exposed
to children (the link I've include does not directly display his filth).
You can find the same information by googling for 'PCBUTTS1' and
'exposed to kids'.
Old 07-11-2007, 10:44 PM   #22
David W. Hodgins
Re: New .PDF malware (?)

On Mon, 20 Aug 2007 20:20:18 -0400, jen <jen@example.com> wrote:

> Could you elaborate(and provide a cite) on this "new PDF exploit" you
> read about a couple weeks ago that this so-called malware that only


http://www.cve.mitre.org/cgi-bin/cve...=cve-2007-3387

Affects many open source implementations of pdf readers. Not acroread,
afaik.

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
Old 07-11-2007, 10:44 PM   #23
Virus Guy
Re: New .PDF malware (?)

jen wrote:

> Could you elaborate(and provide a cite) on this
> "new PDF exploit" you read about a couple weeks ago


Here is a list of (all?) known Acrobat vulnerabilities:

http://secunia.com/search/?search=acrobat&sort_by=date

The most recent being reported in March.

It could be that it was only recently that some of these began to be
found in circulation.

I'm assuming that an acrobat vulnerability = PDF exploit
Old 07-11-2007, 10:44 PM   #24
Virus Guy
Re: New .PDF malware (?)

kurt wismer wrote:

> and gateway filters can prevent the spam from reaching entire
> domains...


And gateway filters are more likely to run heavy-duty, sophisticated
filters that can quickly stop even a PDF spam run.


> > Flash content is (usually) auto-rendered on a web page. PDF
> > content is NOT auto-rendered as a component of a page being
> > viewed.

>
> ??? ok, so pdf content is auto-rendered as the entire page
> instead of just a portion, is that distinction really
> significant?


I've never seen PDF content being auto-rendered either as its own
page or as a component of a page unlike other components of a typical
web page (ie like html code, java script, JPG or GIF images, etc).

In my experience, PDF material (PDF files) are always presented only
as links that require the user to click on them in order to view them.

What browser has the option of rendering PDF files "in-line" ?

> > I could say that people who knowingly install acrobat on
> > their systems probably belong to the demographic of people
> > who are least likely to act on or respond to spam.

>
> i'm going to go out on a limb here and guess that you believe
> that pdf's are only used by a technically sophisticated minority
> rather than the majority...


I believe that those that do go out and install a pdf reader are less
likely to be spam responders (or spam readers) than those that don't
have a pdf reader on their computer.

I've never said that only a technically-sophisticated minority are PDF
users/readers (that's your embellishment). However, I do believe that
was more true in the past than it is now. Arguably Google has played
a role in making the PDF format more common and exposing it to more
people by presenting PDF material in its search results.

> this in spite of the fact that pdf long ago became the de facto
> standard for printable documents from government forms to online
> product documentation to press releases and reports and to bus
> schedules and route maps (not to mention the fact that it's a
> major e-book format, that sample chapters from conventional
> books are released in that format,


That it is a common format for many useful or important documents is
not the issue.

The fact remains that some (or many) home computer users may never use
their computers in such a way that would see them needing to obtain or
open a PDF file, much less installing a PDF reader if not already
present on their system.

> and that it comes pre-installed on machines from dell)...


Clearly this conversation pertains to situations (or the implications)
of a PDF reader NOT being pre-installed by a vendor, and certainly
it's inescapable that Microsoft has not seen fit to include a PDF
reader as part of their OS's despite the universality of the format as
you point out.

> if you *really* believe that only a technically sophisticated
> minority are likely to be consumers of ...


Don't take this thread off on a tangent by inventing hyperbole.
Old 07-11-2007, 10:44 PM   #25
Virus Guy
Re: New .PDF malware (?)

"David W. Hodgins" wrote:

> http://www.cve.mitre.org/cgi-bin/cve...=cve-2007-3387
>
> Affects many open source implementations of pdf readers.


Is there a date on the above-quoted CVE?

Does secunia list vulnerabilities according to file type or file
format (as opposed to application programs or operating systems)?
Old 07-11-2007, 10:44 PM   #26
David W. Hodgins
Re: New .PDF malware (?)

On Tue, 21 Aug 2007 11:46:44 -0400, Virus Guy <Virus@Guy.com> wrote:

> "David W. Hodgins" wrote:
>
>> http://www.cve.mitre.org/cgi-bin/cve...=cve-2007-3387
>> Affects many open source implementations of pdf readers.

>
> Is there a date on the above-quoted CVE?

From the above page ...

BUGTRAQ:20070813 [SECURITY] [DSA 1354-1] New gpdf packages fix arbitrary code execution
Candidate assigned on 20070625

So, the fixes were released August 13th, for a bug assigned on June 25th.

> Does secunia list vulnerabilities according to file type or file
> format (as opposed to application programs or operating systems)?


The vulnerabilities are in the software, not the file format, so
it wouldn't make sense to list them by file type.

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
Old 07-11-2007, 10:44 PM   #27
jen
Re: New .PDF malware (?)

"David W. Hodgins" <dwhodgins@nomail.afraid.org> wrote in message
newsp.txdxe2g5a3w0dx@hodgins.homeip.net...
On Mon, 20 Aug 2007 20:20:18 -0400, jen <jen@example.com> wrote:
>> Could you elaborate(and provide a cite) on this "new PDF exploit"
>> you
>> read about a couple weeks ago that this so-called malware that only

> http://www.cve.mitre.org/cgi-bin/cve...=cve-2007-3387
> Affects many open source implementations of pdf readers. Not
> acroread,
> afaik.


Affects only *nix PDF viewers...

-jen


Old 07-11-2007, 10:44 PM   #28
jen
Re: New .PDF malware (?)

"Virus Guy" <Virus@Guy.com> wrote in message
news:46CB003D.DE52B477@Guy.com...
> jen wrote:
>> Could you elaborate(and provide a cite) on this
>> "new PDF exploit" you read about a couple weeks ago

> Here is a list of (all?) known Acrobat vulnerabilities:
> http://secunia.com/search/?search=acrobat&sort_by=date
> The most recent being reported in March.


That's a SunOS problem...

> It could be that it was only recently that some of these began to be
> found in circulation.
> I'm assuming that an acrobat vulnerability = PDF exploit



-jen


Old 07-11-2007, 10:44 PM   #29
kurt wismer
Re: New .PDF malware (?)

Virus Guy wrote:
> kurt wismer wrote:
>
>> and gateway filters can prevent the spam from reaching entire
>> domains...

>
> And gateway filters are more likely to run heavy-duty, sophisticated
> filters that can quickly stop even a PDF spam run.


round and round we go... i've already said that the spammers went with
pdf due to novelty... i never said it was a technique that was going to
be effective in the long term...

>>> Flash content is (usually) auto-rendered on a web page. PDF
>>> content is NOT auto-rendered as a component of a page being
>>> viewed.

>> ??? ok, so pdf content is auto-rendered as the entire page
>> instead of just a portion, is that distinction really
>> significant?

>
> I've never seen PDF content being auto-rendered either as its own
> page or as a component of a page unlike other components of a typical
> web page (ie like html code, java script, JPG or GIF images, etc).
>
> In my experience, PDF material (PDF files) are always presented only
> as links that require the user to click on them in order to view them.
>
> What browser has the option of rendering PDF files "in-line" ?


again, round and round we go... the acrobat reader includes a browser
plugin that allows you to read pdf files right in your browser...

>>> I could say that people who knowingly install acrobat on
>>> their systems probably belong to the demographic of people
>>> who are least likely to act on or respond to spam.

>> i'm going to go out on a limb here and guess that you believe
>> that pdf's are only used by a technically sophisticated minority
>> rather than the majority...

>
> I believe that those that do go out and install a pdf reader are less
> likely to be spam responders (or spam readers) than those that don't
> have a pdf reader on their computer.


so you choose to believe that spam 'users' are less likely to be pdf
'users' to a significant enough degree to make this distinction worth
pursuing... somehow spam 'users' don't need government forms or product
documentation or any of those other things that require a pdf viewer...

i think you're reading too much into the fact that they respond to
spam... i see no reason why they should be significantly different from
the average user as far as pdf reader deployment goes...

> I've never said that only a technically-sophisticated minority are PDF
> users/readers (that's your embellishment).


it's a reasonable 'embellishment' as only the technically
unsophisticated would respond to spam...

> However, I do believe that
> was more true in the past than it is now. Arguably Google has played
> a role in making the PDF format more common and exposing it to more
> people by presenting PDF material in its search results.


true, but it generally allows the user to 'view as html' and as such
doesn't necessarily drive people to install pdf readers...

>> this in spite of the fact that pdf long ago became the de facto
>> standard for printable documents from government forms to online
>> product documentation to press releases and reports and to bus
>> schedules and route maps (not to mention the fact that it's a
>> major e-book format, that sample chapters from conventional
>> books are released in that format,

>
> That it is a common format for many useful or important documents is
> not the issue.
>
> The fact remains that some (or many) home computer users may never use
> their computers in such a way that would see them needing to obtain or
> open a PDF file, much less installing a PDF reader if not already
> present on their system.


the fact that it is a common format for many useful or important
documents means that many people are going to be users... the fact that
it has such a wide variety of uses means that it will have a broad pool
of users rather than being arbitrarily limited to more narrow subsets of
the population...

>> and that it comes pre-installed on machines from dell)...

>
> Clearly this conversation pertains to situations (or the implications)
> of a PDF reader NOT being pre-installed by a vendor,


no, clearly this conversation pertains to how *insignificant* those
situations are to the spammer... the spammer chooses a format that will
get his message into as many inboxes as possible so as to give him the
greatest chance of having it viewed - so long as neither filters nor
people expect spam in pdf form and so long as people think pdf is a safe
format they will click just to figure out what the heck it is... its
usefulness will be short lived but that's why many have already moved on
to other formats...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
Old 07-11-2007, 10:44 PM   #30
Virus Guy
Re: New .PDF malware (?)

kurt wismer wrote:

> > I've never seen PDF content being auto-rendered either as its
> > own page or as a component of a page unlike other components of
> > a typical web page (ie like html code, java script, JPG or
> > GIF images, etc).
> >
> > In my experience, PDF material (PDF files) are always
> > presented only as links that require the user to click on
> > them in order to view them.
> >
> > What browser has the option of rendering PDF files
> > "in-line" ?

>
> again, round and round we go... the acrobat reader includes a
> browser plugin that allows you to read pdf files right in your
> browser...


Why are you incapable of understanding a simple concept?

I'm trying to point out to you that PDF code or PDF files are not
automatically rendered in-line as a component of a web page and that
they must be clicked on by the user in order to be rendered. That
they can THEN be rendered within the browser by a plugin is
irrelevant.

I'll try to make this simple for you.

If I view a web page that contains code to display a graphic bitmap
(say, a jpeg or gif file) I will see the bitmap when I view the web
page. I will NOT see a link to the bitmap that requires me to click
on it to see it (unless that's how the web-author wants it to work).

In contrast, PDF files are never rendered "in-line", automatically, as
part of webpage content like a gif or jpeg bitmap.

> so you choose to believe that spam 'users' are less likely to
> be pdf 'users' to a significant enough degree to make this
> distinction worth pursuing...


The home PC is common enough to be used by a wide range of people for
a wide range of reasons. When we dissect and analyze things at this
level, in the absence of other information, if I just had something as
basic as the presence or absence of an installed pdf reader, if I had
to form an opinion as to who is more likely to be spam-friendly, I
would say it's the people without a PDF reader installed.

> somehow spam 'users' don't need government forms or product
> documentation or any of those other things that require a
> pdf viewer...


Perhaps those people are kids or teenagers with PC's in their
bedrooms. Perhaps they're senior citizens who have their kids do
their taxes for them. I would expect (more often than not) both
groups to not have PDF readers installed on their computers (unless it
came pre-installed on them anyways). I would expect both groups to be
more naive when it comes to spam as opposed to other groups - more
likely to at least open and read it.

> i think you're reading too much into the fact that they
> respond to spam... i see no reason why they should be
> significantly different from the average user as far as
> pdf reader deployment goes...


If the lack of an installed PDF reader on a system is an indication of
a new or novice computer user, then that demographic is also more
likely to be unfamiliar with spam in all its forms and appearances,
and will (over time) presumably install a PDF reader on their system,
and just as likely over time to recognize and ignore spam.

Again, it's not like I'm saying that the presence or absence of a PDF
reader on a given system is "the gold standard" reference for who will
be a spam reader/responder.

I think we agree that resorting to the PDF format may be better (in
the short term) for spammers to get their spam through to end users,
but it's not a desirable format to insure they actually see the
payload.

I'm going an extra step by saying that systems with PDF readers on
them are more likely to be owned and operated by those that are (even
slightly) more likely to recognize and delete spam without even
reading it.

> > Arguably Google has played a role in making the PDF
> > format more common and exposing it to more people by
> > presenting PDF material in its search results.

>
> true, but it generally allows the user to 'view as html'
> and as such doesn't necessarily drive people to install
> pdf readers...


I guess you like to argue with everything I say?

Fine. Here's a counter-argument.

The "view as html" is a very poor substitute vs viewing the original
PDF document, so I wouldn't expect a given user to persistently view
PDF files as html for very long before deciding to install a PDF
reader.

> the fact that it is a common format for many useful or
> important documents means that many people are going to
> be users...


So what are you saying?

That the number of systems currently without an installed PDF reader
is zero?

> the fact that it has such a wide variety of uses means
> that it will have a broad pool of users


You're now arguing that a PDF reader is likely to be installed on the
majority of systems. I'm not disputing that. I would tend to agree,
and the fact that it comes pre-installed by some large vendors
certainly helps that argument.

But I'm betting that there are systems out there that don't have it
installed.

If you know of any hard stats on this, then post them here. Here's
one:

http://www.planetpdf.com/forumarchive/86169.asp

> > Clearly this conversation pertains to situations (or the
> > implications) of a PDF reader NOT being pre-installed by
> > a vendor,

>
> no, clearly this conversation pertains to how *insignificant*
> those situations are to the spammer...


Isn't that an implication of whether or not a PDF reader is installed
(by the vendor)? Which is what I said above, to which you answered
"no" ?

> the spammer chooses a format that will get his message into
> as many inboxes as possible ...


That, and the rest of that paragraph, is mostly obvious.

I don't buy the argument that PDF spam has a "clickability" advantage
that makes it (even slightly) more likely for the average reader to
open it just because it's a pdf. If that were true, we would be
seeing more executable attachments masquerading as PDF attachments.