PDFInfoPlugin

This plugin helps to detect spam using attached PDF files

Example usage

loadplugin      pad.plugins.pdf_info.PDFInfoPlugin

body            PDF_MIME_COUNT_1        eval:pdf_count(1,3)
describe        PDF_MIME_COUNT_1        Message contains at least 1 PDF file, maximum 3.

body            PDF_IMAGE_COUNT         eval:pdf_image_count(3, 10)
describe        PDF_IMAGE_COUNT         Total number of images in PDF is between 3 and 10

body            PDF_PIX_COV             eval:pdf_pixel_coverage(100, 450)
describe        PDF_PIX_COV             Contains between 100 and 450 pixel in images

body            PDF_NAMED               eval:pdf_named('some_file.pdf')
describe        PDF_NAMED               Check if a pdf named "some_file.pdf" exists in the message.

body            PDF_NAMED_REGEX         eval:pdf_named_regex('/^(?:my|your)test\.pdf$/')
describe        PDF_NAMED_REGEX         Match if pdf is "mytest.pdf" or "yourtest.pdf"

body            PDF_MATCH_MD5           eval:pdf_match_md5('C359F8F89B290DA99DC997ED50117CDF')
describe        PDF_MATCH_MD5           Match with the PDF with that md5 hash

body            PDF_FUZZY_MD5           eval:pdf_match_fuzzy_md5('7340821445D975EEF6F5BDE2EC257900')
describe        PDF_FUZZY_MD5           Match if md5hash is in the fuzzy md5 hashes

body            PDF_MATCH_DETAIL        eval:pdf_match_details('author', '/^mobile$/')
describe        PDF_MATCH_DETAIL        Match if "mobile" is the author of the PDF file.

body            PDF_IS_ENCRYPTED        eval:pdf_is_encrypted()
describe        PDF_IS_ENCRYPTED        Match if one of the PDF files is encrypted.

body            PDF_IS_EMPTY_BODY       eval:pdf_is_empty_body(100)
describe        PDF_IS_EMPTY_BODY       Interested in PDF files larger than 100 bytes.

Usage

This plugin only has EVAL methods. See Eval Rule for general details on how to use such methods.

Options

None

EVAL rules

Tags

None