That's what I'm going to do, but I don't know if BombRe MIME-decodes
attachments and scans inside of them.

FYI, this seems like a pretty bad outbreak.  Colleagues at other
organizations (some really big ones too) are seeing this on their mail
systems this morning too.

On Tue, Oct 18, 2016 at 10:59 AM, cw <colin.war...@gmail.com> wrote:

> Can you stick it in bombRe for now to deal with it?
>
> On Tue, Oct 18, 2016 at 3:50 PM, K Post <nntp.p...@gmail.com> wrote:
>
> > We're getting slammed with these now.  All of the files have
> > <keyEncryptors><keyEncryptor
> > uri="http://schemas.microsoft.com/office/2006/keyEncryptor/password"> in
> > them.   Can we block based on content of a file??
> >
> > I'm guessing this is a new Locky, but now encrypted so scanners don't
> > catch them.
> >
> > On Tue, Oct 18, 2016 at 10:27 AM, K Post <nntp.p...@gmail.com> wrote:
> >
> > > I've seen a bunch of supposedly encrypted RTF files slip through today.
> > > The message body is typical spam, telling the user to open the important
> > > file, but the message also tells the user the password for the file.  I think
> > > these are created using Office's password protection feature and either
> > > renamed as RTF or saved as such (I didn't think you could do that).
> > >
> > >
> > > Any chance that AFC can block these?
> > >
> > > I didn't dare open a sample in Word, but I did inspect the file and see
> > > this block towards the bottom:
> > >
> > > <dataIntegrity
> > >   encryptedHmacKey="fgNjkbaoZe/R57CgZGuXNbVgkS3W+hN9AIn8Bfxo6qMRtjYe1YaOVCuJPrvlv09jssa4FPC9ibrjP3TcVaUhpg=="
> > >   encryptedHmacValue="KS8iQw1IXtV29p1ZMEMhndzwFlUlnJ2dBKXJJHAS6OTssbkEGDzX7AMxUQwF4iehdDUWexzwfweMJ/vs8uPqZA=="/>
> > > <keyEncryptors><keyEncryptor
> > >   uri="http://schemas.microsoft.com/office/2006/keyEncryptor/password">
> > > <p:encryptedKey spinCount="100000" saltSize="16" blockSize="16" keyBits="256"
> > >   hashSize="64" cipherAlgorithm="AES" cipherChaining="ChainingModeCBC"
> > >   hashAlgorithm="SHA512" saltValue="1bTPB9+6jWsKar2JVCGrzQ=="
> > >   encryptedVerifierHashInput="iY92nwFxE0RqpxsqOTDjsQ=="
> > >   encryptedVerifierHashValue="VNnSx7QjFX7l8p+AlGK9mtNS0kWr72+s1qVz4IxPIphhAxyntu6QK8tQR+y7ACnZZtCg+rrKv663ZWtA4fp6iA=="
> > >   encryptedKeyValue="cogHjHRCuBxn2wDeVN7z2jbiCX+XknXtEH8ZmjCaG90="/>
> > > </keyEncryptor></keyEncryptors></encryption>
> > >
> > > VirusTotal has zero hits on the samples that I submitted, but if they're
> > > encrypted, that explains why...
> > >
> > > I just want to block ANY incoming encrypted document, including Office
> > > documents.
> > >
> >
> > ------------------------------------------------------------
> > ------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> > _______________________________________________
> > Assp-test mailing list
> > Assp-test@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/assp-test
> >
> >
>

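The keyEncryptor URI quoted in the thread only becomes visible once an attachment's transfer encoding is undone, so a content rule has to run on MIME-decoded parts rather than on the raw message. A Python sketch of that check, added here as an example and not ASSP or BombRe code; the function names and the sample message are constructed, and checking a UTF-16LE form of the marker is an assumption.

```python
import email
from email import policy
from email.message import EmailMessage

# Marker string reported in the thread for password-protected Office files.
MARKER = b"http://schemas.microsoft.com/office/2006/keyEncryptor/password"
# Assumption: also look for a UTF-16LE copy in case a file stores it that way.
MARKERS = (MARKER, MARKER.decode("ascii").encode("utf-16-le"))


def encrypted_attachments(raw: bytes) -> list[str]:
    """Return filenames of parts whose decoded bytes contain the marker."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Skip plain body text so mail that merely discusses the marker
        # (like this thread) is not flagged; named text/* parts are still checked.
        if part.get_content_maintype() == "text" and not part.get_filename():
            continue
        # decode=True undoes base64 / quoted-printable transfer encoding.
        payload = part.get_payload(decode=True) or b""
        if any(m in payload for m in MARKERS):
            hits.append(part.get_filename() or "(unnamed part)")
    return hits


def build_sample(with_marker: bool) -> bytes:
    """Constructed test message with one base64-encoded attachment."""
    msg = EmailMessage()
    msg["Subject"] = "Constructed sample"
    msg.set_content("Please open the attached file.")
    blob = b"\x00" * 64  # constructed filler bytes, not a real document
    if with_marker:
        blob += b'<keyEncryptors><keyEncryptor uri="' + MARKER + b'">'
    msg.add_attachment(blob, maintype="application",
                       subtype="octet-stream", filename="doc.rtf")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample(True)
    print("marker visible in raw message:", MARKER in raw)
    print("flagged attachments:", encrypted_attachments(raw))
```
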