Thanks Thomas.
I agree with you. I would remove the killswitch from future versions of
the plugin.
I audited the last month of logs, and I found 11 domains for which this
locky test was triggered. All of them are financial companies like
banks and mortgage lenders. I did not find any that appeared to
actually be malicious, although it is possible, but unlikely, that some
may have spoofed the domains in question. I'd have to audit every
single email to be sure. One is a major bank, the rest are regional or
even local. They seem to be using a common (shared, not popular)
mechanism for sending secured emails that involves these HTML files with
embedded JS.
My mail server is small (7700 emails/day) but it seems to me that I
should be seeing this test be triggered for email outside of the course
of normal business, but I am not.
I'm going to try to get samples of these attachments so we can see if
there is a way to fine-tune this check.
- Bob
On 7/31/2017 11:09 AM, Thomas Eckardt wrote:
>I've added it to "good" and I'll see what happens.
Nothing changes! There is no 'good' check for executable attachments and
embedded executable JS code.
I released ASSP_AFC 4.56. It contains such a killswitch (general switch
off). It is hidden AND IT IS NONSENSE to use it.
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test