G.W. Haywood wrote:
> Hi Kris,
>
> On Thu, 15 Mar 2018, Kris Deugau wrote:
>> I'm still chasing signatures for a certain class of (very) oversized
>> spam with malformed HTML. ...
>
> Would you be able to send me a few samples? Preferably with full headers.

I've been able to create logical (.ldb) variant signatures for nearly
all of the examples I've had reported thanks to suggestions from Steve
Basford, so I can't email them as the message would be blocked by our
outgoing AV scan...
So I've posted a .zip on my web space with four (small) more or less
representative examples of the class. Please note the full set of
variations covers, essentially, "long strings of symbols in the <style>
tag repeated many many many times". I have also seen specific variants
as large as ~5.4MB - aside from the individual lines tending to be
longer, and the total line count multiplied by ~20x or more, they share
the same general pattern as the smaller ones.
http://www.deepnet.cx/~kdeugau/clamtools/largespam.zip
These are only a problem in that:
a) they are horribly time-consuming to process through SpamAssassin,
although they're generally tagged when spot-checked by hand. And the
larger ones aren't passed to SA at all.
b) they are received in large bursts by a small number of recipients
(up to several hundred a day for a week or so at a time), and due to a)
the majority of them end up in the customer's Inbox instead of diverted
to their Spam folder. They contain no Javascript, links to viruses or
downloaders, or other formally "virus-y" content that I have noted.
-kgd
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
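
A cheap pre-filter for the pattern described in the message above (long symbol strings repeated many times inside `<style>`), as an added example that is not from the original post or from ClamAV. The thresholds, function names and sample messages are constructed assumptions, and the input is assumed to be the already-decoded HTML part of the message.

```python
import hashlib
import re
import zlib

# Illustrative thresholds (assumptions, tune against your own mail flow).
MIN_STYLE_BYTES = 64 * 1024    # ignore ordinary-sized stylesheets
MIN_STYLE_SHARE = 0.80         # <style> content dominates the HTML part
MAX_COMPRESSED_SHARE = 0.05    # repeated filler deflates to under 5%

# Capture up to </style>, or to end of input when the malformed HTML
# never closes the tag.
STYLE_RE = re.compile(rb"<style\b[^>]*>(.*?)(?:</style\s*>|\Z)", re.I | re.S)


def style_stats(body: bytes) -> dict:
    """Measure how much of an HTML part is <style> content and how repetitive it is."""
    style = b"".join(STYLE_RE.findall(body))
    return {
        "style_bytes": len(style),
        "style_share": len(style) / len(body) if body else 0.0,
        "compressed_share": len(zlib.compress(style)) / len(style) if style else 1.0,
    }


def is_style_stuffed(body: bytes) -> bool:
    """True when the part is large, mostly <style>, and highly repetitive."""
    s = style_stats(body)
    return (s["style_bytes"] >= MIN_STYLE_BYTES
            and s["style_share"] >= MIN_STYLE_SHARE
            and s["compressed_share"] <= MAX_COMPRESSED_SHARE)


# Constructed samples (not taken from largespam.zip).
FILLER = (b"@#%&*{}[]|~^=+;:!?" * 4 + b"\n") * 2000
STUFFED = b"<html><head><style>" + FILLER + b"</style></head><body><p>Offer</p></body></html>"
UNCLOSED = b"<html><style type=text/css>" + FILLER   # tag never closed
ORDINARY = b"<html><style>p{color:#333}</style><body>" + b"<p>Report attached.</p>" * 50
# Large but non-repetitive style content: size alone must not trigger.
VARIED = b"<style>" + b"\n".join(
    hashlib.sha256(str(i).encode()).hexdigest().encode() for i in range(2000)
) + b"</style><p>hi</p>"

if __name__ == "__main__":
    for name in ("STUFFED", "UNCLOSED", "ORDINARY", "VARIED"):
        print(name, is_style_stuffed(globals()[name]), style_stats(globals()[name]))
```

Because the check is a single regex pass plus one deflate call, it can run on messages that are too large to hand to a full content scanner.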