Hi Eric,

On Tue, 22 Sep 2020, G.W. Haywood via clamav-users wrote:
On Tue, 22 Sep 2020, Eric Tykwinski wrote:

I started writing my own, but of course I'm not catching them all.

If you could let me have some samples (complete messages) I could take
a look to see what I can do with my milter.  If you agree I'd let you
have a private mail address to which you'd send an encrypted archive,
and we'd exchange the password by some other means.

I see from the logs that you replied privately to my list address.
That won't normally work I'm afraid.  My list address only accepts
list mail, but I've whitelisted you now (from _your_ list address to
_my_ list address) so if you try again you might have more luck.  But
no promises, there are other defences you might still trip over. :)

Are these Emotet mails all coming from Microsoft servers?  According to
our logs, for quite some time we've been rejecting steadily increasing
amounts of cr@p from AS8075 but recently it's been staggering.  Mostly
just a few different original mail pieces sent from all over the place.
At a guess, thousands of script kiddies are exploiting Windows domains
which have not yet been patched for the ZeroLogon vulnerability.  Some
of them don't seem to speak English terribly well.  That may be a clue
to stopping the bulk of them - look at subject lines.

milter=> SELECT * FROM (SELECT timestamp,ip,country_code AS "CC",subject,
rank() OVER (PARTITION BY subject ORDER BY timestamp) AS r FROM connections
WHERE timestamp>'2020-01-01' AND asnum = 8075) AS x WHERE r=1 ORDER BY ...

 timestamp        | ip                      | CC | subject
------------------+-------------------------+----+------------------------------------------------------------------------------
 2020-08-10 10:28 | 40.107.15.45            | IE | Concerning your domain name
 2020-08-15 06:27 | 40.107.220.128          | US | Re: BELOVED -15/08/2020
 2020-08-16 10:21 | 2a01:111:f400:7e8d::830 | US | Inheritance
 2020-08-22 15:39 | 40.92.42.108            | US |
 2020-09-03 12:33 | 51.120.94.141           | NO | Votre colis est disponible 📦
 2020-09-12 20:22 | 40.92.253.37            | SG | Here is All My Body Here erottiourocal
 2020-09-14 08:46 | 40.92.17.93             | AT | PEDIDO DE CREDITO PERSONALIZADO
 2020-09-15 11:24 | 40.92.253.16            | SG | Take Your Transfer by ID: 332235571
 2020-09-15 11:24 | 40.92.16.90             | NL | Take Your Transfer by ID: 955735
 2020-09-17 17:34 | 40.92.42.55             | US | Active Account Payment - $9378.96 Here
 2020-09-17 17:35 | 40.92.21.76             | US | Active Account Payment - $2879.25 Here
 2020-09-20 10:56 | 40.92.254.76            | KR | See Payment Summ $5556.54 Get Here
 2020-09-20 17:06 | 40.92.91.88             | NL | Order Amount $4983.29 Now
 2020-09-20 17:06 | 40.92.254.10            | KR | Claim Amount $4443.82
 2020-09-21 15:01 | 40.92.254.102           | KR | Foremost Payment  3147681-1HDY9QAJV
 2020-09-21 21:09 | 40.92.255.75            | HK | Send unique give nowadays $6348.51 take nowadays
 2020-09-21 21:10 | 40.92.254.94            | KR | Send singular talent today $7281.64 take today
 2020-09-22 14:18 | 40.92.255.32            | HK | You Send out requital with the number $1328.17 horizon the transferee  hither
 2020-09-22 18:45 | 40.92.254.39            | KR | Defrayal came to ascertain all selective information and account  symmetry  $4983.34
 2020-09-22 23:11 | 40.92.18.97             | US | immediately
 2020-09-22 23:12 | 40.92.255.14            | HK | payment in the amount of $ 4217. 35
(21 rows)

This stuff is rejected here on GeoIP, DNSBL and other grounds and then
greylisted with a very long delay before ClamAV sees it, so that might
be why you're struggling with writing signatures while we aren't seeing
anything to worry about in the inboxes.

It would be interesting to know when the NSA first knew about this one.

--

73,
Ged.
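The "first sighting of each subject" report that Ged's rank() OVER (PARTITION BY subject ORDER BY timestamp) query produces, redone here in Python over a handful of constructed connection records. This is an added example, not code from the post or from Ged's milter; the table shape (timestamp, ip, country_code, asnum, subject) is assumed from the query, and it goes one step further than the SQL by also counting how often each subject recurred.

```python
from datetime import datetime

# Constructed sample rows shaped like the "connections" table in the post:
# (timestamp, ip, country_code, asnum, subject). Values are illustrative only.
CONNECTIONS = [
    ("2020-09-17 17:35", "40.92.21.76",   "US", 8075,  "Active Account Payment - $2879.25 Here"),
    ("2020-09-17 17:34", "40.92.42.55",   "US", 8075,  "Active Account Payment - $9378.96 Here"),
    ("2020-09-20 17:06", "40.92.91.88",   "NL", 8075,  "Order Amount $4983.29 Now"),
    ("2020-09-21 09:15", "40.92.91.90",   "NL", 8075,  "Order Amount $4983.29 Now"),  # same subject, later
    ("2020-09-22 08:00", "40.92.254.10",  "KR", 8075,  "Order Amount $4983.29 Now"),  # same subject, later
    ("2020-09-21 15:01", "40.92.254.102", "KR", 8075,  "Foremost Payment  3147681-1HDY9QAJV"),
    ("2019-12-30 02:11", "40.92.18.1",    "US", 8075,  "Order Amount $4983.29 Now"),  # before the cutoff
    ("2020-09-22 14:18", "198.51.100.7",  "DE", 64496, "Order Amount $4983.29 Now"),  # different ASN
]

TS_FMT = "%Y-%m-%d %H:%M"


def first_seen_per_subject(rows, asnum=8075, since="2020-01-01"):
    """Emulate the post's query: keep rows from `asnum` on or after `since`,
    partition them by subject, and return only the earliest row of each
    partition (r=1), ordered by timestamp. A per-subject hit count is added."""
    cutoff = datetime.fromisoformat(since)
    first = {}  # subject -> earliest sighting plus running count
    for ts, ip, cc, asn, subject in rows:
        when = datetime.strptime(ts, TS_FMT)
        if asn != asnum or when < cutoff:   # the WHERE clause
            continue
        cur = first.get(subject)
        if cur is None:
            first[subject] = {"timestamp": ts, "ip": ip, "cc": cc,
                              "subject": subject, "count": 1}
        else:
            cur["count"] += 1
            # Input order is not guaranteed, so keep whichever row is earliest.
            if when < datetime.strptime(cur["timestamp"], TS_FMT):
                cur.update(timestamp=ts, ip=ip, cc=cc)
    return sorted(first.values(), key=lambda r: r["timestamp"])


if __name__ == "__main__":
    for r in first_seen_per_subject(CONNECTIONS):
        print(f"{r['timestamp']} | {r['ip']:<14} | {r['cc']} | x{r['count']} | {r['subject']}")
```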

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
