Re: Training new spamass-milter setup

2015-02-18 Thread Reindl Harald


On 18.02.2015 at 05:50, @lbutlr wrote:

> On 17 Feb 2015, at 15:46, Reindl Harald h.rei...@thelounge.net wrote:
>
> > because in a default milter-setup the one and only user is the user which SA
> > and the milter service are running as, hence my script which needs maybe small
> > adjustments for your environment (--no-sync and so on depend on the config,
> > directories need to exist and permissions for samples need to be correct)
>
> Right. I’m going through your scripts now. They look interesting and with only
> a few weeks should drop in perfectly.
>
> > no mysql and what not, just a default bayes-db, two training-folders for ham and
> > spam and the script for feeding new eml-samples as well as the option for a
> > complete rebuild based on the current samples, the corpus will stay forever on
> > those machines and samples are named -mm-dd-number.eml
>
> Setting up the spam and ham corpus separately is one thing holding me up right
> now

how else will you train??

the key part is tell the bayes "this is spam" and "this is ham"

> and I’d honestly rather run with a mysql database

should also not be a problem but the clear and rebuild could be an
issue because in that timeframe the bayes can't be used - the first
version did this without the temp folder, ending in warnings and relying on
the other SA rules in the meantime

at the beginning that was not much of a problem
with now around 21000 samples this would take 10-15 minutes

well, you don't rebuild regularly but i personally find it an easier way
than forgetting to get rid of wrongly classified samples or in some cases
better not classify some for whatever reason






Re: Training new spamass-milter setup

2015-02-18 Thread @lbutlr

On 18 Feb 2015, at 02:06, Reindl Harald h.rei...@thelounge.net wrote:

> On 18.02.2015 at 05:50, @lbutlr wrote:
> > On 17 Feb 2015, at 15:46, Reindl Harald h.rei...@thelounge.net wrote:
> > > because in a default milter-setup the one and only user is the user which
> > > SA and the milter service are running as, hence my script which needs maybe
> > > small adjustments for your environment (--no-sync and so on depend on the
> > > config, directories need to exist and permissions for samples need to be
> > > correct)
> >
> > Right. I’m going through your scripts now. They look interesting and with
> > only a few weeks should drop in perfectly.
> >
> > > no mysql and what not, just a default bayes-db, two training-folders for ham
> > > and spam and the script for feeding new eml-samples as well as the option for
> > > a complete rebuild based on the current samples, the corpus will stay
> > > forever on those machines and samples are named -mm-dd-number.eml
> >
> > Setting up the spam and ham corpus separately is one thing holding me up
> > right now
>
> how else will you train??

From existing mail in select users (who are known to mark their mail).

> the key part is tell the bayes "this is spam" and "this is ham"

Yep. So far, attempts to train the spam from spamass-milter do not seem to be
resulting in the DB files I’d expect to find in /var/spool/spamd which is the
$HOME for the spamd user.





Re: Training new spamass-milter setup

2015-02-18 Thread @lbutlr
On 18 Feb 2015, at 03:50, Reindl Harald h.rei...@thelounge.net wrote:
> i would find it perverse using /var/spool for the userhome and bayes-database

I did not set the home for the spamd user, it was done in the install process.
And yes, I found the use of /var/spool/spamd odd as well.





Re: Training new spamass-milter setup

2015-02-18 Thread Reindl Harald



On 18.02.2015 at 11:41, @lbutlr wrote:

> On 18 Feb 2015, at 02:06, Reindl Harald h.rei...@thelounge.net wrote:
>
> > On 18.02.2015 at 05:50, @lbutlr wrote:
> >
> > > On 17 Feb 2015, at 15:46, Reindl Harald h.rei...@thelounge.net wrote:
> > >
> > > > because in a default milter-setup the one and only user is the user which SA
> > > > and the milter service are running as, hence my script which needs maybe small
> > > > adjustments for your environment (--no-sync and so on depend on the config,
> > > > directories need to exist and permissions for samples need to be correct)
> > >
> > > Right. I’m going through your scripts now. They look interesting and with only
> > > a few weeks should drop in perfectly.
> > >
> > > > no mysql and what not, just a default bayes-db, two training-folders for ham and
> > > > spam and the script for feeding new eml-samples as well as the option for a
> > > > complete rebuild based on the current samples, the corpus will stay forever on
> > > > those machines and samples are named -mm-dd-number.eml
> > >
> > > Setting up the spam and ham corpus separately is one thing holding me up right
> > > now
> >
> > how else will you train??
>
> From existing mail in select users (who are known to mark their mail).

train a global bayes by user decisions?
forget it without a review

not only once, the last time yesterday i called a user by phone and
asked "seriously? you want to train the message you moved in my IMAP
folder as spam just because someone wrote to your office address,
searched who the two persons are by name and would like to work together
with you?"

> > the key part is tell the bayes "this is spam" and "this is ham"
>
> Yep. So far, attempts to train the spam from spamass-milter do not seem to be
> resulting in the DB files I’d expect to find in /var/spool/spamd which is the
> $HOME for the spamd user.

man you need to provide some information
you need to call sa-learn exactly as the user running spamd / milter
with that home-directory and to be honest i would find it perverse using
/var/spool for the userhome and bayes-database

sa-milt:x:189:188:SpamAssassin Milter:/var/lib/spamass-milter:/usr/bin/dash

ls /var/lib/spamass-milter/.spamassassin/
insgesamt 35M
-rw------- 1 sa-milt sa-milt 2,6M 2015-02-18 11:44 bayes_seen
-rw------- 1 sa-milt sa-milt  40M 2015-02-18 11:44 bayes_toks
-rw------- 1 sa-milt sa-milt   98 2015-02-17 11:37 user_prefs

sa-milt    477  0.0  2.5 289776  77440 ?  SNs  04:16   0:21
/usr/bin/perl -T -w /usr/bin/spamd -c -H --max-children=25
--min-children=10 --min-spare=5 --max-spare=15 --port=10028
sa-milt   4945  0.0  0.1 584328   4080 ?  SNsl Feb17   0:19
/usr/sbin/spamass-milter -p /run/spamass-milter/spamass-milter.sock -g
sa-milt -r 8.0 -- -s 5242880 --port=10028

sa-milt  30625  1.6  3.7 332124 116528 ?  SN   11:44   0:04 spamd child
sa-milt  30626  0.4  2.5 293884  79328 ?  SN   11:44   0:01 spamd child
sa-milt  30627  0.0  2.3 289776  71036 ?  SN   11:44   0:00 spamd child
sa-milt  30628  0.0  2.3 289776  71108 ?  SN   11:44   0:00 spamd child
sa-milt  30629  0.0  2.3 289776  71036 ?  SN   11:44   0:00 spamd child
sa-milt  30630  0.0  2.3 289776  70972 ?  SN   11:44   0:00 spamd child
sa-milt  30631  0.0  2.3 289776  70972 ?  SN   11:44   0:00 spamd child
sa-milt  30632  0.0  2.3 289776  70972 ?  SN   11:44   0:00 spamd child
sa-milt  30633  0.0  2.3 289776  70976 ?  SN   11:44   0:00 spamd child
sa-milt  30634  0.0  2.3 289776  70976 ?  SN   11:44   0:00 spamd child
sa-milt  30635  0.0  2.3 289776  70976 ?  SN   11:44   0:00 spamd child
sa-milt  30636  0.0  2.3 289776  70976 ?  SN   11:44   0:00 spamd child
sa-milt  30637  0.0  2.3 289776  70976 ?  SN   11:44   0:00 spamd child
sa-milt  30638  0.0  2.3 289776  70980 ?  SN   11:44   0:00 spamd child
sa-milt  30639  0.0  2.3 289776  70980 ?  SN   11:44   0:00 spamd child





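As an added example, not Reindl's script (which is not on the page) and not part of the thread, here is a small Python wrapper for the training procedure the two Reindl messages above describe: two sample folders for ham and spam, feeding new samples with sa-learn --ham / --spam, an optional complete rebuild (--clear, re-feed everything, --sync), and a guard that refuses to run unless the process is the spamd/milter user with that user's home directory, since the Bayes files are written under the caller's home. The sample naming pattern yyyy-mm-dd-number.eml, the function names and the temporary demo corpus are my assumptions; sa-learn itself is only executed when dry_run is False.

```python
import os
import pwd
import re
import subprocess
import tempfile
from pathlib import Path

# Assumed naming scheme for stored samples: yyyy-mm-dd-number.eml
SAMPLE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}-\d+\.eml$")


def check_identity(expected_user):
    """sa-learn writes bayes_toks/bayes_seen under the calling user's home, so
    training as anyone but the spamd/milter user builds a database spamd never
    reads. Returns the .spamassassin directory that will be used."""
    me = pwd.getpwuid(os.geteuid())
    if me.pw_name != expected_user:
        raise RuntimeError("run as %s, not %s" % (expected_user, me.pw_name))
    home = os.environ.get("HOME")
    if home != me.pw_dir:
        raise RuntimeError("HOME=%r but %s's home is %s" % (home, me.pw_name, me.pw_dir))
    return Path(me.pw_dir) / ".spamassassin"


def list_samples(folder):
    """Split a corpus folder into files that follow the naming scheme and
    files that do not (stray notes, editor backups), which must not be fed."""
    names = sorted(p.name for p in Path(folder).iterdir() if p.is_file())
    valid = [n for n in names if SAMPLE_RE.match(n)]
    return valid, [n for n in names if n not in valid]


def build_plan(ham_dir, spam_dir, rebuild=False, sa_learn="sa-learn"):
    """Return sa-learn argv lists in execution order. Both folders are checked
    first; --no-sync defers journal merging and the final --sync applies it once.
    A rebuild clears the database, so Bayes is unavailable until --sync finishes."""
    for folder in (ham_dir, spam_dir):
        _, rejected = list_samples(folder)
        if rejected:
            raise ValueError("%s: not sample files: %s" % (folder, ", ".join(rejected)))
    plan = []
    if rebuild:
        plan.append([sa_learn, "--clear"])
    plan.append([sa_learn, "--ham", "--no-sync", str(ham_dir)])
    plan.append([sa_learn, "--spam", "--no-sync", str(spam_dir)])
    plan.append([sa_learn, "--sync"])
    return plan


def run_plan(plan, dry_run=True):
    """dry_run returns the command lines; otherwise each step runs via
    subprocess and a non-zero exit aborts the sequence."""
    out = []
    for argv in plan:
        if dry_run:
            out.append(" ".join(argv))
        else:
            out.append(subprocess.run(argv, check=True).returncode)
    return out


def make_demo_corpus(with_stray=False):
    """Constructed corpus in a temp dir: two folders with minimal .eml files."""
    root = Path(tempfile.mkdtemp(prefix="bayes-corpus-"))
    ham, spam = root / "ham", root / "spam"
    ham.mkdir()
    spam.mkdir()
    (ham / "2015-02-18-1.eml").write_text("Subject: minutes\n\nsee attached\n")
    (spam / "2015-02-18-1.eml").write_text("Subject: PURCHASE ORDER (34663)\n\nopen the doc\n")
    if with_stray:
        (spam / "notes.txt").write_text("not a sample\n")
    return ham, spam


if __name__ == "__main__":
    ham, spam = make_demo_corpus()
    for cmd in run_plan(build_plan(ham, spam, rebuild=True)):
        print(cmd)
```

On a real host the sequence is `check_identity("sa-milt")` (or whatever user spamd and the milter run as), then `run_plan(build_plan(...), dry_run=False)` from a cron job or a wrapper that does the `su`; sa-learn skips messages it has already learned, so feeding the whole folder each run is safe, while the rebuild path is only for the case the thread describes (removing mis-classified samples).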


Re: Recent spate of Malicious VB attachments II

2015-02-18 Thread Jesse Norell
On Wed, 2015-02-18 at 06:18 -0700, Tonyata wrote:
> Thanks for your feedback, much appreciated
>
> We do regularly review our AV solution and are generally happy with
> what we have in place. The issue was and continues to be that this is
> new variant Malware so by the time the AV's catch-up we already have a
> number of mails received in the Userbase.
> Was kinda hoping for some clever spam rule trickery to combat this
> but maybe I should just reset my expectations :)
>
> But in any case, any further suggestions/comments are gratefully
> received.


  There are some solutions for re-scanning email which has been
delivered (via imap, and possibly direct maildir access) so spam that's
not initially in razor/pyzor type services gets caught.  You could
probably adapt one of those to also run a virus scanner at a later time
with updated signatures to catch those, or even put together a quick
shellscript to loop through your maildirs with a cli virus scanner (if
you use maildir).  Of course it won't address users that have read their
email already, but certainly would help overall.

  Another option might be to add a virus scanner to your pop/imap
server, so mail is re-scanned before being sent to the client?

Jesse


> Cheers
> Tony
>
> __
> Date: Wed, 18 Feb 2015 06:08:30 -0700
> From: [hidden email]
> To: [hidden email]
> Subject: Re: Recent spate of Malicious VB attachments II
>
> On 02/18/2015 01:09 PM, Tonyata wrote:
>
> > Posting again as the original post didn't hit the mailing list -
> >
> > Hi Guys,
> >
> > Last week my company received a noticeable increase in emails containing MS
> > office attachments with a Malicious VB script which downloaded something
> > nasty.
> > For example Subj - Remittance [Report ID:54400-2187772], attachments were
> > 10 random chars.xls or Subj - PURCHASE ORDER (34663), attachments
> > 2600_001.doc
> >
> > In all cases we receive a couple of thousand emails across the customer base
> > over a couple of hours, sometimes originating from the same sender (in which
> > case I blacklist) but more often differing senders/IP's. Historically I add
> > a rule to pick up on the obvious characteristics - Subj, attachment name etc
> > and because they are pretty short-lived campaigns it's generally sufficient.
> >
> > What I'd like to know is -
> >
> > a) Did any of you see similar?
>
> yes!
>
> > b) Do you have any suggestions in order to detect this kind of stuff more
> > efficiently and on a more generic basis but without introducing FP risk?
>
> Get a decent AV.
>
> Test samples at https://virustotal.com
>
> The results will probably help you make a decision as to which AV
> product meets your expectations.
>
> If you don't want to spend on AV then you'll have to look into free
> ClamAV signatures:
>
> http://sanesecurity.com/ and others.



-- 
Jesse Norell
Kentec Communications, Inc.
970-522-8107  -  www.kci.net
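Jesse's suggestion of looping through maildirs with a command-line scanner, as an added Python example that is not part of his reply: it walks a Maildir, skips tmp/ (messages still being written), selects messages delivered since a cut-off (for instance the time of the last signature update), and separates unread messages from ones the user has already opened, which is the limitation Jesse points out. The Maildir is constructed in a temporary directory; the scanner argv uses clamscan's -i and --no-summary flags, and the function names are mine.

```python
import os
import tempfile
import time
from pathlib import Path


def maildir_messages(maildir):
    """Yield (path, seen) for delivered messages in a Maildir. tmp/ is skipped:
    files there are still being written. The 'S' flag after ':2,' in the file
    name marks a message the user has already read."""
    root = Path(maildir)
    for sub in ("new", "cur"):
        d = root / sub
        if not d.is_dir():
            continue
        for p in sorted(d.iterdir()):
            if not p.is_file():
                continue
            info = p.name.split(":2,", 1)
            flags = info[1] if len(info) == 2 else ""
            yield p, "S" in flags


def select_for_rescan(maildir, since):
    """Messages delivered at or after `since` (epoch seconds), split into
    unread ones (worth rescanning before the user opens them) and ones the
    user has already seen, which a rescan can only report, not prevent."""
    unread, seen = [], []
    for p, is_seen in maildir_messages(maildir):
        if p.stat().st_mtime < since:
            continue
        (seen if is_seen else unread).append(p)
    return unread, seen


def scanner_argv(paths, scanner="clamscan"):
    """argv for a CLI scanner over the selected files (clamscan: -i prints only
    infected files, --no-summary drops the trailer); any scanner that takes
    file arguments fits here."""
    return [scanner, "-i", "--no-summary"] + [str(p) for p in paths]


def make_demo_maildir():
    """Constructed Maildir: one unread message in new/, one read and one
    unread in cur/, one old message in cur/, one half-written file in tmp/.
    Returns (root, cut-off) with the cut-off one day in the past."""
    root = Path(tempfile.mkdtemp(prefix="maildir-"))
    for sub in ("new", "cur", "tmp"):
        (root / sub).mkdir()
    now = time.time()
    files = {
        "new/1424264407.M1.mx": now,
        "cur/1424264408.M2.mx:2,S": now,
        "cur/1424264409.M3.mx:2,": now,
        "cur/1424000000.M4.mx:2,": now - 7 * 86400,   # older than the cut-off
        "tmp/1424264410.M5.mx": now,
    }
    for name, mtime in files.items():
        p = root / name
        p.write_text("Subject: PURCHASE ORDER (34663)\n\nsee attachment\n")
        os.utime(p, (mtime, mtime))
    return root, now - 86400


if __name__ == "__main__":
    root, since = make_demo_maildir()
    unread, seen = select_for_rescan(root, since)
    print("rescan:", [p.name for p in unread])
    print("already read, report only:", [p.name for p in seen])
    print(" ".join(scanner_argv(unread)))
```

Run per user directory from a cron job after signature updates; the `seen` list is the set of messages a later scan cannot protect anyone from, which is the part worth alerting on rather than silently quarantining.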



Re: Recent spate of Malicious VB attachments II

2015-02-18 Thread David F. Skoll
On Wed, 18 Feb 2015 14:16:02 -0500
Joe Quinn jqu...@pccc.com wrote:

> On 2/18/2015 2:10 PM, Reindl Harald wrote:
>
> > the source contains at least socket:// and heavy pulsating disk-IO
> > noticed from the RAID10 as long as the process was active - will give
> > it a try in an isolated VM to look what it does the next spare time
>
> Or if there was an SA-style classifier for malware that scores files
> in addition to "this is a keylogger".

A lot of the samples we see heavily obfuscate the VB code.  Example:

Sub h()
 ds = 99 + Sgn(98) + Sgn(902) + Sgn(-5)
 USER = Module1.Travel(username)
 
 jks = ds
 PST2 =  + a + do  be  ac  d-u  pd  a  te 
 
 VBT2 =   a + Chr(100) + o  b  ea  cd-up  da  te  
 VBTXP2 =   a  Chr(100)  o  be + ac  d-u + pd + atex + 
p  
 BART2 =   a + Chr(100)  o  b  e + ac  d-up + date  
 
 PST1 = PST2 + . + Chr(Asc(p)) + Chr(ds + 15) + 1 + 
 VBT1 = VBT2 + . + Chr(118) + b + Chr(Asc(s)) + 
 VBTXP = VBTXP2 + . + Chr(Asc(v)) + Chr(Asc(b)) + s + 
... more of the same

This makes a simple-minded strings inadequate. :( I've also seen
highly-obfuscated Javascript code that builds up strings and then evaluates
them as Javascript.

Regards,

David.



Re: Recent spate of Malicious VB attachments II

2015-02-18 Thread John Hardin

On Wed, 18 Feb 2015, David F. Skoll wrote:


> On Wed, 18 Feb 2015 09:56:56 -0700
> Jesse Norell je...@kci.net wrote:
>
> > Another option might be to add a virus scanner to your pop/imap
> > server, so mail is re-scanned before being sent to the client?
>
> I wrote some Perl to try to detect MS Office documents with macros in
> them.  I'm not sure it's 100% successful, but it does seem to detect
> a large percentage of them.  Unfortunately, I found out to my dismay
> that quite a few legitimate MS Office documents have macros, so you can
> only use this to add points, not to reject.


Macros are not inherently evil. Macros that dig around in the registry or 
try to retrieve stuff over the network are evil.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Insofar as the police deter by their presence, they are very, very
  good. Criminals take great pains not to commit a crime in front of
  them. -- Jeffrey Snyder
---
 4 days until George Washington's 283rd Birthday


Re: Recent spate of Malicious VB attachments II

2015-02-18 Thread Joe Quinn

On 2/18/2015 2:10 PM, Reindl Harald wrote:


> On 18.02.2015 at 20:00, David F. Skoll wrote:
>
> > On Wed, 18 Feb 2015 10:52:49 -0800 (PST)
> > John Hardin jhar...@impsec.org wrote:
> >
> > > Macros are not inherently evil.
> >
> > No, they're not, but AutoRun macros are guilty until proven otherwise, IMO.
> > (And adding the ability for MS Office macros to execute external programs
> > and fetch content over the Internet *is* inherently evil and MS should be
> > soundly slapped for that.)
>
> it would be nice when SA adds a *low score* in case of documents
> containing macros - that may make the difference in a milter setup in
> combination with other rules and bayes to reject or not
>
> ___
>
> well, and as a sidenote: i had today a jar-malware (java) in a mail
> and instead of unpacking it for inspection, because of the same icon as
> archives i managed to run that damned thing - luckily realized that 30
> seconds later, pulled the network cables and restored the complete
> machine from a nightly backup
>
> the source contains at least socket:// and heavy pulsating disk-IO
> noticed from the RAID10 as long as the process was active - will give it
> a try in an isolated VM to look what it does the next spare time

Or if there was an SA-style classifier for malware that scores files in
addition to "this is a keylogger".


Re: Recent spate of Malicious VB attachments II

2015-02-18 Thread David F. Skoll
On Wed, 18 Feb 2015 20:10:46 +0100
Reindl Harald h.rei...@thelounge.net wrote:

> it would be nice when SA adds a *low score* in case of documents
> containing macros - that may make the difference in a milter setup in
> combination with other rules and bayes to reject or not

Yeah, that's what we do.  We add 3.7 points for files containing macros.

Regards,

David.


Re: Recent spate of Malicious VB attachments II

2015-02-18 Thread David F. Skoll
On Wed, 18 Feb 2015 09:56:56 -0700
Jesse Norell je...@kci.net wrote:

> Another option might be to add a virus scanner to your pop/imap
> server, so mail is re-scanned before being sent to the client?

I wrote some Perl to try to detect MS Office documents with macros in
them.  I'm not sure it's 100% successful, but it does seem to detect
a large percentage of them.  Unfortunately, I found out to my dismay
that quite a few legitimate MS Office documents have macros, so you can
only use this to add points, not to reject.

The code fragment is below (it's not a complete solution, but it gives
you the gist).  It's not a SpamAssassin plugin (because it's part
of our MIMEDefang framework) but it shouldn't be too hard to adapt.
The essential part is to look for the two strings $marker1 and $marker2
in the document.

Regards,

David.

==
# These markers were documented at:
# http://blog.rootshell.be/2015/01/08/searching-for-microsoft-office-files-containing-macro/
# as of 2015-01-15
# $entity is a MIME::Entity that's the parsed message

# decode_mimewords comes from MIME::Words; MIMEDefang filters already have it,
# an explicit import is needed when adapting this elsewhere
use MIME::Words qw(decode_mimewords);

my $marker1 = "\xd0\xcf\x11\xe0";                          # OLE2 compound-document magic
my $marker2 = "\x00\x41\x74\x74\x72\x69\x62\x75\x74\x00";  # "\0Attribut\0" from the VBA stream

sub contains_office_macros
{
    my ($self, $entity) = @_;
    my @parts = $entity->parts();
    if (scalar(@parts) > 0) {
        # multipart: recurse into every sub-part
        foreach my $part (@parts) {
            if ($self->contains_office_macros($part)) {
                return 1;
            }
        }
        return 0;
    }
    # only look at parts whose file name has an Office extension
    my $is_msoffice_extension = 0;
    foreach my $attr_name (qw( Content-Disposition.filename Content-Type.name )) {
        my $possible = $entity->head->mime_attr($attr_name);
        next unless defined($possible);
        $possible = decode_mimewords($possible);
        if ($possible =~ /\.(doc|docx)$/i) {
            $is_msoffice_extension = 1;
            last;
        }
    }
    return 0 unless $is_msoffice_extension;
    return 0 unless defined($entity->bodyhandle) &&
                    defined($entity->bodyhandle->path);
    my $fp;
    if (!open($fp, '<:raw', $entity->bodyhandle->path)) {
        return 0;
    }
    my $contents;
    {
        local $/;               # slurp the whole decoded attachment
        $contents = <$fp>;
        close($fp);
    }
    if (index($contents, $marker1) > -1 &&
        index($contents, $marker2) > -1) {
        return 1;
    }
    return 0;
}
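The same marker check as an added Python example (not David's MIMEDefang code and not part of the original post), extended to the case the Perl's extension list touches but its markers cannot reach: a .docx is a zip container, so the OLE2 magic and the "\0Attribut\0" string never appear in it, and a macro-enabled OOXML file (.docm, .xlsm, .pptm) carries its VBA project as a vbaProject.bin part inside the zip instead. The sample files are constructed in memory and only contain the bytes the checks look at; the extension list, the result labels and the function names are my choices.

```python
import io
import re
import zipfile

# Byte markers from the posted fragment: OLE2 compound-document magic and the
# "\0Attribut\0" string found in a compiled VBA stream.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0"
VBA_ATTRIBUT = b"\x00Attribut\x00"
ZIP_MAGIC = b"PK\x03\x04"

# Extensions worth inspecting at all (broader than the Perl's doc|docx, my choice):
# the "x" variants are included so a macro file renamed to a harmless-looking
# extension is still examined rather than skipped on name alone.
OFFICE_EXT_RE = re.compile(r"\.(doc[mx]?|dot[mx]?|xl[st][mx]?|ppt[mx]?)$", re.I)

# Inside an OOXML container the VBA project lives under one of these names.
VBA_PROJECT_RE = re.compile(r"^(word|xl|ppt)/vbaProject\.bin$", re.I)


def looks_like_office(filename):
    """True if the attachment name carries an MS Office extension."""
    return bool(filename) and OFFICE_EXT_RE.search(filename) is not None


def ole2_has_macros(data):
    """Legacy binary format: both markers must be present."""
    return data.startswith(OLE2_MAGIC) and VBA_ATTRIBUT in data


def ooxml_has_macros(data):
    """OOXML (zip) format: a vbaProject.bin part means macros; nothing is extracted."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(VBA_PROJECT_RE.match(name) for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def contains_office_macros(filename, data):
    """Return 'ole2-macro', 'ooxml-macro', 'no-macro' or 'skipped' (not an Office name)."""
    if not looks_like_office(filename):
        return "skipped"
    if ole2_has_macros(data):
        return "ole2-macro"
    if ooxml_has_macros(data):
        return "ooxml-macro"
    return "no-macro"


# ---- constructed samples: not real documents, just the bytes the checks inspect
def make_fake_ole2(with_vba):
    body = OLE2_MAGIC + b"\xa1\xb1\x1a\xe1" + b"\x00" * 64
    if with_vba:
        body += b"\x00Attribut\x00e VB_Name = \"ThisDocument\""
    return body


def make_fake_ooxml(with_vba):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("invoice.doc", make_fake_ole2(True)),
                       ("report.doc", make_fake_ole2(False)),
                       ("order.docm", make_fake_ooxml(True)),
                       ("memo.docx", make_fake_ooxml(False)),
                       ("notes.txt", b"hello")]:
        print(name, contains_office_macros(name, blob))
```

As David notes, this can only add points: both checks say "contains a VBA project", not "contains a malicious one", and legitimate documents with macros will score the same.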


Re: Recent spate of Malicious VB attachments II

2015-02-18 Thread David F. Skoll
On Wed, 18 Feb 2015 10:52:49 -0800 (PST)
John Hardin jhar...@impsec.org wrote:

> Macros are not inherently evil.

No, they're not, but AutoRun macros are guilty until proven otherwise, IMO.
(And adding the ability for MS Office macros to execute external programs
and fetch content over the Internet *is* inherently evil and MS should be
soundly slapped for that.)

Regards,

David.


Re: Recent spate of Malicious VB attachments II

2015-02-18 Thread Reindl Harald


On 18.02.2015 at 20:00, David F. Skoll wrote:

> On Wed, 18 Feb 2015 10:52:49 -0800 (PST)
> John Hardin jhar...@impsec.org wrote:
>
> > Macros are not inherently evil.
>
> No, they're not, but AutoRun macros are guilty until proven otherwise, IMO.
> (And adding the ability for MS Office macros to execute external programs
> and fetch content over the Internet *is* inherently evil and MS should be
> soundly slapped for that.)

it would be nice when SA adds a *low score* in case of documents
containing macros - that may make the difference in a milter setup in
combination with other rules and bayes to reject or not

___

well, and as a sidenote: i had today a jar-malware (java) in a mail and
instead of unpacking it for inspection, because of the same icon as archives i
managed to run that damned thing - luckily realized that 30 seconds
later, pulled the network cables and restored the complete machine from
a nightly backup

the source contains at least socket:// and heavy pulsating disk-IO
noticed from the RAID10 as long as the process was active - will give it a
try in an isolated VM to look what it does the next spare time






duplicate rules? (AXB_HELO_HOME_UN,HELO_LH_HOME)

2015-02-18 Thread Reindl Harald

is it expected that both fire?
i don't know the message but noticed it in the logs

AXB_HELO_HOME_UN,HELO_LH_HOME





RE: Recent spate of Malicious VB attachments II

2015-02-18 Thread Tonyata
Thanks for your feedback, much appreciated

We do regularly review our AV solution and are generally happy with what we 
have in place. The issue was and continues to be that this is new variant 
Malware so by the time the AV's catch-up we already have a number of mails 
received in the Userbase.
Was kinda hoping for some clever spam rule trickery to combat this but maybe I 
should just reset my expectations :)
 
But in any case, any further suggestions/comments are gratefully received.
 
Cheers
Tony
 
> Date: Wed, 18 Feb 2015 06:08:30 -0700
> From: ml-node+s1065346n114622...@n5.nabble.com
> To: tiar...@hotmail.com
> Subject: Re: Recent spate of Malicious VB attachments II
>
> On 02/18/2015 01:09 PM, Tonyata wrote:
>
> > Posting again as the original post didn't hit the mailing list -
> >
> > Hi Guys,
> >
> > Last week my company received a noticeable increase in emails containing MS
> > office attachments with a Malicious VB script which downloaded something
> > nasty.
> > For example Subj - Remittance [Report ID:54400-2187772], attachments were
> > 10 random chars.xls or Subj - PURCHASE ORDER (34663), attachments
> > 2600_001.doc
> >
> > In all cases we receive a couple of thousand emails across the customer base
> > over a couple of hours, sometimes originating from the same sender (in which
> > case I blacklist) but more often differing senders/IP's. Historically I add
> > a rule to pick up on the obvious characteristics - Subj, attachment name etc
> > and because they are pretty short-lived campaigns it's generally sufficient.
> >
> > What I'd like to know is -
> >
> > a) Did any of you see similar?
>
> yes!
>
> > b) Do you have any suggestions in order to detect this kind of stuff more
> > efficiently and on a more generic basis but without introducing FP risk?
>
> Get a decent AV.
>
> Test samples at https://virustotal.com
>
> The results will probably help you make a decision as to which AV
> product meets your expectations.
>
> If you don't want to spend on AV then you'll have to look into free
> ClamAV signatures:
>
> http://sanesecurity.com/ and others.


--
View this message in context: 
http://spamassassin.1065346.n5.nabble.com/Recent-spate-of-Malicious-VB-attachments-II-tp114621p114623.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Re: Uptick in spam (bayes stats script)

2015-02-18 Thread Reindl Harald


On 17.02.2015 at 15:23, Reindl Harald wrote:

> On 17.02.2015 at 15:19, LuKreme wrote:
>
> > On 16 Feb 2015, at 12:01, Reindl Harald h.rei...@thelounge.net wrote:
> >
> > > given that 24266 messages had BAYES_00 with a total number of 30401
> > > delivered mails in the current month that training strategy seems to
> > > work well
> > >
> > > [root@mail-gw:~]$ bayes-stats.sh
> >
> > What is bayes-stats.sh?
>
> a simple shell script

nicer version attached as plain-text file
using now bash + bc + printf for % and formatting

removed the su-calls by placing it in a worker-dir and calling that with su
from a script in PATH, well, output looks now like below


bayes-stats.sh
0.000          0          3          0  non-token data: bayes db version
0.000          0      10606          0  non-token data: nspam
0.000          0      10688          0  non-token data: nham
0.000          0    1387376          0  non-token data: ntokens
0.000          0  993467899          0  non-token data: oldest atime
0.000          0 1424264407          0  non-token data: newest atime
0.000          0 1424264867          0  non-token data: last journal sync atime
0.000          0          0          0  non-token data: last expiry atime
0.000          0          0          0  non-token data: last expire atime delta
0.000          0          0          0  non-token data: last expire reduction count

insgesamt 35M
-rw------- 1 sa-milt sa-milt 2,6M 2015-02-18 14:07 bayes_seen
-rw------- 1 sa-milt sa-milt  40M 2015-02-18 14:07 bayes_toks
-rw------- 1 sa-milt sa-milt   98 2015-02-17 11:37 user_prefs

BAYES_00     28000   75.84 %
BAYES_05       437    1.18 %
BAYES_20       546    1.47 %
BAYES_40       597    1.61 %
BAYES_50      4503   12.19 %
BAYES_60       437    1.18 %
BAYES_80       322    0.87 %
BAYES_95       224    0.60 %
BAYES_99      1850    5.01 %
BAYES_999     1647    4.46 %

Delivered:    34896
SpamAssassin: 3071

#!/usr/bin/bash

MAILLOG=/var/log/maillog

/usr/bin/sa-learn --dump magic
echo ""

/usr/bin/ls -l -h --color=tty -X --group-directories-first \
  --time-style=long-iso /var/lib/spamass-milter/.spamassassin/
echo ""

# one count per bucket; the trailing comma keeps BAYES_99 from also matching BAYES_999
BAYES_00=`grep -c 'spamd: result:.*BAYES_00,' $MAILLOG`
BAYES_05=`grep -c 'spamd: result:.*BAYES_05,' $MAILLOG`
BAYES_20=`grep -c 'spamd: result:.*BAYES_20,' $MAILLOG`
BAYES_40=`grep -c 'spamd: result:.*BAYES_40,' $MAILLOG`
BAYES_50=`grep -c 'spamd: result:.*BAYES_50,' $MAILLOG`
BAYES_60=`grep -c 'spamd: result:.*BAYES_60,' $MAILLOG`
BAYES_80=`grep -c 'spamd: result:.*BAYES_80,' $MAILLOG`
BAYES_95=`grep -c 'spamd: result:.*BAYES_95,' $MAILLOG`
BAYES_99=`grep -c 'spamd: result:.*BAYES_99,' $MAILLOG`
BAYES_999=`grep -c 'spamd: result:.*BAYES_999,' $MAILLOG`

# the posted version left BAYES_999 out of the total, so the percentages
# added up to more than 100; all ten buckets are summed here
BAYES_TOTAL=`echo "$BAYES_00+$BAYES_05+$BAYES_20+$BAYES_40+$BAYES_50+$BAYES_60+$BAYES_80+$BAYES_95+$BAYES_99+$BAYES_999" | bc`
# avoid a division by zero on an empty or rotated log
[ "$BAYES_TOTAL" -eq 0 ] && BAYES_TOTAL=1

# percentage with two decimals; sed puts a leading zero in front of values below 1
BAYES_00_PCT=`echo "scale=2; ($BAYES_00*100)/$BAYES_TOTAL" | bc | sed 's/^\./0./'`
BAYES_05_PCT=`echo "scale=2; ($BAYES_05*100)/$BAYES_TOTAL" | bc | sed 's/^\./0./'`
BAYES_20_PCT=`echo "scale=2; ($BAYES_20*100)/$BAYES_TOTAL" | bc | sed 's/^\./0./'`
BAYES_40_PCT=`echo "scale=2; ($BAYES_40*100)/$BAYES_TOTAL" | bc | sed 's/^\./0./'`
BAYES_50_PCT=`echo "scale=2; ($BAYES_50*100)/$BAYES_TOTAL" | bc | sed 's/^\./0./'`
BAYES_60_PCT=`echo "scale=2; ($BAYES_60*100)/$BAYES_TOTAL" | bc | sed 's/^\./0./'`
BAYES_80_PCT=`echo "scale=2; ($BAYES_80*100)/$BAYES_TOTAL" | bc | sed 's/^\./0./'`
BAYES_95_PCT=`echo "scale=2; ($BAYES_95*100)/$BAYES_TOTAL" | bc | sed 's/^\./0./'`
BAYES_99_PCT=`echo "scale=2; ($BAYES_99*100)/$BAYES_TOTAL" | bc | sed 's/^\./0./'`
BAYES_999_PCT=`echo "scale=2; ($BAYES_999*100)/$BAYES_TOTAL" | bc | sed 's/^\./0./'`

# label, right-aligned count, right-aligned percentage
printf '%-9s %8s %7s %%\n' BAYES_00  "$BAYES_00"  "$BAYES_00_PCT"
printf '%-9s %8s %7s %%\n' BAYES_05  "$BAYES_05"  "$BAYES_05_PCT"
printf '%-9s %8s %7s %%\n' BAYES_20  "$BAYES_20"  "$BAYES_20_PCT"
printf '%-9s %8s %7s %%\n' BAYES_40  "$BAYES_40"  "$BAYES_40_PCT"
printf '%-9s %8s %7s %%\n' BAYES_50  "$BAYES_50"  "$BAYES_50_PCT"
printf '%-9s %8s %7s %%\n' BAYES_60  "$BAYES_60"  "$BAYES_60_PCT"
printf '%-9s %8s %7s %%\n' BAYES_80  "$BAYES_80"  "$BAYES_80_PCT"
printf '%-9s %8s %7s %%\n' BAYES_95  "$BAYES_95"  "$BAYES_95_PCT"
printf '%-9s %8s %7s %%\n' BAYES_99  "$BAYES_99"  "$BAYES_99_PCT"
printf '%-9s %8s %7s %%\n' BAYES_999 "$BAYES_999" "$BAYES_999_PCT"
echo ""

echo "Delivered:    `grep -c 'relay=.*status=sent' $MAILLOG`"
echo "SpamAssassin: `grep -c 'Blocked by SpamAssassin' $MAILLOG`"


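The same statistics as an added Python example (not Reindl's script), run over a few constructed maillog lines instead of /var/log/maillog. It counts each BAYES_* bucket the way the greps do (rule name followed by a comma in a `spamd: result:` line, so BAYES_99 does not swallow BAYES_999), computes the percentages over all ten buckets, and counts delivered and blocked messages with the same patterns. The log lines are made up and only follow the general shape of spamd and postfix logging; the function names are mine.

```python
import re
from collections import Counter

BUCKETS = ["BAYES_00", "BAYES_05", "BAYES_20", "BAYES_40", "BAYES_50",
           "BAYES_60", "BAYES_80", "BAYES_95", "BAYES_99", "BAYES_999"]

# One regex per bucket, mirroring grep 'spamd: result:.*BAYES_xx,'; the trailing
# comma is what keeps BAYES_99 from also matching a BAYES_999 line.
BUCKET_RES = {b: re.compile(r"spamd: result:.*" + re.escape(b) + r",") for b in BUCKETS}
DELIVERED_RE = re.compile(r"relay=.*status=sent")
BLOCKED_RE = re.compile(r"Blocked by SpamAssassin")


def bayes_stats(lines):
    """Return (bucket_counts, delivered, blocked) for an iterable of log lines."""
    counts = Counter()
    delivered = blocked = 0
    for line in lines:
        for name in BUCKETS:
            if BUCKET_RES[name].search(line):
                counts[name] += 1
                break          # a result line carries exactly one BAYES_* bucket
        if DELIVERED_RE.search(line):
            delivered += 1
        if BLOCKED_RE.search(line):
            blocked += 1
    return counts, delivered, blocked


def percentages(counts):
    """Share of each bucket over all BAYES_* hits (all ten buckets), two decimals."""
    total = sum(counts[b] for b in BUCKETS)
    if total == 0:
        return {b: 0.0 for b in BUCKETS}
    return {b: round(counts[b] * 100 / total, 2) for b in BUCKETS}


def render(counts, delivered, blocked):
    """Same layout as the shell script's output."""
    pct = percentages(counts)
    out = ["%-9s %8d %7.2f %%" % (b, counts[b], pct[b]) for b in BUCKETS]
    out.append("")
    out.append("Delivered:    %d" % delivered)
    out.append("SpamAssassin: %d" % blocked)
    return "\n".join(out)


# Constructed sample log (shape follows spamd/postfix lines, values are invented).
SAMPLE_LOG = """\
Feb 18 11:44:01 mail-gw spamd[30625]: spamd: result: . -3 - BAYES_00,DKIM_VALID scantime=0.4,size=2140
Feb 18 11:44:02 mail-gw postfix/smtp[1001]: A1B2C3: to=<a@example.test>, relay=127.0.0.1[127.0.0.1]:10024, status=sent (250 ok)
Feb 18 11:44:05 mail-gw spamd[30626]: spamd: result: Y 12 - BAYES_99,HTML_MESSAGE scantime=0.5,size=5310
Feb 18 11:44:06 mail-gw spamass-milter[4945]: Blocked by SpamAssassin
Feb 18 11:44:09 mail-gw spamd[30627]: spamd: result: Y 15 - BAYES_999,RDNS_NONE scantime=0.3,size=1200
Feb 18 11:44:10 mail-gw spamass-milter[4945]: Blocked by SpamAssassin
Feb 18 11:44:12 mail-gw spamd[30628]: spamd: result: . 1 - BAYES_50,HTML_MESSAGE scantime=0.2,size=800
Feb 18 11:44:13 mail-gw postfix/smtp[1002]: D4E5F6: to=<b@example.test>, relay=127.0.0.1[127.0.0.1]:10024, status=sent (250 ok)
"""


if __name__ == "__main__":
    c, d, b = bayes_stats(SAMPLE_LOG.splitlines())
    print(render(c, d, b))
```

Pointing `bayes_stats` at `open("/var/log/maillog")` gives the real report; a sudden drop in the BAYES_00 share or a rising BAYES_50 share is the signal the thread is using to judge whether training is keeping up.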


Re: Recent spate of Malicious VB attachments II

2015-02-18 Thread Axb

On 02/18/2015 01:09 PM, Tonyata wrote:

> Posting again as the original post didn't hit the mailing list -
>
> Hi Guys,
>
> Last week my company received a noticeable increase in emails containing MS
> office attachments with a Malicious VB script which downloaded something
> nasty.
> For example Subj - Remittance [Report ID:54400-2187772], attachments were
> 10 random chars.xls or Subj - PURCHASE ORDER (34663), attachments
> 2600_001.doc
>
> In all cases we receive a couple of thousand emails across the customer base
> over a couple of hours, sometimes originating from the same sender (in which
> case I blacklist) but more often differing senders/IP's. Historically I add
> a rule to pick up on the obvious characteristics - Subj, attachment name etc
> and because they are pretty short-lived campaigns it's generally sufficient.
>
> What I'd like to know is -
>
> a) Did any of you see similar?

yes!

> b) Do you have any suggestions in order to detect this kind of stuff more
> efficiently and on a more generic basis but without introducing FP risk?

Get a decent AV.

Test samples at https://virustotal.com

The results will probably help you make a decision as to which AV
product meets your expectations.

If you don't want to spend on AV then you'll have to look into free
ClamAV signatures:

http://sanesecurity.com/ and others.




RE: Recent spate of Malicious VB attachments II

2015-02-18 Thread John Hardin

On Wed, 18 Feb 2015, Tonyata wrote:


> Thanks for your feedback, much appreciated
>
> We do regularly review our AV solution and are generally happy with what we
> have in place. The issue was and continues to be that this is new variant
> Malware so by the time the AV's catch up we already have a number of mails
> received in the Userbase.
> Was kinda hoping for some clever spam rule trickery to combat this but maybe I
> should just reset my expectations :)
>
> But in any case, any further suggestions/comments are gratefully received.

<plug type="shameless">http://impsec.org/email-tools/procmail-security.html</plug>

Not signature-based. I believe the current dev version (1.152pre8) catches
the current VB download scripting. Feel free to forward me some samples if
you like.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The most glaring example of the cognitive dissonance on the left
  is the concept that human beings are inherently good, yet at the
  same time cannot be trusted with any kind of weapon, unless the
  magic fairy dust of government authority gets sprinkled upon them.
   -- Moshe Ben-David
---
 4 days until George Washington's 283rd Birthday


Recent spate of Malicious VB attachments II

2015-02-18 Thread Tonyata
Posting again as the original post didn't hit the mailing list - 

Hi Guys, 

Last week my company received a noticeable increase in emails containing MS
office attachments with a Malicious VB script which downloaded something
nasty.
 For example Subj - Remittance  [Report ID:54400-2187772], attachments were
10 random chars.xls or Subj - PURCHASE ORDER (34663), attachments
2600_001.doc
 
In all cases we receive a couple of thousand emails across the customer base
over a couple of hours, sometimes originating from the same sender (in which
case I blacklist) but more often differing senders/IP's. Historically I add
a rule to pick up on the obvious characteristics - Subj, attachment name etc
and because they are pretty short-lived campaigns it's generally sufficient.
 
What I'd like to know is - 

a) Did any of you see similar? 
b) Do you have any suggestions in order to detect this kind of stuff more
efficiently and on a more generic basis but without introducing FP risk?
 
Thanks in advance 
ata 



--
View this message in context: 
http://spamassassin.1065346.n5.nabble.com/Recent-spate-of-Malicious-VB-attachments-II-tp114621.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


Re: duplicate rules? (AXB_HELO_HOME_UN,HELO_LH_HOME)

2015-02-18 Thread RW
On Wed, 18 Feb 2015 22:27:56 +0100
Reindl Harald wrote:

> is it expected that both fire?
> i don't know the message but noticed it in the logs
>
> AXB_HELO_HOME_UN,HELO_LH_HOME

They'd be nearly identical if they both ran on X-Spam-Relays-External.
The use of X-Spam-Relays-Untrusted seems to be a mistake.

header AXB_HELO_HOME_UN  X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\w+\.(lan|home) /i

header HELO_LH_HOME  X-Spam-Relays-External =~ /^[^\]]+ helo=\S+\.(?:home|lan) /i