Macro virus fun

2016-04-05 Thread Alex
Hi all,

These targeted macro viruses are killing us. I hoped someone would
like to take a shot at suggestions on how to stop these.

http://pastebin.com/FTzbQcHb

The Heuristics.OLE2.ContainsMacros rule is added by amavisd+clamav,
but it's apparently not something that spamassassin can manipulate
once it's been added. In other words, it can't be used in a meta or to
make spam/ham decisions, only add to the existing score.

Is there a spamassassin rule that identifies attachments with macros in them?

What strategy are other people using to block zero-day macro viruses?

You'll notice the attachment still isn't being detected by clamav
proper (no surprise, really), and was only just now submitted to Steve
at sanesecurity.

It appears some companies are quarantining any files with macros in
them for some period of time until they can be deconstructed and
analyzed (sandbox, etc). Are any SA users doing that?

I'm sure I could build a body rule, but that's kind of playing
whack-a-mole. I wondered what more general solutions people had that
might detect/block these. Body rules are also welcomed, of course.

Thanks,
Alex
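One way to answer the "is there a rule that identifies attachments with macros" question structurally rather than by signature, as an added example that is not part of the thread and not SpamAssassin or ClamAV code: modern Office formats (docx/xlsx/pptx) are zip containers, and the macro-enabled variants (docm/xlsm/pptm) carry a `vbaProject.bin` part, so its presence is a reliable "VBA is embedded" indicator regardless of the file extension or declared Content-Type. Legacy OLE2 files (doc/xls/ppt) start with a fixed 8-byte magic; this example only flags those for deeper inspection, since deciding whether an OLE2 file contains macros needs a compound-file parser (which is what the ClamAV heuristic does). The sample message and its three attachments are constructed inline.

```python
"""Flag e-mail attachments that are macro-capable Office documents.

Added example, not code from the mailing-list thread. The result could feed
a milter, an amavisd custom hook, or a SpamAssassin plugin; here it is plain
Python over a constructed RFC 822 message.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Compound File Binary (OLE2) header signature used by legacy doc/xls/ppt.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_attachment(data: bytes) -> str:
    """Return a coarse verdict for one attachment body."""
    if data.startswith(OLE2_MAGIC):
        # Legacy binary Office file: may or may not carry VBA; needs OLE parsing.
        return "ole2-legacy"
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "other"
        # Any vbaProject.bin part (word/, xl/, ppt/ ...) means embedded VBA.
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "ooxml-macro"
        if any(n.startswith(("word/", "xl/", "ppt/")) for n in names):
            return "ooxml-clean"
        return "zip"
    return "other"


def scan_message(raw: bytes) -> list:
    """Parse a raw message and classify every attachment part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        findings.append((part.get_filename() or "<unnamed>",
                         classify_attachment(payload)))
    return findings


def make_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container (not a real Word document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder VBA blob
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed sample mail with a macro docm, a clean docx and a legacy .doc."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(make_ooxml(True), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="invoice.docm")
    msg.add_attachment(make_ooxml(False), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="notes.docx")
    # Only the OLE2 header is constructed here; the rest is padding.
    msg.add_attachment(OLE2_MAGIC + b"\x00" * 504, maintype="application",
                       subtype="msword", filename="old.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample_message()):
        print(f"{name}: {verdict}")
```

The verdicts are independent of the attachment's extension and MIME type, which is the point: a renamed `.docm` still contains `vbaProject.bin`. A quarantine policy like the one Alex describes could hold `ooxml-macro` outright and send `ole2-legacy` for sandbox analysis.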


Re: PDF spam

2016-04-05 Thread Olivier Nicole
Alex,

>> What is the name of the plugin you're referring to? It's not PDFInfo, 
>> correct?

It's called Pdf.pm (note the unusual capitalization) or PDFassassin and
starts with something saying:

# PDF scan, inspired by Ocr.pm 
# For more details see
# http://blog.atmail.com/?p=61

I cannot remember if I modified it at all. It uses xpdf to extract the
text from a PDF (or the sude tool called pdftotext, nice thing with xpdf
is that you can modify it to ignore the do not print flag).

On the very example, the text that would be injected to SA for further
analysis is:

This document Is password Protected
Click HERE to unlock and access file

best regards,

Olivier
-- 


Re: DMARC auto-away rejects

2016-04-05 Thread A. Schulze


Alan Hodgson:

> I really believe that's incorrect. Relaxed alignment specifically
> means you can sign with a subdomain's key or use a subdomain for SPF.
>
> Read sections 3.1.2 and 10.4 of that same document, for instance.


Hm. https://tools.ietf.org/html/rfc7489#section-10.4 reads like you're
not wrong.

I'll ask some dmarc professionals for clarification ...

Andreas
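The point under discussion, as an added example that is not part of the thread: under RFC 7489 identifier alignment (section 3.1), strict mode requires the DKIM `d=` domain or the SPF-authenticated domain to equal the RFC5322.From domain exactly, while relaxed mode (the default) only requires both to share an Organizational Domain, which is what lets a subdomain's DKIM key or a subdomain's SPF record satisfy DMARC. The Organizational Domain lookup below is simplified to "last two labels" as a stated assumption; a real implementation consults the Public Suffix List as the RFC describes. Function names and the input shapes are this example's own.

```python
"""DMARC identifier alignment check, strict ("s") vs relaxed ("r").

Added example, not code from the thread. organizational_domain() is a
simplification (assumption): it takes the last two labels instead of
consulting the Public Suffix List.
"""


def organizational_domain(domain: str) -> str:
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def aligned(from_domain: str, authenticated_domain: str, mode: str) -> bool:
    """True if authenticated_domain aligns with the RFC5322.From domain."""
    f = from_domain.lower().rstrip(".")
    a = authenticated_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    if mode == "r":
        return organizational_domain(f) == organizational_domain(a)
    raise ValueError("alignment mode must be 's' or 'r'")


def parse_dmarc_record(txt: str) -> dict:
    """Parse the tag=value list of a _dmarc TXT record into a dict."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def dmarc_pass(from_domain: str, dkim_results: list, spf_result: tuple,
               record: dict) -> bool:
    """DMARC passes if an aligned DKIM signature verified or aligned SPF passed.

    dkim_results: list of (d= domain, verified) tuples
    spf_result:   (SPF-authenticated domain, passed)
    record:       parsed _dmarc record; adkim/aspf default to relaxed
    """
    adkim = record.get("adkim", "r")
    aspf = record.get("aspf", "r")
    dkim_ok = any(ok and aligned(from_domain, d, adkim)
                  for d, ok in dkim_results)
    spf_domain, spf_ok = spf_result
    return dkim_ok or (spf_ok and aligned(from_domain, spf_domain, aspf))


if __name__ == "__main__":
    # Constructed scenario: From: example.com, signed with a mail.example.com key.
    relaxed = parse_dmarc_record("v=DMARC1; p=reject")
    strict = parse_dmarc_record("v=DMARC1; p=reject; adkim=s; aspf=s")
    signed_by_subdomain = [("mail.example.com", True)]
    spf_none = ("bounce.other.example", False)
    print("relaxed:", dmarc_pass("example.com", signed_by_subdomain, spf_none, relaxed))
    print("strict: ", dmarc_pass("example.com", signed_by_subdomain, spf_none, strict))
```

With the default relaxed alignment the subdomain-signed message passes; the same message fails once the record sets `adkim=s`, which is the distinction the two replies above are debating.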