Re: Whitelisting and Expedia/Orbitz

2016-05-20 Thread Nick Edwards
clueless newbie troll
Microsoft's own attempt at SPF did allow checking in "from"


On Sat, May 21, 2016 at 2:50 AM, Reindl Harald 
wrote:

>
>
> On 20.05.2016 at 19:25, Vincent Fox wrote:
>
>> SPF is only about envelopes?
>>
>
> yes
>
> Unless you are Microsoft, who check against the From in the header.
>>
>
> nonsense
>
> you likely confuse DMARC with SPF
>
>
> 
>> From: Reindl Harald 
>> Sent: Friday, May 20, 2016 10:23:45 AM
>> To: users@spamassassin.apache.org
>> Subject: Re: Whitelisting and Expedia/Orbitz
>>
>> On 20.05.2016 at 19:03, Alex wrote:
>>
>>> Is it necessary to use the Envelope-From address when whitelisting
>>> with whitelist_from_spf? The docs are unclear as to whether I can just
>>> use the regular From address, which would be easier for me
>>>
>>
>> SPF is by definition only about envelopes
>> however, just use whitelist_auth -> RTFM
>>
>
>


Re: SA cannot block messages with attached zip

2016-05-20 Thread Dianne Skoll
On Fri, 20 May 2016 17:47:09 -0500 (CDT)
David B Funk  wrote:

> > We do it the hard way.  We list the contents of attached archives
> > (using "lsar") and have filename-extension rules that block .js
> > inside .zip files.  While this can lead to some FPs, which we handle
> > with selective whitelisting, it's very effective at catching the
> > latest crop of cryptolocker-style attacks.

> But isn't this exactly what the "foxhole_all.cdb"
> signatures do? (or am I missing something?).

Yes, mostly.  The advantage of lsar is that it can look inside all kinds
of weird archive formats (zip, zoo, rar, tar, tar.gz, etc.)  While most
malware uses zip, we've seen the occasional one using a different
container file format.

Regards,

Dianne.


Re: Whitelisting and Expedia/Orbitz

2016-05-20 Thread Reindl Harald



On 20.05.2016 at 19:25, Vincent Fox wrote:

SPF is only about envelopes?


yes


Unless you are Microsoft, who check against the From in the header.


nonsense

you likely confuse DMARC with SPF



From: Reindl Harald 
Sent: Friday, May 20, 2016 10:23:45 AM
To: users@spamassassin.apache.org
Subject: Re: Whitelisting and Expedia/Orbitz

On 20.05.2016 at 19:03, Alex wrote:

Is it necessary to use the Envelope-From address when whitelisting
with whitelist_from_spf? The docs are unclear as to whether I can just
use the regular From address, which would be easier for me


SPF is by definition only about envelopes
however, just use whitelist_auth -> RTFM






Re: Whitelisting and Expedia/Orbitz

2016-05-20 Thread Benny Pedersen

On 2016-05-20 19:03, Alex wrote:


Is it necessary to use the Envelope-From address when whitelisting
with whitelist_from_spf? The docs are unclear as to whether I can just
use the regular From address, which would be easier for me.


use opendkim for this test, and if you have Sender-ID on your own domain 
remove it



Apparently using the regular From address appears to not be
considered, however. Perhaps I should just use DKIM.


yes use dkim


whitelist_from_spf expe...@th.expediamail.com
vs X-Envelope-From:


postfix uses the Return-Path header, did you tell spamassassin that?


<32949091100a5e25d46b116-8cc28206-26f1-487a-839f-8e47b68f9...@mg.expediamail.com>
or *@mg.expediamail.com


irrelevant for dkim and spf


I've added a few rules that score bulk mail higher, but this is one
that needs to go through. My thinking is that I'll score much of the
regular junk higher, then whitelist with SPF the ones that need to go
through (a la David B Funk approach).


this is unrelated to dkim/spf/dmarc


Re: SA cannot block messages with attached zip

2016-05-20 Thread David B Funk

On Fri, 20 May 2016, Dianne Skoll wrote:


On Fri, 20 May 2016 09:31:48 +0300
Emin Akbulut  wrote:


What do you suggest to fight these spams?


ClamAV is basically useless.

We do it the hard way.  We list the contents of attached archives
(using "lsar") and have filename-extension rules that block .js
inside .zip files.  While this can lead to some FPs, which we handle
with selective whitelisting, it's very effective at catching the
latest crop of cryptolocker-style attacks.



But isn't this exactly what the "foxhole_all.cdb" 
(http://sanesecurity.com/foxhole-databases/) signatures do?

(or am I missing something?).

I see that they have a "high" risk of FPs but if you are using them as a 
scoring component within SA you should be able to "temper" those results

with other SA rules such as selective use of whitelist_auth.


--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: Whitelisting and Expedia/Orbitz

2016-05-20 Thread Benny Pedersen

Sender-ID is not SPF


On 20 May 2016 19.28.11 Vincent Fox wrote:


SPF is only about envelopes?

Unless you are Microsoft, who check against the From in the header.


From: Reindl Harald 
Sent: Friday, May 20, 2016 10:23:45 AM
To: users@spamassassin.apache.org
Subject: Re: Whitelisting and Expedia/Orbitz

On 20.05.2016 at 19:03, Alex wrote:

Is it necessary to use the Envelope-From address when whitelisting
with whitelist_from_spf? The docs are unclear as to whether I can just
use the regular From address, which would be easier for me


SPF is by definition only about envelopes
however, just use whitelist_auth -> RTFM


Re: Whitelisting and Expedia/Orbitz

2016-05-20 Thread Vincent Fox
SPF is only about envelopes?

Unless you are Microsoft, who check against the From in the header.


From: Reindl Harald 
Sent: Friday, May 20, 2016 10:23:45 AM
To: users@spamassassin.apache.org
Subject: Re: Whitelisting and Expedia/Orbitz

On 20.05.2016 at 19:03, Alex wrote:
> Is it necessary to use the Envelope-From address when whitelisting
> with whitelist_from_spf? The docs are unclear as to whether I can just
> use the regular From address, which would be easier for me

SPF is by definition only about envelopes
however, just use whitelist_auth -> RTFM



Re: Whitelisting and Expedia/Orbitz

2016-05-20 Thread Reindl Harald



On 20.05.2016 at 19:03, Alex wrote:

Is it necessary to use the Envelope-From address when whitelisting
with whitelist_from_spf? The docs are unclear as to whether I can just
use the regular From address, which would be easier for me


SPF is by definition only about envelopes
however, just use whitelist_auth -> RTFM





Whitelisting and Expedia/Orbitz

2016-05-20 Thread Alex
Hi,

Is it necessary to use the Envelope-From address when whitelisting
with whitelist_from_spf? The docs are unclear as to whether I can just
use the regular From address, which would be easier for me.

Apparently using the regular From address appears to not be
considered, however. Perhaps I should just use DKIM.

whitelist_from_spf expe...@th.expediamail.com
vs
X-Envelope-From:

<32949091100a5e25d46b116-8cc28206-26f1-487a-839f-8e47b68f9...@mg.expediamail.com>

or *@mg.expediamail.com

I've added a few rules that score bulk mail higher, but this is one
that needs to go through. My thinking is that I'll score much of the
regular junk higher, then whitelist with SPF the ones that need to go
through (a la David B Funk approach).

Thanks,
Alex
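The point the replies in this thread make, shown in code: whitelist_from_spf is compared against the envelope sender (the address SPF authenticates), whitelist_from_dkim against the header From, and whitelist_auth accepts either. The example below is added here and is not from any poster; it performs only the address selection and an SA-style wildcard match, not the SPF or DKIM verification SA runs before honouring an entry. It assumes Postfix has recorded the envelope sender in Return-Path (the header SA's envelope_sender_header setting can point at), with X-Envelope-From as a fallback; the addresses are constructed.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Headers an MTA uses to record the SMTP envelope sender (MAIL FROM).
# Assumption: Postfix writes Return-Path on delivery; X-Envelope-From is what
# some setups add instead, and SA's envelope_sender_header selects one.
ENVELOPE_HEADERS = ("Return-Path", "X-Envelope-From")


def sa_pattern(entry: str) -> re.Pattern:
    """SA whitelist wildcard entry -> anchored, case-insensitive regex.
    '*' matches any run of characters, '?' exactly one (SA's documented
    semantics; the conversion itself is this example's)."""
    rx = re.escape(entry).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(rf"^{rx}$", re.IGNORECASE)


def envelope_sender(msg) -> str:
    """Envelope sender as SA sees it: the first envelope header present."""
    for name in ENVELOPE_HEADERS:
        if msg[name]:
            return parseaddr(str(msg[name]))[1]
    return ""


def header_from(msg) -> str:
    """The RFC 5322 author address, which is what DKIM/DMARC align on."""
    return parseaddr(str(msg["From"] or ""))[1]


def whitelist_address(directive: str, msg) -> str:
    """Address each directive compares. whitelist_from_spf needs an SPF pass
    for the envelope sender; whitelist_from_dkim a valid signature covering
    the header From; whitelist_auth is either one."""
    if directive == "whitelist_from_spf":
        return envelope_sender(msg)
    if directive == "whitelist_from_dkim":
        return header_from(msg)
    raise ValueError(f"unknown directive {directive!r}")


def entry_matches(directive: str, entry: str, raw: str) -> bool:
    """True if `entry` would select this message under `directive`
    (address selection and wildcard match only; no SPF/DKIM lookup here)."""
    msg = message_from_string(raw, policy=policy.default)
    return sa_pattern(entry).match(whitelist_address(directive, msg)) is not None


# Constructed message shaped like the thread's case: a bulk mailer with a
# per-message bounce address on one subdomain and a stable From on another.
SAMPLE = """\
Return-Path: <bounce-0001@mg.example.com>
From: Example Travel <deals@th.example.com>
To: alex@example.org
Subject: Your itinerary
Content-Type: text/plain

constructed body
"""

if __name__ == "__main__":
    for directive, entry in (("whitelist_from_spf", "*@th.example.com"),
                             ("whitelist_from_spf", "*@mg.example.com"),
                             ("whitelist_from_dkim", "*@th.example.com")):
        print(f"{directive} {entry}: {entry_matches(directive, entry, SAMPLE)}")
```

Run against the sample, the From-domain entry only matches under whitelist_from_dkim; the same entry under whitelist_from_spf never fires because the envelope sender lives on the other subdomain, which is exactly the behaviour Alex observed.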


Re: SA cannot block messages with attached zip

2016-05-20 Thread Vincent Fox
+1

Yesterday, 6% of our mail flow was rejected by Foxhole.Zip family.
They are #1 on our list about 50% of the time for weeks now.

I got a commendation last week for prevention work, so rare in email adminning.

Security team would be swimming in overtime if it weren't for
foxhole_js in particular.   We use all 4 of them now.

Foxhole_all hasn't been a FP problem for us either, despite
it being labelled high risk.  We had ONE professor who couldn't
email around some software, told them to use box.com instead
for sharing and problem solved.



From: Rick Macdougall 
Sent: Friday, May 20, 2016 7:50:46 AM
To: users@spamassassin.apache.org
Subject: Re: SA cannot block messages with attached zip

On 2016-05-20 10:36 AM, Paul Stead wrote:
> Second, the foxhole_js database is what you're looking for
>
> Paul
>
> On 20/05/16 13:11, Reindl Harald wrote:
>>
>>
>> Am 20.05.2016 um 13:07 schrieb Dianne Skoll:
>>> On Fri, 20 May 2016 09:31:48 +0300
>>> Emin Akbulut  wrote:
>>>
 What do you suggest to fight these spams?
>>>
>>> ClamAV is basically useless
>>
>> no it is not, look at the sanesecurity foxhole signatures
>> http://sanesecurity.com/usage/signatures/

Thirded,

Statistics since: 19 April 2016 04:02:15

Total Viruses stopped: [ 271764 ]
Total Unique Viruses: [ 2242 ]
Viruses stopped in the last 24 hours: [ 20118 ]

Top 10 Viruses in the last 24 hours

Sanesecurity.Foxhole.Zip_fs223.UNOFFICIAL 7860
Sanesecurity.Junk.52698.UNOFFICIAL 2798
Sanesecurity.Foxhole.Zip_Js_Js.UNOFFICIAL 1925
Sanesecurity.Malware.26201.JsHeur.UNOFFICIAL 1626
Sanesecurity.Jurlbl.Auto.b6c4d3.UNOFFICIAL 649
Sanesecurity.Malware.24631.XlsHeur.UNOFFICIAL 623
Sanesecurity.Jurlbl.Auto.87287f.UNOFFICIAL 414
winnow.spam.ts.xmailer.2.UNOFFICIAL 341
Sanesecurity.Jurlbl.Auto.a33ccf.UNOFFICIAL 283
Sanesecurity.Jurlbl.Auto.aaeaca.UNOFFICIAL 157

Regards,

Rick




Re: SA cannot block messages with attached zip

2016-05-20 Thread Reindl Harald



On 20.05.2016 at 17:29, Chip M. wrote:

P.S.  As of about 1700 UTC yesterday, I'm seeing significant
volume of zipped macro-encrusted "doc" files


/etc/clamd.d/scan.conf:
ScanOLE2 yes
OLE2BlockMacros yes







Re: SA cannot block messages with attached zip

2016-05-20 Thread Chip M.
At 04:07 AM 5/20/2016, RoaringPenguin wrote:
>filename-extension rules that block .js 
>inside .zip files.

+1

We also block these scripting related Windows extensions:
.hta
.jse
.vbs
.wsf
Those were originally "pre-emptive", however I've now seen
both ".hta" and ".jse" in the wild (low volume).

*** Question:
Are there any other Windows (or Mac) scripting file extensions?


As an extra layer of defense, We also do content scanning within
all zipped files for terms including (among MANY others):
activexobject
base64_decode
createobject
eval
fromcharcode
savetofile
shell
unescape
wscript
All hits are weighted, and some can be skip-listed.
 
Plus I recently wrote some "secret sauce" Code that looks for
javascript obfuscations. :)


We've had a very low FP rate on the above, and haven't had any
noticeable user pushback.  There have been enough high profile
infections (at least two hospitals), that most endusers have
been grateful and understanding.


>Doing it properly requires a non-trivial amount of coding.

Yes, however it's VERY satisfying Coding. :)
- "Chip"

P.S.  As of about 1700 UTC yesterday, I'm seeing significant
volume of zipped macro-encrusted "doc" files.




re: exploitable LinkedIn forwarder/whatever

2016-05-20 Thread Chip M.
Thanks Andreas! :)

Wednesday am, after re-checking that the specific spam URL was
still forwarding to the spam payload destination, I emailed that
role account... and to my (VERY pleasant) shock, received an
auto-reply which did NOT direct me to an unusable web form
(i.e. the Google model of preventing reports).

Three hours later, I re-checked the original URL, and it no
longer was forwarding. :)

I don't know if they did anything to the actual forwarder, but
at least I know it's NOT a waste of time to send reports. :)

I will definitely submit directly, in future.


And now, the bad news:
1. The original destination was just the first hop in a
forwarding chain, with a total of six (6) hops. :(
That should have been trivially easy to detect, automatically.
The first Location feels rather brazen (i.e. an obvious redirect).
My gut feeling is that the spammer may have been testing
LinkedIn's defenses.

2. The original spam was submitted to SpamCop, which
printed (in red):
"ISP does not wish to receive reports regarding http://www.linkedin.com/slink - 
no date available"

As a precaution, I'm now outright killing "linkedin.com/slink".

I'm particularly annoyed at this forwarder, because LI has a
Shortener service.  If the spammer had been restricted to
using a Shortener, my system would have caught it easily
(technically that spam was blocked, but just barely).

*** Question:
Are there any good public lists of, um, "weakly defended"
forwarders/redirectors?

One of the reasons I posted that spample, is that it is an
excellent example of a terse spam exploiting only well known
services.  This pattern recurs regularly, though always at
low volumes.

We educate our users to be cautious with unknown URLs, but I
wouldn't blame any non-techie who succumbed to the double-whammy
of a URL with a very familiar domain sent from the cracked account
of a bona fide friend. :(
- "Chip"
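Chip's six-hop forwarding chain, detected the way he says it should have been, as an added example (not LinkedIn's or SpamCop's code): the walker follows one Location header at a time with a hop cap and a loop check, and the scorer flags chains that are long, that leave the familiar origin on the first hop, or that touch many hosts. The fetcher is injected, so the chain below is a constructed map of URL to (status, Location) and no real site is contacted; the thresholds are this example's.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)
MAX_HOPS = 10   # assumed hard stop; give up rather than chase a long chain


def follow_chain(url: str, fetch, max_hops: int = MAX_HOPS) -> list:
    """URLs visited, starting with `url`, following Location headers from
    `fetch(url) -> (status, location)` until a non-redirect, a loop or max_hops."""
    hops = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            break
        url = urljoin(url, location)      # Location may be relative
        hops.append(url)
        if url in seen:                   # loop: record it and stop
            break
        seen.add(url)
    return hops


def chain_risk(hops: list, max_ok_redirects: int = 2) -> dict:
    """Flag long chains, a first hop that already leaves the trusted origin,
    and chains that touch many hosts; thresholds are this example's."""
    hosts = [urlsplit(h).hostname or "" for h in hops]
    redirects = len(hops) - 1
    leaves_first = redirects >= 1 and hosts[1] != hosts[0]
    score = ((2 if redirects > max_ok_redirects else 0)
             + (1 if leaves_first else 0)
             + (1 if len(set(hosts)) > 3 else 0))
    return {"redirects": redirects, "distinct_hosts": len(set(hosts)),
            "first_hop_leaves_origin": leaves_first, "score": score,
            "verdict": "block" if score >= 2 else "pass"}


# Constructed chain: a forwarder on a familiar domain bouncing through six
# hops to the payload. None of these hosts are real endpoints.
CONSTRUCTED = {
    "https://www.social.example/slink?code=abc": (302, "http://r1.redir.example/go?u=1"),
    "http://r1.redir.example/go?u=1": (302, "http://r2.redir.example/go?u=2"),
    "http://r2.redir.example/go?u=2": (302, "/final?u=3"),
    "http://r2.redir.example/final?u=3": (302, "http://r3.redir.example/"),
    "http://r3.redir.example/": (302, "http://tracker.example.net/c?id=9"),
    "http://tracker.example.net/c?id=9": (302, "http://payload.example.biz/offer"),
    "http://payload.example.biz/offer": (200, None),
    # a shortener that resolves in one hop, for contrast
    "https://short.example/abc": (301, "https://www.social.example/in/someone"),
    "https://www.social.example/in/someone": (200, None),
}


def fake_fetch(url: str):
    """Stand-in for a real HEAD request; see the note below for the live form."""
    return CONSTRUCTED.get(url, (404, None))


if __name__ == "__main__":
    chain = follow_chain("https://www.social.example/slink?code=abc", fake_fetch)
    print(len(chain) - 1, "redirects ->", chain[-1], chain_risk(chain)["verdict"])
```

For a live check, a fetcher of the form `lambda u: (r := requests.head(u, allow_redirects=False, timeout=5)).status_code and (r.status_code, r.headers.get("Location"))` does the job; run it from an isolated host, since it resolves and connects to attacker-chosen names, and expect some redirectors to answer HEAD differently from GET.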




Re: SA cannot block messages with attached zip

2016-05-20 Thread Reindl Harald



On 20.05.2016 at 17:11, Rick Macdougall wrote:

On 2016-05-20 11:00 AM, Reindl Harald wrote:


On 20.05.2016 at 16:50, Rick Macdougall wrote:

On 2016-05-20 10:36 AM, Paul Stead wrote:

Second, the foxhole_js database is what you're looking for

Paul

On 20/05/16 13:11, Reindl Harald wrote:



On 20.05.2016 at 13:07, Dianne Skoll wrote:

On Fri, 20 May 2016 09:31:48 +0300
Emin Akbulut  wrote:


What do you suggest to fight these spams?


ClamAV is basically useless


no it is not, look at the sanesecurity foxhole signatures
http://sanesecurity.com/usage/signatures/


Thirded,

Statistics since: 19 April 2016 04:02:15

Total Viruses stopped: [ 271764 ]
Total Unique Viruses: [ 2242 ]
Viruses stopped in the last 24 hours: [ 20118 ]


how and why do you get that much crap to that stage on the inbound server?

2 days ago we had a peak of 45 junk attempts which is 10 times
higher than on normal days and nothing measurable made it to smtpd, not
talking about contentfilters at all

hence the virtual machine running the inbound MX still on 100-250 MHz



Inbound servers, 6 of them.  We are an ISP with 10s of thousands
accounts, plus content filtering for many other commercial domains


well, the domain in the last flood had 12 accounts

the point is that valid accounts, even freemail, can't spread that amount 
of spam and all the bots are listed on enough blacklists to make a 
foolproof score-based reject while most of them anyway don't survive 
pregreet-tests and the rest just hang up after 10-11 seconds and don't 
survive "postscreen_greet_wait = ${stress?2}${stress:12}s" which means 
a client ip has to wait once a week here 12 seconds to make it to smtpd


that all plays far far away from content-scanning and between that and 
the content-scanners are conditional greylistings, honeypot-backup-mx 
always responding with 450 and helo/ptr-checks combined with a spf-policyd


then comes spamassassin rejecting the surviving pieces, mostly whether they 
contain malware or not, and at the very end of the chain comes 
clamav-milter facing mostly ham and very few real remaining junk/malware








Re: SA cannot block messages with attached zip

2016-05-20 Thread Rick Macdougall

On 2016-05-20 11:00 AM, Reindl Harald wrote:



On 20.05.2016 at 16:50, Rick Macdougall wrote:

On 2016-05-20 10:36 AM, Paul Stead wrote:

Second, the foxhole_js database is what you're looking for

Paul

On 20/05/16 13:11, Reindl Harald wrote:



On 20.05.2016 at 13:07, Dianne Skoll wrote:

On Fri, 20 May 2016 09:31:48 +0300
Emin Akbulut  wrote:


What do you suggest to fight these spams?


ClamAV is basically useless


no it is not, look at the sanesecurity foxhole signatures
http://sanesecurity.com/usage/signatures/


Thirded,

Statistics since: 19 April 2016 04:02:15

Total Viruses stopped: [ 271764 ]
Total Unique Viruses: [ 2242 ]
Viruses stopped in the last 24 hours: [ 20118 ]


how and why do you get that much crap to that stage on the inbound server?

2 days ago we had a peak of 45 junk attempts which is 10 times
higher than on normal days and nothing measurable made it to smtpd, not
talking about contentfilters at all

hence the virtual machine running the inbound MX still on 100-250 MHz



Hi,

Inbound servers, 6 of them.  We are an ISP with 10s of thousands 
accounts, plus content filtering for many other commercial domains.


Regards,

Rick





Re: SA cannot block messages with attached zip

2016-05-20 Thread Dianne Skoll
On Fri, 20 May 2016 15:00:55 +
David Jones  wrote:

> >From: Dianne Skoll 
> >ClamAV is basically useless.
> ClamAV helps a little with the unofficial signatures.

The operative word here is "a little".

I find that the unofficial signatures that are good at actually catching
bad stuff have extremely high FP rates, while the less-aggressive unofficial
signatures don't catch that much.

> The best thing to do is block as much as you can at the MTA
> level with Postscreen and RBL weights like Reindl posted,
> greylisting,  SMTP helo checks, etc.

That's a fine solution for spam, but not for malware that can end up
costing you or your customer huge amounts of money.  You absolutely
must use a content-scanning technique to block the malware, though of
course the comparatively-cheap up-front tests can reduce the flow
substantially.

Regards,

Dianne.


Re: SA cannot block messages with attached zip

2016-05-20 Thread David Jones
>From: Dianne Skoll 
>Sent: Friday, May 20, 2016 6:07 AM
>To: users@spamassassin.apache.org
>Subject: Re: SA cannot block messages with attached zip

>On Fri, 20 May 2016 09:31:48 +0300
>Emin Akbulut  wrote:

>> What do you suggest to fight these spams?

>ClamAV is basically useless.

ClamAV helps a little with the unofficial signatures.
http://sanesecurity.com/usage/signatures/

>We do it the hard way.  We list the contents of attached archives
>(using "lsar") and have filename-extension rules that block .js
>inside .zip files.  While this can lead to some FPs, which we handle
>with selective whitelisting, it's very effective at catching the
>latest crop of cryptolocker-style attacks.

>Sorry for the non-easy answer.  Doing it properly requires a non-trivial
>amount of coding.

MailScanner can do this.  https://efa-project.org/

The best thing to do is block as much as you can at the MTA
level with Postscreen and RBL weights like Reindl posted,
greylisting,  SMTP helo checks, etc.

http://multirbl.valli.org/lookup/213.252.170.66.html

The invaluement RBL subscription is not that expensive
and will pay for itself pretty quickly.  This and Spamhaus
together block a lot of bad stuff at the MTA level long
before SA has to see it and I have never had to deal
with a false positive on these in years.





Re: SA cannot block messages with attached zip

2016-05-20 Thread Reindl Harald



On 20.05.2016 at 16:50, Rick Macdougall wrote:

On 2016-05-20 10:36 AM, Paul Stead wrote:

Second, the foxhole_js database is what you're looking for

Paul

On 20/05/16 13:11, Reindl Harald wrote:



On 20.05.2016 at 13:07, Dianne Skoll wrote:

On Fri, 20 May 2016 09:31:48 +0300
Emin Akbulut  wrote:


What do you suggest to fight these spams?


ClamAV is basically useless


no it is not, look at the sanesecurity foxhole signatures
http://sanesecurity.com/usage/signatures/


Thirded,

Statistics since: 19 April 2016 04:02:15

Total Viruses stopped: [ 271764 ]
Total Unique Viruses: [ 2242 ]
Viruses stopped in the last 24 hours: [ 20118 ]


how and why do you get that much crap to that stage on the inbound server?

2 days ago we had a peak of 45 junk attempts which is 10 times 
higher than on normal days and nothing measurable made it to smtpd, not 
talking about contentfilters at all


hence the virtual machine running the inbound MX still on 100-250 MHz





Re: SA cannot block messages with attached zip

2016-05-20 Thread Rick Macdougall

On 2016-05-20 10:36 AM, Paul Stead wrote:

Second, the foxhole_js database is what you're looking for

Paul

On 20/05/16 13:11, Reindl Harald wrote:



On 20.05.2016 at 13:07, Dianne Skoll wrote:

On Fri, 20 May 2016 09:31:48 +0300
Emin Akbulut  wrote:


What do you suggest to fight these spams?


ClamAV is basically useless


no it is not, look at the sanesecurity foxhole signatures
http://sanesecurity.com/usage/signatures/


Thirded,

Statistics since: 19 April 2016 04:02:15

Total Viruses stopped: [ 271764 ]
Total Unique Viruses: [ 2242 ]
Viruses stopped in the last 24 hours: [ 20118 ]

Top 10 Viruses in the last 24 hours

Sanesecurity.Foxhole.Zip_fs223.UNOFFICIAL 7860
Sanesecurity.Junk.52698.UNOFFICIAL 2798
Sanesecurity.Foxhole.Zip_Js_Js.UNOFFICIAL 1925
Sanesecurity.Malware.26201.JsHeur.UNOFFICIAL 1626
Sanesecurity.Jurlbl.Auto.b6c4d3.UNOFFICIAL 649
Sanesecurity.Malware.24631.XlsHeur.UNOFFICIAL 623
Sanesecurity.Jurlbl.Auto.87287f.UNOFFICIAL 414
winnow.spam.ts.xmailer.2.UNOFFICIAL 341
Sanesecurity.Jurlbl.Auto.a33ccf.UNOFFICIAL 283
Sanesecurity.Jurlbl.Auto.aaeaca.UNOFFICIAL 157

Regards,

Rick




Re: SA cannot block messages with attached zip

2016-05-20 Thread Paul Stead

Second, the foxhole_js database is what you're looking for

Paul

On 20/05/16 13:11, Reindl Harald wrote:



On 20.05.2016 at 13:07, Dianne Skoll wrote:

On Fri, 20 May 2016 09:31:48 +0300
Emin Akbulut  wrote:


What do you suggest to fight these spams?


ClamAV is basically useless


no it is not, look at the sanesecurity foxhole signatures
http://sanesecurity.com/usage/signatures/





--
Paul Stead
Systems Engineer
Zen Internet


Re: SA cannot block messages with attached zip

2016-05-20 Thread Reindl Harald



On 20.05.2016 at 16:20, Kris Deugau wrote:

Emin Akbulut wrote:

I tried to train SA with tons of spam messages which contain a zip file
(including .js).
The max spam score was less than 5 so I set 4 to delete messages.

Then the same kind of spam messages appear with a score of less than 2.

In short; training SA seems not helpful.

What do you suggest to fight these spams?


I've had some luck doing that, but it takes a while


make 10 copies of such a message and change date/message-id header

in fact we have a "spamfilter-retrain /path/to/sample.eml" which creates 
5 copies per call in the corpus folder, and when something I train doesn't 
get BAYES_99 it's called repeatedly until it hits BAYES_99 (except rare 
cases which you need to ignore and can't train that way)


why should I wait until I get the same crap 10 times from outside?
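The retraining trick Reindl describes, as an added example (not his spamfilter-retrain script): several copies of one sample, each with a fresh Message-ID and Date. Both headers change because sa-learn's seen-store is keyed on the Message-ID and also on an id derived from other headers, Date among them, so an unchanged copy is skipped as already learned. The corpus path, copy count and the sample message are this example's choices.

```python
import hashlib
import os
from datetime import datetime, timedelta, timezone
from email import message_from_bytes, policy
from email.utils import format_datetime, make_msgid


def retrain_copies(raw: bytes, copies: int = 5, domain: str = "retrain.invalid") -> list:
    """Return `copies` variants of raw that differ only in Message-ID and Date.
    Both change: SA's learner keys its seen-store on Message-ID and also on an
    id derived from other headers, Date among them."""
    out = []
    now = datetime.now(timezone.utc)
    for i in range(copies):
        msg = message_from_bytes(raw, policy=policy.default)
        del msg["Message-ID"]
        msg["Message-ID"] = make_msgid(domain=domain)   # fresh, unique id each time
        del msg["Date"]
        msg["Date"] = format_datetime(now - timedelta(minutes=i))
        out.append(msg.as_bytes())
    return out


def write_corpus(raw: bytes, corpus_dir: str, copies: int = 5) -> list:
    """Write the copies into corpus_dir; then run: sa-learn --spam <corpus_dir>"""
    os.makedirs(corpus_dir, exist_ok=True)
    paths = []
    for data in retrain_copies(raw, copies):
        path = os.path.join(corpus_dir, hashlib.sha1(data).hexdigest() + ".eml")
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


def message_ids(variants) -> list:
    """Message-ID of each variant, to confirm they really differ."""
    return [str(message_from_bytes(v, policy=policy.default)["Message-ID"]) for v in variants]


def same_content(original: bytes, variant: bytes) -> bool:
    """Everything except Message-ID and Date must survive untouched."""
    a = message_from_bytes(original, policy=policy.default)
    b = message_from_bytes(variant, policy=policy.default)
    return (a.get_body().get_content() == b.get_body().get_content()
            and a["Subject"] == b["Subject"] and a["From"] == b["From"])


# Constructed sample in the shape of the invoice spam quoted in this thread.
SAMPLE = b"""\
From: billing@example.net
To: user@example.org
Subject: Invoice 316855
Date: Fri, 20 May 2016 08:31:00 +0300
Message-ID: <original@example.net>
Content-Type: text/plain; charset=us-ascii

Please find enclosed invoice no. 316855
"""

if __name__ == "__main__":
    for path in write_corpus(SAMPLE, "/tmp/sa-retrain-corpus"):
        print(path)
```

After sa-learn has eaten the directory, re-score the original sample with spamassassin -t and repeat until it reports BAYES_99; as Reindl notes, a few samples never get there and are not worth forcing.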





Re: SA cannot block messages with attached zip

2016-05-20 Thread Kris Deugau
Emin Akbulut wrote:
> I tried to train SA with tons of spam messages which contain a zip file
> (including .js).
> The max spam score was less than 5 so I set 4 to delete messages.
> 
> Then the same kind of spam messages appear with a score of less than 2.
> 
> In short; training SA seems not helpful.
> 
> What do you suggest to fight these spams?

I've had some luck doing that, but it takes a while.

I've also added some rules that should match on most of these messages:

mimeheader __ZIP_ATTACH_1 Content-Type =~ m{application/(?:x-)?zip(?:-compressed)?; name="[^"]+\.zip"}
mimeheader __ZIP_ATTACH_2 content-type =~ m{application/(?:x-)?zip(?:-compressed)?; name="[^"]+\.zip"}
meta       ZIP_ATTACH     __ZIP_ATTACH_1 || __ZIP_ATTACH_2
describe   ZIP_ATTACH     Has .zip attachment
score      ZIP_ATTACH     0.001

(Note the different case for "Content-Type";  I found both were needed.)

-kgd


Re: SA cannot block messages with attached zip

2016-05-20 Thread Rejaine Monteiro
I hitched a ride in this thread and I appreciate the tip of the foxhole 
and clamav!

I was also having problems here! solved now.

On 20-05-2016 09:11, Reindl Harald wrote:



On 20.05.2016 at 13:07, Dianne Skoll wrote:

On Fri, 20 May 2016 09:31:48 +0300
Emin Akbulut  wrote:


What do you suggest to fight these spams?


ClamAV is basically useless


no it is not, look at the sanesecurity foxhole signatures
http://sanesecurity.com/usage/signatures/





--
Rejaine da Silveira Monteiro
Suporte-TI
Tel: (31) 2102-8854
reja...@bhz.jamef.com.br
www.jamef.com.br



Re: SA cannot block messages with attached zip

2016-05-20 Thread Reindl Harald



On 20.05.2016 at 13:07, Dianne Skoll wrote:

On Fri, 20 May 2016 09:31:48 +0300
Emin Akbulut  wrote:


What do you suggest to fight these spams?


ClamAV is basically useless


no it is not, look at the sanesecurity foxhole signatures
http://sanesecurity.com/usage/signatures/







Re: SA cannot block messages with attached zip

2016-05-20 Thread Dianne Skoll
On Fri, 20 May 2016 09:31:48 +0300
Emin Akbulut  wrote:

> What do you suggest to fight these spams?

ClamAV is basically useless.

We do it the hard way.  We list the contents of attached archives
(using "lsar") and have filename-extension rules that block .js
inside .zip files.  While this can lead to some FPs, which we handle
with selective whitelisting, it's very effective at catching the
latest crop of cryptolocker-style attacks.

Sorry for the non-easy answer.  Doing it properly requires a non-trivial
amount of coding.

Regards,

Dianne.
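Dianne's archive-listing approach and Chip M.'s extension and token lists from earlier in this thread, combined as an added example (not the code of either poster): Python's zipfile stands in for lsar, member names are read without extracting anything to disk, script members are read only up to a size cap, and an unparseable or oversized archive is treated as hostile rather than skipped. The token weights, threshold and sample messages are this example's own.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions blocked in the thread: .js (Dianne) plus the list Chip M. posted.
SCRIPT_EXTENSIONS = (".js", ".jse", ".hta", ".vbs", ".wsf")
# Tokens from Chip M.'s content scan; the weights are this example's guess.
TOKEN_WEIGHTS = {
    "activexobject": 3, "wscript": 3, "savetofile": 3, "createobject": 2,
    "shell": 2, "fromcharcode": 2, "eval": 1, "unescape": 1, "base64_decode": 1,
}
BLOCK_THRESHOLD = 3            # assumed: one script member alone is enough
MAX_MEMBERS = 200              # refuse to enumerate absurdly large archives
MAX_SCAN_BYTES = 256 * 1024    # cap on how much of each script member is read


def inspect_zip(data: bytes) -> dict:
    """List members, flag script extensions and token hits; never extract to disk."""
    res = {"members": [], "scripts": [], "tokens": {}, "score": 0, "error": None}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        res["error"], res["score"] = f"bad zip: {exc}", BLOCK_THRESHOLD  # unparseable: hostile
        return res
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_MEMBERS:
            res["error"], res["score"] = f"{len(infos)} members, not enumerated", BLOCK_THRESHOLD
            return res
        for zi in infos:
            name = zi.filename
            res["members"].append(name)
            # lower-case so INVOICE.JS and double extensions (x.pdf.js) still match
            if zi.is_dir() or not name.lower().endswith(SCRIPT_EXTENSIONS):
                continue
            res["scripts"].append(name)
            res["score"] += BLOCK_THRESHOLD
            if zi.flag_bits & 0x1:          # encrypted member: name visible, body not
                res["tokens"][name] = {"<encrypted>": 1}
                continue
            with zf.open(zi) as fh:          # bounded read defends against zip bombs
                body = fh.read(MAX_SCAN_BYTES).decode("latin-1").lower()
            # plain substring counts, so 'eval' also hits 'retrieval': weight accordingly
            hits = {t: body.count(t) for t in TOKEN_WEIGHTS if t in body}
            res["tokens"][name] = hits
            res["score"] += sum(TOKEN_WEIGHTS[t] for t in hits)
    return res


def zip_attachments(raw: bytes):
    """Yield (filename, bytes) for zip parts, matched by MIME type or by name,
    since malware is often shipped as application/octet-stream."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = part.get_filename() or ""
        is_zip_type = part.get_content_type() in ("application/zip", "application/x-zip-compressed")
        if is_zip_type or fname.lower().endswith(".zip"):
            yield fname, part.get_payload(decode=True)


def scan_message(raw: bytes) -> dict:
    """Block when the summed attachment score reaches the threshold."""
    findings = {name: inspect_zip(data) for name, data in zip_attachments(raw)}
    score = sum(f["score"] for f in findings.values())
    return {"verdict": "block" if score >= BLOCK_THRESHOLD else "pass",
            "score": score, "attachments": findings}


def build_sample(members: dict) -> bytes:
    """Constructed message with one zip attachment (not the thread's sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "billing@example.net", "user@example.org", "Invoice"
    msg.set_content("Please find enclosed invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return bytes(msg)


MALICIOUS = build_sample({"invoice.js": 'var sh = new ActiveXObject("WScript.Shell"); eval(unescape("%76%61%72"));'})
BENIGN = build_sample({"report.pdf": "%PDF-1.4 constructed placeholder"})

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(label, scan_message(sample))
```

The false positives Dianne mentions come from exactly this logic (a legitimate .vbs or .js inside a zip scores as hostile), which is why a scored result that feeds an SA meta rule, tempered by whitelist_auth for known senders, is preferable to an outright reject at this layer.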


Re: SA cannot block messages with attached zip

2016-05-20 Thread Reindl Harald



On 20.05.2016 at 11:40, @lbutlr wrote:

On May 20, 2016, at 2:46 AM, Reindl Harald  wrote:

postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce


[long list]

What do you set postscreen_dnsbl_threshold to?


8





Re: SA cannot block messages with attached zip

2016-05-20 Thread @lbutlr
On May 20, 2016, at 2:46 AM, Reindl Harald  wrote:
> postscreen_dnsbl_action = enforce
> postscreen_greet_action = enforce

[long list]

What do you set postscreen_dnsbl_threshold to?


-- 
"Give a man a fire and he's warm for a day, but set fire to him and he's
warm for the rest of his life."



Re: SA cannot block messages with attached zip

2016-05-20 Thread Reindl Harald



On 20.05.2016 at 10:32, Reindl Harald wrote:

On 20.05.2016 at 08:31, Emin Akbulut wrote:

I tried to train SA with tons of spam messages which contain a zip file
(including .js).
The max spam score was less than 5 so I set 4 to delete messages.

Then the same kind of spam messages appear with a score of less than 2.

In short; training SA seems not helpful.

What do you suggest to fight these spams?


Raw message:

http://pastebin.com/gPREh54L


just get a proper clamav setup

the real good question is why the hell that message does not get bayes
classified at all here when I pipe your download through spamc/spamd while
other messages are

also a good question is why your headers don't contain a single DNSBL and
if that happens all the time - without blacklists you have no good
chances for proper reject (for the trolls - YES a FULL SETUP rejects)
many junk


well, and another good question is why a mail listed on so many 
blacklists makes it to your content filter at all


get a proper MTA setup (containing a local dns-resolver doing recursion 
and NOT forwarding) and your inbound MX runs with zero load most of the 
time, facing a spam attack the last two days on a domain previously had 
1 valid rcpt triggering 150 rejects per minute and much more not 
passing the 12 seconds pregreet-phase, 100 MHz load on the VM running 
postfix/spamassassin/clamav just because nothing of this crap makes it 
to a smtpd process


postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_dnsbl_sites =
 dnsbl.sorbs.net=127.0.0.10*9
 dnsbl.sorbs.net=127.0.0.14*9
 zen.spamhaus.org=127.0.0.[10;11]*8
 dnsbl.sorbs.net=127.0.0.5*7
 zen.spamhaus.org=127.0.0.[4..7]*7
 b.barracudacentral.org=127.0.0.2*7
 zen.spamhaus.org=127.0.0.3*7
 dnsbl.inps.de=127.0.0.2*7
 dnsbl.sorbs.net=127.0.0.7*4
 hostkarma.junkemailfilter.com=127.0.0.2*4
 bl.spamcop.net=127.0.0.2*4
 bl.spameatingmonkey.net=127.0.0.[2;3]*4
 dnsrbl.swinog.ch=127.0.0.3*4
 ix.dnsbl.manitu.net=127.0.0.2*4
 psbl.surriel.com=127.0.0.2*4
 bl.mailspike.net=127.0.0.[10;11;12]*4
 bl.mailspike.net=127.0.0.2*4
 bl.spamcannibal.org=127.0.0.2*3
 zen.spamhaus.org=127.0.0.2*3
 score.senderscore.com=127.0.4.[0..20]*3
 dnsbl.sorbs.net=127.0.0.6*3
 dnsbl.sorbs.net=127.0.0.8*2
 hostkarma.junkemailfilter.com=127.0.0.4*2
 dnsbl.sorbs.net=127.0.0.9*2
 dnsbl-1.uceprotect.net=127.0.0.2*2
 all.spamrats.com=127.0.0.38*2
 bl.nszones.com=127.0.0.[2;3]*1
 dnsbl-2.uceprotect.net=127.0.0.2*1
 dnsbl.sorbs.net=127.0.0.2*1
 dnsbl.sorbs.net=127.0.0.4*1
 score.senderscore.com=127.0.4.[0..69]*1
 dnsbl.sorbs.net=127.0.0.3*1
 hostkarma.junkemailfilter.com=127.0.1.2*1
 dnsbl.sorbs.net=127.0.0.15*1
 ips.backscatterer.org=127.0.0.2*1
 bl.nszones.com=127.0.0.5*-1
 score.senderscore.com=127.0.4.[90..100]*-1
 wl.mailspike.net=127.0.0.[18;19;20]*-2
 hostkarma.junkemailfilter.com=127.0.0.1*-2
 ips.whitelisted.org=127.0.0.2*-2
 list.dnswl.org=127.0.[0..255].0*-2
 dnswl.inps.de=127.0.[0;1].[2..10]*-2
 list.dnswl.org=127.0.[0..255].1*-3
 list.dnswl.org=127.0.[0..255].2*-4
 list.dnswl.org=127.0.[0..255].3*-5


X-Spam-Status: No, score=1.6 required=4.0 tests=BAYES_50,RDNS_NONE
autolearn=no autolearn_force=no version=3.4.1
_

/var/www/uploadtemp/5633d7b4bafd01d72635e8496c9a781a4efa94d8.eml:
Sanesecurity.Foxhole.Zip_fs223.UNOFFICIAL FOUND
/var/www/uploadtemp/5633d7b4bafd01d72635e8496c9a781a4efa94d8.eml:
Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL FOUND

--- VIRUS-SCAN SUMMARY ---
Infected files: 1
Time: 0.005 sec (0 m 0 s)
Content analysis details:   (37.6 points, 5.5 required)

 pts rule name  description
 --
--
 4.5 CUST_DNSBL_10_SORBS_WEB RBL: dnsbl.sorbs.net (web.dnsbl.sorbs.net)
[213.252.170.66 listed in dnsbl.sorbs.net]
 0.5 CUST_DNSBL_33_SORBS_VIRUS RBL: dnsbl.sorbs.net
(virus.dnsbl.sorbs.net)
 1.5 CUST_DNSBL_20_SORBS_SPAM RBL: dnsbl.sorbs.net (spam.dnsbl.sorbs.net)
 0.1 CUST_DNSBL_34_BACKSCATTER RBL: dnsbl-backscatterer.thelounge.net
(ips.backscatterer.org)
  [213.252.170.66 listed in
dnsbl-backscatterer.thelounge.net]
 3.5 CUST_DNSBL_11_JEF_BLACK RBL: hostkarma.junkemailfilter.com
  [213.252.170.66 listed in
hostkarma.junkemailfilter.com]
 1.0 CUST_DNSBL_24_UCE1 RBL: dnsbl-uce.thelounge.net
(dnsbl-1.uceprotect.net)
[213.252.170.66 listed in
dnsbl-uce.thelounge.net]
 2.5 CUST_DNSBL_16_PSBL RBL: dnsbl-surriel.thelounge.net
(psbl.surriel.com)
[213.252.170.66 listed in
dnsbl-surriel.thelounge.net]
 2.5 CUST_DNSBL_12_SPAMCOP  RBL: bl.spamcop.net
[213.252.170.66 listed in bl.spamcop.net]
 3.0 RCVD_IN_MSPIKE_L5  RBL: Very bad reputation (-5)
[213.252.170.66 listed in 
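How the weight list above is applied, as an added example rather than Postfix's code: the postscreen_dnsbl_sites syntax domain=filter*weight, with octets written as a number, [a;b] or [a..b] exactly as in the list, is parsed and replayed against the A records a DNSBL returned for a client, and the sum is compared with the threshold of 8 Reindl gives elsewhere in this thread. The DNSBL answers are constructed; the rule that one domain contributes only its strongest matching weight is this example's assumption and should be checked against postconf(5) for your Postfix version.

```python
import re
from collections import defaultdict

POSTSCREEN_DNSBL_THRESHOLD = 8   # the value given elsewhere in this thread

# Excerpt of the list posted above, in Postfix's own syntax.
POSTSCREEN_DNSBL_SITES = """
    dnsbl.sorbs.net=127.0.0.10*9
    zen.spamhaus.org=127.0.0.[10;11]*8
    zen.spamhaus.org=127.0.0.[4..7]*7
    zen.spamhaus.org=127.0.0.3*7
    zen.spamhaus.org=127.0.0.2*3
    bl.spamcop.net=127.0.0.2*4
    psbl.surriel.com=127.0.0.2*4
    list.dnswl.org=127.0.[0..255].0*-2
    list.dnswl.org=127.0.[0..255].3*-5
"""

ENTRY_RE = re.compile(r"^([^=*\s]+)(?:=([^*\s]+))?(?:\*(-?\d+))?$")
OCTET_RE = re.compile(r"\[[^\]]*\]|\d+")   # splits '127.0.[0..255].3' safely


def _octet_set(spec: str) -> set:
    """Expand one filter octet: '7', '[4..7]' or '[2;3;10]'."""
    if not spec.startswith("["):
        return {int(spec)}
    values = set()
    for item in spec[1:-1].split(";"):
        if ".." in item:
            lo, hi = item.split("..", 1)
            values.update(range(int(lo), int(hi) + 1))
        else:
            values.add(int(item))
    return values


def parse_sites(text: str) -> list:
    """Parse 'domain=filter*weight' entries. Per postconf(5), a missing filter
    accepts any non-error reply and a missing weight counts as 1."""
    entries = []
    for token in text.split():
        m = ENTRY_RE.match(token)
        if not m:
            raise ValueError(f"bad postscreen_dnsbl_sites entry: {token!r}")
        domain, filt, weight = m.groups()
        octets = [_octet_set(o) for o in OCTET_RE.findall(filt)] if filt else None
        if octets is not None and len(octets) != 4:
            raise ValueError(f"filter must be d.d.d.d: {filt!r}")
        entries.append((domain, octets, int(weight) if weight else 1))
    return entries


def _matches(octets, answer: str) -> bool:
    if octets is None:
        return True
    parts = [int(p) for p in answer.split(".")]
    return len(parts) == 4 and all(p in s for p, s in zip(parts, octets))


def score_client(answers: dict, sites_text: str = POSTSCREEN_DNSBL_SITES):
    """answers: DNSBL domain -> A records returned for the client IP.
    Returns (total, per-domain contribution)."""
    per_domain = defaultdict(int)
    for domain, octets, weight in parse_sites(sites_text):
        for a in answers.get(domain, []):
            # Assumption: a domain contributes at most its strongest matching
            # weight, so zen answering 127.0.0.2 and 127.0.0.4 counts once (7).
            if _matches(octets, a) and abs(weight) > abs(per_domain[domain]):
                per_domain[domain] = weight
    return sum(per_domain.values()), dict(per_domain)


def postscreen_verdict(answers: dict, threshold: int = POSTSCREEN_DNSBL_THRESHOLD) -> str:
    total, _ = score_client(answers)
    return "reject" if total >= threshold else "pass"


# Constructed answers; the first mirrors the lists the thread's scan output
# shows for the sample's sending IP (XBL, SpamCop, PSBL).
BOT_CLIENT = {"zen.spamhaus.org": ["127.0.0.4"], "bl.spamcop.net": ["127.0.0.2"],
              "psbl.surriel.com": ["127.0.0.2"]}
XBL_ONLY = {"zen.spamhaus.org": ["127.0.0.4"]}
DNSWL_CLIENT = {"list.dnswl.org": ["127.0.5.3"]}

if __name__ == "__main__":
    for label, ans in (("bot", BOT_CLIENT), ("xbl-only", XBL_ONLY), ("dnswl", DNSWL_CLIENT)):
        print(label, score_client(ans), postscreen_verdict(ans))
```

The replay makes the design of the list visible: an XBL listing alone scores 7 and stays under the threshold of 8, so a single list never rejects on its own, while two corroborating lists do, and a dnswl entry can pull a well-run host back below the line.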

Re: SA cannot block messages with attached zip

2016-05-20 Thread Reindl Harald



On 20.05.2016 at 08:31, Emin Akbulut wrote:

I tried to train SA with tons of spam messages which contain a zip file
(including .js).
The max spam score was less than 5 so I set 4 to delete messages.

Then the same kind of spam messages appear with a score of less than 2.

In short; training SA seems not helpful.

What do you suggest to fight these spams?


Raw message:

http://pastebin.com/gPREh54L


just get a proper clamav setup

the real good question is why the hell that message does not get bayes 
classified at all here when I pipe your download through spamc/spamd while 
other messages are


also a good question is why your headers don't contain a single DNSBL and 
if that happens all the time - without blacklists you have no good 
chances for proper reject (for the trolls - YES a FULL SETUP rejects) 
many junk


X-Spam-Status: No, score=1.6 required=4.0 tests=BAYES_50,RDNS_NONE 
autolearn=no autolearn_force=no version=3.4.1

_

/var/www/uploadtemp/5633d7b4bafd01d72635e8496c9a781a4efa94d8.eml: 
Sanesecurity.Foxhole.Zip_fs223.UNOFFICIAL FOUND
/var/www/uploadtemp/5633d7b4bafd01d72635e8496c9a781a4efa94d8.eml: 
Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL FOUND


--- VIRUS-SCAN SUMMARY ---
Infected files: 1
Time: 0.005 sec (0 m 0 s)
Content analysis details:   (37.6 points, 5.5 required)

 pts rule name  description
 -- 
--

 4.5 CUST_DNSBL_10_SORBS_WEB RBL: dnsbl.sorbs.net (web.dnsbl.sorbs.net)
[213.252.170.66 listed in dnsbl.sorbs.net]
 0.5 CUST_DNSBL_33_SORBS_VIRUS RBL: dnsbl.sorbs.net
(virus.dnsbl.sorbs.net)
 1.5 CUST_DNSBL_20_SORBS_SPAM RBL: dnsbl.sorbs.net (spam.dnsbl.sorbs.net)
 0.1 CUST_DNSBL_34_BACKSCATTER RBL: dnsbl-backscatterer.thelounge.net
(ips.backscatterer.org)
  [213.252.170.66 listed in 
dnsbl-backscatterer.thelounge.net]

 3.5 CUST_DNSBL_11_JEF_BLACK RBL: hostkarma.junkemailfilter.com
  [213.252.170.66 listed in 
hostkarma.junkemailfilter.com]

 1.0 CUST_DNSBL_24_UCE1 RBL: dnsbl-uce.thelounge.net
(dnsbl-1.uceprotect.net)
[213.252.170.66 listed in 
dnsbl-uce.thelounge.net]

 2.5 CUST_DNSBL_16_PSBL RBL: dnsbl-surriel.thelounge.net
(psbl.surriel.com)
[213.252.170.66 listed in 
dnsbl-surriel.thelounge.net]

 2.5 CUST_DNSBL_12_SPAMCOP  RBL: bl.spamcop.net
[213.252.170.66 listed in bl.spamcop.net]
 3.0 RCVD_IN_MSPIKE_L5  RBL: Very bad reputation (-5)
[213.252.170.66 listed in bl.mailspike.net]
 5.5 CUST_DNSBL_6_ZEN_XBL   RBL: zen.spamhaus.org (xbl.spamhaus.org)
[213.252.170.66 listed in zen.spamhaus.org]
 1.5 CUST_DNSBL_19_SENDERSC_HIGH RBL: score.senderscore.com
(senderscore.com High)
[213.252.170.66 listed in 
score.senderscore.com]

 1.0 CUST_DNSBL_30_SENDERSC_MED RBL: score.senderscore.com
(senderscore.com Medium)
 5.0 CUST_DNSBL_7_CUDA  RBL: b.barracudacentral.org
[213.252.170.66 listed in 
b.barracudacentral.org]

 2.5 CUST_DNSBL_13_SEM  RBL: bl.spameatingmonkey.net
[213.252.170.66 listed in 
bl.spameatingmonkey.net]
 2.5 RDNS_NONE  Delivered to internal network by a host 
with no rDNS

 0.0 RCVD_IN_MSPIKE_BL  Mailspike blacklisted
 0.5 HELO_MISC_IP   Looking for more Dynamic IP Relays





SA cannot block messages with attached zip

2016-05-20 Thread Emin Akbulut
I tried to train SA with tons of spam messages which contain a zip file
(including .js).
The max spam score was less than 5 so I set 4 to delete messages.

Then the same kind of spam messages appear with a score of less than 2.

In short; training SA seems not helpful.

What do you suggest to fight these spams?


Raw message:

http://pastebin.com/gPREh54L


Preview:

Hello abdurrahim.ersoz,
>
>
>
>
>
> Please find enclosed invoice no. 316855
>
>
>
> Thank you for your order.
>
> We look forward to doing business with you again.
>
>
>
>
>
> Regards,
>
> Marcus Love
>
> StarTek, Inc.
>