Portable Executables that end in .gif/.jpg
Hi, I'm curious what people use to avoid malware executables being bypassed because their extensions are typically associated with file types that are not normally executable?

https://twitter.com/jepayneMSFT/status/969742842410094593

Do you just rely on clamav? Do you do any types of checks of the actual bytes in the file to confirm they're in line with what that file type should be? How would this even present itself in an email?
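As an added example (not code from the thread or from SpamAssassin), here is the byte-level check the question asks about in Python: walk the attachments of a message, read the leading bytes, and flag any part whose content is a Windows PE image (MZ header with e_lfanew pointing at "PE\0\0") while its filename claims to be a .gif/.jpg/.png, or whose image extension does not match the expected magic. The message and the PE stub are constructed inline; the rule names are hypothetical.

```python
"""Detect attachments whose bytes say 'PE executable' while the name says 'image'.
Constructed sample data; no real malware involved."""
import email
import struct
from email import policy
from email.message import EmailMessage

# Expected leading bytes per image extension (constructed lookup table).
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}

def is_pe(data: bytes) -> bool:
    """True if data has an MZ DOS header whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def check_attachment(filename: str, data: bytes) -> str:
    """Classify one attachment: 'ok', 'pe', 'pe-disguised' or 'magic-mismatch'."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if is_pe(data):
        return "pe-disguised" if ext in IMAGE_MAGIC else "pe"
    expected = IMAGE_MAGIC.get(ext)
    if expected and not data.startswith(expected):
        return "magic-mismatch"   # claims an image type but does not start like one
    return "ok"

def scan_message(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and classify every attachment by its real bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        results.append((name, check_attachment(name, part.get_payload(decode=True))))
    return results

def build_sample() -> bytes:
    """Constructed message: a minimal PE stub named photo.gif plus a genuine-looking GIF."""
    pe = bytearray(b"MZ" + b"\x00" * 0x3E)
    pe[0x3C:0x40] = struct.pack("<I", 0x40)           # e_lfanew -> offset 0x40
    pe += b"PE\x00\x00" + b"\x00" * 20                 # PE signature, padded
    msg = EmailMessage()
    msg["Subject"] = "invoice"
    msg.set_content("see attached")
    msg.add_attachment(bytes(pe), maintype="image", subtype="gif", filename="photo.gif")
    msg.add_attachment(b"GIF89a" + b"\x00" * 16, maintype="image", subtype="gif", filename="real.gif")
    return msg.as_bytes()
```

A mail filter would act on any "pe-disguised" result regardless of what Content-Type the sender declared, since the declared type and extension are entirely attacker-controlled.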
Re: IADB whitelist - again
On 03/03/2018 23:45, David Jones wrote:

> On 03/03/2018 05:54 AM, Noel Butler wrote:
>> On 03/03/2018 11:40, John Hardin wrote:
>>> On Sat, 3 Mar 2018, Noel Butler wrote:
>>>> On 03/03/2018 04:40, John Hardin wrote:
>>>>> On Fri, 2 Mar 2018, Sebastian Arcus wrote:
>>>>>> -0.2 RCVD_IN_IADB_RDNS RBL: IADB: Sender has reverse DNS record
>>>>>>      [199.127.240.84 listed in iadb.isipp.com]
>>>>>> -0.1 RCVD_IN_IADB_SPF RBL: IADB: Sender publishes SPF record
>>>>>> -0.1 RCVD_IN_IADB_OPTIN RBL: IADB: All mailing list mail is opt-in
>>>>>> -0.0 RCVD_IN_IADB_SENDERID RBL: IADB: Sender publishes Sender ID record
>>>>>> -0.0 RCVD_IN_IADB_LISTED RBL: Participates in the IADB system
>>>>>> -0.1 RCVD_IN_IADB_DK RBL: IADB: Sender publishes Domain Keys record
>>>>>> -0.1 RCVD_IN_IADB_VOUCHED RBL: ISIPP IADB lists as vouched-for sender
>>>>>>
>>>>>> I am concerned when the default settings in SA effectively facilitate
>>>>>> marketing companies to stuff my Inbox full of junk.
>>>>>
>>>>> -0.6 points makes the difference?
>>>>>
>>>>> Perhaps the default scores need to be reviewed, but simply having the
>>>>> rules isn't problematic.
>>>>
>>>> Have to agree with him, it can make all the difference in some cases, I'd
>>>> prefer to see the rules stay, but all at score 0
>
> If you have properly tuned SA for your mail flow and added local
> rules/plugins, these default IADB scores should not cause real spam to
> score under the default 5.0 threshold.
>
>>> -0.001 surely... 0 = disabled = breaks dependencies.
>>
>> That would be acceptable :)

Some of us have very fine tuned SA's, and use less than 5.0 which was acceptable 10 years ago, but not in recent times, so a few .1's can mean user gets spam, V user doesn't get spam - I know what I prefer.

--
Kind Regards,
Noel Butler

This Email, including any attachments, may contain legally privileged information, therefore remains confidential and subject to copyright protected under international law. You may not disseminate, discuss, or reveal, any part, to anyone, without the author's express written authority to do so. If you are not the intended recipient, please notify the sender then delete all copies of this message including attachments, immediately. Confidentiality, copyright, and legal privilege are not waived or lost by reason of the mistaken delivery of this message.

Only PDF [1] and ODF [2] documents accepted, please do not send proprietary formatted documents.

Links:
[1] http://www.adobe.com/
[2] http://en.wikipedia.org/wiki/OpenDocument
Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)
John Hardin wrote on 2018-03-03 19:28:

> On Sat, 3 Mar 2018, @lbutlr wrote:
>> On Feb 26, 2018, at 09:55, sha...@shanew.net wrote:
>>> This is why the DecodeShortURLs plugin has an explicit limit of 10
>>> lookups (and penalizes such with a total of 8 points).
>>
>> I’d guess more than one redirect is highly suspicious and more than two is
>> probably a waste of time, just score 5.0 and be done with it.
>
> +1

add blacklist internally to DecodeShortURLs plugin, and reduce redirector list to who support abuse reports

only bit.ly is safe to test
Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)
On Sat, 3 Mar 2018, @lbutlr wrote:

> On Feb 26, 2018, at 09:55, sha...@shanew.net wrote:
>> This is why the DecodeShortURLs plugin has an explicit limit of 10
>> lookups (and penalizes such with a total of 8 points).
>
> I’d guess more than one redirect is highly suspicious and more than two is
> probably a waste of time, just score 5.0 and be done with it.

+1

--
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Back in 1969 the technology to fake a Moon landing didn't exist, but the technology to actually land there did. Today, it is the opposite. -- unknown
---
10 days until Albert Einstein's 139th Birthday
Re: IADB whitelist - again
On 03/03/2018 05:54 AM, Noel Butler wrote:

> On 03/03/2018 11:40, John Hardin wrote:
>> On Sat, 3 Mar 2018, Noel Butler wrote:
>>> On 03/03/2018 04:40, John Hardin wrote:
>>>> On Fri, 2 Mar 2018, Sebastian Arcus wrote:
>>>>> -0.2 RCVD_IN_IADB_RDNS RBL: IADB: Sender has reverse DNS record
>>>>>      [199.127.240.84 listed in iadb.isipp.com]
>>>>> -0.1 RCVD_IN_IADB_SPF RBL: IADB: Sender publishes SPF record
>>>>> -0.1 RCVD_IN_IADB_OPTIN RBL: IADB: All mailing list mail is opt-in
>>>>> -0.0 RCVD_IN_IADB_SENDERID RBL: IADB: Sender publishes Sender ID record
>>>>> -0.0 RCVD_IN_IADB_LISTED RBL: Participates in the IADB system
>>>>> -0.1 RCVD_IN_IADB_DK RBL: IADB: Sender publishes Domain Keys record
>>>>> -0.1 RCVD_IN_IADB_VOUCHED RBL: ISIPP IADB lists as vouched-for sender
>>>>>
>>>>> I am concerned when the default settings in SA effectively facilitate
>>>>> marketing companies to stuff my Inbox full of junk.
>>>>
>>>> -0.6 points makes the difference?
>>>>
>>>> Perhaps the default scores need to be reviewed, but simply having the
>>>> rules isn't problematic.
>>>
>>> Have to agree with him, it can make all the difference in some cases, I'd
>>> prefer to see the rules stay, but all at score 0

If you have properly tuned SA for your mail flow and added local rules/plugins, these default IADB scores should not cause real spam to score under the default 5.0 threshold.

>> -0.001 surely... 0 = disabled = breaks dependencies.
>
> That would be acceptable :)

--
David Jones
Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)
On Feb 26, 2018, at 09:55, sha...@shanew.net wrote:

> This is why the DecodeShortURLs plugin has an explicit limit of 10
> lookups (and penalizes such with a total of 8 points).

I’d guess more than one redirect is highly suspicious and more than two is probably a waste of time, just score 5.0 and be done with it.

Has anyone done any analysis on multi-redirects?

--
This is my signature. There are many like it, but this one is mine.
Re: IADB whitelist - again
On 03/03/2018 11:40, John Hardin wrote:

> On Sat, 3 Mar 2018, Noel Butler wrote:
>> On 03/03/2018 04:40, John Hardin wrote:
>>> On Fri, 2 Mar 2018, Sebastian Arcus wrote:
>>>> -0.2 RCVD_IN_IADB_RDNS RBL: IADB: Sender has reverse DNS record
>>>>      [199.127.240.84 listed in iadb.isipp.com]
>>>> -0.1 RCVD_IN_IADB_SPF RBL: IADB: Sender publishes SPF record
>>>> -0.1 RCVD_IN_IADB_OPTIN RBL: IADB: All mailing list mail is opt-in
>>>> -0.0 RCVD_IN_IADB_SENDERID RBL: IADB: Sender publishes Sender ID record
>>>> -0.0 RCVD_IN_IADB_LISTED RBL: Participates in the IADB system
>>>> -0.1 RCVD_IN_IADB_DK RBL: IADB: Sender publishes Domain Keys record
>>>> -0.1 RCVD_IN_IADB_VOUCHED RBL: ISIPP IADB lists as vouched-for sender
>>>>
>>>> I am concerned when the default settings in SA effectively facilitate
>>>> marketing companies to stuff my Inbox full of junk.
>>>
>>> -0.6 points makes the difference?
>>>
>>> Perhaps the default scores need to be reviewed, but simply having the
>>> rules isn't problematic.
>>
>> Have to agree with him, it can make all the difference in some cases, I'd
>> prefer to see the rules stay, but all at score 0
>
> -0.001 surely... 0 = disabled = breaks dependencies.

That would be acceptable :)

(I usually disable all whitelists anyway, especially those scoring influentially)

--
Kind Regards,
Noel Butler