sneaky spams w/zipped URL file, easily caught by "Thread-Index"

2018-03-27 Thread Rob McEwen
Today, MANY sneaky spams are being sent with an attached zipped 
malicious URL/shortcut file.


Most or all of these are easily caught by Thread-Index, as follows:

Thread-Index: AdBx5/5UsdSTxflQTPi+FyODmVaqhA==

Perhaps someone can make a rule for this and post it here?

I already set this in another non-SA part of my anti-spam system, but 
the rule might help others here. There are also other attributes that 
could become an SA rule that would cause a hit even if the Thread-Index 
changed, but that will require a little bit more effort.


--
Rob McEwen
https://www.invaluement.com
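One way to turn the Thread-Index value above into a local SpamAssassin rule, as an added example rather than Rob's own rule: the rule names, scores and the zip-attachment sub-rules are my assumptions, and the `mimeheader` lines need the stock MIMEHeader plugin (loaded by default from v320.pre).

```spamassassin
# Local rule set for the zipped URL-file spam run discussed on the list.
# Rule names and scores are my own choices, not from the thread.

# Exact match on the Thread-Index value seen in this run, anchored so a
# different base64 value from another run does not hit by accident.
header     __LOCAL_TI_ZIPURL    Thread-Index =~ /^AdBx5\/5UsdSTxflQTPi\+FyODmVaqhA==$/

# A MIME part carrying a .zip attachment, named either in Content-Type
# (name=) or in Content-Disposition (filename=). The sample in the thread
# was "Purchase Order_4014053_27032018.zip".
mimeheader __LOCAL_ZIP_CT       Content-Type =~ /\bname\s*=\s*"?[^";]*\.zip\b/i
mimeheader __LOCAL_ZIP_CD       Content-Disposition =~ /\bfilename\s*=\s*"?[^";]*\.zip\b/i
meta       __LOCAL_ZIP_ATTACH   __LOCAL_ZIP_CT || __LOCAL_ZIP_CD

# The header alone gets a moderate score; together with a zip attachment
# it gets a high one. Both are assumed local scores, tune to your threshold.
meta       LOCAL_TI_ZIPURL      __LOCAL_TI_ZIPURL && !__LOCAL_ZIP_ATTACH
describe   LOCAL_TI_ZIPURL      Thread-Index seen on zipped URL-file spam run
score      LOCAL_TI_ZIPURL      2.0

meta       LOCAL_TI_ZIPURL_ZIP  __LOCAL_TI_ZIPURL && __LOCAL_ZIP_ATTACH
describe   LOCAL_TI_ZIPURL_ZIP  Zipped URL-file run Thread-Index plus zip attachment
score      LOCAL_TI_ZIPURL_ZIP  5.0
```

Run `spamassassin --lint` after dropping this into local.cf; the literal Thread-Index will stop matching as soon as the sender changes it, which is the limitation Rob points out.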




Re: sneaky spams w/zipped URL file, easily caught by "Thread-Index"

2018-03-27 Thread Pedro David Marco
Thanks Rob, can you pastebin a sample??

PedroD
  

Re: sneaky spams w/zipped URL file, easily caught by "Thread-Index"

2018-03-27 Thread David Jones

On 03/27/2018 08:24 AM, Pedro David Marco wrote:
> Thanks Rob, can you pastebin a sample??
>
> PedroD



Looks like ClamAV UNOFFICIAL sigs are detecting this:

Clamd: message was infected: Sanesecurity.Foxhole.Zip_url.UNOFFICIAL
Clamd: Purchase Order_4014053_27032018.zip was infected: 
Sanesecurity.Foxhole.Zip_url.UNOFFICIAL


https://pastebin.com/WwUbWCQY

--
David Jones


Lots of money, score of 0??

2018-03-27 Thread Robert Boyl
Guys,

Do you usually tune up the Lots of money rule? Strange, our spamassassin/EFA
scores it 0, a false negative. IMHO it should score at least something; few
people would write "Million dollars" in an email, so why not add a score?

LOTS_OF_MONEY 0.00

See https://pastebin.com/dY6iFeYL

Thanks!
Rob


Re: sneaky spams w/zipped URL file, easily caught by "Thread-Index"

2018-03-27 Thread Rob McEwen

On 3/27/2018 9:48 AM, David Jones wrote:
> Looks like ClamAV UNOFFICIAL sigs are detecting this:
> Clamd: message was infected: Sanesecurity.Foxhole.Zip_url.UNOFFICIAL



David,

Excellent... except for one potential problem... this is in their 
"foxhole_all.cdb" file which they label as "high false positive risk" - 
which could scare some away!


For those who don't score very high on ClamAv and/or who are able to 
score DIFFERENTLY based on different types of Sanesecurity and/or ClamAv 
results, this is probably OK. But for others who prefer to either 
outright block or score high on ClamAv, that MIGHT present a problem. On 
the other hand, maybe Sanesecurity is just being overly cautious (or 
considering more theoretical FNs?), and such actual FPs in real world 
mail flow are actually extremely rare?


Any Thoughts? Anyone know?

--
Rob McEwen
https://www.invaluement.com



Re: Lots of money, score of 0??

2018-03-27 Thread David Jones

On 03/27/2018 09:24 AM, Robert Boyl wrote:
> Guys,
>
> Do you usually tune up the Lots of money rule? Strange, our spamassassin/EFA
> scores it 0, a false negative. IMHO it should score at least something; few
> people would write "Million dollars" in an email, so why not add a score?
>
> LOTS_OF_MONEY 0.00
>
> See https://pastebin.com/dY6iFeYL
>
> Thanks!
> Rob



I score it about 2 points in my MailScanner instances with a block 
threshold of 6.0.  My local rules have a huge list of whitelist_auth 
entries to cover the trustworthy senders that might hit this and other 
"spammy" rules that aren't definite spam/poison pills.


--
David Jones


Re: sneaky spams w/zipped URL file, easily caught by "Thread-Index"

2018-03-27 Thread David Jones

On 03/27/2018 09:37 AM, Rob McEwen wrote:
> On 3/27/2018 9:48 AM, David Jones wrote:
>> Looks like ClamAV UNOFFICIAL sigs are detecting this:
>> Clamd: message was infected: Sanesecurity.Foxhole.Zip_url.UNOFFICIAL
>
> David,
>
> Excellent... except for one potential problem... this is in their
> "foxhole_all.cdb" file which they label as "high false positive risk" -
> which could scare some away!
>
> For those who don't score very high on ClamAv and/or who are able to
> score DIFFERENTLY based on different types of Sanesecurity and/or ClamAv
> results, this is probably OK. But for others who prefer to either
> outright block or score high on ClamAv, that MIGHT present a problem. On
> the other hand, maybe Sanesecurity is just being overly cautious (or
> considering more theoretical FNs?), and such actual FPs in real world
> mail flow are actually extremely rare?
>
> Any Thoughts? Anyone know?



That's interesting because I probably wouldn't have started using 
foxhole_all.cdb if it had been classified like that then.  I am not 
getting any reports or finding any problems with FPs.


3,110,729 total messages* since March 15th
112,477 spam blocked
2,071 total viruses found
8 Foxhole viruses found

*After MTA rejects based on RBLs and other DNS checks

--
Dave Jones
--
David Jones


Re: Lots of money, score of 0??

2018-03-27 Thread John Hardin

On Tue, 27 Mar 2018, Robert Boyl wrote:

> Do you usually tune up the Lots of money rule? Strange, our spamassassin/EFA
> scores it 0, a false negative. IMHO it should score at least something; few
> people would write "Million dollars" in an email, so why not add a score?
>
> LOTS_OF_MONEY 0.00


It's not *intended* to score by itself, it's intended to be used in metas 
with other suspicious indicators. It's scored informative by itself just 
to give an indicator in the rule hits list that a mention of large sums of 
money was present.


You are welcome to assign a score locally if you feel that way. I don't 
think it's justified in the default rules.


--
 John Hardin KA7OHZ                          http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Win95: Where do you want to go today?
  Vista: Where will Microsoft allow you to go today?
---
 5 days until April Fools' day
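The two approaches in this thread side by side, as an added local.cf fragment (my example, not a stock rule set): David's small local score guarded by `whitelist_auth`, and John's meta that leaves LOTS_OF_MONEY at 0 and counts it only alongside other indicators. The local rule names and scores are assumptions; LOTS_OF_MONEY, FREEMAIL_FROM and FREEMAIL_REPLYTO are stock rules, the latter two from the FreeMail plugin.

```spamassassin
# Option A (David's approach): give the informational rule a small score
# of its own, and exempt authenticated senders (SPF/DKIM pass) that
# legitimately discuss large sums. Uncomment to use; do not combine with B.
#score          LOTS_OF_MONEY  2.0
#whitelist_auth *@example.com
# example.com above is a placeholder, replace with your trusted domains.

# Option B (John's approach): leave LOTS_OF_MONEY at its default 0.00 and
# let it contribute only when it coincides with other suspicious signals.
# Here: the sender or Reply-To is a free webmail address, a common pairing
# in advance-fee mail. Names and score below are my own choices.
meta     LOCAL_MONEY_FREEMAIL  LOTS_OF_MONEY && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
describe LOCAL_MONEY_FREEMAIL  Large sum mentioned and freemail From/Reply-To
score    LOCAL_MONEY_FREEMAIL  2.5

# Adding a third independent signal tightens the meta further, e.g. a
# mismatched Reply-To domain (FREEMAIL_FORGED_REPLYTO is also a stock rule).
meta     LOCAL_MONEY_FREEMAIL_FORGED  LOCAL_MONEY_FREEMAIL && FREEMAIL_FORGED_REPLYTO
describe LOCAL_MONEY_FREEMAIL_FORGED  Large sum, freemail sender, forged Reply-To
score    LOCAL_MONEY_FREEMAIL_FORGED  1.5
```

Check with `spamassassin --lint` and watch the hit rates on ham (Bill's 849 legitimate hits in a year show why option A needs the whitelist) before raising any of these scores.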


Re: sneaky spams w/zipped URL file, easily caught by "Thread-Index"

2018-03-27 Thread Dave Wreski

Hi,

>> Excellent... except for one potential problem... this is in their
>> "foxhole_all.cdb" file which they label as "high false positive risk"
>> - which could scare some away!
>>
>> For those who don't score very high on ClamAv and/or who are able to
>> score DIFFERENTLY based on different types of Sanesecurity and/or
>> ClamAv results, this is probably OK. But for others who prefer to
>> either outright block or score high on ClamAv, that MIGHT present a
>> problem. On the other hand, maybe Sanesecurity is just being overly
>> cautious (or considering more theoretical FNs?), and such actual FPs
>> in real world mail flow are actually extremely rare?
>>
>> Any Thoughts? Anyone know?
>
> That's interesting because I probably wouldn't have started using
> foxhole_all.cdb if it had been classified like that then.  I am not
> getting any reports or finding any problems with FPs.


foxhole_all is just a few dozen(?) lines of rules to tag file types 
within zip/rar/7z/arj/exe files.


Perhaps because you're outright rejecting many of these file types already?

Regards,
Dave



> 3,110,729 total messages* since March 15th
> 112,477 spam blocked
> 2,071 total viruses found
> 8 Foxhole viruses found
>
> *After MTA rejects based on RBLs and other DNS checks
>
> --
> Dave Jones


Re: Lots of money, score of 0??

2018-03-27 Thread Bill Cole

On 27 Mar 2018, at 10:24, Robert Boyl wrote:

> Guys,
>
> Do you usually tune up the Lots of money rule? Strange, our spamassassin/EFA
> scores it 0, a false negative. IMHO it should score at least something; few
> people would write "Million dollars" in an email, so why not add a score?
>
> LOTS_OF_MONEY 0.00
>
> See https://pastebin.com/dY6iFeYL


I see a very large number of legitimate and definitely wanted messages 
hitting the LOTS_OF_MONEY rule. 849 in my own mail in the past year, 
excluding mail with quoted spam. This includes YOUR message asking about 
it.