Re: new emotet campaign

2019-09-17 Thread Amir Caspi
On Sep 17, 2019, at 12:15 PM, John Hardin  wrote:
> 
> On Tue, 17 Sep 2019, hg user wrote:
> 
>> It is a "dumb" rule but the quickest I could create.
>> 
>> https://pastebin.com/bxRSds7a
> 
> Suggestions:
> 
> (1) use a URI rule rather than a BODY rule
> 
> (2) escape the periods; you want to match a period, not any-character.

Based on https://feodotracker.abuse.ch/mitigate/, it looks like both Spamhaus DBL and
SURBL are fed by URLhaus.  Spamhaus returns 127.0.1.105 for URLs fed from
URLhaus.  Doesn't SA already handle this, then, for URLs it processes, since it
uses the DBL?

I know Riccardo sent an email about a new plugin for SA, but I don't know if 
it's yet implemented in release... but maybe that's not required since the DBL 
doesn't require DQS.

--- Amir



Re: new emotet campaign

2019-09-17 Thread John Hardin

On Tue, 17 Sep 2019, hg user wrote:

> It is a "dumb" rule but the quickest I could create.
>
> https://pastebin.com/bxRSds7a

Suggestions:

(1) use a URI rule rather than a BODY rule

(2) escape the periods; you want to match a period, not any-character.

> On Tue, Sep 17, 2019 at 11:59 AM Blason R  wrote:
>
>> If possible please share it here?
>>
>> On Tue, Sep 17, 2019 at 3:20 PM hg user  wrote:
>>
>>> A new emotet campaign is in progress (https://twitter.com/Cryptolaemus1)
>>> and I created a rule... I don't know if it is possible to share (via
>>> pastebin) the rule I created to have feedback from the experts...


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Are you a mildly tech-literate politico horrified by the level of
  ignorance demonstrated by lawmakers gearing up to regulate online
  technology they don't even begin to grasp? Cool. Now you have a
  tiny glimpse into a day in the life of a gun owner.   -- Sean Davis
---
 Today: the 232nd anniversary of the signing of the U.S. Constitution
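An added illustration of the two suggestions above, written for this archive and not taken from the pastebin rule or from anyone on the list: the weak body form beside the uri form, as they would sit in a local .cf file. The hostnames are constructed placeholders (RFC 2606 .invalid), not indicators from the campaign, and the rule names are made up.

```conf
# Constructed example, not the rule from the pastebin. The hostnames are
# placeholders (RFC 2606 .invalid TLD), not indicators from the campaign.

# Weak form, as critiqued above: a body rule with unescaped periods.
# An unescaped "." matches any character, so this also fires on text like
# "bad-host-aXexampleYinvalid", and body rules only see the rendered text
# of the message, not the href= target hidden behind a link.
body     LOCAL_EMOTET_HOST_BODY  /bad-host-a.example.invalid|bad-host-b.example.invalid/i
describe LOCAL_EMOTET_HOST_BODY  Rendered body text mentions a campaign hostname (weak form)
score    LOCAL_EMOTET_HOST_BODY  0.1

# Suggested form: a uri rule, which SpamAssassin matches against each URI
# it extracts from the message (href= targets included), with the periods
# escaped and the pattern anchored to the host part of the URI so that a
# longer hostname merely containing the string does not match.
uri      LOCAL_EMOTET_HOST_URI   /^https?:\/\/(?:[^\/]*\.)?(?:bad-host-a|bad-host-b)\.example\.invalid(?:[\/:?#]|$)/i
describe LOCAL_EMOTET_HOST_URI   URI host is a known campaign hostname
score    LOCAL_EMOTET_HOST_URI   4.0
```

Run `spamassassin --lint` after adding the file to catch a mistyped regex. As Axb points out elsewhere in the thread, URLs that only live inside the malicious attachments are never extracted from the message body, so neither rule fires on those; that case is what the ClamAV signatures cover.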


Re: new emotet campaign

2019-09-17 Thread hg user
These rules are from the "epoch 2" campaign and, according to the docs, are
included in the email...
as far as I understand

I don't have ClamAV active at the moment

On Tuesday, September 17, 2019, Axb  wrote:

> I doubt you'll see many hits on that rule as I'd expect most URIs being
> included in the infected attachments.
> Imo, the ClamAV sigs make more sense.
>
> On 9/17/19 12:36 PM, hg user wrote:
>
>> It is a "dumb" rule but the quickest I could create.
>>
>> https://pastebin.com/bxRSds7a
>>
>> On Tue, Sep 17, 2019 at 11:59 AM Blason R  wrote:
>>
>>> If possible please share it here?
>>>
>>> On Tue, Sep 17, 2019 at 3:20 PM hg user  wrote:
>>>
>>>> A new emotet campaign is in progress (https://twitter.com/Cryptolaemus1)
>>>> and I created a rule... I don't know if it is possible to share (via
>>>> pastebin) the rule I created to have feedback from the experts...


Re: new emotet campaign

2019-09-17 Thread Axb
I doubt you'll see many hits on that rule as I'd expect most URIs being 
included in the infected attachments.

Imo, the ClamAV sigs make more sense.

On 9/17/19 12:36 PM, hg user wrote:

> It is a "dumb" rule but the quickest I could create.
>
> https://pastebin.com/bxRSds7a
>
> On Tue, Sep 17, 2019 at 11:59 AM Blason R  wrote:
>
>> If possible please share it here?
>>
>> On Tue, Sep 17, 2019 at 3:20 PM hg user  wrote:
>>
>>> A new emotet campaign is in progress (https://twitter.com/Cryptolaemus1)
>>> and I created a rule... I don't know if it is possible to share (via
>>> pastebin) the rule I created to have feedback from the experts...

Re: new emotet campaign

2019-09-17 Thread hg user
It is a "dumb" rule but the quickest I could create.

https://pastebin.com/bxRSds7a

On Tue, Sep 17, 2019 at 11:59 AM Blason R  wrote:

> If possible please share it here?
>
> On Tue, Sep 17, 2019 at 3:20 PM hg user  wrote:
>
>> A new emotet campaign is in progress (https://twitter.com/Cryptolaemus1)
>> and I created a rule... I don't know if it is possible to share (via
>> pastebin) the rule I created to have feedback from the experts...
>>
>


Re: new emotet campaign

2019-09-17 Thread Riccardo Alfieri

On 17/09/19 11:59, Blason R wrote:

> If possible please share it here?
>
> On Tue, Sep 17, 2019 at 3:20 PM hg user wrote:
>
>> A new emotet campaign is in progress
>> (https://twitter.com/Cryptolaemus1) and I created a rule... I
>> don't know if it is possible to share (via pastebin) the rule I
>> created to have feedback from the experts...


Hi,

not really SpamAssassin related, but for anyone concerned about Emotet, 
I suggest using URLhaus ClamAV signatures: 
https://urlhaus.abuse.ch/api/#clamav


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: new emotet campaign

2019-09-17 Thread Blason R
If possible please share it here?

On Tue, Sep 17, 2019 at 3:20 PM hg user  wrote:

> A new emotet campaign is in progress (https://twitter.com/Cryptolaemus1)
> and I created a rule... I don't know if it is possible to share (via
> pastebin) the rule I created to have feedback from the experts...
>


new emotet campaign

2019-09-17 Thread hg user
A new emotet campaign is in progress (https://twitter.com/Cryptolaemus1) and
I created a rule... I don't know if it is possible to share (via pastebin)
the rule I created to have feedback from the experts...