Re: Direct download link detection - new variant
On 2017-07-26 17:22, Dianne Skoll wrote:
> On Wed, 26 Jul 2017 17:15:43 +0200 Michael Storz wrote:
> [...]
>> /boundary="-{4}=_NextPart_000_[0-9A-F]{4}_[0-9A-F]{8}\.[0-9A-F]{8}"/
>
> You may get FPs. See for example
> https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk105578
>
> I am guessing that boundary is generated by a library that's also used
> for legitimate purposes.

The boundary is a standard Microsoft Outlook boundary. You can't score on the boundary alone. But if you score on the meta rule a FP is unlikely. Just try it.

Regards,
Michael
Re: Direct download link detection - new variant
On Wed, 26 Jul 2017 08:28:52 -0700 (PDT) John Hardin wrote:
> ...all of which is, sadly, whack-a-mole.

However, there are few to no alternatives to whack-a-mole for this spam run. The messages are pretty bland. We've been diligently adding the URLs to our phishing list and we seem to have caught most of them; there are only a couple of hundred or so URLs.

Regards,
Dianne.
Re: Direct download link detection - new variant
On Wed, 26 Jul 2017, Michael Storz wrote:
> On 2017-07-26 15:08, Dianne Skoll wrote:
>> On Tue, 25 Jul 2017 08:36:22 -0400 Dianne Skoll wrote:
>>> All of the URLs match this pattern:
>>> /\/[A-Z]{4}\d{6}\/$/
>>
>> We see a new variant with the subject "Your Virgin Media bill is ready" and URLs that match:
>>
>> uri __RP_D_00108_03 /\/\d{12}\/[A-Z]{6}\/?$/
>
> Nearly all of these spam mails can be blocked with
>
> header __LRZ_BND_MS Content-Type =~ /boundary="-{4}=_NextPart_000_[0-9A-F]{4}_[0-9A-F]{8}\.[0-9A-F]{8}"/
> header __LRZ_MSGID_SPAM_99 MESSAGEID =~ /<\d{8,13}\.2017\d{6,11}\@/
> meta LRZ_HEADER_SPAM_99 (__LRZ_MSGID_SPAM_99 && __LRZ_BND_MS)
>
> The version before had a different boundary
>
> header __LRZ_BND_HU32 Content-Type =~ /boundary="[0-9A-F]{32}"/

...all of which is, sadly, whack-a-mole.

-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
...much of our country's counterterrorism security spending is not designed to protect us from the terrorists, but instead to protect our public officials from criticism when another attack occurs. -- Bruce Schneier
---
9 days until the 282nd anniversary of John Peter Zenger's acquittal
Re: Direct download link detection - new variant
On Wed, 26 Jul 2017 17:15:43 +0200 Michael Storz wrote:
[...]
> /boundary="-{4}=_NextPart_000_[0-9A-F]{4}_[0-9A-F]{8}\.[0-9A-F]{8}"/

You may get FPs. See for example
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk105578

I am guessing that boundary is generated by a library that's also used for legitimate purposes.

Regards,
Dianne.
Re: Direct download link detection - new variant
On 2017-07-26 15:08, Dianne Skoll wrote:
> On Tue, 25 Jul 2017 08:36:22 -0400 Dianne Skoll wrote:
>> All of the URLs match this pattern:
>> /\/[A-Z]{4}\d{6}\/$/
>
> We see a new variant with the subject "Your Virgin Media bill is ready" and URLs that match:
>
> uri __RP_D_00108_03 /\/\d{12}\/[A-Z]{6}\/?$/
>
> Regards,
> Dianne.

Nearly all of these spam mails can be blocked with

header __LRZ_BND_MS Content-Type =~ /boundary="-{4}=_NextPart_000_[0-9A-F]{4}_[0-9A-F]{8}\.[0-9A-F]{8}"/
header __LRZ_MSGID_SPAM_99 MESSAGEID =~ /<\d{8,13}\.2017\d{6,11}\@/
meta LRZ_HEADER_SPAM_99 (__LRZ_MSGID_SPAM_99 && __LRZ_BND_MS)

The version before had a different boundary

header __LRZ_BND_HU32 Content-Type =~ /boundary="[0-9A-F]{32}"/

Regards,
Michael
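The sub-rules and meta rule from Michael's message above, plus Dianne's URI rule, re-expressed in Python as an added example that is not part of the thread. It runs them over two constructed messages (hypothetical hosts, Message-IDs and boundaries) to show the FP point raised in the thread: a legitimate Outlook-style mail hits the boundary rule on its own, while only the mail that also carries the 2017-style Message-ID trips the meta rule.

```python
import email
import re

# Michael's SpamAssassin sub-rules from the thread, as Python regexes.
HEADER_RULES = {
    "__LRZ_BND_MS": ("Content-Type", re.compile(
        r'boundary="-{4}=_NextPart_000_[0-9A-F]{4}_[0-9A-F]{8}\.[0-9A-F]{8}"')),
    "__LRZ_MSGID_SPAM_99": ("Message-ID", re.compile(r"<\d{8,13}\.2017\d{6,11}@")),
}
URI_RULE = re.compile(r"/\d{12}/[A-Z]{6}/?$")  # uri __RP_D_00108_03 (Dianne)

def body_uris(msg):
    """Collect http(s) URLs from every text/plain part of a parsed message."""
    uris = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            text = part.get_payload(decode=True).decode("utf-8", "replace")
            uris.extend(re.findall(r"https?://\S+", text))
    return uris

def evaluate(raw):
    """Return rule name -> hit for one raw RFC 822 message, meta rule included."""
    msg = email.message_from_string(raw)
    hits = {name: bool(rx.search(msg.get(hdr, "")))
            for name, (hdr, rx) in HEADER_RULES.items()}
    hits["__RP_D_00108_03"] = any(URI_RULE.search(u) for u in body_uris(msg))
    # meta LRZ_HEADER_SPAM_99 (__LRZ_MSGID_SPAM_99 && __LRZ_BND_MS): both must hit
    hits["LRZ_HEADER_SPAM_99"] = hits["__LRZ_MSGID_SPAM_99"] and hits["__LRZ_BND_MS"]
    return hits

# Constructed samples (hypothetical hosts, Message-IDs and boundaries).
SPAM = (
    "Subject: Your Virgin Media bill is ready\n"
    "Message-ID: <1234567890.20170726123456@example.invalid>\n"
    'Content-Type: multipart/alternative; boundary="----=_NextPart_000_1A2B_0123ABCD.4567EF89"\n\n'
    "------=_NextPart_000_1A2B_0123ABCD.4567EF89\nContent-Type: text/plain\n\n"
    "View your bill: http://example.invalid/123456789012/ABCDEF/\n"
    "------=_NextPart_000_1A2B_0123ABCD.4567EF89--\n"
)
# Legitimate Outlook-style mail: same boundary shape, ordinary Message-ID and URL.
LEGIT = (
    "Subject: Meeting notes\n"
    "Message-ID: <CAB1A2B3C4D5E6F7@mail.example.invalid>\n"
    'Content-Type: multipart/alternative; boundary="----=_NextPart_000_0C3F_01D2FE1A.55E0B2C0"\n\n'
    "------=_NextPart_000_0C3F_01D2FE1A.55E0B2C0\nContent-Type: text/plain\n\n"
    "Notes are at http://intranet.example.invalid/notes/2017-07-26\n"
    "------=_NextPart_000_0C3F_01D2FE1A.55E0B2C0--\n"
)
```

Feeding `evaluate(SPAM)` and `evaluate(LEGIT)` side by side makes the difference visible: both hit `__LRZ_BND_MS`, but only the spam sample sets `LRZ_HEADER_SPAM_99` and `__RP_D_00108_03`.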
Re: Direct download link detection - new variant
On Tue, 25 Jul 2017 08:36:22 -0400 Dianne Skoll wrote:
> All of the URLs match this pattern:
> /\/[A-Z]{4}\d{6}\/$/

We see a new variant with the subject "Your Virgin Media bill is ready" and URLs that match:

uri __RP_D_00108_03 /\/\d{12}\/[A-Z]{6}\/?$/

Regards,
Dianne.