Re: Direct download link detection - new variant

2017-07-26 Thread Michael Storz

On 2017-07-26 17:22, Dianne Skoll wrote:

> On Wed, 26 Jul 2017 17:15:43 +0200
> Michael Storz  wrote:
>
> [...]
>
> > /boundary="-{4}=_NextPart_000_[0-9A-F]{4}_[0-9A-F]{8}\.[0-9A-F]{8}"/
>
> You may get FPs.  See for example
> https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk105578
>
> I am guessing that boundary is generated by a library that's also used
> for legitimate purposes.

The boundary is a standard Microsoft Outlook boundary. You can't score
on the boundary alone. But if you score on the meta rule a FP is
unlikely. Just try it.


Regards,
Michael


Re: Direct download link detection - new variant

2017-07-26 Thread Dianne Skoll
On Wed, 26 Jul 2017 08:28:52 -0700 (PDT)
John Hardin  wrote:

> ...all of which is, sadly, whack-a-mole.

However, there are few to no alternatives to whack-a-mole for this
spam run.  The messages are pretty bland.

We've been diligently adding the URLs to our phishing list and we seem
to have caught most of them; there are only a couple of hundred or so
URLs.

Regards,

Dianne.



Re: Direct download link detection - new variant

2017-07-26 Thread John Hardin

On Wed, 26 Jul 2017, Michael Storz wrote:

> On 2017-07-26 15:08, Dianne Skoll wrote:
>
> > On Tue, 25 Jul 2017 08:36:22 -0400
> > Dianne Skoll  wrote:
> >
> > > All of the URLs match this pattern:
> > > /\/[A-Z]{4}\d{6}\/$/
> >
> > We see a new variant with the subject "Your Virgin Media bill is
> > ready" and URLs that match:
> >
> > uri __RP_D_00108_03 /\/\d{12}\/[A-Z]{6}\/?$/
>
> Nearly all of these spam mails can be blocked with
>
> header __LRZ_BND_MS Content-Type =~ /boundary="-{4}=_NextPart_000_[0-9A-F]{4}_[0-9A-F]{8}\.[0-9A-F]{8}"/
> header __LRZ_MSGID_SPAM_99 MESSAGEID =~ /<\d{8,13}\.2017\d{6,11}\@/
>
> meta LRZ_HEADER_SPAM_99 (__LRZ_MSGID_SPAM_99 && __LRZ_BND_MS)
>
> The version before had a different boundary
>
> header __LRZ_BND_HU32 Content-Type =~ /boundary="[0-9A-F]{32}"/

...all of which is, sadly, whack-a-mole.

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...much of our country's counterterrorism security spending is not
  designed to protect us from the terrorists, but instead to protect
  our public officials from criticism when another attack occurs.
-- Bruce Schneier
---
 9 days until the 282nd anniversary of John Peter Zenger's acquittal


Re: Direct download link detection - new variant

2017-07-26 Thread Dianne Skoll
On Wed, 26 Jul 2017 17:15:43 +0200
Michael Storz  wrote:

[...]

> /boundary="-{4}=_NextPart_000_[0-9A-F]{4}_[0-9A-F]{8}\.[0-9A-F]{8}"/

You may get FPs.  See for example 
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk105578

I am guessing that boundary is generated by a library that's also used
for legitimate purposes.

Regards,

Dianne.


Re: Direct download link detection - new variant

2017-07-26 Thread Michael Storz

On 2017-07-26 15:08, Dianne Skoll wrote:

> On Tue, 25 Jul 2017 08:36:22 -0400
> Dianne Skoll  wrote:
>
> > All of the URLs match this pattern:
> > /\/[A-Z]{4}\d{6}\/$/
>
> We see a new variant with the subject "Your Virgin Media bill is ready"
> and URLs that match:
>
> uri __RP_D_00108_03 /\/\d{12}\/[A-Z]{6}\/?$/
>
> Regards,
>
> Dianne.

Nearly all of these spam mails can be blocked with

header __LRZ_BND_MS Content-Type =~ /boundary="-{4}=_NextPart_000_[0-9A-F]{4}_[0-9A-F]{8}\.[0-9A-F]{8}"/
header __LRZ_MSGID_SPAM_99 MESSAGEID =~ /<\d{8,13}\.2017\d{6,11}\@/
meta LRZ_HEADER_SPAM_99 (__LRZ_MSGID_SPAM_99 && __LRZ_BND_MS)

The version before had a different boundary

header __LRZ_BND_HU32 Content-Type =~ /boundary="[0-9A-F]{32}"/


Regards,
Michael
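The rules from this thread as an added Python harness (my own test code, not the list's or any project's), running the same regexes over constructed sample headers and URIs; `__URI_FIRST_VARIANT` is a hypothetical name for the first URL pattern, which the thread never names. It also shows why the boundary sub-rule is not scored on its own: a constructed legitimate Outlook message hits it, and only the meta rule, which also requires the all-numeric Message-ID, separates the two.

```python
import re

# Sub-rules from the thread, ported from SpamAssassin syntax to Python regexes.
# Names starting with "__" carry no score of their own; only the meta rule adds one.
HEADER_RULES = {
    "__LRZ_BND_MS": ("content-type", re.compile(
        r'boundary="-{4}=_NextPart_000_[0-9A-F]{4}_[0-9A-F]{8}\.[0-9A-F]{8}"')),
    "__LRZ_MSGID_SPAM_99": ("message-id", re.compile(r'<\d{8,13}\.2017\d{6,11}@')),
}
URI_RULES = {
    "__RP_D_00108_03": re.compile(r'/\d{12}/[A-Z]{6}/?$'),   # new variant from the thread
    "__URI_FIRST_VARIANT": re.compile(r'/[A-Z]{4}\d{6}/$'),  # hypothetical name, first pattern
}

def header_hits(headers):
    """Return the header sub-rules that fire on a {header-name: value} dict."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return {name for name, (hdr, rx) in HEADER_RULES.items()
            if rx.search(lowered.get(hdr, ""))}

def meta_lrz_header_spam_99(hits):
    """meta LRZ_HEADER_SPAM_99 (__LRZ_MSGID_SPAM_99 && __LRZ_BND_MS)"""
    return {"__LRZ_MSGID_SPAM_99", "__LRZ_BND_MS"} <= hits

def uri_hits(uris):
    """Return the uri sub-rules that fire on any of the extracted URIs."""
    return {name for name, rx in URI_RULES.items() if any(rx.search(u) for u in uris)}

# Constructed samples, not real messages. Both carry the standard Outlook boundary;
# only the spam sample also has the all-numeric Message-ID the run uses.
LEGIT_OUTLOOK = {
    "Content-Type": 'multipart/alternative; boundary="----=_NextPart_000_001A_01D30623.4F2E1A10"',
    "Message-ID": "<004d01d30623$5e6f7a80$1b4e6f80$@example.com>",
}
SPAM_RUN = {
    "Content-Type": 'multipart/alternative; boundary="----=_NextPart_000_00B3_01D30611.7C1E9F00"',
    "Message-ID": "<12345678901.201707261234@example.invalid>",
}

if __name__ == "__main__":
    for label, hdrs in (("legit", LEGIT_OUTLOOK), ("spam", SPAM_RUN)):
        hits = header_hits(hdrs)
        print(label, sorted(hits), "LRZ_HEADER_SPAM_99" if meta_lrz_header_spam_99(hits) else "-")
    print(uri_hits(["http://example.invalid/123456789012/ABCDEF/",
                    "http://example.invalid/news/2017/"]))
```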


Re: Direct download link detection - new variant

2017-07-26 Thread Dianne Skoll
On Tue, 25 Jul 2017 08:36:22 -0400
Dianne Skoll  wrote:

> All of the URLs match this pattern:
> /\/[A-Z]{4}\d{6}\/$/

We see a new variant with the subject "Your Virgin Media bill is ready" and
URLs that match:

uri __RP_D_00108_03 /\/\d{12}\/[A-Z]{6}\/?$/

Regards,

Dianne.