Re: New rule wanted
Loren Wilton wrote on 2023-02-07 11:43:
> I believe 3MB is above the default scan size for SA, so likely it won't even look at the file.

Let's say the sender did not know this? If it was a Linux ELF, I would compile it myself with gcc :) Don't accept precompiled files in email, ever.
Re: New rule wanted
Rupert Gallagher wrote on 2023-02-07 11:15:
> https://www.virustotal.com/gui/file/f4d587f60f2d34add9f77fcbd8c3c0df3ca51cfaecd9de85c45d25647eaac40b
>
> Both SA and ClamAV passed it as legit.
>
> We should have an SA rule that says: "attached file with unknown data type".

Or https://sanesecurity.com/foxhole-databases/
Re: New rule wanted
I believe 3MB is above the default scan size for SA, so likely it won't even look at the file.

Loren

- Original Message -
From: Rupert Gallagher
To: users@spamassassin.apache.org
Sent: Tuesday, February 07, 2023 2:26 AM
Subject: Re: New rule wanted

Note: Both client and server are not Windows. The attached file type is a generic "data" on Unix. On a Windows client the file runs as an executable. An SA rule should merely detect that the file type is a generic "data" file.

Original Message
On Feb 7, 2023, 11:15, Rupert Gallagher < r...@protonmail.com> wrote:

I received a spam with score -1. Well written, looks legit commercial, asking for a quotation, with details in the attachment, a 3MB file with unknown extension ".one".

The file turns out to be a Windows Trojan:

https://www.virustotal.com/gui/file/f4d587f60f2d34add9f77fcbd8c3c0df3ca51cfaecd9de85c45d25647eaac40b

Both SA and ClamAV passed it as legit.

We should have an SA rule that says: "attached file with unknown data type".
Re: New rule wanted
I've seen this wave too. You could use such a rule:

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader ONENOTE_ATTACHED Content-Type =~ /\.one(?:[";]|$)/i
describe ONENOTE_ATTACHED Attached OneNote
score ONENOTE_ATTACHED 5.0
endif

Make sure MIMEHeader is loaded. I haven't used that rule in prod, so I don't guarantee it will work perfectly.

We use fuglu to put mails in quarantine based on file attachment. ClamAV does not recognize attachments inside OneNote files, so most signatures don't hit as one would expect. But looking for .hta inside those OneNote files helped me block more or less all those mails (that were not blocked earlier by RBLs).

Good luck,
Laurent S.
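Added example, not code from the thread or from SpamAssassin: the two checks discussed here (the ONENOTE_ATTACHED header regex from Laurent's rule, and Rupert's "attached file with unknown data type") run with the Python stdlib email parser over a constructed quotation-request mail. The magic-number table, the extra Content-Disposition check and the second rule name are assumptions of mine.

```python
import base64
import re
from email import message_from_bytes

# Same pattern as the mimeheader rule, with $ outside the character class
# so a bare "name=details.one" at the end of the header also matches.
ONE_RE = re.compile(r'\.one(?:[";]|$)', re.I)

# Hypothetical, deliberately tiny magic table standing in for file(1):
# anything not starting with one of these is treated as generic "data".
# A real .one file (GUID header E4 52 5C 7B ...) is left out on purpose.
KNOWN_MAGIC = [b"%PDF-", b"PK\x03\x04", b"\xd0\xcf\x11\xe0", b"\x7fELF"]

def check_attachments(raw):
    """Return the sorted list of (constructed) rule names hit by the message."""
    hits = set()
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        # Rule 1: OneNote filename in Content-Type name= or in
        # Content-Disposition filename= (the second header is my addition).
        if ONE_RE.search(part.get("Content-Type", "")) or \
           ONE_RE.search(part.get("Content-Disposition", "")):
            hits.add("ONENOTE_ATTACHED")
        # Rule 2: Rupert's idea, an attachment whose bytes match no known type.
        if part.get_content_disposition() == "attachment":
            payload = part.get_payload(decode=True) or b""
            if not any(payload.startswith(m) for m in KNOWN_MAGIC):
                hits.add("UNKNOWN_DATA_ATTACHED")
    return sorted(hits)

def build_message(filename, payload):
    """Constructed sample mail: a quotation request carrying one attachment."""
    return (b"From: sender@example.invalid\r\nTo: buyer@example.invalid\r\n"
            b"Subject: Request for quotation\r\nMIME-Version: 1.0\r\n"
            b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
            b"--b1\r\nContent-Type: text/plain\r\n\r\nDetails attached.\r\n"
            b'--b1\r\nContent-Type: application/octet-stream; name="'
            + filename + b'"\r\nContent-Disposition: attachment; filename="'
            + filename + b'"\r\nContent-Transfer-Encoding: base64\r\n\r\n'
            + base64.b64encode(payload) + b"\r\n--b1--\r\n")

if __name__ == "__main__":
    print(check_attachments(build_message(b"details.one", b"\xe4\x52\x5c\x7bjunk")))
    print(check_attachments(build_message(b"report.pdf", b"%PDF-1.4\n")))
```

Like the SA rule, the first check only looks at MIME headers; the second needs the decoded part body, which is where the 3MB default scan limit Loren mentions would bite in SpamAssassin itself.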
Re: New rule wanted
Note: Both client and server are not Windows. The attached file type is a generic "data" on Unix. On a Windows client the file runs as an executable. An SA rule should merely detect that the file type is a generic "data" file.

Original Message
On Feb 7, 2023, 11:15, Rupert Gallagher wrote:

> I received a spam with score -1. Well written, looks legit commercial, asking
> for a quotation, with details in the attachment, a 3MB file with unknown
> extension ".one".
>
> The file turns out to be a Windows Trojan:
>
> https://www.virustotal.com/gui/file/f4d587f60f2d34add9f77fcbd8c3c0df3ca51cfaecd9de85c45d25647eaac40b
>
> Both SA and ClamAV passed it as legit.
>
> We should have an SA rule that says: "attached file with unknown data type".
New rule wanted
I received a spam with score -1. Well written, looks legit commercial, asking for a quotation, with details in the attachment, a 3MB file with unknown extension ".one".

The file turns out to be a Windows Trojan:

https://www.virustotal.com/gui/file/f4d587f60f2d34add9f77fcbd8c3c0df3ca51cfaecd9de85c45d25647eaac40b

Both SA and ClamAV passed it as legit.

We should have an SA rule that says: "attached file with unknown data type".