Re: Now its zip attachments ^^
On 24.07.07 08:57, Kelson wrote:
> Over here we use MIMEDefang as the glue to tie SpamAssassin, Clamd, etc.
> together. MD filters are very customizable (if you can write it in
> Perl, you can put it in a MD filter). After our filter calls clamd, we
> check the name of the matching signature against a regexp. We only
> actually drop messages that trip on known mass-mailer signatures (most
> of them have "worm" or "@mm" in the name, depending on who first named
> it), and the rest are rejected.

This is sick. Why not reject all viruses, independently of what they do? Why not let the sender deal with the rejection? Either the sending server will generate bounces (and the admin learns to install antivirus) or the sending bot will not have its mail accepted.

I know that there were recommendations in the past "not to send notification to the sender, when the virus name contained '@mm'" but they were invalid for more reasons. And they were about _notifications_ to "senders".

Never notify the sender or receiver about the virus. Senders are in most cases fake and the receivers do not want to know that a whole spambot army started sending them viruses.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Quantum mechanics: The dreams stuff is made of.
Re: Now its zip attachments ^^
John Rudd wrote:
> Chr. v. Stuckrad wrote:
>> I have a 'political problem' with that. We 'drop' known viruses into
>> a quarantine directory without further notice, and only once in years
>> somebody complained and wanted his virus back :-)
>
> You could even do it as 5 different instances (1 for base clamav sigs, 1
> for each of the signature files from sanesecurity, 1 for each of the
> signature files from msrbl), and mark them accordingly.

Over here we use MIMEDefang as the glue to tie SpamAssassin, Clamd, etc. together. MD filters are very customizable (if you can write it in Perl, you can put it in a MD filter). After our filter calls clamd, we check the name of the matching signature against a regexp. We only actually drop messages that trip on known mass-mailer signatures (most of them have "worm" or "@mm" in the name, depending on who first named it), and the rest are rejected.

For those who only want to run one instance of clamd, it's easy enough to do the same thing to separate "real" viruses from spam signatures by looking for "sanesecurity" or "msrbl".

-- 
Kelson Vibber
SpeedGate Communications
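The name-based policy described in the message above, as an added shell example (not Kelson's MIMEDefang filter, which the post does not show): it parses clamd reply lines and maps the matching signature name to an action. The sample signature names, the action names and the precedence between actions are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: decide what to do with a message from the names of the
# ClamAV signatures it matched. Action names are this example's own.

# sig_name LINE: print the signature name from a clamd reply such as
# "stream: Some.Name FOUND"; fail for "OK" or error replies.
sig_name() {
    case $1 in
        *" FOUND") s=${1% FOUND}; printf '%s\n' "${s##*: }" ;;
        *) return 1 ;;
    esac
}

# sig_action NAME: print tag-spam, discard or reject.
sig_action() {
    lc=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case $lc in
        # Third-party signature, but for real malware: handle as a virus.
        *.malware.sanesecurity.*) ;;
        # Spam signatures from the add-on databases: only tag, never destroy.
        *sanesecurity*|msrbl*) echo tag-spam; return 0 ;;
    esac
    case $lc in
        # Mass mailers forge the sender, so a rejection reaches nobody useful.
        *worm*|*@mm*) echo discard ;;
        # Any other virus: reject and let the sending side deal with it.
        *) echo reject ;;
    esac
}

# message_verdict: read clamd reply lines (one per scan) on stdin and print
# one verdict. Assumed precedence: discard > reject > tag-spam > accept.
message_verdict() {
    verdict=accept
    while IFS= read -r line; do
        name=$(sig_name "$line") || continue
        case $(sig_action "$name") in
            discard)  verdict=discard ;;
            reject)   [ "$verdict" = discard ] || verdict=reject ;;
            tag-spam) [ "$verdict" != accept ] || verdict=tag-spam ;;
        esac
    done
    echo "$verdict"
}

# Constructed replies for one message scanned by two clamd instances.
printf '%s\n' \
    'stream: OK' \
    'stream: Email.Spam.Gen0001.Sanesecurity.07072300 FOUND' | message_verdict
```

A site that rejects every virus, as argued elsewhere in this thread, would map `discard` to `reject` in `sig_action`.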
Re: Now its zip attachments ^^
Chr. v. Stuckrad wrote:
> Did somebody of you create an extra 'instance' of clamad-filter to fight
> spam with spam-sigs only, without scanning for virus-sigs?

I'm running two instances of clamd in our mail gateway.

One instance has the stock signatures (minus phishing sigs) and is used before SpamAssassin. If this hits, the mail is silently quarantined.

The other instance has the SaneSecurity and Malware sigs loaded as well as the stock phishing sigs and triggers on some stuff the normal instance doesn't. This is used by SpamAssassin using the ClamAV plugin so it just contributes to the SA score.

Regards
/Jonas

-- 
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/
Re: Now its zip attachments ^^
You mean my not smoking and never have smoked status gets me drummed out of the neo-con corps? What will those who know me and think I am somewhere off to the right of would be astonished. But then my friends on the right figure I am quite "squishy" as a "conservative." Ah well. I grew up outside the out group and I guess I'm still not a pigeon to stuff in a hole. {^_-} - Original Message - From: "Thomas Raef" <[EMAIL PROTECTED]> Wait, would that ban on smoking include cigars too? Are regular neo-cons okay? Please delete. -Original Message- From: Jerry Glomph Black [mailto:[EMAIL PROTECTED] I would start by banning Outlook along with attachments. Why stop there, ban -all- Microsoft products from the internet. Next, I would ban smoking, unhealthy foods, and moronic neo-cons. Come on, this is Earth we are talking about. The whole point of SpamAssassin is to attempt to make ordinary people's use of email tolerable again, under the onslaught of crap. SA, along with the various external services it employs, does a fantastic job, thanks to a great bunch of guys who appear here every day. _ On Mon, 23 Jul 2007, John Rudd wrote: Matus UHLAR - fantomas wrote: On 22.07.07 18:47, John Rudd wrote: As I've said for years: we should just ban attachments. They're not really useful for anything that can't be done a better way. Which only leaves them being useful for attacks of one form or another. some people just want, some just need attachments. "some people just want" -- yup, no disagreement there. No matter how many alternatives you give them, some people just want the ease and convenience of attachments. "some just need" -- no, I can't agree there. I have yet to come across ANY situation where a person _NEEDED_ attachments. As I said above, there's nothing that can be done with attachments that you can't do another way.
Re: Now its zip attachments ^^
From: "Dave Pooser" <[EMAIL PROTECTED]> "some just need" -- no, I can't agree there. I have yet to come across ANY situation where a person _NEEDED_ attachments. As I said above, there's nothing that can be done with attachments that you can't do another way. In fact, nobody _NEEDS_ email, because we could just FTP text files around and then IM each other to say "I dropped a message in your FTP inbox." But in real twenty-first-century life, our users expect email to be a combination of near-real-time communications and file transfer, and since they're the people who are responsible for our getting paid it seems worthwhile to deliver what they expect instead of getting hung up on the purpose of email as defined in 1970-whatever. -- Dave Pooser Cat-Herder-in-Chief, Pooserville.com And I often feel like I am trying to train cats to herd mice. {^_-}
Re: Now its zip attachments ^^
From: "John Rudd" <[EMAIL PROTECTED]> Matus UHLAR - fantomas wrote: On 22.07.07 18:47, John Rudd wrote: As I've said for years: we should just ban attachments. They're not really useful for anything that can't be done a better way. Which only leaves them being useful for attacks of one form or another. some people just want, some just need attachments. "some people just want" -- yup, no disagreement there. No matter how many alternatives you give them, some people just want the ease and convenience of attachments. "some just need" -- no, I can't agree there. I have yet to come across ANY situation where a person _NEEDED_ attachments. As I said above, there's nothing that can be done with attachments that you can't do another way. I could send files to my customer other ways. But ANY alternative way involves opening a security hole in his mind, on my machines, or both. If he gets used to retrieving files via ftp when I send him email with a link, he's in trouble. If I open an ftp port that is one more firewall security hole for me. If I throw the files onto my ISP's web facilities that's one more hole for the whole project if somebody guesses the name used. The same applies for http and a host of other alternatives. His son and I have almost trained him not to click on links in email unless he scrutinizes the link and knows exactly where it goes, which is not possible with many email programs. (He uses AOL, which is a security hole in itself judging from how badly his computer was infected the last time we all checked.) We also have almost trained him to check attachments CAREFULLY before opening them. Is he sure he knows what they are, that they are from a trustworthy source, and that he was expecting the attachment. (He is a good salesman who knows his business. He's not very technically minded, which leaves him vulnerable.) If I have to get new telecommuting files to him I have to settle on which vulnerability to allow. 
(I am NOT going to VPN into his network, both for his security and mine. Setting it up on his network is pretty much out of the question, anyway.) You just can't win, John. All you can do is try to stay ahead of the game. {^_^}
Re: Now its zip attachments ^^
Chr. v. Stuckrad wrote:
> On Mon, 23 Jul 2007, John Scully wrote:
>> ... After adding the sanesecurity sigs to clamd last week not one PDF
>> has made it through. And since clamd unpacks and examines every
>> attachment anyway it is no additional load. In fact, due to the
>> messages not hitting SA it probably reduced load slightly.
>
> I have a 'political problem' with that. We 'drop' known viruses into
> a quarantine directory without further notice, and only once in years
> somebody complained and wanted his virus back :-)
>
> We *only* TAG spam with headers, then users decide to drop, move, or read it.
>
> So if I 'simply insert' those clamav sigs, spam would be handled as a virus,
> not as 'our spam', which I'm not allowed to destroy.
>
> Did somebody of you create an extra 'instance' of clamad-filter to fight
> spam with spam-sigs only, without scanning for virus-sigs? Does that
> sound feasible?

The clamav helper I'm working on for CommuniGate Pro can do exactly that. You could have:

a) clamav #1 running with regular signatures, detecting viruses and phishing, rejecting them or adding a set of headers that say "this is a virus".

b) clamav #2 running against 3rd party scanners, and generating different headers that say "this is something else".

You could even do it as 5 different instances (1 for base clamav sigs, 1 for each of the signature files from sanesecurity, 1 for each of the signature files from msrbl), and mark them accordingly.

I have no idea if anyone is doing something similar for other clamav mechanisms.
Re: Now its zip attachments ^^
Per Jessen wrote: John Rudd wrote: "some just need" -- no, I can't agree there. I have yet to come across ANY situation where a person _NEEDED_ attachments. As I said above, there's nothing that can be done with attachments that you can't do another way. That is very similar to saying that a person does not NEED a car - he could just walk. Or take the bus or a train. Or all three combined. Or ride a bike. However, the difference from the car analogy is that there's actually quite a bit that does require a car in modern life. There isn't anything that needs an attachment.
Re: Now its zip attachments ^^
hi,

On Mon, Jul 23, 2007 at 10:13:22PM +0200, Matthias Keller told us:
> Using amavisd-new...

actually, with amavisd-new, you can treat virus names in a special way via regexes, so that it doesn't get recognized as a virus, but instead you can add extra points to the spamassassin score. This feature is available from version 2.5.0 (IIRC), look at @virus_name_to_spam_score_maps, e.g.

    @virus_name_to_spam_score_maps =
      (new_RE(
        [ qr'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.'i => 0.1 ],
        [ qr'^(Email|Html)\.Malware\.Sanesecurity\.'          => undef ],
        [ qr'^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.'       => 0.1 ],
      # [ qr'^(Email|Html)\.(Hdr|Img|ImgO|Bou|Stk|Loan|Cred|Job|Dipl|Doc)
      #       (\.[^., ]*)* \.Sanesecurity\.'x => 0.1 ],
        [ qr'^(MSRBL-Images/|MSRBL-SPAM\.)'                   => 0.1 ],
      ));

Sven

-- 
Linux zion.homelinux.com 2.6.20-1.2962.fc6xen #1 SMP Tue Jun 19 19:47:34 EDT 2007 i686 athlon i386 GNU/Linux
23:10:18 up 13 days, 9:53, 1 user, load average: 0.09, 0.42, 0.55
Re: Now its zip attachments ^^
On Mon, 23 Jul 2007, Chr. v. Stuckrad wrote:

> On Mon, 23 Jul 2007, John Scully wrote:
>
> > ... After adding the sanesecurity sigs to clamd last
> > week not one PDF has made it through. And since clamd unpacks and examines
> > every attachment anyway it is no additional load. In fact, due to the
> > messages not hitting SA it probably reduced load slightly.
>
> I have a 'political problem' with that. We 'drop' known viruses into
> a quarantine directory without further notice, and only once in years
> somebody complained and wanted his virus back :-)
>
> We *only* TAG spam with headers, then users decide to drop, move, or read it.
>
> So if I 'simply insert' those clamav sigs, spam would be handled as a virus,
> not as 'our spam', which I'm not allowed to destroy.
>
> Did somebody of you create an extra 'instance' of clamad-filter to fight
> spam with spam-sigs only, without scanning for virus-sigs? Does that
> sound feasible?
>
> Stucki

Doing exactly that here, easily done.

Create two instances of "clamd" (same binary, different config files with different "DatabaseDirectory"s). First instance has only standard AV sigs, second "DatabaseDirectory" has all supplemental sigs.

One trick, in the second "DatabaseDirectory" make 'daily.inc' and 'main.inc' be soft-links pointing to the real subdirectories in the first "DatabaseDirectory". That way you only need to run one instance of freshclam to keep everything up-2-date for the standard ClamAV sigs.

Install the ClamAVPlugin in your SA, config it to 'talk' to the second clamd instance, score appropriately.

You can then also try out the experimental anti-phishing features in the second clamd instance with less risk of losing messages.

More details upon request.

-- 
Dave Funk                                  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
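The two-instance layout from the message above as an added shell example, not Dave Funk's actual configuration: it writes one config per instance, soft-links main.inc and daily.inc into the second database directory, and checks that the instances share no directory, socket or pid file. All paths and file names are assumptions; the demo uses empty placeholder directories in place of what freshclam downloads.

```shell
#!/bin/sh
# Added example: two clamd instances, one freshclam. Paths are assumptions
# and must not contain spaces (conf_value splits on whitespace).

# write_clamd_conf FILE DBDIR SOCKET PIDFILE
# Each instance needs its own database directory, socket and pid file.
write_clamd_conf() {
    cat > "$1" <<EOF
DatabaseDirectory $2
LocalSocket $3
PidFile $4
EOF
}

# link_standard_sigs AV_DB SPAM_DB
# Make main.inc and daily.inc in the second directory soft links to the
# real subdirectories in the first, so one freshclam run updates both.
link_standard_sigs() {
    for d in main.inc daily.inc; do
        [ -d "$1/$d" ] || { echo "missing $1/$d" >&2; return 1; }
        rm -f "$2/$d"
        ln -s "$1/$d" "$2/$d" || return 1
    done
}

# conf_value FILE KEY: print the value of KEY from a clamd config file.
conf_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# check_pair AV_CONF SPAM_CONF
# Succeeds only if the instances are separate and the second one resolves
# the standard signatures to the first instance's copies.
check_pair() {
    av_db=$(conf_value "$1" DatabaseDirectory)
    spam_db=$(conf_value "$2" DatabaseDirectory)
    [ -n "$av_db" ] && [ -n "$spam_db" ] || return 1
    [ "$av_db" != "$spam_db" ] || return 1
    for key in LocalSocket PidFile; do
        [ "$(conf_value "$1" "$key")" != "$(conf_value "$2" "$key")" ] || return 1
    done
    for d in main.inc daily.inc; do
        [ -d "$av_db/$d" ] && [ -L "$spam_db/$d" ] || return 1
        [ "$(cd "$spam_db/$d" && pwd -P)" = "$(cd "$av_db/$d" && pwd -P)" ] || return 1
    done
}

# build_pair ROOT: create both configs and the linked database directory.
# Supplemental signature files would be copied into ROOT/db-spam afterwards.
build_pair() {
    mkdir -p "$1/etc" "$1/run" "$1/db-av" "$1/db-spam" || return 1
    write_clamd_conf "$1/etc/clamd-av.conf" "$1/db-av" \
        "$1/run/clamd-av.sock" "$1/run/clamd-av.pid"
    write_clamd_conf "$1/etc/clamd-spam.conf" "$1/db-spam" \
        "$1/run/clamd-spam.sock" "$1/run/clamd-spam.pid"
    link_standard_sigs "$1/db-av" "$1/db-spam"
}

# Demo in a throw-away directory with placeholder signature directories.
demo_root=$(mktemp -d) || exit 1
mkdir -p "$demo_root/db-av/main.inc" "$demo_root/db-av/daily.inc"
if build_pair "$demo_root" &&
   check_pair "$demo_root/etc/clamd-av.conf" "$demo_root/etc/clamd-spam.conf"
then
    echo "layout OK"
fi
rm -rf "$demo_root"
```

Each daemon is then started with its own file (`clamd -c FILE`), and the SpamAssassin ClamAV plugin is pointed at the second instance's socket.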
Re: Now its zip attachments ^^
Chr. v. Stuckrad wrote:
> On Mon, 23 Jul 2007, John Scully wrote:
>> ... After adding the sanesecurity sigs to clamd last week not one PDF
>> has made it through. And since clamd unpacks and examines every
>> attachment anyway it is no additional load. In fact, due to the
>> messages not hitting SA it probably reduced load slightly.
>
> I have a 'political problem' with that. We 'drop' known viruses into
> a quarantine directory without further notice, and only once in years
> somebody complained and wanted his virus back :-)
>
> We *only* TAG spam with headers, then users decide to drop, move, or read it.
>
> So if I 'simply insert' those clamav sigs, spam would be handled as a virus,
> not as 'our spam', which I'm not allowed to destroy.
>
> Did somebody of you create an extra 'instance' of clamad-filter to fight
> spam with spam-sigs only, without scanning for virus-sigs? Does that
> sound feasible?

What I did for nearly the same reason is: Using amavisd-new which scans ONLY the attachments - which is OK for me, when these PDF get treated as virus. But I didn't want the other (especially scam, spam and stuff) rules to treat the mail as virus... So I added the clamplugin to SA which receives the WHOLE mail and sorts out the rest then...

This is configurable in amavisd-new if you want to hand the full mail to clamav or only the attachments - this solved the problem for me.

If you want it to be more separate, you'll have to run two clamav instances which isn't that hard either but uses a bit more resources... You basically just need a separate startup script and a second directory with the signatures and a config file pointing to them - I vaguely remember having seen instructions for such a setup somewhere on msrbl or sanesecurity if I'm not mistaken.

Matt
Re: Now its zip attachments ^^
On Mon, 23 Jul 2007, John Scully wrote:

> ... After adding the sanesecurity sigs to clamd last
> week not one PDF has made it through. And since clamd unpacks and examines
> every attachment anyway it is no additional load. In fact, due to the
> messages not hitting SA it probably reduced load slightly.

I have a 'political problem' with that. We 'drop' known viruses into a quarantine directory without further notice, and only once in years somebody complained and wanted his virus back :-)

We *only* TAG spam with headers, then users decide to drop, move, or read it.

So if I 'simply insert' those clamav sigs, spam would be handled as a virus, not as 'our spam', which I'm not allowed to destroy.

Did somebody of you create an extra 'instance' of clamad-filter to fight spam with spam-sigs only, without scanning for virus-sigs? Does that sound feasible?

Stucki
Re: Now its zip attachments ^^
John Rudd wrote: > "some just need" -- no, I can't agree there. I have yet to come > across > ANY situation where a person _NEEDED_ attachments. As I said above, > there's nothing that can be done with attachments that you can't do > another way. That is very similar to saying that a person does not NEED a car - he could just walk. Or take the bus or a train. Or all three combined. /Per Jessen, Zürich
Re: Now its zip attachments ^^
I have to mention how pleased we are with the sanesecurity clamav tool. We have always used spamassassin with many custom rule sets, dcc and rbls, with clamd for virus scanning. We have been getting a large number (~4,500 per day) of these PDF and other attachment spams making it through SA, even with PDFinfo and everything else we could throw at them. After adding the sanesecurity sigs to clamd last week not one PDF has made it through. And since clamd unpacks and examines every attachment anyway it is no additional load. In fact, due to the messages not hitting SA it probably reduced load slightly. John P. Scully President/CTO iSupportISP LLC 33 North high st Suite 1000 Columbus, OH 43215 614-586-4040 614-226-6110 Mobile 614-586-4044 Fax [EMAIL PROTECTED] Your Private Label Internet and Digital Phone Provider - Original Message - From: "Robert Schetterer" <[EMAIL PROTECTED]> To: Sent: Monday, July 23, 2007 5:15 AM Subject: Re: Now its zip attachments ^^ > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Robert Schetterer schrieb: > > Matus UHLAR - fantomas schrieb: > >>> Hendrik Helmvoigt wrote: > >>>> This night it seems like we're beeing spammed again by xml documents, > >>>> but this time neatly packed into a zipfile: > >>>> > >>>> I'm really excited whats going to happen next. Maybe psd files embedded > >>>> in pdf and then rar'ed. > >>>> > >>>> And i'd still like to meet the person that goes through all that trouble > >>>> to read that spam, and then performs the action that the spammer wants > >>> >from him. > >> On 22.07.07 18:47, John Rudd wrote: > >>> As I've said for years: we should just ban attachments. They're not > >>> really useful for anything that can't be done a better way. Which only > >>> leaves them being useful for attacks of one form or another. > >> some people just want, some just need attachments. 
I think that if a filter > >> (word plugin is used with different meaning in SA) would preprocess/convert > >> those attachments to text, SA could just run standard rules over it and > >> catch unwelcome words, do BAYES check over it, etc etc. > > > >> So the words "dear winner" would match no matter if stored in text, HTML, > >> .doc (tnef), gif or pdf ... > > > >> Is there any such plan for SA? > > Hi all, > > meanwhile > > http://sanesecurity.co.uk/clamav/ > > catches also these zip spam > > i forgot > read the story here > > http://sanesecurity.blogspot.com/2007/07/from-pdf-to-xls-to-zipped-xls-stock.html > > and thx to steve for its work > > - -- > Mit freundlichen Gruessen > Best Regards > > Robert Schetterer > > https://www.schetterer.org > Germany > -BEGIN PGP SIGNATURE- > Version: GnuPG v1.4.5 (GNU/Linux) > Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org > > iD8DBQFGpHGXfGH2AvR16oERAtV7AJ4+brYiSRH6Vw2lPVhJyKQ5tmUhlgCfWk77 > QiSPZGpUdTKEWesgbfVh7So= > =W6Xw > -END PGP SIGNATURE- > >
RE: Now its zip attachments ^^
Wait, would that ban on smoking include cigars too? Are regular neo-cons okay? Please delete. -Original Message- From: Jerry Glomph Black [mailto:[EMAIL PROTECTED] Sent: Monday, July 23, 2007 10:32 AM To: John Rudd Cc: users@spamassassin.apache.org Subject: Re: Now its zip attachments ^^ I would start by banning Outlook along with attachments. Why stop there, ban -all- Microsoft products from the internet. Next, I would ban smoking, unhealthy foods, and moronic neo-cons. Come on, this is Earth we are talking about. The whole point of SpamAssassin is to attempt to make ordinary people's use of email tolerable again, under the onslaught of crap. SA, along with the various external services it employs, does a fantastic job, thanks to a great bunch of guys who appear here every day. _ On Mon, 23 Jul 2007, John Rudd wrote: > Matus UHLAR - fantomas wrote: > >> On 22.07.07 18:47, John Rudd wrote: >>> As I've said for years: we should just ban attachments. They're not >>> really useful for anything that can't be done a better way. Which only >>> leaves them being useful for attacks of one form or another. >> >> some people just want, some just need attachments. > > "some people just want" -- yup, no disagreement there. No matter how many > alternatives you give them, some people just want the ease and convenience of > attachments. > > > "some just need" -- no, I can't agree there. I have yet to come across ANY > situation where a person _NEEDED_ attachments. As I said above, there's > nothing that can be done with attachments that you can't do another way. >
Re: Now its zip attachments ^^
On Monday 23 July 2007, Jerry Glomph Black wrote: >I would start by banning Outlook along with attachments. >Why stop there, ban -all- Microsoft products from the internet. > >Next, I would ban smoking, unhealthy foods, and moronic neo-cons. > >Come on, this is Earth we are talking about. > >The whole point of SpamAssassin is to attempt to make ordinary people's use > of email tolerable again, under the onslaught of crap. SA, along with the > various external services it employs, does a fantastic job, thanks to a > great bunch of guys who appear here every day. I'll probably have to stand in line longer than my kidneys will hold out, but I have to say a hearty Amen! to those that do help here. It is much appreciated. -- Cheers, Gene "There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order." -Ed Howdershelt (Author) Blessed is he who expects no gratitude, for he shall not be disappointed. -- W.C. Bennett
Re: Now its zip attachments ^^
John Rudd wrote: Matus UHLAR - fantomas wrote: On 22.07.07 18:47, John Rudd wrote: As I've said for years: we should just ban attachments. They're not really useful for anything that can't be done a better way. Which only leaves them being useful for attacks of one form or another. some people just want, some just need attachments. "some people just want" -- yup, no disagreement there. No matter how many alternatives you give them, some people just want the ease and convenience of attachments. "some just need" -- no, I can't agree there. I have yet to come across ANY situation where a person _NEEDED_ attachments. As I said above, there's nothing that can be done with attachments that you can't do another way. Of course these things COULD be done another way. But not always as easily or as quickly as with attachments. Can you recommend a quick and easy replacement to attachments when my boss wants me to send him an excel file he needs for a meeting with an auditor? 1. FTP? Easy for me to setup and upload the file to the server. But now my boss has to open an ftp client (yes you can use a browser but does he know this?) He doesnt even know what ftp is..and now he needs to use a username and password just to get this file I could have easily emailed him? Too much work on his part. 2. Put it up on our company intranet? This is somewhat less work than ftp but since it is publicly accessible (inside our organization), there would need to be some authentication. This ALMOST worked for us here except for that time when the ceo needed a report sent to him but he was not in the building. He wanted it on his blackberry..hmm..how to get a report to a blackberry remotely without email and attachments? 3. ??
Re: Now its zip attachments ^^
I would start by banning Outlook along with attachments. Why stop there, ban -all- Microsoft products from the internet. Next, I would ban smoking, unhealthy foods, and moronic neo-cons. Come on, this is Earth we are talking about. The whole point of SpamAssassin is to attempt to make ordinary people's use of email tolerable again, under the onslaught of crap. SA, along with the various external services it employs, does a fantastic job, thanks to a great bunch of guys who appear here every day. _ On Mon, 23 Jul 2007, John Rudd wrote: Matus UHLAR - fantomas wrote: On 22.07.07 18:47, John Rudd wrote: As I've said for years: we should just ban attachments. They're not really useful for anything that can't be done a better way. Which only leaves them being useful for attacks of one form or another. some people just want, some just need attachments. "some people just want" -- yup, no disagreement there. No matter how many alternatives you give them, some people just want the ease and convenience of attachments. "some just need" -- no, I can't agree there. I have yet to come across ANY situation where a person _NEEDED_ attachments. As I said above, there's nothing that can be done with attachments that you can't do another way.
Re: Now its zip attachments ^^
> "some just need" -- no, I can't agree there. I have yet to come across > ANY situation where a person _NEEDED_ attachments. As I said above, > there's nothing that can be done with attachments that you can't do > another way. In fact, nobody _NEEDS_ email, because we could just FTP text files around and then IM each other to say "I dropped a message in your FTP inbox." But in real twenty-first-century life, our users expect email to be a combination of near-real-time communications and file transfer, and since they're the people who are responsible for our getting paid it seems worthwhile to deliver what they expect instead of getting hung up on the purpose of email as defined in 1970-whatever. -- Dave Pooser Cat-Herder-in-Chief, Pooserville.com "...Life is not a journey to the grave with the intention of arriving safely in one pretty and well-preserved piece, but to slide across the finish line broadside, thoroughly used up, worn out, leaking oil, and shouting GERONIMO!!!" -- Bill McKenna
Re: Now its zip attachments ^^
Matus UHLAR - fantomas wrote: On 22.07.07 18:47, John Rudd wrote: As I've said for years: we should just ban attachments. They're not really useful for anything that can't be done a better way. Which only leaves them being useful for attacks of one form or another. some people just want, some just need attachments. "some people just want" -- yup, no disagreement there. No matter how many alternatives you give them, some people just want the ease and convenience of attachments. "some just need" -- no, I can't agree there. I have yet to come across ANY situation where a person _NEEDED_ attachments. As I said above, there's nothing that can be done with attachments that you can't do another way.
RE: Now its zip attachments ^^
> -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > Sent: Monday, July 23, 2007 3:03 AM > To: Hendrik Helmvoigt > Cc: users@spamassassin.apache.org > Subject: Re: Now its zip attachments ^^ > > 1) Spammers just want to exasperate the smaller spam filter > providers by sending worthless spam. I have heard so many > times the stupid declaration that spamassassin is "useless". The positive results of the stock pump and dump shows just how stupid the end users are! > > > 2) The Anti-spam giants ( with so many takeovers very few > players left now ) are funding these spammers for obvious reasons Spammers harvesting email addresses from usenet groups: news.admin.net-abuse.email, and from anti-spam mailing lists shows just hos stupid the spammers are. _ This email has been scanned and certified safe by SpammerTrap(tm). For Information please see http://www.spammertrap.com _
Re: Now its zip attachments ^^
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Robert Schetterer schrieb: > Matus UHLAR - fantomas schrieb: >>> Hendrik Helmvoigt wrote: This night it seems like we're beeing spammed again by xml documents, but this time neatly packed into a zipfile: I'm really excited whats going to happen next. Maybe psd files embedded in pdf and then rar'ed. And i'd still like to meet the person that goes through all that trouble to read that spam, and then performs the action that the spammer wants >>> >from him. >> On 22.07.07 18:47, John Rudd wrote: >>> As I've said for years: we should just ban attachments. They're not >>> really useful for anything that can't be done a better way. Which only >>> leaves them being useful for attacks of one form or another. >> some people just want, some just need attachments. I think that if a filter >> (word plugin is used with different meaning in SA) would preprocess/convert >> those attachments to text, SA could just run standard rules over it and >> catch unwelcome words, do BAYES check over it, etc etc. > >> So the words "dear winner" would match no matter if stored in text, HTML, >> .doc (tnef), gif or pdf ... > >> Is there any such plan for SA? > Hi all, > meanwhile > http://sanesecurity.co.uk/clamav/ > catches also these zip spam i forgot read the story here http://sanesecurity.blogspot.com/2007/07/from-pdf-to-xls-to-zipped-xls-stock.html and thx to steve for its work - -- Mit freundlichen Gruessen Best Regards Robert Schetterer https://www.schetterer.org Germany -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org iD8DBQFGpHGXfGH2AvR16oERAtV7AJ4+brYiSRH6Vw2lPVhJyKQ5tmUhlgCfWk77 QiSPZGpUdTKEWesgbfVh7So= =W6Xw -END PGP SIGNATURE-
Re: Now its zip attachments ^^
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Matus UHLAR - fantomas schrieb: >> Hendrik Helmvoigt wrote: >>> This night it seems like we're beeing spammed again by xml documents, >>> but this time neatly packed into a zipfile: >>> >>> I'm really excited whats going to happen next. Maybe psd files embedded >>> in pdf and then rar'ed. >>> >>> And i'd still like to meet the person that goes through all that trouble >>> to read that spam, and then performs the action that the spammer wants >> >from him. > > On 22.07.07 18:47, John Rudd wrote: >> As I've said for years: we should just ban attachments. They're not >> really useful for anything that can't be done a better way. Which only >> leaves them being useful for attacks of one form or another. > > some people just want, some just need attachments. I think that if a filter > (word plugin is used with different meaning in SA) would preprocess/convert > those attachments to text, SA could just run standard rules over it and > catch unwelcome words, do BAYES check over it, etc etc. > > So the words "dear winner" would match no matter if stored in text, HTML, > .doc (tnef), gif or pdf ... > > Is there any such plan for SA? Hi all, meanwhile http://sanesecurity.co.uk/clamav/ catches also these zip spam - -- Mit freundlichen Gruessen Best Regards Robert Schetterer https://www.schetterer.org Germany -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org iD8DBQFGpHENfGH2AvR16oERAiqDAJ4uK6HD1Zvnz/dLb5+NeO5dtYSLJACeJwqN Y899WBOLLZz8G0UoSQw3KrQ= =cDw5 -END PGP SIGNATURE-
Re: Now its zip attachments ^^
> Hendrik Helmvoigt wrote:
> > This night it seems like we're being spammed again by xml documents,
> > but this time neatly packed into a zipfile:
> >
> > I'm really excited what's going to happen next. Maybe psd files embedded
> > in pdf and then rar'ed.
> >
> > And I'd still like to meet the person that goes through all that trouble
> > to read that spam, and then performs the action that the spammer wants
> > from him.

On 22.07.07 18:47, John Rudd wrote:
> As I've said for years: we should just ban attachments. They're not
> really useful for anything that can't be done a better way. Which only
> leaves them being useful for attacks of one form or another.

some people just want, some just need attachments. I think that if a filter (word plugin is used with different meaning in SA) would preprocess/convert those attachments to text, SA could just run standard rules over it and catch unwelcome words, do BAYES check over it, etc etc.

So the words "dear winner" would match no matter if stored in text, HTML, .doc (tnef), gif or pdf ...

Is there any such plan for SA?

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Save the whales. Collect the whole set.
Re: Now its zip attachments ^^
On Mon, 2007-07-23 at 03:35 +0200, Hendrik Helmvoigt wrote: > This night it seems like we're beeing spammed again by xml documents, > but this time neatly packed into a zipfile: > > I'm really excited whats going to happen next. Maybe psd files embedded > in pdf and then rar'ed. > > And i'd still like to meet the person that goes through all that trouble > to read that spam, and then performs the action that the spammer wants > from him. > You are right in that. I dont think spammers are getting any positive hits. Probably the spammer of today no longer wishes to reach the end user with such mails IMHO it is either that 1) Spammers just want to exasperate the smaller spam filter providers by sending worthless spam. I have heard so many times the stupid declaration that spamassassin is "useless". 2) The Anti-spam giants ( with so many takeovers very few players left now ) are funding these spammers for obvious reasons > arni
RE: Now its zip attachments ^^
Not sure I agree about banning all attachments, but I would like to ban all email with fonts as BIG as people can find and those which use any kind of background stationery.
Re: Now its zip attachments ^^
On Sun, July 22, 2007 6:47 pm, John Rudd wrote: > For multi-lingual reasons, just allow pain ascii or unicode, and throw > away any messages with any body types other than that. I'd like to ban all those people who write in the tiniest font they can find. Then there's my one brother who always has the dancing bears, etc. in his messages. I tend to reply with bright green on yellow. :) -- Jerry Durand, Durand Interstellar, Inc. Los Gatos, California USA tel: +1 408 356-3886, USA toll free: 1 866 356-3886 web: www.interstellar.com, skype: jerrydurand
Re: Now its zip attachments ^^
Hendrik Helmvoigt wrote:
> This night it seems like we're being spammed again by xml documents,
> but this time neatly packed into a zipfile:
>
> I'm really excited what's going to happen next. Maybe psd files embedded
> in pdf and then rar'ed.
>
> And I'd still like to meet the person that goes through all that trouble
> to read that spam, and then performs the action that the spammer wants
> from him.

As I've said for years: we should just ban attachments. They're not really useful for anything that can't be done a better way. Which only leaves them being useful for attacks of one form or another.

Just junk'em and be done with it.

For multi-lingual reasons, just allow plain ascii or unicode, and throw away any messages with any body types other than that.
Now its zip attachments ^^
This night it seems like we're being spammed again by xml documents, but this time neatly packed into a zipfile:

I'm really excited what's going to happen next. Maybe psd files embedded in pdf and then rar'ed.

And I'd still like to meet the person that goes through all that trouble to read that spam, and then performs the action that the spammer wants from him.

arni