Re: new emotet campaign

2019-09-18 Thread Riccardo Alfieri

On 18/09/19 21:05, Amir Caspi wrote:

> Since the return code for the domain is specifically regarding
> malware, shouldn't the score be higher?  I would imagine the purpose
> of the unique Spamhaus return codes is to enable such granularity in
> scoring on the user end...


I can't speak about SA scoring politics because we are not directly 
involved in the project. What I can say is that we flag legitimate 
domains that are abused to distribute malware. For example:


http://drapart[dot]org/Prensa/k0viv68-5v5-2137/

The website itself is legit, but that particular path is hosting Emotet. 
As of now SA checks only the drapart[dot]org domain against DBL (and 
others) and gives you back a score according to masschecks. You can't 
outright say that *every* drapart[dot]org URL is malicious, because 
most of them really aren't.


So, as of now, if you don't care so much about FPs, just short-circuit 
DBL responses to spam. There are some new functions in SA 3.4.3 that 
could help with better sniping, but that's something that is still to come.


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/
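
What "short-circuit DBL responses to spam" looks like in local.cf, as an added example written for this thread rather than taken from Riccardo's message, from Spamhaus or from the SpamAssassin rule set. It assumes the stock 3.4.x rule name URIBL_DBL_ABUSE_MALW for the 127.0.1.105 return code; check 25_uribl.cf in your rules directory for the name actually defined there. The LOCAL_* rule names are made up for the example, and the two options are alternatives, not meant to be used together.

```conf
# Stock behaviour (from 25_uribl.cf; rule name assumed, verify locally):
# the 127.0.1.105 "abused legit malware" answer only adds a modest score,
# because only the domain is looked up and the domain itself is usually
# legitimate (the drapart[dot]org case above).
#   urirhssub URIBL_DBL_ABUSE_MALW dbl.spamhaus.org. A 127.0.1.105
#   body      URIBL_DBL_ABUSE_MALW eval:check_uridnsbl('URIBL_DBL_ABUSE_MALW')

# Option 1: accept the false-positive risk and go straight to spam.
# Needs the plugin enabled in v320.pre:
#   loadplugin Mail::SpamAssassin::Plugin::Shortcircuit
# A DNS-based rule completes late in the scan, so this buys a verdict,
# not much scan time.
shortcircuit URIBL_DBL_ABUSE_MALW spam

# Option 2: keep normal scoring, but let the DBL hit become decisive only
# when the message also carries an Office attachment, which is where Axb
# expects this campaign's URIs to sit. Narrower, so fewer FPs on ordinary
# mail that merely links to an abused site. mimeheader needs
#   loadplugin Mail::SpamAssassin::Plugin::MIMEHeader
# (on by default in v320.pre).
mimeheader __LOCAL_OFFICE_ATT  Content-Type =~ /^application\/(?:msword|vnd\.ms-(?:excel|word|powerpoint)|vnd\.openxmlformats-officedocument)/i
meta       LOCAL_DBL_MALW_DOC  (URIBL_DBL_ABUSE_MALW && __LOCAL_OFFICE_ATT)
describe   LOCAL_DBL_MALW_DOC  DBL abused-legit malware domain plus an Office attachment
score      LOCAL_DBL_MALW_DOC  4.0
```

Run `spamassassin --lint` after adding either option; a wrong rule name in the shortcircuit or meta line fails silently otherwise, and the DBL hit keeps its default weight.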



Re: new emotet campaign

2019-09-18 Thread Amir Caspi
On Sep 18, 2019, at 3:19 AM, Riccardo Alfieri wrote:
> 
> You are correct, URLhaus domains enter DBL as abused legit malware, but the 
> default SA score is not enough to mark the email as spam (and that's correct 
> as it checks only the domain).

Since the return code for the domain is specifically regarding malware, 
shouldn't the score be higher?  I would imagine the purpose of the unique 
Spamhaus return codes is to enable such granularity in scoring on the user 
end...

Cheers.

--- Amir



Re: new emotet campaign

2019-09-18 Thread Henrik K
On Wed, Sep 18, 2019 at 09:19:17AM, Riccardo Alfieri wrote:
> On 17/09/19 20:54, Amir Caspi wrote:
> 
> >Based on https://feodotracker.abuse.ch/mitigate/, it looks like both
> >Spamhaus DBL and SURBL are fed by URLhaus.  Spamhaus returns 127.0.1.105
> >for URLs fed from URLhaus.  Doesn't SA already handle this, then, for URLs
> >it processes, since it uses the DBL?
> >
> >I know Riccardo sent an email about a new plugin for SA, but I don't know
> >if it's yet implemented in release... but maybe that's not required since
> >the DBL doesn't require DQS.
> >
> You are correct, URLhaus domains enter DBL as abused legit malware, but the
> default SA score is not enough to mark the email as spam (and that's correct
> as it checks only the domain).
> 
> The recommended way would be to use Clamav signatures, or, if you really
> can't, create uri rules based on https://urlhaus.abuse.ch/downloads/csv/

SA 3.4.3 will have the HashBL check_hashbl_uris eval function.  One can then
generate a local sha1'd rbldnsd list and use it.



Re: new emotet campaign

2019-09-18 Thread Riccardo Alfieri

On 17/09/19 20:54, Amir Caspi wrote:

> Based on https://feodotracker.abuse.ch/mitigate/, it looks like both
> Spamhaus DBL and SURBL are fed by URLhaus.  Spamhaus returns
> 127.0.1.105 for URLs fed from URLhaus.  Doesn't SA already handle
> this, then, for URLs it processes, since it uses the DBL?
>
> I know Riccardo sent an email about a new plugin for SA, but I don't
> know if it's yet implemented in release... but maybe that's not
> required since the DBL doesn't require DQS.


You are correct, URLhaus domains enter DBL as abused legit malware, but 
the default SA score is not enough to mark the email as spam (and that's 
correct as it checks only the domain).


The recommended way would be to use ClamAV signatures, or, if you really 
can't, create uri rules based on https://urlhaus.abuse.ch/downloads/csv/


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: new emotet campaign

2019-09-17 Thread Amir Caspi
On Sep 17, 2019, at 12:15 PM, John Hardin wrote:
> 
> On Tue, 17 Sep 2019, hg user wrote:
> 
>> It is a "dumb" rule but the quickest I could create.
>> 
>> https://pastebin.com/bxRSds7a
> 
> Suggestions:
> 
> (1) use a URI rule rather than a BODY rule
> 
> (2) escape the periods; you want to match a period, not any-character.

Based on https://feodotracker.abuse.ch/mitigate/, it looks like both Spamhaus DBL and 
SURBL are fed by URLhaus.  Spamhaus returns 127.0.1.105 for URLs fed from 
URLhaus.  Doesn't SA already handle this, then, for URLs it processes, since it 
uses the DBL?

I know Riccardo sent an email about a new plugin for SA, but I don't know if 
it's yet implemented in release... but maybe that's not required since the DBL 
doesn't require DQS.

--- Amir



Re: new emotet campaign

2019-09-17 Thread John Hardin

On Tue, 17 Sep 2019, hg user wrote:

> It is a "dumb" rule but the quickest I could create.
>
> https://pastebin.com/bxRSds7a


Suggestions:

(1) use a URI rule rather than a BODY rule

(2) escape the periods; you want to match a period, not any-character.



> On Tue, Sep 17, 2019 at 11:59 AM Blason R wrote:
>
>> If possible please share it here?
>>
>> On Tue, Sep 17, 2019 at 3:20 PM hg user wrote:
>>
>>> A new emotet campaign is in progress (https://twitter.com/Cryptolaemus1)
>>> and I created a rule... I don't know if it is possible to share (via
>>> pastebin) the rule I created to have feedback from the experts...


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Are you a mildly tech-literate politico horrified by the level of
  ignorance demonstrated by lawmakers gearing up to regulate online
  technology they don't even begin to grasp? Cool. Now you have a
  tiny glimpse into a day in the life of a gun owner.   -- Sean Davis
---
 Today: the 232nd anniversary of the signing of the U.S. Constitution
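
The three concrete suggestions in this thread carried through as one script: Riccardo's "create uri rules from the URLhaus CSV", John Hardin's two fixes (a uri rule rather than a body rule, and escaped periods), and Henrik's sha1'd rbldnsd list for the check_hashbl_uris eval in SA 3.4.3. This is an added example written for this thread, not code from URLhaus, Spamhaus, the SpamAssassin project or anyone posting here. The CSV column order, the normalisation HashBL applies before hashing, and the rbldnsd line format are assumptions called out in the code; the LOCAL_URLHAUS_* rule names are made up, and the sample CSV is constructed (its first URL is the one quoted in the thread).

```python
"""URLhaus CSV -> SpamAssassin uri rules + SHA-1 list for rbldnsd.

Added example for this thread; not code from URLhaus, Spamhaus or the
SpamAssassin project. Assumptions to verify before relying on it:
  * column order (id, dateadded, url, url_status, threat, tags,
    urlhaus_link, reporter): check the '#' header of the real dump;
  * check_hashbl_uris hashes the URI with the scheme stripped and the
    host lower-cased: check the HashBL plugin docs and mirror its exact
    normalisation here, or the DNS lookups will never hit.
"""
import csv
import hashlib
import io
import re
from urllib.parse import urlsplit

# Constructed sample in the URLhaus CSV shape (not real feed data); the
# first URL is the one quoted in the thread.
SAMPLE_CSV = """\
# URLhaus database dump, constructed for this example
# id,dateadded,url,url_status,threat,tags,urlhaus_link,reporter
"1","2019-09-17 10:00:00","http://drapart.org/Prensa/k0viv68-5v5-2137/","online","malware_download","emotet,epoch2","https://urlhaus.abuse.ch/url/1/","reporter_a"
"2","2019-09-17 10:05:00","http://example.net/wp-content/xyz/","offline","malware_download","emotet","https://urlhaus.abuse.ch/url/2/","reporter_a"
"3","2019-09-17 10:06:00","http://example.org/doc/invoice.php?id=1","online","malware_download","heodo","https://urlhaus.abuse.ch/url/3/","reporter_b"
"""


def load_urls(csv_text, status="online", tag=None):
    """Yield URLs from URLhaus CSV text, skipping '#' comment lines. Keeps
    rows with url_status == status and, if tag is set, whose tags column
    lists it (e.g. 'emotet')."""
    lines = (ln for ln in io.StringIO(csv_text) if not ln.startswith("#"))
    for row in csv.reader(lines):
        if len(row) < 6:
            continue  # blank or truncated line
        url, url_status, tags = row[2], row[3], row[5]
        if url_status == status and (not tag or tag in tags.split(",")):
            yield url


def _hostpath(url):
    parts = urlsplit(url)
    path = parts.path + ("?" + parts.query if parts.query else "")
    return parts.netloc.lower(), path


def uri_regex(url):
    """Path-level pattern. re.escape() quotes every '.', '?' and '-', so
    'drapart.org' cannot match 'drapartXorg' (John Hardin's point), and
    matching host plus path leaves the rest of a legitimate but abused
    domain alone (Riccardo's point)."""
    host, path = _hostpath(url)
    return r"^https?://" + re.escape(host) + re.escape(path)


def naive_regex(url):
    """The shortcut warned against: the URL pasted in verbatim, so each
    '.' is a wildcard and a '?' in the query becomes a quantifier."""
    return "^" + url


def matches(regex, candidate):
    return re.search(regex, candidate, re.IGNORECASE) is not None


def uri_rule(url, name, score=5.0):
    """One SpamAssassin uri rule; m{...} delimiters avoid escaping '/'."""
    host, _ = _hostpath(url)
    return "\n".join([
        f"uri      {name}  m{{{uri_regex(url)}}}i",
        f"describe {name}  URLhaus-listed malware URL on {host}",
        f"score    {name}  {score:.1f}",
    ])


def hashbl_key(url):
    """SHA-1 of the normalised URI (scheme dropped, host lower-cased): the
    label check_hashbl_uris is assumed to query (see module docstring)."""
    host, path = _hostpath(url)
    return hashlib.sha1((host + path).encode("utf-8")).hexdigest()


def rbldnsd_zone(urls):
    """rbldnsd dnset-style data: a ':A:TXT' default line, then one hashed
    label per URL (format assumed; check rbldnsd(8))."""
    lines = [":127.0.0.2:URLhaus malware URL (sha1 of scheme-less URI)"]
    lines.extend(hashbl_key(u) for u in sorted(set(urls)))
    return "\n".join(lines)


def build(csv_text, tag=None, prefix="LOCAL_URLHAUS"):
    """Return (uri rules text, rbldnsd zone text) for the selected rows."""
    urls = list(load_urls(csv_text, tag=tag))
    rules = "\n\n".join(uri_rule(u, f"{prefix}_{i:04d}")
                        for i, u in enumerate(urls, 1))
    return rules, rbldnsd_zone(urls)


if __name__ == "__main__":
    rules, zone = build(SAMPLE_CSV, tag="emotet")
    print(rules, zone, sep="\n\n")
```

A few thousand path-level uri rules cost one regex each per message, while the rbldnsd route is one hashed DNS query per URI, which is the scaling reason to prefer Henrik's approach once the list grows. Either way, keep the entries path-level: hashing or matching only the hostname brings back exactly the false positives Riccardo describes for abused legitimate domains.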


Re: new emotet campaign

2019-09-17 Thread hg user
These rules are from the "epoch 2" campaign and, according to the docs, are
included in the email... as far as I understand.

I don't have ClamAV active at this moment.

On Tuesday, September 17, 2019, Axb wrote:

> I doubt you'll see many hits on that rule as I'd expect most URIs to be
> included in the infected attachments.
> Imo, the ClamAV sigs make more sense.
>
> On 9/17/19 12:36 PM, hg user wrote:
>
>> It is a "dumb" rule but the quickest I could create.
>>
>> https://pastebin.com/bxRSds7a
>>
>> On Tue, Sep 17, 2019 at 11:59 AM Blason R wrote:
>>
>>> If possible please share it here?
>>>
>>> On Tue, Sep 17, 2019 at 3:20 PM hg user wrote:
>>>
>>>> A new emotet campaign is in progress (https://twitter.com/Cryptolaemus1)
>>>> and I created a rule... I don't know if it is possible to share (via
>>>> pastebin) the rule I created to have feedback from the experts...


Re: new emotet campaign

2019-09-17 Thread Axb
I doubt you'll see many hits on that rule as I'd expect most URIs to be 
included in the infected attachments.

Imo, the ClamAV sigs make more sense.

On 9/17/19 12:36 PM, hg user wrote:

> It is a "dumb" rule but the quickest I could create.
>
> https://pastebin.com/bxRSds7a
>
> On Tue, Sep 17, 2019 at 11:59 AM Blason R wrote:
>
>> If possible please share it here?
>>
>> On Tue, Sep 17, 2019 at 3:20 PM hg user wrote:
>>
>>> A new emotet campaign is in progress (https://twitter.com/Cryptolaemus1)
>>> and I created a rule... I don't know if it is possible to share (via
>>> pastebin) the rule I created to have feedback from the experts...









Re: new emotet campaign

2019-09-17 Thread hg user
It is a "dumb" rule but the quickest I could create.

https://pastebin.com/bxRSds7a

On Tue, Sep 17, 2019 at 11:59 AM Blason R wrote:

> If possible please share it here?
>
> On Tue, Sep 17, 2019 at 3:20 PM hg user wrote:
>
>> A new emotet campaign is in progress (https://twitter.com/Cryptolaemus1)
>> and I created a rule... I don't know if it is possible to share (via
>> pastebin) the rule I created to have feedback from the experts...


Re: new emotet campaign

2019-09-17 Thread Riccardo Alfieri

On 17/09/19 11:59, Blason R wrote:

> If possible please share it here?
>
> On Tue, Sep 17, 2019 at 3:20 PM hg user wrote:
>
>> A new emotet campaign is in progress
>> (https://twitter.com/Cryptolaemus1) and I created a rule... I
>> don't know if it is possible to share (via pastebin) the rule I
>> created to have feedback from the experts...


Hi,

not really SpamAssassin related, but for anyone concerned about Emotet, 
I suggest using the URLhaus ClamAV signatures: 
https://urlhaus.abuse.ch/api/#clamav


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/
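
What the URLhaus ClamAV route suggested above actually matches, as an added example written for this thread rather than code from URLhaus or ClamAV: a small reader for ClamAV's .ndb extended-signature lines that turns the hex signature into a byte regex (an approximation of ClamAV's matcher, good enough to show what a line hits) and scans a message body with it. The MalwareName:TargetType:Offset:HexSignature layout is ClamAV's documented format; the signature names, the URLs and the e-mail body are constructed here, and the scanner understands only the `*` offset and the `??`, `*` and `{n-m}` wildcards.

```python
"""Decode URLhaus-style ClamAV .ndb signatures and run them over a
message body offline, to see what the ClamAV route actually matches.

Added example for this thread, not URLhaus or ClamAV code. The line
layout MalwareName:TargetType:Offset:HexSignature is ClamAV's extended
signature format; the names and URLs below are constructed, not copied
from the real urlhaus.ndb feed.
"""
import re

# Constructed sample in .ndb shape. TargetType 0 = any file type,
# Offset * = match anywhere; the hex is simply the URL's bytes.
SAMPLE_NDB = "\n".join([
    "Urlhaus.Example.Emotet.1:0:*:" + b"http://drapart.org/Prensa/k0viv68-5v5-2137/".hex(),
    "Urlhaus.Example.Emotet.2:0:*:" + b"http://example.net/wp-content/xyz/".hex(),
])


def hex_to_regex(hexsig):
    """Translate ClamAV hex-signature syntax into a compiled bytes regex.
    Handles literal hex bytes plus the ?? (any byte), * (any run) and
    {n-m} (n..m bytes) wildcards; anything else raises, so an unsupported
    construct is noticed rather than silently mis-matched."""
    out, i = [], 0
    while i < len(hexsig):
        if hexsig[i] == "*":
            out.append(b".*?")
            i += 1
        elif hexsig[i] == "{":
            j = hexsig.index("}", i)
            spec = hexsig[i + 1:j]
            if "-" in spec:
                lo, hi = spec.split("-", 1)
                lo = lo or "0"          # {-m} means 0..m, {n-} means n..inf
            else:
                lo = hi = spec          # {n} means exactly n bytes
            out.append(b".{%s,%s}" % (lo.encode(), hi.encode()))
            i = j + 1
        elif hexsig[i:i + 2] == "??":
            out.append(b".")
            i += 2
        elif re.fullmatch(r"[0-9a-fA-F]{2}", hexsig[i:i + 2]):
            out.append(re.escape(bytes.fromhex(hexsig[i:i + 2])))
            i += 2
        else:
            raise ValueError(f"unsupported hex-signature token at {i}: {hexsig[i:]!r}")
    return re.compile(b"".join(out), re.DOTALL)


def parse_ndb(text):
    """Parse .ndb lines into dicts, each with a compiled byte pattern."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"malformed .ndb line: {line!r}")
        sigs.append({
            "name": fields[0],
            "target": int(fields[1]),
            "offset": fields[2],
            "hex": fields[3],
            "pattern": hex_to_regex(fields[3]),
        })
    return sigs


def scan(data, sigs):
    """Names of the signatures that hit in data (bytes), like clamscan on
    one file. Only the '*' offset form is handled in this example."""
    hits = []
    for sig in sigs:
        if sig["offset"] != "*":
            raise ValueError(f"{sig['name']}: only '*' offsets are handled here")
        if sig["pattern"].search(data):
            hits.append(sig["name"])
    return hits


if __name__ == "__main__":
    body = b"Your invoice: http://drapart.org/Prensa/k0viv68-5v5-2137/ (see attached)"
    print(scan(body, parse_ndb(SAMPLE_NDB)))
```

The hex in each URLhaus line is just the URL's bytes, so one signature catches the URL in a plain-text body, an HTML part or a decoded macro document alike. That is where the two approaches in this thread part ways: clamscan unpacks MIME parts and archives before matching, while a SpamAssassin uri rule only sees URIs parsed from the message text, which is the basis for Axb's remark that the ClamAV sigs make more sense when the URIs live inside the infected attachments. This toy scanner, like the uri rule, only sees the bytes it is handed.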



Re: new emotet campaign

2019-09-17 Thread Blason R
If possible please share it here?

On Tue, Sep 17, 2019 at 3:20 PM hg user wrote:

> A new emotet campaign is in progress (https://twitter.com/Cryptolaemus1)
> and I created a rule... I don't know if it is possible to share (via
> pastebin) the rule I created to have feedback from the experts...