Re: SA cannot block messages with attached zip
On Wed, 13 Jul 2016, Chip M. wrote:

> P.P.S. Today's new malware morph is a single zipped javascript file, where the script filename ends with "..wsf". Is the double dot just a mistake, or does that confuse anything?

That's very likely an attempt to bypass "double-extension" filter checks that expect the first extension to actually be present (e.g. something like /\.[a-z]{1,3}\.wsf$/ ).

-- 
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
jhar...@impsec.org  FALaholic #11174  pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
3 days until the 71st anniversary of the dawn of the Atomic Age
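An added example (my code, not John's or Chip's filter) showing why a check of the shape /\.[a-z]{1,3}\.wsf$/ misses the "..wsf" morph, beside a check that judges only the final extension and so does not care how many dots precede it. The extension list is the one this thread blocks; the stripping of trailing dots and spaces is my assumption about how Windows normalises file names before it decides what to run.

```python
import re

# Naive "double-extension" check of the shape John describes: it insists on a
# real 1-3 letter first extension, so a name like "invoice..wsf" slips past it.
NAIVE_DOUBLE_EXT = re.compile(r"\.[a-z]{1,3}\.wsf$", re.IGNORECASE)

# Script-host extensions named in this thread (.js, .jse, .vbs, .wsf, .hta).
SCRIPT_EXTENSIONS = {"js", "jse", "vbs", "wsf", "hta"}


def naive_double_extension_hit(filename: str) -> bool:
    """The brittle check: true only when a well-formed first extension is present."""
    return NAIVE_DOUBLE_EXT.search(filename) is not None


def effective_extension(filename: str) -> str:
    """Extension the platform will act on: text after the last dot, lowercased,
    after dropping trailing dots and spaces (assumption: Win32 strips those when
    a file is created). For "invoice..wsf" the empty middle component does not
    matter; the result is "wsf"."""
    name = filename.rstrip(" .")
    _, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""


def is_script_filename(filename: str) -> bool:
    """Robust check: judge the final extension only, however many dots precede it."""
    return effective_extension(filename) in SCRIPT_EXTENSIONS


def compare(filenames):
    """Side-by-side verdicts of both checks over a list of archive member names."""
    return {
        name: {"naive": naive_double_extension_hit(name), "robust": is_script_filename(name)}
        for name in filenames
    }


if __name__ == "__main__":
    # Constructed sample member names, including the "..wsf" morph from the thread.
    sample = ["invoice.pdf.wsf", "invoice..wsf", "Scan.JS", "photo.jpg"]
    for name, verdict in compare(sample).items():
        print(f"{name:20} naive={verdict['naive']!s:5} robust={verdict['robust']}")
```

The naive pattern only fires on the first sample name; the final-extension check fires on the first three and leaves the JPEG alone.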
Re: SA cannot block messages with attached zip
On Wed, 8 Jun 2016 17:23:59 -0400 Alex wrote:

> Meanwhile, there is RTF spam that's circulating which is currently bypassing the sanesecurity sigs. I've just submitted a sample to Steve, but the db hasn't yet been updated. Here's a sample:
>
> http://pastebin.com/ALsSAmwa

Alex, thanks for the spample! :)

I've seen a steady trickle of those, since late April.

That file attachment is actually the way-kewl "Office Open XML" format, with an embedded VBA binary file, just like last week's main vector for "Zepto" (a new ransomware morph), except those used the (more correct) file extension ".docm".

The way-kewl thing about this file format is that they're completely standard zip files, containing a mix of other mostly standard files (e.g. XML, JPEGs). In general, they're very easy to parse (no obscure Microsoft OLE/etc in the main files).

The VBA is always in a file named "vbaproject.bin". Since filenames in zip files are stored unaltered, it's just a matter of de-MIME-ing the file, and scanning for the filename. You do _NOT_ have to parse the zip file, just look for that one simple string. :)

(Pedantic note: Technically, there's another file named "vbaProject.bin.rels" which is a plain text XML file. Theoretically, you may want to exclude it, but practically, I wouldn't bother - it seems to always occur with the binary ".bin" file, so just nuke/quarantine them all.)

A couple of years ago, I changed my post-SA Filter so it always tests the first few "raw" characters of every MIME Part, and if they're the prefix that means PKZip, I de-MIME it and send it thru my zip analyzer, regardless of ContentType or file ext. I got fed up with all the Spammer Stupid Part Tricks, and it's blindingly fast to check the prefix. :)

- "Chip"

P.S. Thanks everyone for the followups on how Foxhole handles stuff. :)

P.P.S. Today's new malware morph is a single zipped javascript file, where the script filename ends with "..wsf". Is the double dot just a mistake, or does that confuse anything?
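Chip's two tricks from the post above, written out as an added example (my code, not Chip's filter): decode every MIME part, test the raw prefix for the PKZip local-header magic regardless of the declared content type or file name, and then look for the literal "vbaProject.bin" string without parsing the zip at all. The message, the zip contents and the application/rtf mislabelling are constructed for the example; the regex is deliberately case-insensitive and also hits vbaProject.bin.rels, which Chip says he does not bother to exclude.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

PKZIP_PREFIX = b"PK\x03\x04"          # local file header that starts a non-empty zip
VBA_NAME = re.compile(rb"vbaproject\.bin", re.IGNORECASE)


def build_zip(entries: dict) -> bytes:
    """Constructed sample: an in-memory zip with the given {name: bytes} members.
    Member names are stored verbatim in the zip headers, which is what we search."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed message: a macro-bearing Office Open XML file mislabelled as RTF,
    plus a harmless zip for contrast. None of the payload bytes are real."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached document.\n")
    docm = build_zip({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<document/>",
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 placeholder, not a real OLE stream",
        "word/_rels/vbaProject.bin.rels": b"<Relationships/>",
    })
    msg.add_attachment(docm, maintype="application", subtype="rtf", filename="invoice.rtf")
    photos = build_zip({"holiday.jpg": b"\xff\xd8\xff placeholder jpeg"})
    msg.add_attachment(photos, maintype="application", subtype="zip", filename="photos.zip")
    return msg.as_bytes()


def scan_message(raw: bytes) -> list:
    """One finding per leaf MIME part: is it a zip by prefix, and does it carry VBA?"""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""   # de-MIME (base64/QP) the part
        is_zip = data.startswith(PKZIP_PREFIX)        # prefix test, not Content-Type
        findings.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "is_zip": is_zip,
            "has_vba": bool(is_zip and VBA_NAME.search(data)),
        })
    return findings


if __name__ == "__main__":
    for f in scan_message(build_sample_message()):
        print(f)
```

The text body is reported as not-a-zip, invoice.rtf as a zip carrying VBA despite its RTF label, and photos.zip as a zip with no macro project.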
Re: SA cannot block messages with attached zip
On 2016-06-08 23:23, Alex wrote:
> http://pastebin.com/ALsSAmwa

this sample can be reported to dnswl
Re: SA cannot block messages with attached zip
Meanwhile, there is RTF spam that's circulating which is currently bypassing the sanesecurity sigs. I've just submitted a sample to Steve, but the db hasn't yet been updated. Here's a sample:

http://pastebin.com/ALsSAmwa

The pattern to temporarily stop them involves a meta with __DOC_ATTACH_MT and some body rules. Other ideas welcome.

On Wed, Jun 8, 2016 at 5:08 PM, Paul Stead wrote:
>
> On 08/06/16 21:39, Paul Stead wrote:
>>
>> BlockAnyAndAllJS:*:*:\.[Jj][Ss]$:*:*:*:*:*:*
>
> Should point out that this may be prone to false positives. The Sane sigs are scored low, med, high FP risk and can be installed as such.
>
> --
> Paul Stead
> Systems Engineer
> Zen Internet
Re: SA cannot block messages with attached zip
On 08/06/16 21:39, Paul Stead wrote:
> BlockAnyAndAllJS:*:*:\.[Jj][Ss]$:*:*:*:*:*:*

Should point out that this may be prone to false positives. The Sane sigs are scored low, med, high FP risk and can be installed as such.

--
Paul Stead
Systems Engineer
Zen Internet
Re: SA cannot block messages with attached zip
On 08/06/16 20:59, Chip M. wrote:
> I was looking more closely at the Foxhole page, and it SOUNDS (to me) like they do _NOT_ block on ".js" file extension, whereas you/Dianne do:

More relevant for the ClamAV/Sanesecurity list, hope this isn't looked down upon. I'm not sure if Steve is on the list but I'll do my best to answer.

> "This database will block most JavaScript (.js) files within Zip, Rar files"
> ...
> "To help minimise false positives, this database will only scan small sized Zip and Rar files."
>
> *** Questions:
>
> *1. Could someone clarify whether Foxhole is using some sort of signatures on ".js" files?

"The three new foxhole databases use the .cdb extension which uses the ClamAV engine to look inside certain container/archive files for various filenames/extensions and perform Regular Expressions, on those filenames/extensions."

Here's one example rule from foxhole_js.cdb

---8<---
Sanesecurity.Foxhole.JS_Zip_1:CL_TYPE_ZIP:*:\.([Jj][Ss])$:0-512000:*:0:1:*:*
---8<---

cdb files have the following format:

VirusName:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:FileSizeReal:IsEncrypted:FilePos:Res1:Res2[:MinFL[:MaxFL]]

You could adjust rules if needed. Steve is also very helpful and responsive.

> *2. How did Foxhole perform on the recent campaign with duplicate large zipped js files (e.g. 5 files of 236 kilobytes each)? There was also a campaign with a single large file (e.g. 604 kilobytes), with most of the payload at the end. I suspect both campaigns were attempts to bypass sig based scanners.

The js detection was recently upped from 256 kilobytes based on list feedback - as you see the 512 kilobytes it is currently at is the FileSizeInContainer - "usually compressed size". I have had a very positive experience with these signatures over all.

> I'm with Dianne on outright blocking js files, AND making highly selective holes for specific sender/recipient pairs.

We can block any JS file with Zips, 7zip, rar, arj, cab...

Foxhole.ZIP.JS:CL_TYPE_ZIP:*:\.[Jj][Ss]$:*:*:*:*:*:*
Foxhole.7Z.JS:CL_TYPE_7Z:*:\.[Jj][Ss]$:*:*:*:*:*:*
Foxhole.RAR.JS:CL_TYPE_RAR:*:\.[Jj][Ss]$:*:*:*:*:*:*
Foxhole.ARJ.JS:CL_TYPE_ARJ:*:\.[Jj][Ss]$:*:*:*:*:*:*
Foxhole.CAB.JS:CL_TYPE_CAB:*:\.[Jj][Ss]$:*:*:*:*:*:*

ContainerType: one of CL_TYPE_ZIP, CL_TYPE_RAR, CL_TYPE_ARJ, CL_TYPE_MSCAB, CL_TYPE_7Z, CL_TYPE_MAIL, CL_TYPE_(POSIX|OLD)_TAR, CL_TYPE_CPIO_(OLD|ODC|NEWC|CRC) or * to match any of the container types listed here

or...

BlockAnyAndAllJS:*:*:\.[Jj][Ss]$:*:*:*:*:*:*

> *3. Is the list of file extensions on the Foxhole page complete?
> http://sanesecurity.com/foxhole-databases/
> The page is missing the following (and perhaps others):
> .acm
> .ax
> .dll
> .drv
> .efi
> .mui
> .ocx
> .tsp
> I verified that all of those actually occur and are executable on a Windows7 machine.

Those extensions aren't listed within the Foxhole databases, I'll feed this back via their mailing list - might be worth popping along?

> I recently added the MagicNumber for "old" style doc files, just for files inside zips (when they appeared, as mentioned in my previous post).

This could be accomplished with yara rules within ClamAV too - docs on signature creation can be found here https://github.com/vrtadmin/clamav-devel/raw/master/docs/signatures.pdf

Paul

--
Paul Stead
Systems Engineer
Zen Internet
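An added example (my code, not ClamAV's matcher) that parses lines in the .cdb layout Paul quotes and evaluates them against a container member, so the interplay of the size cap and the catch-all rule can be seen directly. It assumes the FileNameREGEX field never contains a colon (true of every rule above) and reads FilePos as the member's 1-based position in the container, which is my interpretation of the field name. The members are constructed, sized after the 236 KB and 604 KB campaigns Chip mentions.

```python
import re
from dataclasses import dataclass

# Field layout quoted in the thread:
# VirusName:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:
#   FileSizeReal:IsEncrypted:FilePos:Res1:Res2[:MinFL[:MaxFL]]


@dataclass
class CdbRule:
    name: str
    container_type: str      # CL_TYPE_ZIP etc., or "*"
    container_size: str      # "*", "N" or "LO-HI"
    filename_regex: re.Pattern
    size_in_container: str   # "*", "N" or "LO-HI" ("usually compressed size")
    size_real: str
    is_encrypted: str        # "*", "0" or "1"
    file_pos: str            # "*" or a position in the container (my reading)


@dataclass
class ArchiveMember:
    """One member of a container as a scanner would see it (constructed here)."""
    container_type: str
    container_size: int
    name: str
    compressed_size: int
    real_size: int
    encrypted: bool
    position: int


def parse_cdb_line(line: str) -> CdbRule:
    """Split one .cdb line into named fields. Assumption: the regex field holds
    no ':' (true of every rule in the thread), so a plain split is enough."""
    fields = line.strip().split(":")
    if len(fields) < 10:
        raise ValueError(f"expected at least 10 ':'-separated fields: {line!r}")
    name, ctype, csize, regex, size_in, size_real, enc, pos = fields[:8]
    return CdbRule(name, ctype, csize, re.compile(regex), size_in, size_real, enc, pos)


def _size_matches(spec: str, value: int) -> bool:
    """'*' matches anything, 'N' an exact size, 'LO-HI' an inclusive range."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= value <= int(hi)
    return value == int(spec)


def rule_matches(rule: CdbRule, m: ArchiveMember) -> bool:
    return (
        rule.container_type in ("*", m.container_type)
        and _size_matches(rule.container_size, m.container_size)
        and rule.filename_regex.search(m.name) is not None
        and _size_matches(rule.size_in_container, m.compressed_size)
        and _size_matches(rule.size_real, m.real_size)
        and rule.is_encrypted in ("*", "1" if m.encrypted else "0")
        and rule.file_pos in ("*", str(m.position))
    )


def matching_rules(rules, member: ArchiveMember) -> list:
    """Names of every rule that fires on the member, in rule order."""
    return [r.name for r in rules if rule_matches(r, member)]


# The rules quoted in the thread, verbatim.
THREAD_RULES = [parse_cdb_line(line) for line in [
    r"Sanesecurity.Foxhole.JS_Zip_1:CL_TYPE_ZIP:*:\.([Jj][Ss])$:0-512000:*:0:1:*:*",
    r"Foxhole.7Z.JS:CL_TYPE_7Z:*:\.[Jj][Ss]$:*:*:*:*:*:*",
    r"BlockAnyAndAllJS:*:*:\.[Jj][Ss]$:*:*:*:*:*:*",
]]

if __name__ == "__main__":
    small = ArchiveMember("CL_TYPE_ZIP", 240_000, "invoice.js", 236_000, 700_000, False, 1)
    big = ArchiveMember("CL_TYPE_ZIP", 610_000, "invoice.js", 604_000, 2_000_000, False, 1)
    print(matching_rules(THREAD_RULES, small))  # size-capped JS_Zip_1 and the catch-all
    print(matching_rules(THREAD_RULES, big))    # only the uncapped catch-all
```

The 604 KB member falls outside JS_Zip_1's 0-512000 compressed-size window and is caught only by the uncapped BlockAnyAndAllJS rule, which is exactly the trade-off between the FP-rated Foxhole rule and the catch-all that Paul warns about.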
Re: SA cannot block messages with attached zip
If you think the foxhole databases are not sufficient enough and that other extensions are required, then contact Steve @ Sane to discuss/request: http://sanesecurity.com/contact-us/. I speak to him regularly and he is open to feedback.

Chip M. wrote
> At 04:07 AM 5/20/2016, Dianne/RoaringPenguin wrote:
>
> *3. Is the list of file extensions on the Foxhole page complete?
> http://sanesecurity.com/foxhole-databases/
> The page is missing the following (and perhaps others):
> .acm
> .ax
> .dll
> .drv
> .efi
> .mui
> .ocx
> .tsp
> I verified that all of those actually occur and are executable
> on a Windows7 machine.
Re: SA cannot block messages with attached zip
At 04:07 AM 5/20/2016, Dianne/RoaringPenguin wrote:
>We list the contents of attached archives
>(using "lsar") and have filename-extension rules that block .js
>inside .zip files. While this can lead to some FPs, which we handle
>with selective whitelisting, it's very effective at catching the
>latest crop of cryptolocker-style attacks.

I was looking more closely at the Foxhole page, and it SOUNDS (to me) like they do _NOT_ block on ".js" file extension, whereas you/Dianne do:

"This database will block most JavaScript (.js) files within Zip, Rar files"
...
"To help minimise false positives, this database will only scan small sized Zip and Rar files."

*** Questions:

*1. Could someone clarify whether Foxhole is using some sort of signatures on ".js" files?

*2. How did Foxhole perform on the recent campaign with duplicate large zipped js files (e.g. 5 files of 236 kilobytes each)? There was also a campaign with a single large file (e.g. 604 kilobytes), with most of the payload at the end. I suspect both campaigns were attempts to bypass sig based scanners.

I'm with Dianne on outright blocking js files, AND making highly selective holes for specific sender/recipient pairs. I protect a few thousand accounts and we only have a handful of those holes, all for web designers. "Aim small, miss small" :)

In my previous post, I mentioned "secret sauce" code to detect javascript obfuscations. That's a backup in case netscum figure out a way to use a non obvious file extension. FIRST, I do all the quick tests (file extensions, etc), then, if there's enough time, the slower/memory-heavy tests. The recent large js file campaigns took significantly longer (1/2 to 1 second) to do my extra tests, but still hit all my tests. :)

*3. Is the list of file extensions on the Foxhole page complete?
http://sanesecurity.com/foxhole-databases/
The page is missing the following (and perhaps others):
.acm
.ax
.dll
.drv
.efi
.mui
.ocx
.tsp
I verified that all of those actually occur and are executable on a Windows7 machine.

I have seen, in the wild (about a year or so ago), malware email that instructed the target to rename the attached file. :(

Long before that, I had added code to decompress just the first few bytes of each zipped file, and check for executable MagicNumbers (e.g. Windows' "MZ"). I also check all MIME parts (I have a very speedy "MIME Prefix" test).

I recently added the MagicNumber for "old" style doc files, just for files inside zips (when they appeared, as mentioned in my previous post). That does have a higher FP risk, since it's reasonable to zip huge doc files, however in practice they're rare, and I have an excellent Quarantine/FP pipeline.

A friend sent me this cool MagicNumber look up site: filesignatures.net

Any other suggestions for file types to add?

- "Chip"
Re: SA cannot block messages with attached zip
I've switched from AVG File Server to ClamWin + Sanesecurity. Now it seems ok, I have to examine for false negatives, maybe I need to exclude some signatures.

Here are the results for 9 hours of Sanesecurity:
Passed msg: 912
Viruses detected: 446
Spam msg: 5523

AVG File Server was really really bad, it has detected less than 10 viruses per day.

On Mon, May 23, 2016 at 7:29 PM, Bill Cole <sausers-20150...@billmail.scconsult.com> wrote:
> On 21 May 2016, at 12:31, Dianne Skoll wrote:
>> On Sat, 21 May 2016 12:28:48 -0400 "Bill Cole" wrote:
>>> On 20 May 2016, at 7:07, Dianne Skoll wrote:
>>>> Sorry for the non-easy answer. Doing it properly requires a non-trivial amount of coding.
>>>
>>> I do not recall doing any real coding at all to get a steady trickle of log messages like this (regarding mail NOT from Amazon):
>>>
>>> May 4 01:30:05 bigsky mimedefang.pl[43619]: 3r067J5jjjz1ZYGsV: MDLOG,3r067J5jjjz1ZYGsV,Reject: Bad Filename,ORDER-067-8958800-7459411.zip,application/zip,<auto-shipp...@amazon.com>, ,Your Amazon.co.uk order has dispatched (#067-8958800-7459411)
>>
>> Well, yes, if it's feasible to block all zip files, then it is trivial. However, that's not an option for us. :)
>
> Well, that particular system is one where I have extraordinary powers of persuasion over all of the handful of users, but elsewhere where my authority is less absolute I've found that providing easily used alternative means of receiving files more safely makes it easier to crank down on email constraints that paying customers would otherwise not tolerate. One wave of mail-borne ransomware can be a persuasive experience as well for customers who are reluctant to ask senders to do anything "special" to send them files of suspect types, although obviously that's a somewhat random event.
Re: SA cannot block messages with attached zip
On 21 May 2016, at 12:31, Dianne Skoll wrote:
> On Sat, 21 May 2016 12:28:48 -0400 "Bill Cole" wrote:
>> On 20 May 2016, at 7:07, Dianne Skoll wrote:
>>> Sorry for the non-easy answer. Doing it properly requires a non-trivial amount of coding.
>>
>> I do not recall doing any real coding at all to get a steady trickle of log messages like this (regarding mail NOT from Amazon):
>>
>> May 4 01:30:05 bigsky mimedefang.pl[43619]: 3r067J5jjjz1ZYGsV: MDLOG,3r067J5jjjz1ZYGsV,Reject: Bad Filename,ORDER-067-8958800-7459411.zip,application/zip, , ,Your Amazon.co.uk order has dispatched (#067-8958800-7459411)
>
> Well, yes, if it's feasible to block all zip files, then it is trivial. However, that's not an option for us. :)

Well, that particular system is one where I have extraordinary powers of persuasion over all of the handful of users, but elsewhere where my authority is less absolute I've found that providing easily used alternative means of receiving files more safely makes it easier to crank down on email constraints that paying customers would otherwise not tolerate. One wave of mail-borne ransomware can be a persuasive experience as well for customers who are reluctant to ask senders to do anything "special" to send them files of suspect types, although obviously that's a somewhat random event.
Re: SA cannot block messages with attached zip
and BTW a mail from a machine listed at "pbl.spamhaus.org" (https://www.spamhaus.org/pbl/) should not make it to your content filters at all - so it appears that most people in this thread who face a high number of these problems don't set up their MTA properly

no way that the sample mail makes it to smtpd at all normally

Am 23.05.2016 um 15:28 schrieb Reindl Harald:
> Am 23.05.2016 um 15:24 schrieb Emin Akbulut:
>> AVG or ClamAV or any other antivirus couldn't delete all these attached viruses; VirusTotal says. My mail server checks blacklists & SURBL servers. Anyway we might receive mails from unlisted IPs like zombie PCs. The message with the Zip attachment that includes javascript files contains no url in the body, so SURBL check is useless. The Spamassassin score of these messages may vary, from 0.8 to 2.6. Here is one of the latest messages: http://pastebin.com/94njV9fF
>
> easy to catch as already explained
>
> /var/www/uploadtemp/ff2053b4d12c6d31a32ece9eb5a442b005db2da3.eml: Sanesecurity.Foxhole.Zip_Js_Js.UNOFFICIAL FOUND
> /var/www/uploadtemp/ff2053b4d12c6d31a32ece9eb5a442b005db2da3.eml: Sanesecurity.Foxhole.Zip_fs226.UNOFFICIAL FOUND
> /var/www/uploadtemp/ff2053b4d12c6d31a32ece9eb5a442b005db2da3.eml: Sanesecurity.Foxhole.Zip_fs225.UNOFFICIAL FOUND
> /var/www/uploadtemp/ff2053b4d12c6d31a32ece9eb5a442b005db2da3.eml: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL FOUND
>
> --- VIRUS-SCAN SUMMARY ---
> Infected files: 1
> Time: 0.006 sec (0 m 0 s)
>
> Content analysis details: (33.5 points, 5.5 required)
>
>  pts rule name                  description
> ---- -------------------------- ------------------------------------------------
>  1.0 CUST_DNSBL_27_UCE2         RBL: dnsbl-uce-2.thelounge.net (dnsbl-2.uceprotect.net) [27.67.28.43 listed in dnsbl-uce-2.thelounge.net]
>  2.5 CUST_DNSBL_16_PSBL         RBL: dnsbl-surriel.thelounge.net (psbl.surriel.com) [27.67.28.43 listed in dnsbl-surriel.thelounge.net]
>  2.5 CUST_DNSBL_12_SPAMCOP      RBL: bl.spamcop.net [27.67.28.43 listed in bl.spamcop.net]
>  1.0 CUST_DNSBL_26_NSZONES      RBL: bl.nszones.com [27.67.28.43 listed in bl.nszones.com]
>  6.5 CUST_DNSBL_4_ZEN_PBL       RBL: zen.spamhaus.org (pbl.spamhaus.org) [27.67.28.43 listed in zen.spamhaus.org]
>  5.5 CUST_DNSBL_6_ZEN_XBL       RBL: zen.spamhaus.org (xbl.spamhaus.org)
>  1.0 CUST_DNSBL_30_SENDERSC_MED RBL: score.senderscore.com (senderscore.com Medium) [27.67.28.43 listed in score.senderscore.com]
>  3.5 CUST_DNSBL_11_JEF_BLACK    RBL: hostkarma.junkemailfilter.com [27.67.28.43 listed in hostkarma.junkemailfilter.com]
>  5.0 CUST_DNSBL_7_CUDA          RBL: b.barracudacentral.org [27.67.28.43 listed in b.barracudacentral.org]
>  1.5 BAYES_50                   BODY: Bayes spam probability is 40 to 60% [score: 0.5086]
>  2.5 RDNS_NONE                  Delivered to internal network by a host with no rDNS
>  0.0 RCVD_IN_MSPIKE_BL          Mailspike blacklisted
>  0.5 RCVD_IN_MSPIKE_ZBI         No description available.
>  0.5 HELO_MISC_IP               Looking for more Dynamic IP Relays
Re: SA cannot block messages with attached zip
Am 23.05.2016 um 15:24 schrieb Emin Akbulut:
> AVG or ClamAV or any other antivirus couldn't delete all these attached viruses; VirusTotal says. My mail server checks blacklists & SURBL servers. Anyway we might receive mails from unlisted IPs like zombie PCs. The message with the Zip attachment that includes javascript files contains no url in the body, so SURBL check is useless. The Spamassassin score of these messages may vary, from 0.8 to 2.6. Here is one of the latest messages: http://pastebin.com/94njV9fF

easy to catch as already explained

/var/www/uploadtemp/ff2053b4d12c6d31a32ece9eb5a442b005db2da3.eml: Sanesecurity.Foxhole.Zip_Js_Js.UNOFFICIAL FOUND
/var/www/uploadtemp/ff2053b4d12c6d31a32ece9eb5a442b005db2da3.eml: Sanesecurity.Foxhole.Zip_fs226.UNOFFICIAL FOUND
/var/www/uploadtemp/ff2053b4d12c6d31a32ece9eb5a442b005db2da3.eml: Sanesecurity.Foxhole.Zip_fs225.UNOFFICIAL FOUND
/var/www/uploadtemp/ff2053b4d12c6d31a32ece9eb5a442b005db2da3.eml: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL FOUND

--- VIRUS-SCAN SUMMARY ---
Infected files: 1
Time: 0.006 sec (0 m 0 s)

Content analysis details: (33.5 points, 5.5 required)

 pts rule name                  description
---- -------------------------- ------------------------------------------------
 1.0 CUST_DNSBL_27_UCE2         RBL: dnsbl-uce-2.thelounge.net (dnsbl-2.uceprotect.net) [27.67.28.43 listed in dnsbl-uce-2.thelounge.net]
 2.5 CUST_DNSBL_16_PSBL         RBL: dnsbl-surriel.thelounge.net (psbl.surriel.com) [27.67.28.43 listed in dnsbl-surriel.thelounge.net]
 2.5 CUST_DNSBL_12_SPAMCOP      RBL: bl.spamcop.net [27.67.28.43 listed in bl.spamcop.net]
 1.0 CUST_DNSBL_26_NSZONES      RBL: bl.nszones.com [27.67.28.43 listed in bl.nszones.com]
 6.5 CUST_DNSBL_4_ZEN_PBL       RBL: zen.spamhaus.org (pbl.spamhaus.org) [27.67.28.43 listed in zen.spamhaus.org]
 5.5 CUST_DNSBL_6_ZEN_XBL       RBL: zen.spamhaus.org (xbl.spamhaus.org)
 1.0 CUST_DNSBL_30_SENDERSC_MED RBL: score.senderscore.com (senderscore.com Medium) [27.67.28.43 listed in score.senderscore.com]
 3.5 CUST_DNSBL_11_JEF_BLACK    RBL: hostkarma.junkemailfilter.com [27.67.28.43 listed in hostkarma.junkemailfilter.com]
 5.0 CUST_DNSBL_7_CUDA          RBL: b.barracudacentral.org [27.67.28.43 listed in b.barracudacentral.org]
 1.5 BAYES_50                   BODY: Bayes spam probability is 40 to 60% [score: 0.5086]
 2.5 RDNS_NONE                  Delivered to internal network by a host with no rDNS
 0.0 RCVD_IN_MSPIKE_BL          Mailspike blacklisted
 0.5 RCVD_IN_MSPIKE_ZBI         No description available.
 0.5 HELO_MISC_IP               Looking for more Dynamic IP Relays
Re: SA cannot block messages with attached zip
AVG or ClamAV or any other antivirus couldn't delete all these attached viruses; VirusTotal says. My mail server checks blacklists & SURBL servers. Anyway we might receive mails from unlisted IPs like zombie PCs. The message with the Zip attachment that includes javascript files contains no url in the body, so SURBL check is useless. The Spamassassin score of these messages may vary, from 0.8 to 2.6. Here is one of the latest messages: http://pastebin.com/94njV9fF

I've installed fresh new SpamAssassin for Windows v3.4.1 and trained for a week and cut many of the spam messages we receive. Except these zipped js attachments.

My local.cf is: http://pastebin.com/VG3fhFBg

My commandline is: spamd.exe -A 127.0.0.1,192.168.35.0/24 -i --max-spare=16

On Mon, May 23, 2016 at 11:05 AM, Paul Stead wrote:
>
> On 22/05/16 02:10, @lbutlr wrote:
>> Sure, there are 4 foxhole ones, but there are dozens on the main page there.
>
> The following code allows for easy config and download of the signatures you want.
>
> https://github.com/extremeshok/clamav-unofficial-sigs
>
> By default this will download and test the low risk signatures - do take some time to read through the different rule types though.
>
> Paul
>
> --
> *Paul Stead*
> Systems Engineer
> *Zen Internet*
Re: SA cannot block messages with attached zip
On 22/05/16 02:10, @lbutlr wrote:
> Sure, there are 4 foxhole ones, but there are dozens on the main page there.

The following code allows for easy config and download of the signatures you want.

https://github.com/extremeshok/clamav-unofficial-sigs

By default this will download and test the low risk signatures - do take some time to read through the different rule types though.

Paul

--
Paul Stead
Systems Engineer
Zen Internet
Re: SA cannot block messages with attached zip
On May 21, 2016, at 1:18 PM, Reindl Harald wrote:
> Am 21.05.2016 um 21:16 schrieb @lbutlr:
>> On May 20, 2016, at 6:11 AM, Reindl Harald wrote:
>>> no it is not, look at the sanesecurity foxhole signatures
>>> http://sanesecurity.com/usage/signatures/
>>
>> I have looked at those, but there are so many it’s kind of overwhelming on where to start
>
> 4 is many and overwhelming?
>
> foxhole_generic.cdb   See Foxhole page for more details   Low
> foxhole_filename.cdb  See Foxhole page for more details   Low
> foxhole_js.cdb        See Foxhole page for more details   Med
> foxhole_all.cdb       See Foxhole page for more details   High
>
> http://sanesecurity.com/foxhole-databases/

Sure, there are 4 foxhole ones, but there are dozens on the main page there.

--
Re: SA cannot block messages with attached zip
Am 21.05.2016 um 21:16 schrieb @lbutlr:
> On May 20, 2016, at 6:11 AM, Reindl Harald wrote:
>> no it is not, look at the sanesecurity foxhole signatures
>> http://sanesecurity.com/usage/signatures/
>
> I have looked at those, but there are so many it’s kind of overwhelming on where to start

4 is many and overwhelming?

foxhole_generic.cdb   See Foxhole page for more details   Low
foxhole_filename.cdb  See Foxhole page for more details   Low
foxhole_js.cdb        See Foxhole page for more details   Med
foxhole_all.cdb       See Foxhole page for more details   High

http://sanesecurity.com/foxhole-databases/
Re: SA cannot block messages with attached zip
On May 20, 2016, at 6:11 AM, Reindl Harald wrote:
> no it is not, look at the sanesecurity foxhole signatures
> http://sanesecurity.com/usage/signatures/

I have looked at those, but there are so many it’s kind of overwhelming on where to start.

--
NO. I CANNOT BE BIDDEN. I CANNOT BE FORCED. I WILL DO ONLY THAT WHICH I KNOW TO BE RIGHT. --Mort
Re: SA cannot block messages with attached zip
On Sat, 21 May 2016 12:28:48 -0400 "Bill Cole" wrote:
> On 20 May 2016, at 7:07, Dianne Skoll wrote:
>> Sorry for the non-easy answer. Doing it properly requires a
>> non-trivial amount of coding.
> I do not recall doing any real coding at all to get a steady trickle
> of log messages like this (regarding mail NOT from Amazon):
> May 4 01:30:05 bigsky mimedefang.pl[43619]: 3r067J5jjjz1ZYGsV:
> MDLOG,3r067J5jjjz1ZYGsV,Reject: Bad
> Filename,ORDER-067-8958800-7459411.zip,application/zip, , ,Your
> Amazon.co.uk order has dispatched (#067-8958800-7459411)

Well, yes, if it's feasible to block all zip files, then it is trivial. However, that's not an option for us. :)

> THANK YOU VERY MUCH FOR MIMEDEFANG!

You're welcome!

Regards,

Dianne.
Re: SA cannot block messages with attached zip
On 20 May 2016, at 7:07, Dianne Skoll wrote:
> Sorry for the non-easy answer. Doing it properly requires a non-trivial amount of coding.

I do not recall doing any real coding at all to get a steady trickle of log messages like this (regarding mail NOT from Amazon):

May 4 01:30:05 bigsky mimedefang.pl[43619]: 3r067J5jjjz1ZYGsV: MDLOG,3r067J5jjjz1ZYGsV,Reject: Bad Filename,ORDER-067-8958800-7459411.zip,application/zip,, ,Your Amazon.co.uk order has dispatched (#067-8958800-7459411)

I mean, I get how YOU would consider that the result of a non-trivial amount of coding, but for me it's just an excuse to say:

THANK YOU VERY MUCH FOR MIMEDEFANG!
Re: SA cannot block messages with attached zip
On Fri, 20 May 2016 17:47:09 -0500 (CDT) David B Funk wrote:
>> We do it the hard way. We list the contents of attached archives
>> (using "lsar") and have filename-extension rules that block .js
>> inside .zip files. While this can lead to some FPs, which we handle
>> with selective whitelisting, it's very effective at catching the
>> latest crop of cryptolocker-style attacks.
> But isn't this exactly what the "foxhole_all.cdb"
> signatures do? (or am I missing something?).

Yes, mostly. The advantage of lsar is that it can look inside all kinds of weird archive formats (zip, zoo, rar, tar, tar.gz, etc.) While most malware uses zip, we've seen the occasional one using a different container file format.

Regards,

Dianne.
Re: SA cannot block messages with attached zip
On Fri, 20 May 2016, Dianne Skoll wrote:
> On Fri, 20 May 2016 09:31:48 +0300 Emin Akbulut wrote:
>> What do you suggest to fight these spams?
>
> ClamAV is basically useless.
>
> We do it the hard way. We list the contents of attached archives (using "lsar") and have filename-extension rules that block .js inside .zip files. While this can lead to some FPs, which we handle with selective whitelisting, it's very effective at catching the latest crop of cryptolocker-style attacks.

But isn't this exactly what the "foxhole_all.cdb" (http://sanesecurity.com/foxhole-databases/) signatures do? (or am I missing something?).

I see that they have a "high" risk of FPs but if you are using them as a scoring component within SA you should be able to "temper" those results with other SA rules such as selective use of whitelist_auth.

--
Dave Funk                                  University of Iowa
                                           College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: SA cannot block messages with attached zip
+1

Yesterday, 6% of our mail flow was rejected by Foxhole.Zip family. They are #1 on our list about 50% of the time for weeks now. I got a commendation last week for prevention work, so rare in email adminning. Security team would be swimming in overtime if it weren't for foxhole_js in particular. We use all 4 of them now. Foxhole_all hasn't been a FP problem for us either, despite it being labelled high risk. We had ONE professor who couldn't email around some software, told them to use box.com instead for sharing and problem solved.

From: Rick Macdougall <ri...@ummm-beer.com>
Sent: Friday, May 20, 2016 7:50:46 AM
To: users@spamassassin.apache.org
Subject: Re: SA cannot block messages with attached zip

On 2016-05-20 10:36 AM, Paul Stead wrote:
> Second, the foxhole_js database is what you're looking for
>
> Paul
>
> On 20/05/16 13:11, Reindl Harald wrote:
>>
>> Am 20.05.2016 um 13:07 schrieb Dianne Skoll:
>>> On Fri, 20 May 2016 09:31:48 +0300
>>> Emin Akbulut <eminakbu...@gmail.com> wrote:
>>>
>>>> What do you suggest to fight these spams?
>>>
>>> ClamAV is basically useless
>>
>> no it is not, look at the sanesecurity foxhole signatures
>> http://sanesecurity.com/usage/signatures/

Thirded,

Statistics since: 19 April 2016 04:02:15
Total Viruses stopped: [ 271764 ]
Total Unique Viruses: [ 2242 ]
Viruses stopped in the last 24 hours: [ 20118 ]

Top 10 Viruses in the last 24 hours
Sanesecurity.Foxhole.Zip_fs223.UNOFFICIAL          7860
Sanesecurity.Junk.52698.UNOFFICIAL                 2798
Sanesecurity.Foxhole.Zip_Js_Js.UNOFFICIAL          1925
Sanesecurity.Malware.26201.JsHeur.UNOFFICIAL       1626
Sanesecurity.Jurlbl.Auto.b6c4d3.UNOFFICIAL          649
Sanesecurity.Malware.24631.XlsHeur.UNOFFICIAL       623
Sanesecurity.Jurlbl.Auto.87287f.UNOFFICIAL          414
winnow.spam.ts.xmailer.2.UNOFFICIAL                 341
Sanesecurity.Jurlbl.Auto.a33ccf.UNOFFICIAL          283
Sanesecurity.Jurlbl.Auto.aaeaca.UNOFFICIAL          157

Regards,

Rick
Re: SA cannot block messages with attached zip
Am 20.05.2016 um 17:29 schrieb Chip M.:
> P.S. As of about 1700 UTC yesterday, I'm seeing significant volume of zipped macro-encrusted "doc" files

/etc/clamd.d/scan.conf:

ScanOLE2 yes
OLE2BlockMacros yes
Re: SA cannot block messages with attached zip
At 04:07 AM 5/20/2016, RoaringPenguin wrote:
>filename-extension rules that block .js
>inside .zip files.

+1

We also block these scripting related Windows extensions:
.hta
.jse
.vbs
.wsf

Those were originally "pre-emptive", however I've now seen both ".hta" and ".jse" in the wild (low volume).

*** Question: Are there any other Windows (or Mac) scripting file extensions?

As an extra layer of defense, We also do content scanning within all zipped files for terms including (among MANY others):
activexobject
base64_decode
createobject
eval
fromcharcode
savetofile
shell
unescape
wscript

All hits are weighted, and some can be skip-listed. Plus I recently wrote some "secret sauce" Code that looks for javascript obfuscations. :)

We've had a very low FP rate on the above, and haven't had any noticeable user pushback. There have been enough high profile infections (at least two hospitals), that most endusers have been grateful and understanding.

>Doing it properly requires a non-trivial amount of coding.

Yes, however it's VERY satisfying Coding. :)

- "Chip"

P.S. As of about 1700 UTC yesterday, I'm seeing significant volume of zipped macro-encrusted "doc" files.
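The zip-member checks Chip describes here and in his MagicNumber post further up the page (scripting extensions, decompressing only the first bytes of each member to test for "MZ" and the old-style OLE2 doc header, and weighted scanning for the content terms listed above), as one added example that is my code, not Chip's filter. The term weights, the threshold and the three sample zips are constructed for the example; the thread only says that hits are weighted.

```python
import io
import zipfile

# Extensions blocked in this thread (Dianne's .js plus Chip's .hta/.jse/.vbs/.wsf).
SCRIPT_EXTENSIONS = {"js", "jse", "vbs", "wsf", "hta"}

# Magic numbers Chip checks after decompressing only the first few bytes:
# Windows executables ("MZ") and old-style OLE2 "doc" files.
MAGIC_NUMBERS = {
    b"MZ": "windows-executable",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2-compound-document",
}

# Content terms from Chip's list; the weights are mine, chosen for this example.
TERM_WEIGHTS = {
    b"activexobject": 3, b"wscript": 3, b"createobject": 2, b"savetofile": 2,
    b"fromcharcode": 2, b"base64_decode": 2, b"eval": 1, b"unescape": 1, b"shell": 1,
}
SCORE_THRESHOLD = 5          # mine: a member at or above this is blocked
HEAD_BYTES = 8               # covers the longest magic number above
SCAN_BYTES = 512_000         # cap on how much of a member is decompressed for term scanning


def _extension(name: str) -> str:
    _, dot, ext = name.rstrip(" .").rpartition(".")
    return ext.lower() if dot else ""


def inspect_member(zf: zipfile.ZipFile, info: zipfile.ZipInfo) -> dict:
    finding = {"name": info.filename, "extension_hit": _extension(info.filename) in SCRIPT_EXTENSIONS,
               "magic": None, "encrypted": bool(info.flag_bits & 0x1), "score": 0, "terms": []}
    if finding["encrypted"]:
        return finding          # cannot look inside; the filename test above still applies
    with zf.open(info) as fh:
        body = fh.read(SCAN_BYTES)   # decompresses only this much of the member
    for magic, label in MAGIC_NUMBERS.items():
        if body[:HEAD_BYTES].startswith(magic):
            finding["magic"] = label
            break
    lowered = body.lower()
    for term, weight in TERM_WEIGHTS.items():
        if term in lowered:
            finding["score"] += weight
            finding["terms"].append(term.decode())
    return finding


def inspect_zip(data: bytes) -> dict:
    """Apply extension, magic-number and weighted term checks to every member."""
    members = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                members.append(inspect_member(zf, info))
    block = any(m["extension_hit"] or m["magic"] or m["score"] >= SCORE_THRESHOLD for m in members)
    return {"members": members, "verdict": "block" if block else "pass"}


def _zip_of(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples, none of them real malware: a script that names the Windows
# Script Host, a renamed executable (Chip's "please rename" case), and a harmless JPEG.
def sample_script_zip() -> bytes:
    return _zip_of({"invoice.js": b'var o = new ActiveXObject("WScript.Shell");\n'})


def sample_renamed_exe_zip() -> bytes:
    return _zip_of({"readme.txt": b"MZ\x90\x00 not really a PE image"})


def sample_clean_zip() -> bytes:
    return _zip_of({"photo.jpg": b"\xff\xd8\xff\xe0 placeholder jpeg body"})


if __name__ == "__main__":
    for sample in (sample_script_zip, sample_renamed_exe_zip, sample_clean_zip):
        print(sample.__name__, inspect_zip(sample()))
```

The renamed executable is caught by the magic number alone even though its extension is clean, which is the case Chip's "decompress just the first few bytes" test exists for; the script sample trips both the extension test and the weighted terms, and the JPEG passes.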
Re: SA cannot block messages with attached zip
Am 20.05.2016 um 17:11 schrieb Rick Macdougall:
> On 2016-05-20 11:00 AM, Reindl Harald wrote:
>> Am 20.05.2016 um 16:50 schrieb Rick Macdougall:
>>> On 2016-05-20 10:36 AM, Paul Stead wrote:
>>>> Second, the foxhole_js database is what you're looking for
>>>>
>>>> Paul
>>>>
>>>> On 20/05/16 13:11, Reindl Harald wrote:
>>>>> Am 20.05.2016 um 13:07 schrieb Dianne Skoll:
>>>>>> On Fri, 20 May 2016 09:31:48 +0300 Emin Akbulut wrote:
>>>>>>> What do you suggest to fight these spams?
>>>>>>
>>>>>> ClamAV is basically useless
>>>>>
>>>>> no it is not, look at the sanesecurity foxhole signatures
>>>>> http://sanesecurity.com/usage/signatures/
>>>
>>> Thirded,
>>>
>>> Statistics since: 19 April 2016 04:02:15
>>> Total Viruses stopped: [ 271764 ]
>>> Total Unique Viruses: [ 2242 ]
>>> Viruses stopped in the last 24 hours: [ 20118 ]
>>
>> how and why do get that much crap to that stage on the inbound server?
>>
>> 2 days ago we had a peak of 45 junk attempts which is 10 time higher than on normal days and nothing measurable made it to smtpd, not talking about contentfilters at all hence the virtual machine running the inbound MX still on 100-250 MHz
>
> Inbound servers, 6 of them.
>
> We are an ISP with 10s of thousands accounts, plus content filtering for many other commercial domains

well, the domain in the last flood had 12 accounts

the point is that valid accounts, even freemail can't spread that amount of spam and all the bots are listed on enough blacklists to make a foolproof score-based reject while most of them anyways not survive pregreet-tests and the rest just hangs up after 10-11 seconds and don't survive "postscreen_greet_wait = ${stress?2}${stress:12}s" which means a client ip has to wait once a week here 12 seconds to make it to smtpd

that all plays far far away from content-scanning and between that and the content-scanners are conditional greylistings, honeypot-backup-mx always responding with 450 and helo/ptr-checks combined with a spf-policyd

then comes spamassassin rejecting the surviving piece mostly if it contains malware or not and at the very end of the chain comes clamav-milter facing mostly ham and very few real remaining junk/malware
Re: SA cannot block messages with attached zip
On 2016-05-20 11:00 AM, Reindl Harald wrote:
> On 20.05.2016 at 16:50, Rick Macdougall wrote:
>> On 2016-05-20 10:36 AM, Paul Stead wrote:
>>> Second, the foxhole_js database is what you're looking for
>>> Paul
>>> On 20/05/16 13:11, Reindl Harald wrote:
>>>> On 20.05.2016 at 13:07, Dianne Skoll wrote:
>>>>> On Fri, 20 May 2016 09:31:48 +0300 Emin Akbulut wrote:
>>>>>> What do you suggest to fight these spams?
>>>>> ClamAV is basically useless
>>>> no it is not, look at the sanesecurity foxhole signatures http://sanesecurity.com/usage/signatures/
>> Thirded,
>> Statistics since: 19 April 2016 04:02:15
>> Total Viruses stopped: [ 271764 ]
>> Total Unique Viruses: [ 2242 ]
>> Viruses stopped in the last 24 hours: [ 20118 ]
> how and why do you get that much crap to that stage on the inbound server?
> 2 days ago we had a peak of 45 junk attempts, which is 10 times higher than on normal days, and nothing measurable made it to smtpd, not talking about contentfilters at all, hence the virtual machine running the inbound MX still on 100-250 MHz

Hi,

Inbound servers, 6 of them.

We are an ISP with 10s of thousands of accounts, plus content filtering for many other commercial domains.

Regards,

Rick
Re: SA cannot block messages with attached zip
On Fri, 20 May 2016 15:00:55 + David Jones wrote:

> >From: Dianne Skoll
> >ClamAV is basically useless.

> ClamAV helps a little with the unofficial signatures.

The operative word here is "a little". I find that the unofficial signatures that are good at actually catching bad stuff have extremely high FP rates, while the less-aggressive unofficial signatures don't catch that much.

> The best thing to do is block as much as you can at the MTA
> level with Postscreen and RBL weights like Reindl posted,
> greylisting, SMTP helo checks, etc.

That's a fine solution for spam, but not for malware that can end up costing you or your customer huge amounts of money. You absolutely must use a content-scanning technique to block the malware, though of course the comparatively-cheap up-front tests can reduce the flow substantially.

Regards,

Dianne.
Re: SA cannot block messages with attached zip
>From: Dianne Skoll <d...@roaringpenguin.com>
>Sent: Friday, May 20, 2016 6:07 AM
>To: users@spamassassin.apache.org
>Subject: Re: SA cannot block messages with attached zip

>On Fri, 20 May 2016 09:31:48 +0300
>Emin Akbulut <eminakbu...@gmail.com> wrote:

>> What do you suggest to fight these spams?

>ClamAV is basically useless.

ClamAV helps a little with the unofficial signatures.
http://sanesecurity.com/usage/signatures/

>We do it the hard way. We list the contents of attached archives
>(using "lsar") and have filename-extension rules that block .js
>inside .zip files. While this can lead to some FPs, which we handle
>with selective whitelisting, it's very effective at catching the
>latest crop of cryptolocker-style attacks.

>Sorry for the non-easy answer. Doing it properly requires a non-trivial
>amount of coding.

MailScanner can do this.
https://efa-project.org/

The best thing to do is block as much as you can at the MTA level with Postscreen and RBL weights like Reindl posted, greylisting, SMTP helo checks, etc.

http://multirbl.valli.org/lookup/213.252.170.66.html

The invaluement RBL subscription is not that expensive and will pay for itself pretty quickly. This and Spamhaus together block a lot of bad stuff at the MTA level long before SA has to see it, and I have never had to deal with a false positive on these in years.
Re: SA cannot block messages with attached zip
On 20.05.2016 at 16:50, Rick Macdougall wrote:
> On 2016-05-20 10:36 AM, Paul Stead wrote:
>> Second, the foxhole_js database is what you're looking for
>> Paul
>> On 20/05/16 13:11, Reindl Harald wrote:
>>> On 20.05.2016 at 13:07, Dianne Skoll wrote:
>>>> On Fri, 20 May 2016 09:31:48 +0300 Emin Akbulut wrote:
>>>>> What do you suggest to fight these spams?
>>>> ClamAV is basically useless
>>> no it is not, look at the sanesecurity foxhole signatures http://sanesecurity.com/usage/signatures/
> Thirded,
> Statistics since: 19 April 2016 04:02:15
> Total Viruses stopped: [ 271764 ]
> Total Unique Viruses: [ 2242 ]
> Viruses stopped in the last 24 hours: [ 20118 ]

how and why do you get that much crap to that stage on the inbound server?

2 days ago we had a peak of 45 junk attempts, which is 10 times higher than on normal days, and nothing measurable made it to smtpd, not talking about contentfilters at all, hence the virtual machine running the inbound MX still on 100-250 MHz
Re: SA cannot block messages with attached zip
On 2016-05-20 10:36 AM, Paul Stead wrote:
> Second, the foxhole_js database is what you're looking for
> Paul
> On 20/05/16 13:11, Reindl Harald wrote:
>> On 20.05.2016 at 13:07, Dianne Skoll wrote:
>>> On Fri, 20 May 2016 09:31:48 +0300 Emin Akbulut wrote:
>>>> What do you suggest to fight these spams?
>>> ClamAV is basically useless
>> no it is not, look at the sanesecurity foxhole signatures http://sanesecurity.com/usage/signatures/

Thirded,

Statistics since: 19 April 2016 04:02:15
Total Viruses stopped: [ 271764 ]
Total Unique Viruses: [ 2242 ]
Viruses stopped in the last 24 hours: [ 20118 ]

Top 10 Viruses in the last 24 hours
Sanesecurity.Foxhole.Zip_fs223.UNOFFICIAL 7860
Sanesecurity.Junk.52698.UNOFFICIAL 2798
Sanesecurity.Foxhole.Zip_Js_Js.UNOFFICIAL 1925
Sanesecurity.Malware.26201.JsHeur.UNOFFICIAL 1626
Sanesecurity.Jurlbl.Auto.b6c4d3.UNOFFICIAL 649
Sanesecurity.Malware.24631.XlsHeur.UNOFFICIAL 623
Sanesecurity.Jurlbl.Auto.87287f.UNOFFICIAL 414
winnow.spam.ts.xmailer.2.UNOFFICIAL 341
Sanesecurity.Jurlbl.Auto.a33ccf.UNOFFICIAL 283
Sanesecurity.Jurlbl.Auto.aaeaca.UNOFFICIAL 157

Regards,

Rick
Re: SA cannot block messages with attached zip
Second, the foxhole_js database is what you're looking for

Paul

On 20/05/16 13:11, Reindl Harald wrote:
> On 20.05.2016 at 13:07, Dianne Skoll wrote:
>> On Fri, 20 May 2016 09:31:48 +0300 Emin Akbulut wrote:
>>> What do you suggest to fight these spams?
>> ClamAV is basically useless
> no it is not, look at the sanesecurity foxhole signatures http://sanesecurity.com/usage/signatures/

--
Paul Stead
Systems Engineer
Zen Internet
Re: SA cannot block messages with attached zip
On 20.05.2016 at 16:20, Kris Deugau wrote:
> Emin Akbulut wrote:
>> I tried to train SA with tons of spam messages which contain a zip file (includes .js)
>> The max spam score was less than 5 so I set 4 to delete messages.
>> Then the same kind of spam messages appear with a score of less than 2.
>> In short; training the SA seems not helpful.
>> What do you suggest to fight these spams?
> I've had some luck doing that, but it takes a while

make 10 copies of such a message and change the date/message-id header

in fact we have a "spamfilter-retrain /path/to/sample.eml" which creates 5 copies per call in the corpus folder, and when something I train doesn't get BAYES_99 it's called until it hits BAYES_99 (except rare cases which you need to ignore and can't train that way)

why should I wait until I get the same crap 10 times from outside?
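The retrain loop described above, as an added example that is not Reindl Harald's spamfilter-retrain script: it makes several copies of a sample with fresh Message-ID and Date headers and feeds them to sa-learn until the sample scores BAYES_99. The reason plain duplicates do not move the score is that SpamAssassin records the Message-ID of every message it has learned and skips one it has already seen. SAMPLE is constructed; the sa-learn and spamc invocations are only attempted when the script is run directly and the tools are installed, and the directory-at-a-time sa-learn call is the author's choice here, not something the thread prescribes.

```python
"""Retrain Bayes on a spam sample that keeps scoring low (added example)."""
from __future__ import annotations

import email
import os
import re
import shutil
import subprocess
import tempfile
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, make_msgid
from typing import Callable, List

# Constructed sample; headers chosen to look like the thread's invoice lure.
SAMPLE = b"""\
From: Marcus Love <sender@example.invalid>
To: victim@example.invalid
Subject: invoice no. 316855
Message-ID: <orig-1@example.invalid>
Date: Fri, 20 May 2016 08:31:48 +0300
Content-Type: text/plain

Please find enclosed invoice no. 316855
Thank you for your order.
"""


def make_variants(raw: bytes, count: int, domain: str = "retrain.invalid") -> List[bytes]:
    """Copies of raw that Bayes will treat as distinct messages; body untouched."""
    base = datetime.now(timezone.utc)
    variants = []
    for i in range(count):
        msg = email.message_from_bytes(raw)
        del msg["Message-ID"]
        del msg["Date"]
        msg["Message-ID"] = make_msgid(domain=domain)       # fresh, unique per copy
        msg["Date"] = format_datetime(base - timedelta(minutes=i))
        variants.append(msg.as_bytes())
    return variants


def header_values(variants: List[bytes], name: str) -> List[str]:
    """Header values of each variant, for inspection and tests."""
    return [email.message_from_bytes(v)[name] for v in variants]


def has_bayes_99(spam_status: str) -> bool:
    """True if an X-Spam-Status value lists BAYES_99 among its tests."""
    m = re.search(r"tests=([A-Za-z0-9_,]+)", spam_status)
    return bool(m) and "BAYES_99" in m.group(1).split(",")


def retrain(raw: bytes, classify: Callable[[bytes], str],
            learn: Callable[[List[bytes]], None],
            per_round: int = 5, max_rounds: int = 10) -> int:
    """Learn per_round fresh copies until classify() reports BAYES_99.

    Returns the number of rounds run; max_rounds stops the rare sample that
    never converges, which the thread says has to be ignored anyway."""
    rounds = 0
    while rounds < max_rounds and not has_bayes_99(classify(raw)):
        learn(make_variants(raw, per_round))
        rounds += 1
    return rounds


def sa_learn_spam(variants: List[bytes]) -> None:
    """Write the copies to a scratch directory and hand it to sa-learn."""
    with tempfile.TemporaryDirectory() as d:
        for i, v in enumerate(variants):
            with open(os.path.join(d, f"copy-{i}.eml"), "wb") as f:
                f.write(v)
        subprocess.run(["sa-learn", "--spam", "--no-sync", d], check=True)
    subprocess.run(["sa-learn", "--sync"], check=True)


def spamc_status(raw: bytes) -> str:
    """Run the sample through spamd and return the X-Spam-Status it adds."""
    out = subprocess.run(["spamc"], input=raw, capture_output=True, check=False).stdout
    return email.message_from_bytes(out).get("X-Spam-Status", "")


if __name__ == "__main__":
    if shutil.which("sa-learn") and shutil.which("spamc"):
        print("rounds:", retrain(SAMPLE, spamc_status, sa_learn_spam))
    else:
        print("sa-learn/spamc not installed; Message-IDs of 5 variants:",
              header_values(make_variants(SAMPLE, 5), "Message-ID"))
```

The classifier and learner are passed in as callables so the loop can be exercised without a running spamd; in production they are spamc_status and sa_learn_spam.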
Re: SA cannot block messages with attached zip
Emin Akbulut wrote:
> I tried to train SA with tons of spam messages which contain a zip file
> (includes .js)
> The max spam score was less than 5 so I set 4 to delete messages.
>
> Then the same kind of spam messages appear with a score of less than 2.
>
> In short; training the SA seems not helpful.
>
> What do you suggest to fight these spams?

I've had some luck doing that, but it takes a while.

I've also added some rules that should match on most of these messages:

mimeheader __ZIP_ATTACH_1 Content-Type =~ m{application/(?:x-)?zip(?:-compressed)?; name="[^"]+\.zip"}
mimeheader __ZIP_ATTACH_2 content-type =~ m{application/(?:x-)?zip(?:-compressed)?; name="[^"]+\.zip"}
meta ZIP_ATTACH __ZIP_ATTACH_1 || __ZIP_ATTACH_2
describe ZIP_ATTACH Has .zip attachment
score ZIP_ATTACH 0.001

(Note the different case for "Content-Type"; I found both were needed.)

-kgd
Re: SA cannot block messages with attached zip
I hitched a ride in this thread and I appreciate the tip about foxhole and clamav! I was also having problems here! Solved now.

On 20-05-2016 09:11, Reindl Harald wrote:
> On 20.05.2016 at 13:07, Dianne Skoll wrote:
>> On Fri, 20 May 2016 09:31:48 +0300 Emin Akbulut wrote:
>>> What do you suggest to fight these spams?
>> ClamAV is basically useless
> no it is not, look at the sanesecurity foxhole signatures http://sanesecurity.com/usage/signatures/

--
Rejaine da Silveira Monteiro
Suporte-TI
Tel: (31) 2102-8854
reja...@bhz.jamef.com.br
www.jamef.com.br
Re: SA cannot block messages with attached zip
On 20.05.2016 at 13:07, Dianne Skoll wrote:
> On Fri, 20 May 2016 09:31:48 +0300 Emin Akbulut wrote:
>> What do you suggest to fight these spams?
> ClamAV is basically useless

no it is not, look at the sanesecurity foxhole signatures http://sanesecurity.com/usage/signatures/
Re: SA cannot block messages with attached zip
On Fri, 20 May 2016 09:31:48 +0300 Emin Akbulut wrote:

> What do you suggest to fight these spams?

ClamAV is basically useless.

We do it the hard way. We list the contents of attached archives (using "lsar") and have filename-extension rules that block .js inside .zip files. While this can lead to some FPs, which we handle with selective whitelisting, it's very effective at catching the latest crop of cryptolocker-style attacks.

Sorry for the non-easy answer. Doing it properly requires a non-trivial amount of coding.

Regards,

Dianne.
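Dianne's approach above (list the archive, then rule on the file extensions inside it) as an added example in Python, not code from her post or her product: Python's zipfile module stands in for lsar, the message is constructed inline, and the extension list is an assumption to tune locally. Two details a practitioner wants from such a filter are included: the archive is recognised by its PK magic rather than by Content-Type or the attachment's name, so a zip mislabelled as application/octet-stream or "invoice.pdf" is still opened, and the extension match tolerates a run of dots before the final extension, so a name like "scan..wsf" that dodges a naive "x.ext1.ext2" check is still caught.

```python
"""List zip attachment contents and flag script files inside them (added example)."""
from __future__ import annotations

import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows hands to a script host or loader on double-click
# (assumption: a starting point, not an exhaustive list).
SCRIPT_EXTS = {"js", "jse", "wsf", "wsh", "vbs", "vbe", "hta",
               "exe", "scr", "bat", "cmd", "ps1"}

# Final extension of a name, tolerating a run of dots before it ("scan..wsf").
EXT_RE = re.compile(r"\.+([A-Za-z0-9]{1,4})$")


def is_zip(data: bytes) -> bool:
    """Trust the PKZip magic, not Content-Type or the attachment's filename."""
    return data[:2] == b"PK"


def zip_entries(data: bytes) -> list[str]:
    """Names of the files stored in a zip (what "lsar" would print)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [zi.filename for zi in zf.infolist() if not zi.is_dir()]


def risky_entry(name: str) -> bool:
    """True if the entry's last extension is in SCRIPT_EXTS (case-insensitive)."""
    base = name.rsplit("/", 1)[-1]
    m = EXT_RE.search(base)
    return bool(m) and m.group(1).lower() in SCRIPT_EXTS


def scan_message(raw: bytes) -> list[tuple[str, list[str]]]:
    """Return (attachment filename, risky entries) for every zip part that holds
    a script; an archive that cannot be parsed is reported, not passed through."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: list[tuple[str, list[str]]] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)
        if not payload or not is_zip(payload):
            continue
        shown_name = part.get_filename() or "(unnamed)"
        try:
            names = zip_entries(payload)
        except zipfile.BadZipFile:
            # Truncated or deliberately malformed: the recipient's unpacker may
            # still open it, so treat it as suspicious rather than clean.
            hits.append((shown_name, ["<unreadable zip>"]))
            continue
        risky = [n for n in names if risky_entry(n)]
        if risky:
            hits.append((shown_name, risky))
    return hits


def build_sample(entry_name: str) -> bytes:
    """Constructed message: one zip holding one file, attached under a
    harmless-looking name and a generic Content-Type."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(entry_name, "WScript.Echo('constructed sample');\n")
    msg = EmailMessage()
    msg["From"] = "Marcus Love <sender@example.invalid>"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "invoice no. 316855"
    msg.set_content("Please find enclosed invoice no. 316855")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for entry in ("invoice_316855.js", "scan..wsf", "invoice.pdf.js", "readme.txt"):
        print(f"{entry:20} -> {scan_message(build_sample(entry))}")
```

Run as a script it prints the verdict for four constructed archives; in a milter or post-queue filter you would call scan_message on the raw message and reject or quarantine when the result is non-empty.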
Re: SA cannot block messages with attached zip
On 20.05.2016 at 11:40, @lbutlr wrote:
> On May 20, 2016, at 2:46 AM, Reindl Harald wrote:
>> postscreen_dnsbl_action = enforce
>> postscreen_greet_action = enforce
>> [long list]
> What do you set postscreen_dnsbl_threshold to?

8
Re: SA cannot block messages with attached zip
On May 20, 2016, at 2:46 AM, Reindl Harald wrote:
> postscreen_dnsbl_action = enforce
> postscreen_greet_action = enforce
> [long list]

What do you set postscreen_dnsbl_threshold to?

--
"Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life."
Re: SA cannot block messages with attached zip
On 20.05.2016 at 10:32, Reindl Harald wrote:
> On 20.05.2016 at 08:31, Emin Akbulut wrote:
>> I tried to train SA with tons of spam messages which contain a zip file (includes .js)
>> The max spam score was less than 5 so I set 4 to delete messages.
>> Then the same kind of spam messages appear with a score of less than 2.
>> In short; training the SA seems not helpful.
>> What do you suggest to fight these spams?
>> Raw message: http://pastebin.com/gPREh54L
>
> just get a proper clamav setup
>
> the real good question is why the hell that message does not get bayes classified at all here when I pipe your download through spamc/spamd while other messages are
>
> also a good question is why your headers don't contain a single DNSBL, and if that happens all the time - without blacklists you have no good chance of properly rejecting (for the trolls - YES a FULL SETUP rejects) much junk

well, and another good question is why a mail listed on so many blacklists makes it to your contentfilter at all

get a proper MTA setup (containing a local dns-resolver doing recursion and NOT forwarding) and your inbound MX runs with zero load most of the time; facing a spam attack the last two days on a domain that previously had 1 valid rcpt, triggering 150 rejects per minute and much more not passing the 12 seconds pregreet phase, 100 MHz load on the VM running postfix/spamassassin/clamav just because nothing of this crap makes it to a smtpd process

postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_dnsbl_sites =
  dnsbl.sorbs.net=127.0.0.10*9
  dnsbl.sorbs.net=127.0.0.14*9
  zen.spamhaus.org=127.0.0.[10;11]*8
  dnsbl.sorbs.net=127.0.0.5*7
  zen.spamhaus.org=127.0.0.[4..7]*7
  b.barracudacentral.org=127.0.0.2*7
  zen.spamhaus.org=127.0.0.3*7
  dnsbl.inps.de=127.0.0.2*7
  dnsbl.sorbs.net=127.0.0.7*4
  hostkarma.junkemailfilter.com=127.0.0.2*4
  bl.spamcop.net=127.0.0.2*4
  bl.spameatingmonkey.net=127.0.0.[2;3]*4
  dnsrbl.swinog.ch=127.0.0.3*4
  ix.dnsbl.manitu.net=127.0.0.2*4
  psbl.surriel.com=127.0.0.2*4
  bl.mailspike.net=127.0.0.[10;11;12]*4
  bl.mailspike.net=127.0.0.2*4
  bl.spamcannibal.org=127.0.0.2*3
  zen.spamhaus.org=127.0.0.2*3
  score.senderscore.com=127.0.4.[0..20]*3
  dnsbl.sorbs.net=127.0.0.6*3
  dnsbl.sorbs.net=127.0.0.8*2
  hostkarma.junkemailfilter.com=127.0.0.4*2
  dnsbl.sorbs.net=127.0.0.9*2
  dnsbl-1.uceprotect.net=127.0.0.2*2
  all.spamrats.com=127.0.0.38*2
  bl.nszones.com=127.0.0.[2;3]*1
  dnsbl-2.uceprotect.net=127.0.0.2*1
  dnsbl.sorbs.net=127.0.0.2*1
  dnsbl.sorbs.net=127.0.0.4*1
  score.senderscore.com=127.0.4.[0..69]*1
  dnsbl.sorbs.net=127.0.0.3*1
  hostkarma.junkemailfilter.com=127.0.1.2*1
  dnsbl.sorbs.net=127.0.0.15*1
  ips.backscatterer.org=127.0.0.2*1
  bl.nszones.com=127.0.0.5*-1
  score.senderscore.com=127.0.4.[90..100]*-1
  wl.mailspike.net=127.0.0.[18;19;20]*-2
  hostkarma.junkemailfilter.com=127.0.0.1*-2
  ips.whitelisted.org=127.0.0.2*-2
  list.dnswl.org=127.0.[0..255].0*-2
  dnswl.inps.de=127.0.[0;1].[2..10]*-2
  list.dnswl.org=127.0.[0..255].1*-3
  list.dnswl.org=127.0.[0..255].2*-4
  list.dnswl.org=127.0.[0..255].3*-5

> X-Spam-Status: No, score=1.6 required=4.0 tests=BAYES_50,RDNS_NONE autolearn=no autolearn_force=no version=3.4.1
>
> /var/www/uploadtemp/5633d7b4bafd01d72635e8496c9a781a4efa94d8.eml: Sanesecurity.Foxhole.Zip_fs223.UNOFFICIAL FOUND
> /var/www/uploadtemp/5633d7b4bafd01d72635e8496c9a781a4efa94d8.eml: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL FOUND
>
> --- VIRUS-SCAN SUMMARY ---
> Infected files: 1
> Time: 0.005 sec (0 m 0 s)
>
> Content analysis details: (37.6 points, 5.5 required)
>
>  pts rule name                    description
> ---- ---------------------------- --------------------------------------------------
>  4.5 CUST_DNSBL_10_SORBS_WEB      RBL: dnsbl.sorbs.net (web.dnsbl.sorbs.net) [213.252.170.66 listed in dnsbl.sorbs.net]
>  0.5 CUST_DNSBL_33_SORBS_VIRUS    RBL: dnsbl.sorbs.net (virus.dnsbl.sorbs.net)
>  1.5 CUST_DNSBL_20_SORBS_SPAM     RBL: dnsbl.sorbs.net (spam.dnsbl.sorbs.net)
>  0.1 CUST_DNSBL_34_BACKSCATTER    RBL: dnsbl-backscatterer.thelounge.net (ips.backscatterer.org) [213.252.170.66 listed in dnsbl-backscatterer.thelounge.net]
>  3.5 CUST_DNSBL_11_JEF_BLACK      RBL: hostkarma.junkemailfilter.com [213.252.170.66 listed in hostkarma.junkemailfilter.com]
>  1.0 CUST_DNSBL_24_UCE1           RBL: dnsbl-uce.thelounge.net (dnsbl-1.uceprotect.net) [213.252.170.66 listed in dnsbl-uce.thelounge.net]
>  2.5 CUST_DNSBL_16_PSBL           RBL: dnsbl-surriel.thelounge.net (psbl.surriel.com) [213.252.170.66 listed in dnsbl-surriel.thelounge.net]
>  2.5 CUST_DNSBL_12_SPAMCOP        RBL: bl.spamcop.net [213.252.170.66 listed in bl.spamcop.net]
>  3.0 RCVD_IN_MSPIKE_L5            RBL: Very bad reputation (-5) [213.252.170.66 listed in
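How postscreen turns a weight table like the one above into a verdict, as an added example that is neither Reindl's configuration nor Postfix code: it parses a subset of the entries he posted (reproduced in SITES), applies the postscreen_dnsbl_threshold of 8 he gives in reply to @lbutlr earlier on this page, and scores constructed DNSBL answers for a client IP, so the overlapping patterns and the negative whitelist weights can be tried out without live lookups. The counting rule used here, that the weight of every matching pattern is added even when several patterns belong to the same domain, is an assumption to verify against postconf(5) for your Postfix version.

```python
"""Score a client IP against a postscreen_dnsbl_sites table (added example)."""
from __future__ import annotations

import re
from typing import Dict, Iterable, List, Tuple

# Subset of the posted table; syntax is domain=pattern*weight.
SITES = """
zen.spamhaus.org=127.0.0.[10;11]*8
zen.spamhaus.org=127.0.0.[4..7]*7
zen.spamhaus.org=127.0.0.3*7
zen.spamhaus.org=127.0.0.2*3
b.barracudacentral.org=127.0.0.2*7
bl.spamcop.net=127.0.0.2*4
psbl.surriel.com=127.0.0.2*4
score.senderscore.com=127.0.4.[0..20]*3
score.senderscore.com=127.0.4.[0..69]*1
score.senderscore.com=127.0.4.[90..100]*-1
list.dnswl.org=127.0.[0..255].0*-2
list.dnswl.org=127.0.[0..255].1*-3
list.dnswl.org=127.0.[0..255].2*-4
list.dnswl.org=127.0.[0..255].3*-5
"""
THRESHOLD = 8  # postscreen_dnsbl_threshold as stated in the thread

ENTRY_RE = re.compile(r"^(?P<domain>[^=*]+)(?:=(?P<pattern>[^*]+))?(?:\*(?P<weight>-?\d+))?$")
OCTET_RE = re.compile(r"\[[^\]]*\]|\d+")   # splits "127.0.[0..255].3" into 4 tokens

Site = Tuple[str, List[set], int]          # (domain, four octet sets, weight)


def parse_octet(tok: str) -> set[int]:
    """One octet pattern: '7', '[10;11]', '[4..7]' or a mix such as '[2;4..6]'."""
    tok = tok.strip("[]")
    values: set[int] = set()
    for piece in tok.split(";"):
        if ".." in piece:
            lo, hi = piece.split("..", 1)
            values.update(range(int(lo), int(hi) + 1))
        else:
            values.add(int(piece))
    if not values or min(values) < 0 or max(values) > 255:
        raise ValueError(f"bad octet pattern: {tok}")
    return values


def parse_sites(spec: str) -> List[Site]:
    """Parse a whitespace-separated postscreen_dnsbl_sites value."""
    sites: List[Site] = []
    for entry in spec.split():
        m = ENTRY_RE.match(entry)
        if not m:
            raise ValueError(f"bad entry: {entry}")
        # Assumption: an entry without "=pattern" matches any 127.0.0.x answer.
        pattern = m.group("pattern") or "127.0.0.[1..255]"
        octets = [parse_octet(o) for o in OCTET_RE.findall(pattern)]
        if len(octets) != 4:
            raise ValueError(f"bad pattern: {pattern}")
        sites.append((m.group("domain"), octets, int(m.group("weight") or 1)))
    return sites


def score(sites: List[Site], answers: Dict[str, Iterable[str]]) -> int:
    """Sum the weights of every pattern matched by the A records each list returned."""
    total = 0
    for domain, octets, weight in sites:
        for addr in answers.get(domain, ()):
            parts = [int(p) for p in addr.split(".")]
            if len(parts) == 4 and all(p in ok for p, ok in zip(parts, octets)):
                total += weight
    return total


def decide(answers: Dict[str, Iterable[str]], threshold: int = THRESHOLD) -> Tuple[int, str]:
    """postscreen rejects once the combined score reaches the threshold."""
    s = score(parse_sites(SITES), answers)
    return s, ("reject" if s >= threshold else "continue")


# Constructed answers, i.e. what the resolver might return for one client IP.
BOT = {"zen.spamhaus.org": ["127.0.0.4"], "bl.spamcop.net": ["127.0.0.2"],
       "psbl.surriel.com": ["127.0.0.2"]}                                    # 7 + 4 + 4 = 15
MARGINAL = {"zen.spamhaus.org": ["127.0.0.2"], "bl.spamcop.net": ["127.0.0.2"]}   # 3 + 4 = 7
LEGIT = {"list.dnswl.org": ["127.0.5.2"], "score.senderscore.com": ["127.0.4.98"]}  # -4 - 1 = -5

if __name__ == "__main__":
    for name, ans in (("bot", BOT), ("marginal", MARGINAL), ("legit", LEGIT)):
        print(name, decide(ans))
```

The MARGINAL case shows why the threshold matters: one Spamhaus SBL listing plus SpamCop reaches 7 and is still let through to the later greylisting and content checks, while any XBL/CSS hit pushes the same client over 8. Note also that a senderscore answer of 127.0.4.10 matches both the [0..20] and the [0..69] entries, so under the summation assumed here it contributes 4, not 3.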
Re: SA cannot block messages with attached zip
On 20.05.2016 at 08:31, Emin Akbulut wrote:
> I tried to train SA with tons of spam messages which contain a zip file (includes .js)
> The max spam score was less than 5 so I set 4 to delete messages.
> Then the same kind of spam messages appear with a score of less than 2.
> In short; training the SA seems not helpful.
> What do you suggest to fight these spams?
> Raw message: http://pastebin.com/gPREh54L

just get a proper clamav setup

the real good question is why the hell that message does not get bayes classified at all here when I pipe your download through spamc/spamd while other messages are

also a good question is why your headers don't contain a single DNSBL, and if that happens all the time - without blacklists you have no good chance of properly rejecting (for the trolls - YES a FULL SETUP rejects) much junk

X-Spam-Status: No, score=1.6 required=4.0 tests=BAYES_50,RDNS_NONE autolearn=no autolearn_force=no version=3.4.1

/var/www/uploadtemp/5633d7b4bafd01d72635e8496c9a781a4efa94d8.eml: Sanesecurity.Foxhole.Zip_fs223.UNOFFICIAL FOUND
/var/www/uploadtemp/5633d7b4bafd01d72635e8496c9a781a4efa94d8.eml: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL FOUND

--- VIRUS-SCAN SUMMARY ---
Infected files: 1
Time: 0.005 sec (0 m 0 s)

Content analysis details: (37.6 points, 5.5 required)

 pts rule name                    description
---- ---------------------------- --------------------------------------------------
 4.5 CUST_DNSBL_10_SORBS_WEB      RBL: dnsbl.sorbs.net (web.dnsbl.sorbs.net) [213.252.170.66 listed in dnsbl.sorbs.net]
 0.5 CUST_DNSBL_33_SORBS_VIRUS    RBL: dnsbl.sorbs.net (virus.dnsbl.sorbs.net)
 1.5 CUST_DNSBL_20_SORBS_SPAM     RBL: dnsbl.sorbs.net (spam.dnsbl.sorbs.net)
 0.1 CUST_DNSBL_34_BACKSCATTER    RBL: dnsbl-backscatterer.thelounge.net (ips.backscatterer.org) [213.252.170.66 listed in dnsbl-backscatterer.thelounge.net]
 3.5 CUST_DNSBL_11_JEF_BLACK      RBL: hostkarma.junkemailfilter.com [213.252.170.66 listed in hostkarma.junkemailfilter.com]
 1.0 CUST_DNSBL_24_UCE1           RBL: dnsbl-uce.thelounge.net (dnsbl-1.uceprotect.net) [213.252.170.66 listed in dnsbl-uce.thelounge.net]
 2.5 CUST_DNSBL_16_PSBL           RBL: dnsbl-surriel.thelounge.net (psbl.surriel.com) [213.252.170.66 listed in dnsbl-surriel.thelounge.net]
 2.5 CUST_DNSBL_12_SPAMCOP        RBL: bl.spamcop.net [213.252.170.66 listed in bl.spamcop.net]
 3.0 RCVD_IN_MSPIKE_L5            RBL: Very bad reputation (-5) [213.252.170.66 listed in bl.mailspike.net]
 5.5 CUST_DNSBL_6_ZEN_XBL         RBL: zen.spamhaus.org (xbl.spamhaus.org) [213.252.170.66 listed in zen.spamhaus.org]
 1.5 CUST_DNSBL_19_SENDERSC_HIGH  RBL: score.senderscore.com (senderscore.com High) [213.252.170.66 listed in score.senderscore.com]
 1.0 CUST_DNSBL_30_SENDERSC_MED   RBL: score.senderscore.com (senderscore.com Medium)
 5.0 CUST_DNSBL_7_CUDA            RBL: b.barracudacentral.org [213.252.170.66 listed in b.barracudacentral.org]
 2.5 CUST_DNSBL_13_SEM            RBL: bl.spameatingmonkey.net [213.252.170.66 listed in bl.spameatingmonkey.net]
 2.5 RDNS_NONE                    Delivered to internal network by a host with no rDNS
 0.0 RCVD_IN_MSPIKE_BL            Mailspike blacklisted
 0.5 HELO_MISC_IP                 Looking for more Dynamic IP Relays
SA cannot block messages with attached zip
I tried to train SA with tons of spam messages which contain a zip file (includes .js)
The max spam score was less than 5 so I set 4 to delete messages.

Then the same kind of spam messages appear with a score of less than 2.

In short; training the SA seems not helpful.

What do you suggest to fight these spams?

Raw message: http://pastebin.com/gPREh54L

Preview:

> Hello abdurrahim.ersoz,
>
> Please find enclosed invoice no. 316855
>
> Thank you for your order.
>
> We look forward to doing business with you again.
>
> Regards,
>
> Marcus Love
>
> StarTek, Inc.