Re: SA cannot block messages with attached zip

2016-07-13 Thread John Hardin

On Wed, 13 Jul 2016, Chip M. wrote:


> P.P.S.  Today's new malware morph is a single zipped javascript
> file, where the script filename ends with "..wsf".
> Is the double dot just a mistake, or does that confuse anything?


That's very likely an attempt to bypass "double-extension" filter checks 
that expect the first extension to actually be present (e.g. something 
like /\.[a-z]{1,3}\.wsf$/ ).


--
 John Hardin KA7OHZ                      http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 3 days until the 71st anniversary of the dawn of the Atomic Age
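Added example (not from any poster in this thread) showing why the kind of check John describes lets "..wsf" through, and the filename test a filter should use instead: decide on the final extension alone, the one Windows acts on, and treat the double extension as a separate signal rather than a precondition. The extension list and sample filenames are constructed for the demonstration.

```python
import re

# The kind of "double extension" check described above: it insists on a
# 1-3 letter first extension, so "invoice.pdf.wsf" matches but
# "invoice..wsf" (empty middle component) does not.
NAIVE_DOUBLE_EXT = re.compile(r"\.[a-z]{1,3}\.wsf$", re.IGNORECASE)

# Script extensions to flag whatever precedes them.  Constructed list for
# this example, taken from the extensions discussed in the thread.
SCRIPT_EXTENSIONS = {"js", "jse", "vbs", "wsf", "hta"}


def naive_match(filename: str) -> bool:
    """Return True only for the 'name.xxx.wsf' shape the naive regex expects."""
    return NAIVE_DOUBLE_EXT.search(filename) is not None


def final_extension(filename: str) -> str:
    """Return the extension Windows would act on: everything after the last
    dot, lower-cased.  Trailing spaces and dots are stripped first because
    Windows drops them when creating the file, so 'run.wsf .' still lands on
    disk as a .wsf.  Returns '' when there is no extension at all."""
    name = filename.rstrip(" .")
    _base, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""


def robust_match(filename: str) -> bool:
    """Flag any filename whose final extension is a scripting extension,
    however many dots (including consecutive ones) come before it."""
    return final_extension(filename) in SCRIPT_EXTENSIONS


def missed_by_naive_check(filenames):
    """Names the final-extension check flags but the naive regex lets through."""
    return [f for f in filenames if robust_match(f) and not naive_match(f)]


# Constructed sample filenames for the demonstration.
SAMPLE_NAMES = [
    "invoice.pdf.wsf",   # classic double extension: both checks catch it
    "invoice..wsf",      # the morph from the post: the naive regex misses it
    "invoice.wsf",       # single extension: also outside the naive regex
    "quarterly.docx",    # benign
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(f"{name:20} naive={naive_match(name)!s:5} robust={robust_match(name)}")
    print("missed by naive check:", missed_by_naive_check(SAMPLE_NAMES))
```

The point of final_extension() is that the filter reasons about what the target OS will do with the name, not about what shape the attacker chose; a filename like "invoice..wsf" then needs no special case.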


Re: SA cannot block messages with attached zip

2016-07-13 Thread Chip M.
On Wed, 8 Jun 2016 17:23:59 -0400 Alex wrote:
>Meanwhile, there is RTF spam that's circulating which is
>currently bypassing the sanesecurity sigs. I've just submitted a
>sample to Steve, but the db hasn't yet been updated. Here's a
>sample:
>
>http://pastebin.com/ALsSAmwa

Alex, thanks for the spample! :)
I've seen a steady trickle of those, since late April.

That file attachment is actually the way-kewl "Office Open XML"
format, with an embedded VBA binary file, just like last week's
main vector for "Zepto" (a new ransomware morph), except those
used the (more correct) file extension ".docm".

The way-kewl thing about this file format is that they're
completely standard zip files, containing a mix of other mostly
standard files (e.g. XML, JPEGs).  In general, they're very easy
to parse (no obscure Microsoft OLE/etc in the main files).
The VBA is always in a file named "vbaproject.bin".

Since filenames in zip files are stored unaltered, it's just a
matter of de-MIME-ing the file, and scanning for the filename.
You do _NOT_ have to parse the zip file, just look for that one
simple string. :)
(Pedantic note:  Technically, there's another file named
"vbaProject.bin.rels" which is a plain text XML file.
Theoretically, you may want to exclude it, but practically, I
wouldn't bother - it seems to always occur with the binary ".bin"
file, so just nuke/quarantine them all.)

A couple of years ago, I changed my post-SA Filter so it always
tests the first few "raw" characters of every MIME Part, and if
they're the prefix that means PKZip, I de-MIME it and send it
thru my zip analyzer, regardless of ContentType or file ext.
I got fed up with all the Spammer Stupid Part Tricks, and it's
blindingly fast to check the prefix. :)
- "Chip"

P.S.  Thanks everyone for the followups on how Foxhole handles
stuff. :)

P.P.S.  Today's new malware morph is a single zipped javascript
file, where the script filename ends with "..wsf".
Is the double dot just a mistake, or does that confuse anything?
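Added example (not Chip's code, which is not posted here) of the two tricks in the message above: sniffing every MIME part for the PKZip prefix regardless of Content-Type or filename, and then looking for the string "vbaproject.bin" in the raw archive bytes without parsing the zip, since member names sit uncompressed in the zip headers. The pre-decode check uses the fact that a base64 body beginning with "UEsDB" decodes to PK\x03\x04. The message and archive are constructed inline for the demonstration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

PKZIP_MAGIC = b"PK\x03\x04"        # local file header signature at offset 0
BASE64_PKZIP_PREFIX = "UEsDB"      # those four bytes as they appear before base64 decoding
VBA_MARKER = b"vbaproject.bin"     # matched case-insensitively against the raw archive


def build_sample_message(with_vba: bool = True) -> bytes:
    """Constructed sample: an OOXML-style container (optionally carrying a VBA
    project) attached as application/octet-stream under a harmless-looking name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 64)
            zf.writestr("word/_rels/vbaProject.bin.rels", "<Relationships/>")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="invoice.txt")
    return msg.as_bytes()


def raw_prefix_is_zip(part) -> bool:
    """Cheap pre-check on the still-encoded body, before any decoding."""
    raw = part.get_payload(decode=False)   # str, still transfer-encoded
    if not isinstance(raw, str):
        return False
    raw = raw.lstrip()
    cte = str(part.get("Content-Transfer-Encoding", "")).lower()
    if cte == "base64":
        return raw.startswith(BASE64_PKZIP_PREFIX)
    return raw.startswith("PK\x03\x04")


def scan_message(raw: bytes) -> list:
    """Walk every MIME part; for each whose decoded bytes start with the PKZip
    signature, report whether 'vbaproject.bin' appears anywhere in the raw
    archive.  No zip parsing: member names are stored uncompressed in both the
    local file headers and the central directory."""
    findings = []
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)
        if not payload or not payload.startswith(PKZIP_MAGIC):
            continue
        findings.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "prefix_precheck": raw_prefix_is_zip(part),
            "has_vba_project": VBA_MARKER in payload.lower(),
        })
    return findings


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print(finding)
```

As noted in the post, the substring test also hits "vbaProject.bin.rels"; that file only turns up alongside the binary, so the example does not try to tell them apart.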




Re: SA cannot block messages with attached zip

2016-06-08 Thread Benny Pedersen

On 2016-06-08 23:23, Alex wrote:


http://pastebin.com/ALsSAmwa


this sample can be reported to dnswl


Re: SA cannot block messages with attached zip

2016-06-08 Thread Alex
Meanwhile, there is RTF spam that's circulating which is currently
bypassing the sanesecurity sigs. I've just submitted a sample to
Steve, but the db hasn't yet been updated. Here's a sample:

http://pastebin.com/ALsSAmwa

The pattern to temporarily stop them involves a meta with
__DOC_ATTACH_MT and some body rules. Other ideas welcome.


On Wed, Jun 8, 2016 at 5:08 PM, Paul Stead  wrote:
>
>
> On 08/06/16 21:39, Paul Stead wrote:
>
>
>
> BlockAnyAndAllJS:*:*:\.[Jj][Ss]$:*:*:*:*:*:*
>
>
> Should point out that this may be prone to false positives. The Sane sigs
> are scored low, med, high FP risk and can be installed as such.
> --
> Paul Stead
> Systems Engineer
> Zen Internet


Re: SA cannot block messages with attached zip

2016-06-08 Thread Paul Stead



On 08/06/16 21:39, Paul Stead wrote:


BlockAnyAndAllJS:*:*:\.[Jj][Ss]$:*:*:*:*:*:*

Should point out that this may be prone to false positives. The Sane sigs are 
scored low, med, high FP risk and can be installed as such.
--
Paul Stead
Systems Engineer
Zen Internet


Re: SA cannot block messages with attached zip

2016-06-08 Thread Paul Stead


On 08/06/16 20:59, Chip M. wrote:
> I was looking more closely at the Foxhole page, and it SOUNDS (to me) like they do _NOT_
> block on ".js" file extension, whereas you/Dianne do:

More relevant for the ClamAV/Sanesecurity list, hope this isn't looked down
upon.

I'm not sure if Steve is on the list but I'll do my best to answer.

> "This database will block most JavaScript (.js) files within within Zip, Rar files"
> ...
> "To help minimise false positives, this database will only scan small sized Zip and Rar files."
>
> *** Questions:
> *1. Could someone clarify whether Foxhole is using some sort of signatures on ".js"
> files?

"The three new foxhole databases use the .cdb extension which uses the ClamAV engine
to look inside certain container/archive files for various filenames/extensions and
perform Regular Expressions, on those filenames/extensions."

Here's one example rule from foxhole_js.cdb

---8<---
Sanesecurity.Foxhole.JS_Zip_1:CL_TYPE_ZIP:*:\.([Jj][Ss])$:0-512000:*:0:1:*:*
---8<---

cdb files have the following format:

VirusName:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:FileSizeReal:IsEncrypted:FilePos:Res1:Res2[:MinFL[:MaxFL]]

You could adjust rules if needed. Steve is also very helpful and responsive.

> *2. How did Foxhole perform on the recent campaign with duplicate large zipped
> js files (e.g. 5 files of 236 kilobytes each)? There was also a campaign with a
> single large file (e.g. 604 kilobytes), with most of the payload at the end. I
> suspect both campaigns were attempts to bypass sig based scanners.

The js detection was recently upped from 256 kilobytes based on list feedback - as you 
see the 512 kilobytes it is currently at is the FileSizeInContainer - "usually 
compressed size".

I have had a very positive experience with these signatures over all

> I'm with Dianne on outright blocking js files, AND making highly selective
> holes for specific sender/recipient pairs.

We can block any JS file with Zips, 7zip, rar, arj, cab...

Foxhole.ZIP.JS:CL_TYPE_ZIP:*:\.[Jj][Ss]$:*:*:*:*:*:*
Foxhole.7Z.JS:CL_TYPE_7Z:*:\.[Jj][Ss]$:*:*:*:*:*:*
Foxhole.RAR.JS:CL_TYPE_RAR:*:\.[Jj][Ss]$:*:*:*:*:*:*
Foxhole.ARJ.JS:CL_TYPE_ARJ:*:\.[Jj][Ss]$:*:*:*:*:*:*
Foxhole.CAB.JS:CL_TYPE_CAB:*:\.[Jj][Ss]$:*:*:*:*:*:*

ContainerType: one of CL_TYPE_ZIP, CL_TYPE_RAR, CL_TYPE_ARJ,
CL_TYPE_MSCAB, CL_TYPE_7Z, CL_TYPE_MAIL, CL_TYPE_(POSIX|OLD)_TAR,
CL_TYPE_CPIO_(OLD|ODC|NEWC|CRC) or * to match any of the container
types listed here

or...

BlockAnyAndAllJS:*:*:\.[Jj][Ss]$:*:*:*:*:*:*

> *3. Is the list of file extensions on the Foxhole page complete?
> http://sanesecurity.com/foxhole-databases/ The page is missing the following
> (and perhaps others): .acm .ax .dll .drv .efi .mui .ocx .tsp I verified that
> all of those actually occur and are executable on a Windows7 machine.

Those extensions aren't listed within the Foxhole databases, I'll feed this 
back via their mailing list - might be worth popping along?

> I recently added the MagicNumber for "old" style doc files, just for files
> inside zips (when they appeared, as mentioned in my previous post).

This could be accomplished with yara rules within ClamAV too - docs on 
signature creation can be found here 
https://github.com/vrtadmin/clamav-devel/raw/master/docs/signatures.pdf


Paul
--
Paul Stead
Systems Engineer
Zen Internet
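Added example (not Paul's code and not ClamAV's own matcher) that parses cdb lines in the field order quoted above and evaluates them against the members of a zip container. The field semantics are my reading of the ClamAV signature documentation the post links to: "*" matches anything, "n" an exact value, "n-m" an inclusive range, IsEncrypted is 0/1/*, and FilePos counts members from 1. The two rules are the ones quoted in the post; the containers are constructed.

```python
import io
import re
import zipfile
from dataclasses import dataclass

# Field order from the cdb format line quoted in the post.  The optional
# trailing MinFL/MaxFL fields are ignored here.
FIELD_NAMES = ("VirusName", "ContainerType", "ContainerSize", "FileNameREGEX",
               "FileSizeInContainer", "FileSizeReal", "IsEncrypted", "FilePos",
               "Res1", "Res2")


@dataclass
class CdbRule:
    name: str
    container_type: str
    container_size: str
    filename_re: re.Pattern
    size_in_container: str
    size_real: str
    is_encrypted: str
    file_pos: str


def parse_cdb_line(line: str) -> CdbRule:
    """Split one cdb line into its fields.  Assumes the regex field itself
    contains no ':' (true for every rule quoted in the thread)."""
    fields = line.strip().split(":")
    if len(fields) < len(FIELD_NAMES):
        raise ValueError(f"expected at least {len(FIELD_NAMES)} fields: {line!r}")
    f = dict(zip(FIELD_NAMES, fields))
    return CdbRule(f["VirusName"], f["ContainerType"], f["ContainerSize"],
                   re.compile(f["FileNameREGEX"]), f["FileSizeInContainer"],
                   f["FileSizeReal"], f["IsEncrypted"], f["FilePos"])


def _in_range(spec: str, value: int) -> bool:
    """'*' matches anything, 'n' an exact value, 'n-m' an inclusive range
    (assumed semantics, see the lead-in)."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= value <= int(hi)
    return int(spec) == value


def match_zip(rule: CdbRule, container: bytes) -> list:
    """Return the member names of a zip container that satisfy every field of
    the rule.  Only CL_TYPE_ZIP (or '*') is handled in this example."""
    if rule.container_type not in ("*", "CL_TYPE_ZIP"):
        return []
    if not _in_range(rule.container_size, len(container)):
        return []
    hits = []
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        for pos, info in enumerate(zf.infolist(), start=1):   # FilePos is 1-based
            encrypted = "1" if info.flag_bits & 0x1 else "0"   # bit 0: traditional encryption
            if (rule.filename_re.search(info.filename)
                    and _in_range(rule.size_in_container, info.compress_size)
                    and _in_range(rule.size_real, info.file_size)
                    and rule.is_encrypted in ("*", encrypted)
                    and _in_range(rule.file_pos, pos)):
                hits.append(info.filename)
    return hits


def scan(rules, container: bytes) -> dict:
    """Map each rule name to the member names it matched (rules without hits are omitted)."""
    result = {}
    for rule in rules:
        hits = match_zip(rule, container)
        if hits:
            result[rule.name] = hits
    return result


def make_zip(members) -> bytes:
    """Constructed test container from (name, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members:
            zf.writestr(name, data)
    return buf.getvalue()


# The two rules quoted in the post.
RULE_LINES = [
    r"Sanesecurity.Foxhole.JS_Zip_1:CL_TYPE_ZIP:*:\.([Jj][Ss])$:0-512000:*:0:1:*:*",
    r"BlockAnyAndAllJS:*:*:\.[Jj][Ss]$:*:*:*:*:*:*",
]
RULES = [parse_cdb_line(line) for line in RULE_LINES]

# Constructed containers: a lone script, and a script sitting behind a text file.
SINGLE = make_zip([("invoice.js", b"var x = 1;")])
SECOND_POSITION = make_zip([("readme.txt", b"see attached"),
                            ("payload.js", b"var x = 1;")])

if __name__ == "__main__":
    print("single:", scan(RULES, SINGLE))
    print("second position:", scan(RULES, SECOND_POSITION))
```

Worth noticing when tuning rules: with FilePos set to 1 the first rule only looks at the first member, so the .js in SECOND_POSITION is caught only by the wildcard rule. That is the field to check when a multi-file zip campaign seems to slip past a rule that otherwise looks right.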


Re: SA cannot block messages with attached zip

2016-06-08 Thread jimimaseye
If you think the foxhole databases are not sufficient and that other
extensions are required, then contact Steve @ Sane to discuss/request:
http://sanesecurity.com/contact-us/.  I speak to him regularly and he is open
to feedback.

Chip M. wrote
> At 04:07 AM 5/20/2016, Dianne/RoaringPenguin wrote:
> 
> *3. Is the list of file extensions on the Foxhole page complete?
>   http://sanesecurity.com/foxhole-databases/
> The page is missing the following (and perhaps others):
>   .acm
>   .ax
>   .dll
>   .drv
>   .efi
>   .mui
>   .ocx
>   .tsp
> I verified that all of those actually occur and are executable
> on a Windows7 machine.







Re: SA cannot block messages with attached zip

2016-06-08 Thread Chip M.
At 04:07 AM 5/20/2016, Dianne/RoaringPenguin wrote:
>We list the contents of attached archives 
>(using "lsar") and have filename-extension rules that block .js 
>inside .zip files. While this can lead to some FPs, which we handle 
>with selective whitelisting, it's very effective at catching the 
>latest crop of cryptolocker-style attacks.

I was looking more closely at the Foxhole page, and it SOUNDS
(to me) like they do _NOT_ block on ".js" file extension,
whereas you/Dianne do:

"This database will block most JavaScript (.js) files within within Zip, Rar 
files"
...
"To help minimise false positives, this database will only scan small sized Zip 
and Rar files."

*** Questions:
*1. Could someone clarify whether Foxhole is using some sort of
signatures on ".js" files?

*2. How did Foxhole perform on the recent campaign with duplicate
large zipped js files (e.g. 5 files of 236 kilobytes each)?
There was also a campaign with a single large file (e.g. 604
kilobytes), with most of the payload at the end.  I suspect both
campaigns were attempts to bypass sig based scanners.

I'm with Dianne on outright blocking js files, AND making highly
selective holes for specific sender/recipient pairs.
I protect a few thousand accounts and we only have a handful of
those holes, all for web designers.
"Aim small, miss small" :)

In my previous post, I mentioned "secret sauce" code to detect
javascript obfuscations.  That's a backup in case netscum figure
out a way to use a non obvious file extension.  FIRST, I do all
the quick tests (file extensions, etc), then, if there's enough
time, the slower/memory-heavy tests.  The recent large js file
campaigns took significantly longer (1/2 to 1 second) to do my
extra tests, but still hit all my tests. :)


*3. Is the list of file extensions on the Foxhole page complete?
http://sanesecurity.com/foxhole-databases/
The page is missing the following (and perhaps others):
.acm
.ax
.dll
.drv
.efi
.mui
.ocx
.tsp
I verified that all of those actually occur and are executable
on a Windows7 machine.


I have seen, in the wild (about a year or so ago), malware email
that instructed the target to rename the attached file. :(
Long before that, I had added code to decompress just the first
few bytes of each zipped file, and check for executable
MagicNumbers (e.g. Windows' "MZ").  I also check all MIME parts
(I have a very speedy "MIME Prefix" test).

I recently added the MagicNumber for "old" style doc files, just
for files inside zips (when they appeared, as mentioned in my
previous post).  That does have a higher FP risk, since it's
reasonable to zip huge doc files, however in practice they're
rare, and I have an excellent Quarantine/FP pipeline.

A friend sent me this cool MagicNumber look up site:
filesignatures.net
Any other suggestions for file types to add?
- "Chip"



Re: SA cannot block messages with attached zip

2016-05-24 Thread Emin Akbulut
I've switched from AVG File Server to ClamWin + Sanesecurity. Now it seems
ok; I have to examine for false negatives, maybe I need to exclude some
signatures.

Here are the results for 9 hours of Sanesecurity:
Passed msg: 912
Viruses detected: 446
Spam msg: 5523

AVG File Server was really really bad, it has detected less than 10 viruses
per day.




On Mon, May 23, 2016 at 7:29 PM, Bill Cole <
sausers-20150...@billmail.scconsult.com> wrote:

> On 21 May 2016, at 12:31, Dianne Skoll wrote:
>
>> On Sat, 21 May 2016 12:28:48 -0400
>> "Bill Cole"  wrote:
>>
>>> On 20 May 2016, at 7:07, Dianne Skoll wrote:
>>>
>>>> Sorry for the non-easy answer.  Doing it properly requires a
>>>> non-trivial amount of coding.
>>>
>>> I do not recall doing any real coding at all to get a steady trickle
>>> of log messages like this (regarding mail NOT from Amazon):
>>>
>>> May 4 01:30:05 bigsky mimedefang.pl[43619]: 3r067J5jjjz1ZYGsV:
>>> MDLOG,3r067J5jjjz1ZYGsV,Reject: Bad
>>> Filename,ORDER-067-8958800-7459411.zip,application/zip,<
>>> auto-shipp...@amazon.com>,,Your
>>> Amazon.co.uk order has dispatched (#067-8958800-7459411)
>>
>> Well, yes, if it's feasible to block all zip files, then it is
>> trivial.  However, that's not an option for us. :)
>>
>
> Well, that particular system is one where I have extraordinary powers of
> persuasion over all of the handful of users, but elsewhere where my
> authority is less absolute I've found that providing easily used
> alternative means of receiving files more safely makes it easier to crank
> down on email constraints that paying customers would otherwise not
> tolerate. One wave of mail-borne ransomware can be a persuasive experience
> as well for customers who are reluctant to ask senders to do anything
> "special" to send them files of suspect types, although obviously that's a
> somewhat random event.
>


Re: SA cannot block messages with attached zip

2016-05-23 Thread Bill Cole

On 21 May 2016, at 12:31, Dianne Skoll wrote:


On Sat, 21 May 2016 12:28:48 -0400
"Bill Cole"  wrote:


On 20 May 2016, at 7:07, Dianne Skoll wrote:



Sorry for the non-easy answer.  Doing it properly requires a
non-trivial amount of coding.



I do not recall doing any real coding at all to get a steady trickle
of log messages like this (regarding mail NOT from Amazon):



May 4 01:30:05 bigsky mimedefang.pl[43619]: 3r067J5jjjz1ZYGsV:
MDLOG,3r067J5jjjz1ZYGsV,Reject: Bad
Filename,ORDER-067-8958800-7459411.zip,application/zip,,,Your
Amazon.co.uk order has dispatched (#067-8958800-7459411)


Well, yes, if it's feasible to block all zip files, then it is
trivial.  However, that's not an option for us. :)


Well, that particular system is one where I have extraordinary powers of 
persuasion over all of the handful of users, but elsewhere where my 
authority is less absolute I've found that providing easily used 
alternative means of receiving files more safely makes it easier to 
crank down on email constraints that paying customers would otherwise 
not tolerate. One wave of mail-borne ransomware can be a persuasive 
experience as well for customers who are reluctant to ask senders to do 
anything "special" to send them files of suspect types, although 
obviously that's a somewhat random event.


Re: SA cannot block messages with attached zip

2016-05-23 Thread Reindl Harald


and BTW a mail from a machine listed at "pbl.spamhaus.org"
(https://www.spamhaus.org/pbl/) should not make it to your content
filters at all - so it appears that most people in this thread who
face a high number of these problems don't set up their MTA properly


no way that the sample mail makes it to smtpd at all normally

Am 23.05.2016 um 15:28 schrieb Reindl Harald:

Am 23.05.2016 um 15:24 schrieb Emin Akbulut:

AVG or ClamAV or any other antivirus couldn't delete all these attached
viruses; VirusTotal says.

My mail server checks blacklists & SURBL servers.
Anyway we might receive mails from unlisted IPs like zombie PCs.

The message with the Zip attachment containing javascript files has no
url in the body, so the SURBL check is useless.
The Spamassassin score of these messages may vary, from 0.8 to 2.6.

Here is one of the latest message: http://pastebin.com/94njV9fF


easy to catch as already explained

/var/www/uploadtemp/ff2053b4d12c6d31a32ece9eb5a442b005db2da3.eml:
Sanesecurity.Foxhole.Zip_Js_Js.UNOFFICIAL FOUND
/var/www/uploadtemp/ff2053b4d12c6d31a32ece9eb5a442b005db2da3.eml:
Sanesecurity.Foxhole.Zip_fs226.UNOFFICIAL FOUND
/var/www/uploadtemp/ff2053b4d12c6d31a32ece9eb5a442b005db2da3.eml:
Sanesecurity.Foxhole.Zip_fs225.UNOFFICIAL FOUND
/var/www/uploadtemp/ff2053b4d12c6d31a32ece9eb5a442b005db2da3.eml:
Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL FOUND

--- VIRUS-SCAN SUMMARY ---
Infected files: 1
Time: 0.006 sec (0 m 0 s)

Content analysis details:   (33.5 points, 5.5 required)

 pts rule name  description
 --
--
 1.0 CUST_DNSBL_27_UCE2 RBL: dnsbl-uce-2.thelounge.net
(dnsbl-2.uceprotect.net)
[27.67.28.43 listed in
dnsbl-uce-2.thelounge.net]
 2.5 CUST_DNSBL_16_PSBL RBL: dnsbl-surriel.thelounge.net
(psbl.surriel.com)
   [27.67.28.43 listed in
dnsbl-surriel.thelounge.net]
 2.5 CUST_DNSBL_12_SPAMCOP  RBL: bl.spamcop.net
[27.67.28.43 listed in bl.spamcop.net]
 1.0 CUST_DNSBL_26_NSZONES  RBL: bl.nszones.com
[27.67.28.43 listed in bl.nszones.com]
 6.5 CUST_DNSBL_4_ZEN_PBL   RBL: zen.spamhaus.org (pbl.spamhaus.org)
[27.67.28.43 listed in zen.spamhaus.org]
 5.5 CUST_DNSBL_6_ZEN_XBL   RBL: zen.spamhaus.org (xbl.spamhaus.org)
 1.0 CUST_DNSBL_30_SENDERSC_MED RBL: score.senderscore.com
(senderscore.com Medium)
[27.67.28.43 listed in score.senderscore.com]
 3.5 CUST_DNSBL_11_JEF_BLACK RBL: hostkarma.junkemailfilter.com
 [27.67.28.43 listed in
hostkarma.junkemailfilter.com]
 5.0 CUST_DNSBL_7_CUDA  RBL: b.barracudacentral.org
[27.67.28.43 listed in b.barracudacentral.org]
 1.5 BAYES_50   BODY: Bayes spam probability is 40 to 60%
[score: 0.5086]
 2.5 RDNS_NONE  Delivered to internal network by a host with
no rDNS
 0.0 RCVD_IN_MSPIKE_BL  Mailspike blacklisted
 0.5 RCVD_IN_MSPIKE_ZBI No description available.
 0.5 HELO_MISC_IP   Looking for more Dynamic IP Relays






Re: SA cannot block messages with attached zip

2016-05-23 Thread Reindl Harald



Am 23.05.2016 um 15:24 schrieb Emin Akbulut:

AVG or ClamAV or any other antivirus couldn't delete all these attached
viruses; VirusTotal says.

My mail server checks blacklists & SURBL servers.
Anyway we might receive mails from unlisted IPs like zombie PCs.

The message with the Zip attachment containing javascript files has no
url in the body, so the SURBL check is useless.
The Spamassassin score of these messages may vary, from 0.8 to 2.6.

Here is one of the latest message: http://pastebin.com/94njV9fF


easy to catch as already explained

/var/www/uploadtemp/ff2053b4d12c6d31a32ece9eb5a442b005db2da3.eml: 
Sanesecurity.Foxhole.Zip_Js_Js.UNOFFICIAL FOUND
/var/www/uploadtemp/ff2053b4d12c6d31a32ece9eb5a442b005db2da3.eml: 
Sanesecurity.Foxhole.Zip_fs226.UNOFFICIAL FOUND
/var/www/uploadtemp/ff2053b4d12c6d31a32ece9eb5a442b005db2da3.eml: 
Sanesecurity.Foxhole.Zip_fs225.UNOFFICIAL FOUND
/var/www/uploadtemp/ff2053b4d12c6d31a32ece9eb5a442b005db2da3.eml: 
Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL FOUND


--- VIRUS-SCAN SUMMARY ---
Infected files: 1
Time: 0.006 sec (0 m 0 s)

Content analysis details:   (33.5 points, 5.5 required)

 pts rule name  description
 -- 
--

 1.0 CUST_DNSBL_27_UCE2 RBL: dnsbl-uce-2.thelounge.net
(dnsbl-2.uceprotect.net)
[27.67.28.43 listed in 
dnsbl-uce-2.thelounge.net]

 2.5 CUST_DNSBL_16_PSBL RBL: dnsbl-surriel.thelounge.net
(psbl.surriel.com)
   [27.67.28.43 listed in 
dnsbl-surriel.thelounge.net]

 2.5 CUST_DNSBL_12_SPAMCOP  RBL: bl.spamcop.net
[27.67.28.43 listed in bl.spamcop.net]
 1.0 CUST_DNSBL_26_NSZONES  RBL: bl.nszones.com
[27.67.28.43 listed in bl.nszones.com]
 6.5 CUST_DNSBL_4_ZEN_PBL   RBL: zen.spamhaus.org (pbl.spamhaus.org)
[27.67.28.43 listed in zen.spamhaus.org]
 5.5 CUST_DNSBL_6_ZEN_XBL   RBL: zen.spamhaus.org (xbl.spamhaus.org)
 1.0 CUST_DNSBL_30_SENDERSC_MED RBL: score.senderscore.com
(senderscore.com Medium)
[27.67.28.43 listed in score.senderscore.com]
 3.5 CUST_DNSBL_11_JEF_BLACK RBL: hostkarma.junkemailfilter.com
 [27.67.28.43 listed in 
hostkarma.junkemailfilter.com]

 5.0 CUST_DNSBL_7_CUDA  RBL: b.barracudacentral.org
[27.67.28.43 listed in b.barracudacentral.org]
 1.5 BAYES_50   BODY: Bayes spam probability is 40 to 60%
[score: 0.5086]
 2.5 RDNS_NONE  Delivered to internal network by a host 
with no rDNS

 0.0 RCVD_IN_MSPIKE_BL  Mailspike blacklisted
 0.5 RCVD_IN_MSPIKE_ZBI No description available.
 0.5 HELO_MISC_IP   Looking for more Dynamic IP Relays





Re: SA cannot block messages with attached zip

2016-05-23 Thread Emin Akbulut
AVG or ClamAV or any other antivirus couldn't delete all these attached
viruses; VirusTotal says.

My mail server checks blacklists & SURBL servers.
Anyway we might receive mails from unlisted IPs like zombie PCs.

The message with the Zip attachment containing javascript files has no url
in the body, so the SURBL check is useless.
The Spamassassin score of these messages may vary, from 0.8 to 2.6.

Here is one of the latest message: http://pastebin.com/94njV9fF

I've installed a fresh SpamAssassin for Windows v3.4.1 and trained it for a
week, and it cut many of the spam messages we receive, except these zipped js
attachments.

My local.cf is: http://pastebin.com/VG3fhFBg

My commandline is:  spamd.exe -A 127.0.0.1,192.168.35.0/24 -i
--max-spare=16







On Mon, May 23, 2016 at 11:05 AM, Paul Stead 
wrote:

>
> On 22/05/16 02:10, @lbutlr wrote:
>
>
> Sure, there are 4 foxhole ones, but there are dozens on the main page
> there.
>
> The following code allows for easy config and download of the signatures
> you want.
>
> https://github.com/extremeshok/clamav-unofficial-sigs
>
> By default this will download and test the low risk signatures - do take
> some time to read through the different rule types though.
>
> Paul
>
> --
> *Paul Stead*
> Systems Engineer
> *Zen Internet*
>


Re: SA cannot block messages with attached zip

2016-05-23 Thread Paul Stead


On 22/05/16 02:10, @lbutlr wrote:

Sure, there are 4 foxhole ones, but there are dozens on the main page there.

The following code allows for easy config and download of the signatures you 
want.

https://github.com/extremeshok/clamav-unofficial-sigs

By default this will download and test the low risk signatures - do take some 
time to read through the different rule types though.

Paul

--
Paul Stead
Systems Engineer
Zen Internet


Re: SA cannot block messages with attached zip

2016-05-21 Thread @lbutlr
On May 21, 2016, at 1:18 PM, Reindl Harald  wrote:
> Am 21.05.2016 um 21:16 schrieb @lbutlr:
>> On May 20, 2016, at 6:11 AM, Reindl Harald  wrote:
>>> no it is not, look at the sanesecurity foxhole signatures
>>> http://sanesecurity.com/usage/signatures/
>> 
>> I have looked at those, but there are so many it’s kind of overwhelming on 
>> where to start
> 
> 4 is many and overwhelming?
> 
> foxhole_generic.cdb   See Foxhole page for more details   Low
> foxhole_filename.cdb  See Foxhole page for more details   Low
> foxhole_js.cdbSee Foxhole page for more details   
> Med
> foxhole_all.cdb   See Foxhole page for more details   High
> 
> http://sanesecurity.com/foxhole-databases/

Sure, there are 4 foxhole ones, but there are dozens on the main page there.


-- 

Re: SA cannot block messages with attached zip

2016-05-21 Thread Reindl Harald



Am 21.05.2016 um 21:16 schrieb @lbutlr:

On May 20, 2016, at 6:11 AM, Reindl Harald  wrote:

no it is not, look at the sanesecurity foxhole signatures
http://sanesecurity.com/usage/signatures/


I have looked at those, but there are so many it’s kind of overwhelming on 
where to start


4 is many and overwhelming?

foxhole_generic.cdb See Foxhole page for more details   Low
foxhole_filename.cdbSee Foxhole page for more details   Low
foxhole_js.cdb  See Foxhole page for more details   
Med
foxhole_all.cdb See Foxhole page for more details   High

http://sanesecurity.com/foxhole-databases/





Re: SA cannot block messages with attached zip

2016-05-21 Thread @lbutlr
On May 20, 2016, at 6:11 AM, Reindl Harald  wrote:
> no it is not, look at the sanesecurity foxhole signatures
> http://sanesecurity.com/usage/signatures/

I have looked at those, but there are so many it’s kind of overwhelming on 
where to start.

-- 
NO. I CANNOT BE BIDDEN. I CANNOT BE FORCED. I WILL DO ONLY THAT WHICH I
KNOW TO BE RIGHT. --Mort



Re: SA cannot block messages with attached zip

2016-05-21 Thread Dianne Skoll
On Sat, 21 May 2016 12:28:48 -0400
"Bill Cole"  wrote:

> On 20 May 2016, at 7:07, Dianne Skoll wrote:

> > Sorry for the non-easy answer.  Doing it properly requires a
> > non-trivial amount of coding.

> I do not recall doing any real coding at all to get a steady trickle
> of log messages like this (regarding mail NOT from Amazon):

> May 4 01:30:05 bigsky mimedefang.pl[43619]: 3r067J5jjjz1ZYGsV:
> MDLOG,3r067J5jjjz1ZYGsV,Reject: Bad
> Filename,ORDER-067-8958800-7459411.zip,application/zip,,,Your
> Amazon.co.uk order has dispatched (#067-8958800-7459411)

Well, yes, if it's feasible to block all zip files, then it is
trivial.  However, that's not an option for us. :)

> THANK YOU VERY MUCH FOR MIMEDEFANG!

You're welcome!

Regards,

Dianne.



Re: SA cannot block messages with attached zip

2016-05-21 Thread Bill Cole

On 20 May 2016, at 7:07, Dianne Skoll wrote:

Sorry for the non-easy answer.  Doing it properly requires a
non-trivial amount of coding.


I do not recall doing any real coding at all to get a steady trickle of 
log messages like this (regarding mail NOT from Amazon):


May  4 01:30:05 bigsky mimedefang.pl[43619]: 3r067J5jjjz1ZYGsV: 
MDLOG,3r067J5jjjz1ZYGsV,Reject: Bad 
Filename,ORDER-067-8958800-7459411.zip,application/zip,,,Your 
Amazon.co.uk order has dispatched (#067-8958800-7459411)


I mean, I get how YOU would consider that the result of a non-trivial 
amount of coding, but for me it's just an excuse to say:


THANK YOU VERY MUCH FOR MIMEDEFANG!


Re: SA cannot block messages with attached zip

2016-05-20 Thread Dianne Skoll
On Fri, 20 May 2016 17:47:09 -0500 (CDT)
David B Funk  wrote:

> > We do it the hard way.  We list the contents of attached archives
> > (using "lsar") and have filename-extension rules that block .js
> > inside .zip files.  While this can lead to some FPs, which we handle
> > with selective whitelisting, it's very effective at catching the
> > latest crop of cryptolocker-style attacks.

> But isn't this exactly what the "foxhole_all.cdb"
> signatures do? (or am I missing something?).

Yes, mostly.  The advantage of lsar is that it can look inside all kinds
of weird archive formats (zip, zoo, rar, tar, tar.gz, etc.)  While most
malware uses zip, we've seen the occasional one using a different
container file format.

Regards,

Dianne.


Re: SA cannot block messages with attached zip

2016-05-20 Thread David B Funk

On Fri, 20 May 2016, Dianne Skoll wrote:


On Fri, 20 May 2016 09:31:48 +0300
Emin Akbulut  wrote:


What do you suggest to fight these spams?


ClamAV is basically useless.

We do it the hard way.  We list the contents of attached archives
(using "lsar") and have filename-extension rules that block .js
inside .zip files.  While this can lead to some FPs, which we handle
with selective whitelisting, it's very effective at catching the
latest crop of cryptolocker-style attacks.



But isn't this exactly what the "foxhole_all.cdb" 
(http://sanesecurity.com/foxhole-databases/) signatures do?

(or am I missing something?).

I see that they have a "high" risk of FPs but if you are using them as a 
scoring component within SA you should be able to "temper" those results

with other SA rules such as selective use of whitelist_auth.


--
Dave Funk                              University of Iowa
                                       College of Engineering
319/335-5751   FAX: 319/384-0549       1256 Seamans Center
Sys_admin/Postmaster/cell_admin        Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: SA cannot block messages with attached zip

2016-05-20 Thread Vincent Fox
+1

Yesterday, 6% of our mail flow was rejected by Foxhole.Zip family.
They are #1 on our list about 50% of the time for weeks now.

I got a commendation last week for prevention work, so rare in email adminning.

Security team would be swimming in overtime if it weren't for
foxhole_js in particular.   We use all 4 of them now.

Foxhole_all hasn't been a FP problem for us either, despite
it being labelled high risk.  We had ONE professor who couldn't
email around some software, told them to use box.com instead
for sharing and problem solved.



From: Rick Macdougall <ri...@ummm-beer.com>
Sent: Friday, May 20, 2016 7:50:46 AM
To: users@spamassassin.apache.org
Subject: Re: SA cannot block messages with attached zip

On 2016-05-20 10:36 AM, Paul Stead wrote:
> Second, the foxhole_js database is what you're looking for
>
> Paul
>
> On 20/05/16 13:11, Reindl Harald wrote:
>>
>>
>> Am 20.05.2016 um 13:07 schrieb Dianne Skoll:
>>> On Fri, 20 May 2016 09:31:48 +0300
>>> Emin Akbulut <eminakbu...@gmail.com> wrote:
>>>
>>>> What do you suggest to fight these spams?
>>>
>>> ClamAV is basically useless
>>
>> no it is not, look at the sanesecurity foxhole signatures
>> http://sanesecurity.com/usage/signatures/

Thirded,

Statistics since: 19 April 2016 04:02:15

Total Viruses stopped: [ 271764 ]
Total Unique Viruses: [ 2242 ]
Viruses stopped in the last 24 hours: [ 20118 ]

Top 10 Viruses in the last 24 hours

Sanesecurity.Foxhole.Zip_fs223.UNOFFICIAL 7860
Sanesecurity.Junk.52698.UNOFFICIAL 2798
Sanesecurity.Foxhole.Zip_Js_Js.UNOFFICIAL 1925
Sanesecurity.Malware.26201.JsHeur.UNOFFICIAL 1626
Sanesecurity.Jurlbl.Auto.b6c4d3.UNOFFICIAL 649
Sanesecurity.Malware.24631.XlsHeur.UNOFFICIAL 623
Sanesecurity.Jurlbl.Auto.87287f.UNOFFICIAL 414
winnow.spam.ts.xmailer.2.UNOFFICIAL 341
Sanesecurity.Jurlbl.Auto.a33ccf.UNOFFICIAL 283
Sanesecurity.Jurlbl.Auto.aaeaca.UNOFFICIAL 157

Regards,

Rick




Re: SA cannot block messages with attached zip

2016-05-20 Thread Reindl Harald



Am 20.05.2016 um 17:29 schrieb Chip M.:

P.S.  As of about 1700 UTC yesterday, I'm seeing significant
volume of zipped macro-encrusted "doc" files


/etc/clamd.d/scan.conf:
ScanOLE2 yes
OLE2BlockMacros yes







Re: SA cannot block messages with attached zip

2016-05-20 Thread Chip M.
At 04:07 AM 5/20/2016, RoaringPenguin wrote:
>filename-extension rules that block .js 
>inside .zip files.

+1

We also block these scripting related Windows extensions:
.hta
.jse
.vbs
.wsf
Those were originally "pre-emptive", however I've now seen
both ".hta" and ".jse" in the wild (low volume).

*** Question:
Are there any other Windows (or Mac) scripting file extensions?


As an extra layer of defense, we also do content scanning within
all zipped files for terms including (among MANY others):
activexobject
base64_decode
createobject
eval
fromcharcode
savetofile
shell
unescape
wscript
All hits are weighted, and some can be skip-listed.
 
Plus I recently wrote some "secret sauce" Code that looks for
javascript obfuscations. :)


We've had a very low FP rate on the above, and haven't had any
noticeable user pushback.  There have been enough high profile
infections (at least two hospitals), that most endusers have
been grateful and understanding.


>Doing it properly requires a non-trivial amount of coding.

Yes, however it's VERY satisfying Coding. :)
- "Chip"

P.S.  As of about 1700 UTC yesterday, I'm seeing significant
volume of zipped macro-encrusted "doc" files.
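Added example (not Chip's code, which he does not post) pulling together the zip-member checks from his two messages in this thread: the scripting and Windows executable extensions he lists, a magic-number test on just the first few decompressed bytes of each member (MZ for executables, the OLE2 header for old-style doc files), and a weighted scan for the suspicious terms he names. The weights, the score bonuses, the 512 KB content cap and the sample archive are all constructed for the demonstration; the cap is reported per member so a large file with its payload at the end is flagged as only partially scanned rather than silently passed.

```python
import io
import os
import re
import zipfile

# Extensions from Chip's posts: scripting extensions, plus the Windows
# executable/library extensions he found missing from the Foxhole page.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".hta"}
BINARY_EXTENSIONS = {".acm", ".ax", ".dll", ".drv", ".efi", ".mui", ".ocx", ".tsp"}

# Magic numbers compared against the first bytes of each decompressed member.
MAGIC_NUMBERS = [
    (b"MZ", "Windows MZ executable"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound file (old-style .doc/.xls)"),
]

# Terms from the post; the weights are constructed for this example.
TERM_WEIGHTS = {
    "activexobject": 4, "createobject": 3, "wscript": 3, "savetofile": 3,
    "base64_decode": 2, "fromcharcode": 2, "unescape": 2, "shell": 2, "eval": 1,
}
TERM_RE = re.compile(r"\b(" + "|".join(map(re.escape, TERM_WEIGHTS)) + r")\b")

EXTENSION_WEIGHT = 5        # constructed: flagged extension
MAGIC_WEIGHT = 5            # constructed: executable/OLE2 magic under any name
MAX_CONTENT_BYTES = 512_000 # constructed cap on how much of a member is inflated for term scanning


def sniff_magic(zf, info, nbytes=8):
    """Inflate only the first few bytes of a member and compare them with the
    magic numbers; zipfile streams, so the rest of the member is never decompressed."""
    with zf.open(info) as fh:
        head = fh.read(nbytes)
    for magic, label in MAGIC_NUMBERS:
        if head.startswith(magic):
            return label
    return None


def scan_terms(zf, info):
    """Count whole-word hits of the suspicious terms in at most MAX_CONTENT_BYTES."""
    with zf.open(info) as fh:
        text = fh.read(MAX_CONTENT_BYTES).decode("latin-1").lower()
    counts = {}
    for m in TERM_RE.finditer(text):
        counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def analyze_zip(container: bytes) -> list:
    """One finding per member: extension, magic label, term counts, truncation
    flag and a combined score.  Quick tests first, content scan last."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            magic = sniff_magic(zf, info)
            terms = scan_terms(zf, info)
            score = sum(TERM_WEIGHTS[t] * n for t, n in terms.items())
            if ext in SCRIPT_EXTENSIONS or ext in BINARY_EXTENSIONS:
                score += EXTENSION_WEIGHT
            if magic:
                score += MAGIC_WEIGHT
            findings.append({
                "name": info.filename, "extension": ext, "magic": magic,
                "terms": terms, "truncated": info.file_size > MAX_CONTENT_BYTES,
                "score": score,
            })
    return findings


def make_zip(members) -> bytes:
    """Constructed test container from (name, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members:
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archive: a script, a renamed executable and a plain note.
SAMPLE = make_zip([
    ("invoice.js", b"var s = new ActiveXObject('WScript.Shell'); eval(unescape('%41'));"),
    ("update.txt", b"MZ\x90\x00" + b"\x00" * 60),
    ("readme.txt", b"Hello, this is a plain note."),
])

if __name__ == "__main__":
    for finding in analyze_zip(SAMPLE):
        print(finding)
```

The renamed executable scores on its magic number alone, which is the case the "please rename the attached file" lure is designed to slip past extension-only filters.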




Re: SA cannot block messages with attached zip

2016-05-20 Thread Reindl Harald



Am 20.05.2016 um 17:11 schrieb Rick Macdougall:

On 2016-05-20 11:00 AM, Reindl Harald wrote:


Am 20.05.2016 um 16:50 schrieb Rick Macdougall:

On 2016-05-20 10:36 AM, Paul Stead wrote:

Second, the foxhole_js database is what you're looking for

Paul

On 20/05/16 13:11, Reindl Harald wrote:



Am 20.05.2016 um 13:07 schrieb Dianne Skoll:

On Fri, 20 May 2016 09:31:48 +0300
Emin Akbulut  wrote:


What do you suggest to fight these spams?


ClamAV is basically useless


no it is not, look at the sanesecurity foxhole signatures
http://sanesecurity.com/usage/signatures/


Thirded,

Statistics since: 19 April 2016 04:02:15

Total Viruses stopped: [ 271764 ]
Total Unique Viruses: [ 2242 ]
Viruses stopped in the last 24 hours: [ 20118 ]


how and why do you get that much crap to that stage on the inbound server?

2 days ago we had a peak of 45 junk attempts, which is 10 times
higher than on normal days, and nothing measurable made it to smtpd, not
talking about content filters at all

hence the virtual machine running the inbound MX still on 100-250 MHz



Inbound servers, 6 of them.  We are an ISP with tens of thousands of
accounts, plus content filtering for many other commercial domains


well, the domain in the last flood had 12 accounts

the point is that valid accounts, even freemail, can't spread that amount 
of spam, and all the bots are listed on enough blacklists to make a 
foolproof score-based reject, while most of them anyway don't survive 
pregreet tests and the rest just hang up after 10-11 seconds and don't 
survive "postscreen_greet_wait = ${stress?2}${stress:12}s", which means 
a client IP has to wait once a week here 12 seconds to make it to smtpd


that all plays far, far away from content scanning, and between that and 
the content scanners are conditional greylisting, a honeypot backup MX 
always responding with 450, and helo/ptr checks combined with a spf-policyd


then comes spamassassin, rejecting most of the surviving pieces whether 
they contain malware or not, and at the very end of the chain comes 
clamav-milter facing mostly ham and very little real remaining junk/malware








Re: SA cannot block messages with attached zip

2016-05-20 Thread Rick Macdougall

On 2016-05-20 11:00 AM, Reindl Harald wrote:



Am 20.05.2016 um 16:50 schrieb Rick Macdougall:

On 2016-05-20 10:36 AM, Paul Stead wrote:

Second, the foxhole_js database is what you're looking for

Paul

On 20/05/16 13:11, Reindl Harald wrote:



Am 20.05.2016 um 13:07 schrieb Dianne Skoll:

On Fri, 20 May 2016 09:31:48 +0300
Emin Akbulut  wrote:


What do you suggest to fight these spams?


ClamAV is basically useless


no it is not, look at the sanesecurity foxhole signatures
http://sanesecurity.com/usage/signatures/


Thirded,

Statistics since: 19 April 2016 04:02:15

Total Viruses stopped: [ 271764 ]
Total Unique Viruses: [ 2242 ]
Viruses stopped in the last 24 hours: [ 20118 ]


how and why do you get that much crap to that stage on the inbound server?

2 days ago we had a peak of 45 junk attempts, which is 10 times
higher than on normal days, and nothing measurable made it to smtpd, not
talking about content filters at all

hence the virtual machine running the inbound MX still on 100-250 MHz



Hi,

Inbound servers, 6 of them.  We are an ISP with tens of thousands of 
accounts, plus content filtering for many other commercial domains.


Regards,

Rick





Re: SA cannot block messages with attached zip

2016-05-20 Thread Dianne Skoll
On Fri, 20 May 2016 15:00:55 +
David Jones  wrote:

> >From: Dianne Skoll 
> >ClamAV is basically useless.
> ClamAV helps a little with the unofficial signatures.

The operative word here is "a little".

I find that the unofficial signatures that are good at actually catching
bad stuff have extremely high FP rates, while the less-aggressive unofficial
signatures don't catch that much.

> The best thing to do is block as much as you can at the MTA
> level with Postscreen and RBL weights like Reindl posted,
> greylisting,  SMTP helo checks, etc.

That's a fine solution for spam, but not for malware that can end up
costing you or your customer huge amounts of money.  You absolutely
must use a content-scanning technique to block the malware, though of
course the comparatively-cheap up-front tests can reduce the flow
substantially.

Regards,

Dianne.


Re: SA cannot block messages with attached zip

2016-05-20 Thread David Jones
>From: Dianne Skoll <d...@roaringpenguin.com>
>Sent: Friday, May 20, 2016 6:07 AM
>To: users@spamassassin.apache.org
>Subject: Re: SA cannot block messages with attached zip

>On Fri, 20 May 2016 09:31:48 +0300
>Emin Akbulut <eminakbu...@gmail.com> wrote:

>> What do you suggest to fight these spams?

>ClamAV is basically useless.

ClamAV helps a little with the unofficial signatures.
http://sanesecurity.com/usage/signatures/

>We do it the hard way.  We list the contents of attached archives
>(using "lsar") and have filename-extension rules that block .js
>inside .zip files.  While this can lead to some FPs, which we handle
>with selective whitelisting, it's very effective at catching the
>latest crop of cryptolocker-style attacks.

>Sorry for the non-easy answer.  Doing it properly requires a non-trivial
>amount of coding.

MailScanner can do this.  https://efa-project.org/

The best thing to do is block as much as you can at the MTA
level with Postscreen and RBL weights like Reindl posted,
greylisting,  SMTP helo checks, etc.

http://multirbl.valli.org/lookup/213.252.170.66.html

The invaluement RBL subscription is not that expensive
and will pay for itself pretty quickly.  This and Spamhaus
together block a lot of bad stuff at the MTA level long
before SA has to see it and I have never had to deal
with a false positive on these in years.





Re: SA cannot block messages with attached zip

2016-05-20 Thread Reindl Harald



Am 20.05.2016 um 16:50 schrieb Rick Macdougall:

On 2016-05-20 10:36 AM, Paul Stead wrote:

Second, the foxhole_js database is what you're looking for

Paul

On 20/05/16 13:11, Reindl Harald wrote:



Am 20.05.2016 um 13:07 schrieb Dianne Skoll:

On Fri, 20 May 2016 09:31:48 +0300
Emin Akbulut  wrote:


What do you suggest to fight these spams?


ClamAV is basically useless


no it is not, look at the sanesecurity foxhole signatures
http://sanesecurity.com/usage/signatures/


Thirded,

Statistics since: 19 April 2016 04:02:15

Total Viruses stopped: [ 271764 ]
Total Unique Viruses: [ 2242 ]
Viruses stopped in the last 24 hours: [ 20118 ]


how and why do you get that much crap to that stage on the inbound server?

2 days ago we had a peak of 45 junk attempts, which is 10 times 
higher than on normal days, and nothing measurable made it to smtpd, not 
talking about content filters at all


hence the virtual machine running the inbound MX still on 100-250 MHz





Re: SA cannot block messages with attached zip

2016-05-20 Thread Rick Macdougall

On 2016-05-20 10:36 AM, Paul Stead wrote:

Second, the foxhole_js database is what you're looking for

Paul

On 20/05/16 13:11, Reindl Harald wrote:



Am 20.05.2016 um 13:07 schrieb Dianne Skoll:

On Fri, 20 May 2016 09:31:48 +0300
Emin Akbulut  wrote:


What do you suggest to fight these spams?


ClamAV is basically useless


no it is not, look at the sanesecurity foxhole signatures
http://sanesecurity.com/usage/signatures/


Thirded,

Statistics since: 19 April 2016 04:02:15

Total Viruses stopped: [ 271764 ]
Total Unique Viruses: [ 2242 ]
Viruses stopped in the last 24 hours: [ 20118 ]

Top 10 Viruses in the last 24 hours

Sanesecurity.Foxhole.Zip_fs223.UNOFFICIAL 7860
Sanesecurity.Junk.52698.UNOFFICIAL 2798
Sanesecurity.Foxhole.Zip_Js_Js.UNOFFICIAL 1925
Sanesecurity.Malware.26201.JsHeur.UNOFFICIAL 1626
Sanesecurity.Jurlbl.Auto.b6c4d3.UNOFFICIAL 649
Sanesecurity.Malware.24631.XlsHeur.UNOFFICIAL 623
Sanesecurity.Jurlbl.Auto.87287f.UNOFFICIAL 414
winnow.spam.ts.xmailer.2.UNOFFICIAL 341
Sanesecurity.Jurlbl.Auto.a33ccf.UNOFFICIAL 283
Sanesecurity.Jurlbl.Auto.aaeaca.UNOFFICIAL 157

Regards,

Rick




Re: SA cannot block messages with attached zip

2016-05-20 Thread Paul Stead

Second, the foxhole_js database is what you're looking for

Paul

On 20/05/16 13:11, Reindl Harald wrote:



Am 20.05.2016 um 13:07 schrieb Dianne Skoll:

On Fri, 20 May 2016 09:31:48 +0300
Emin Akbulut  wrote:


What do you suggest to fight these spams?


ClamAV is basically useless


no it is not, look at the sanesecurity foxhole signatures
http://sanesecurity.com/usage/signatures/





--
Paul Stead
Systems Engineer
Zen Internet


Re: SA cannot block messages with attached zip

2016-05-20 Thread Reindl Harald



Am 20.05.2016 um 16:20 schrieb Kris Deugau:

Emin Akbulut wrote:

I tried to train SA with tons of spam messages which contain a zip file
(including .js).
The max spam score was less than 5 so I set it to 4 to delete messages.

Then the same kind of spam messages appear with a score of less than 2.

In short; training the SA seems not helpful.

What do you suggest to fight these spams?


I've had some luck doing that, but it takes a while


make 10 copies of such a message and change date/message-id header

in fact we have a "spamfilter-retrain /path/to/sample.eml" which creates 
5 copies per call in the corpus folder, and when something I train doesn't 
get BAYES_99 it's called repeatedly until it hits BAYES_99 (except rare 
cases which you need to ignore and can't train that way)


why should I wait until I get the same crap 10 times from outside?



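
The retrain loop Reindl describes above, as an added example (not his spamfilter-retrain script): it writes header-varied copies of one sample into a corpus directory so each copy counts as a new message for sa-learn, which records already-learned messages by Message-ID in its "seen" database. The corpus directory, file naming scheme and sample message are constructed for illustration.

```python
"""Create header-varied copies of a sample for repeated Bayes training.
Added example, not the list member's script; paths and sample are constructed."""
import email
import os
import tempfile
from email import policy
from email.message import EmailMessage
from email.utils import formatdate, make_msgid


def make_training_copies(raw: bytes, corpus_dir: str, copies: int = 5,
                         domain: str = "retrain.invalid") -> list:
    """Write `copies` variants of `raw` into `corpus_dir` (naming scheme
    sample-N.eml is an assumption). Each copy gets a fresh Message-ID and
    Date so sa-learn does not skip it as an already-seen message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    os.makedirs(corpus_dir, exist_ok=True)
    paths = []
    for i in range(copies):
        del msg["Message-ID"]          # no error if the header is absent
        del msg["Date"]
        msg["Message-ID"] = make_msgid(domain=domain)
        msg["Date"] = formatdate(localtime=True)
        path = os.path.join(corpus_dir, f"sample-{i}.eml")
        with open(path, "wb") as fh:
            fh.write(bytes(msg))
        paths.append(path)
    return paths


def message_ids(paths) -> set:
    """Re-read the written files and collect their Message-IDs."""
    ids = set()
    for p in paths:
        with open(p, "rb") as fh:
            ids.add(str(email.message_from_binary_file(fh, policy=policy.default)["Message-ID"]))
    return ids


def build_sample() -> bytes:
    """Constructed spam-like sample with a zip attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "rcpt@example.invalid"
    m["Subject"] = "invoice"
    m["Message-ID"] = "<original@example.invalid>"
    m.set_content("Please find enclosed invoice.")
    m.add_attachment(b"PK\x03\x04constructed", maintype="application",
                     subtype="zip", filename="invoice.zip")
    return bytes(m)


def demo(copies: int = 5) -> tuple:
    """Run in a temporary corpus dir; returns (files written, distinct
    Message-IDs, whether the original id survived in any copy)."""
    with tempfile.TemporaryDirectory() as d:
        paths = make_training_copies(build_sample(), d, copies)
        ids = message_ids(paths)
        return len(paths), len(ids), "<original@example.invalid>" in ids


if __name__ == "__main__":
    print(demo())
</test>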


Re: SA cannot block messages with attached zip

2016-05-20 Thread Kris Deugau
Emin Akbulut wrote:
> I tried to train SA with tons of spam messages which contain a zip file
> (including .js).
> The max spam score was less than 5 so I set it to 4 to delete messages.
> 
> Then the same kind of spam messages appear with a score of less than 2.
> 
> In short; training the SA seems not helpful.
> 
> What do you suggest to fight these spams?

I've had some luck doing that, but it takes a while.

I've also added some rules that should match on most of these messages:

mimeheader __ZIP_ATTACH_1 Content-Type =~ m{application/(?:x-)?zip(?:-compressed)?; name="[^"]+\.zip"}
mimeheader __ZIP_ATTACH_2 content-type =~ m{application/(?:x-)?zip(?:-compressed)?; name="[^"]+\.zip"}
meta       ZIP_ATTACH     __ZIP_ATTACH_1 || __ZIP_ATTACH_2
describe   ZIP_ATTACH     Has .zip attachment
score      ZIP_ATTACH     0.001

(Note the different case for "Content-Type";  I found both were needed.)

-kgd
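
To see which Content-Type shapes the expression in the rule above does and does not catch, here is an added example (not Kris's code) that runs the same regex over constructed header values, then shows a parameter-aware check built on the standard library's MIME header parsing as an alternative. The header samples and the expected results are constructed.

```python
"""Exercise the ZIP_ATTACH Content-Type regex against constructed header
values, and compare with a parameter-aware check. Added example."""
import re
from email import policy
from email.message import EmailMessage

# Same expression as the mimeheader rule, written as a Python regex
ZIP_CT = re.compile(r'application/(?:x-)?zip(?:-compressed)?; name="[^"]+\.zip"')

# Constructed header values -> whether the regex is expected to match
SAMPLES = {
    'application/zip; name="invoice.zip"': True,
    'application/x-zip-compressed; name="scan.zip"': True,
    'application/zip; charset=utf-8; name="invoice.zip"': False,  # another parameter precedes name=
    'application/zip; name=invoice.zip': False,                     # unquoted parameter value
    'application/octet-stream; name="invoice.zip"': False,         # generic content type
    'application/zip; name="invoice.ZIP"': False,                  # regex is case-sensitive
}


def matches_rule(value: str) -> bool:
    """True when the rule's regex matches this Content-Type value."""
    return ZIP_CT.search(value) is not None


def evaluate(samples=SAMPLES) -> dict:
    """Return {header_value: (expected, observed)} for each sample."""
    return {v: (exp, matches_rule(v)) for v, exp in samples.items()}


def zip_by_parsed_params(ct_value: str, disposition: str = "") -> bool:
    """Parameter-aware alternative: parse the headers and look at the
    declared type and the name/filename parameter, independent of parameter
    order, quoting and case. Flags a .zip name under any content type."""
    msg = EmailMessage(policy=policy.default)
    msg["Content-Type"] = ct_value
    if disposition:
        msg["Content-Disposition"] = disposition
    name = (msg.get_filename() or "").lower()
    ctype = msg.get_content_type()
    return name.endswith(".zip") or ctype in ("application/zip",
                                              "application/x-zip-compressed")


if __name__ == "__main__":
    for value, (expected, observed) in evaluate().items():
        print(f"{observed!s:5} (expected {expected!s:5})  {value}")
    print(zip_by_parsed_params('application/octet-stream; name="Invoice.ZIP"'))
```

The regex keys on one exact parameter layout; the parsed-parameter check trades that precision for coverage of the variants shown, so a rule based on it would need its own false-positive review.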


Re: SA cannot block messages with attached zip

2016-05-20 Thread Rejaine Monteiro
I hitched a ride on this thread and I appreciate the tip about foxhole 
and clamav!

I was also having problems here! Solved now.

On 20-05-2016 09:11, Reindl Harald wrote:



Am 20.05.2016 um 13:07 schrieb Dianne Skoll:

On Fri, 20 May 2016 09:31:48 +0300
Emin Akbulut  wrote:


What do you suggest to fight these spams?


ClamAV is basically useless


no it is not, look at the sanesecurity foxhole signatures
http://sanesecurity.com/usage/signatures/





--
Rejaine da Silveira Monteiro
Suporte-TI
Tel: (31) 2102-8854
reja...@bhz.jamef.com.br
www.jamef.com.br



Re: SA cannot block messages with attached zip

2016-05-20 Thread Reindl Harald



Am 20.05.2016 um 13:07 schrieb Dianne Skoll:

On Fri, 20 May 2016 09:31:48 +0300
Emin Akbulut  wrote:


What do you suggest to fight these spams?


ClamAV is basically useless


no it is not, look at the sanesecurity foxhole signatures
http://sanesecurity.com/usage/signatures/







Re: SA cannot block messages with attached zip

2016-05-20 Thread Dianne Skoll
On Fri, 20 May 2016 09:31:48 +0300
Emin Akbulut  wrote:

> What do you suggest to fight these spams?

ClamAV is basically useless.

We do it the hard way.  We list the contents of attached archives
(using "lsar") and have filename-extension rules that block .js
inside .zip files.  While this can lead to some FPs, which we handle
with selective whitelisting, it's very effective at catching the
latest crop of cryptolocker-style attacks.

Sorry for the non-easy answer.  Doing it properly requires a non-trivial
amount of coding.

Regards,

Dianne.
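
The archive-listing approach Dianne describes here, and the extension block list plus weighted content-term scanning Chip describes in his reply earlier on the page, as one added example (not either poster's code). It opens each zip attachment of a message with Python's zipfile module in place of lsar, flags member names by their final extension, and adds up weights for the script-related terms; the weights, the skip-listed term, the sample message and the zip contents are all constructed for illustration.

```python
"""Scan zip attachments for scripting extensions and weighted content terms.
Added example; weights, skip list and the sample message are constructed."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Windows scripting extensions the thread mentions blocking inside zips
BLOCKED_EXTENSIONS = {".js", ".hta", ".jse", ".vbs", ".wsf"}

# Content terms from the thread with constructed weights; hits are summed
TERM_WEIGHTS = {
    "activexobject": 3.0, "base64_decode": 2.0, "createobject": 3.0,
    "eval": 1.0, "fromcharcode": 2.0, "savetofile": 3.0,
    "shell": 1.5, "unescape": 1.0, "wscript": 3.0,
}
SKIP_LIST = {"eval"}       # constructed example of a skip-listed term
MAX_MEMBER_BYTES = 1_000_000  # read cap per member so a zip bomb can't exhaust memory


def blocked_extension(name: str) -> bool:
    """Match only the final extension, lower-cased: 'invoice.pdf.js' is .js."""
    m = re.search(r"(\.[A-Za-z0-9]{1,4})$", name)
    return bool(m) and m.group(1).lower() in BLOCKED_EXTENSIONS


def score_content(data: bytes) -> float:
    """Sum the weights of every non-skip-listed term present (case-insensitive)."""
    text = data.decode("latin-1").lower()
    return sum(w for term, w in TERM_WEIGHTS.items()
               if term not in SKIP_LIST and term in text)


def scan_zip(blob: bytes) -> dict:
    """List members, flag blocked extensions, and score member contents."""
    result = {"names": [], "blocked": [], "score": 0.0}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            result["names"].append(info.filename)
            if blocked_extension(info.filename):
                result["blocked"].append(info.filename)
            with zf.open(info) as fh:
                result["score"] += score_content(fh.read(MAX_MEMBER_BYTES))
    return result


def scan_message(raw: bytes) -> list:
    """Scan every zip attachment of a raw RFC 822 message; returns [(name, result)]."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Trust the magic bytes as well as the declared name
        if name.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            try:
                findings.append((name, scan_zip(payload)))
            except zipfile.BadZipFile:
                findings.append((name, {"names": [], "blocked": [], "score": 0.0,
                                        "error": "bad zip"}))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: zip with a .js member using typical script calls."""
    js = b'var o = new ActiveXObject("WScript.Shell"); eval(unescape("%41"));'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.js", js)
        zf.writestr("readme.txt", b"nothing here")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "rcpt@example.invalid"
    msg["Subject"] = "invoice"
    msg.set_content("Please find enclosed invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    return bytes(msg)


if __name__ == "__main__":
    for name, r in scan_message(build_sample_message()):
        print(name, r)
```

On the constructed sample the .js member is flagged by extension, and the term scan scores 8.5 (activexobject, wscript, shell and unescape hit; eval is skip-listed), which is the kind of figure a site would then weigh against its own threshold and whitelist.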


Re: SA cannot block messages with attached zip

2016-05-20 Thread Reindl Harald



Am 20.05.2016 um 11:40 schrieb @lbutlr:

On May 20, 2016, at 2:46 AM, Reindl Harald  wrote:

postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce


[long list]

What do you set postscreen_dnsbl_threshold to?


8





Re: SA cannot block messages with attached zip

2016-05-20 Thread @lbutlr
On May 20, 2016, at 2:46 AM, Reindl Harald  wrote:
> postscreen_dnsbl_action = enforce
> postscreen_greet_action = enforce

[long list]

What do you set postscreen_dnsbl_threshold to?


-- 
"Give a man a fire and he's warm for a day, but set fire to him and he's
warm for the rest of his life."



Re: SA cannot block messages with attached zip

2016-05-20 Thread Reindl Harald



Am 20.05.2016 um 10:32 schrieb Reindl Harald:

Am 20.05.2016 um 08:31 schrieb Emin Akbulut:

I tried to train SA with tons of spam messages which contain a zip file
(including .js).
The max spam score was less than 5 so I set it to 4 to delete messages.

Then the same kind of spam messages appear with a score of less than 2.

In short; training the SA seems not helpful.

What do you suggest to fight these spams?


Raw message:

http://pastebin.com/gPREh54L


just get a proper clamav setup

the really good question is why the hell that message does not get Bayes
classified at all here when piping your download through spamc/spamd while
other messages are

also a good question is why your headers don't contain a single DNSBL and
if that happens all the time - without blacklists you have no good
chances for a proper reject (for the trolls - YES a FULL SETUP rejects)
much junk


well, and another good question is why a mail listed on so many 
blacklists makes it to your content filter at all


get a proper MTA setup (containing a local DNS resolver doing recursion 
and NOT forwarding) and your inbound MX runs with zero load most of the 
time; facing a spam attack the last two days on a domain which previously 
had 1 valid rcpt, triggering 150 rejects per minute and much more not 
passing the 12 seconds pregreet phase, 100 MHz load on the VM running 
postfix/spamassassin/clamav just because nothing of this crap makes it 
to a smtpd process


postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_dnsbl_sites =
 dnsbl.sorbs.net=127.0.0.10*9
 dnsbl.sorbs.net=127.0.0.14*9
 zen.spamhaus.org=127.0.0.[10;11]*8
 dnsbl.sorbs.net=127.0.0.5*7
 zen.spamhaus.org=127.0.0.[4..7]*7
 b.barracudacentral.org=127.0.0.2*7
 zen.spamhaus.org=127.0.0.3*7
 dnsbl.inps.de=127.0.0.2*7
 dnsbl.sorbs.net=127.0.0.7*4
 hostkarma.junkemailfilter.com=127.0.0.2*4
 bl.spamcop.net=127.0.0.2*4
 bl.spameatingmonkey.net=127.0.0.[2;3]*4
 dnsrbl.swinog.ch=127.0.0.3*4
 ix.dnsbl.manitu.net=127.0.0.2*4
 psbl.surriel.com=127.0.0.2*4
 bl.mailspike.net=127.0.0.[10;11;12]*4
 bl.mailspike.net=127.0.0.2*4
 bl.spamcannibal.org=127.0.0.2*3
 zen.spamhaus.org=127.0.0.2*3
 score.senderscore.com=127.0.4.[0..20]*3
 dnsbl.sorbs.net=127.0.0.6*3
 dnsbl.sorbs.net=127.0.0.8*2
 hostkarma.junkemailfilter.com=127.0.0.4*2
 dnsbl.sorbs.net=127.0.0.9*2
 dnsbl-1.uceprotect.net=127.0.0.2*2
 all.spamrats.com=127.0.0.38*2
 bl.nszones.com=127.0.0.[2;3]*1
 dnsbl-2.uceprotect.net=127.0.0.2*1
 dnsbl.sorbs.net=127.0.0.2*1
 dnsbl.sorbs.net=127.0.0.4*1
 score.senderscore.com=127.0.4.[0..69]*1
 dnsbl.sorbs.net=127.0.0.3*1
 hostkarma.junkemailfilter.com=127.0.1.2*1
 dnsbl.sorbs.net=127.0.0.15*1
 ips.backscatterer.org=127.0.0.2*1
 bl.nszones.com=127.0.0.5*-1
 score.senderscore.com=127.0.4.[90..100]*-1
 wl.mailspike.net=127.0.0.[18;19;20]*-2
 hostkarma.junkemailfilter.com=127.0.0.1*-2
 ips.whitelisted.org=127.0.0.2*-2
 list.dnswl.org=127.0.[0..255].0*-2
 dnswl.inps.de=127.0.[0;1].[2..10]*-2
 list.dnswl.org=127.0.[0..255].1*-3
 list.dnswl.org=127.0.[0..255].2*-4
 list.dnswl.org=127.0.[0..255].3*-5


X-Spam-Status: No, score=1.6 required=4.0 tests=BAYES_50,RDNS_NONE
autolearn=no autolearn_force=no version=3.4.1
_

/var/www/uploadtemp/5633d7b4bafd01d72635e8496c9a781a4efa94d8.eml:
Sanesecurity.Foxhole.Zip_fs223.UNOFFICIAL FOUND
/var/www/uploadtemp/5633d7b4bafd01d72635e8496c9a781a4efa94d8.eml:
Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL FOUND

--- VIRUS-SCAN SUMMARY ---
Infected files: 1
Time: 0.005 sec (0 m 0 s)
Content analysis details:   (37.6 points, 5.5 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 4.5 CUST_DNSBL_10_SORBS_WEB RBL: dnsbl.sorbs.net (web.dnsbl.sorbs.net) [213.252.170.66 listed in dnsbl.sorbs.net]
 0.5 CUST_DNSBL_33_SORBS_VIRUS RBL: dnsbl.sorbs.net (virus.dnsbl.sorbs.net)
 1.5 CUST_DNSBL_20_SORBS_SPAM RBL: dnsbl.sorbs.net (spam.dnsbl.sorbs.net)
 0.1 CUST_DNSBL_34_BACKSCATTER RBL: dnsbl-backscatterer.thelounge.net (ips.backscatterer.org) [213.252.170.66 listed in dnsbl-backscatterer.thelounge.net]
 3.5 CUST_DNSBL_11_JEF_BLACK RBL: hostkarma.junkemailfilter.com [213.252.170.66 listed in hostkarma.junkemailfilter.com]
 1.0 CUST_DNSBL_24_UCE1 RBL: dnsbl-uce.thelounge.net (dnsbl-1.uceprotect.net) [213.252.170.66 listed in dnsbl-uce.thelounge.net]
 2.5 CUST_DNSBL_16_PSBL RBL: dnsbl-surriel.thelounge.net (psbl.surriel.com) [213.252.170.66 listed in dnsbl-surriel.thelounge.net]
 2.5 CUST_DNSBL_12_SPAMCOP RBL: bl.spamcop.net [213.252.170.66 listed in bl.spamcop.net]
 3.0 RCVD_IN_MSPIKE_L5 RBL: Very bad reputation (-5) [213.252.170.66 listed in 
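
The postscreen_dnsbl_sites configuration quoted above assigns a weight to each DNSBL reply pattern; postscreen adds up the weights of the patterns a client's replies match and blocks the client once the sum reaches postscreen_dnsbl_threshold (8 in Reindl's setup, as he answers elsewhere in this thread). The following added example (not Postfix code) parses a subset of those entries verbatim, including the `[a;b]` alternation and `[a..b]` range forms, and scores constructed DNSBL replies against them. It is a simplified model of the arithmetic, written as an assumption: every matching entry contributes its weight once, and the comparison is inclusive.

```python
"""Model of postscreen_dnsbl_sites weight summation against a threshold.
Added example, not Postfix code; DNSBL replies are constructed and the
arithmetic is a simplified model of postscreen's."""
import re
from typing import Dict, List

# Subset of the postscreen_dnsbl_sites entries quoted in the thread
POSTSCREEN_DNSBL_SITES = """
 zen.spamhaus.org=127.0.0.[10;11]*8
 zen.spamhaus.org=127.0.0.[4..7]*7
 zen.spamhaus.org=127.0.0.3*7
 zen.spamhaus.org=127.0.0.2*3
 bl.spamcop.net=127.0.0.2*4
 psbl.surriel.com=127.0.0.2*4
 score.senderscore.com=127.0.4.[0..20]*3
 score.senderscore.com=127.0.4.[0..69]*1
 score.senderscore.com=127.0.4.[90..100]*-1
 list.dnswl.org=127.0.[0..255].0*-2
 list.dnswl.org=127.0.[0..255].1*-3
 list.dnswl.org=127.0.[0..255].2*-4
 list.dnswl.org=127.0.[0..255].3*-5
"""
THRESHOLD = 8  # postscreen_dnsbl_threshold as stated in the thread

ENTRY_RE = re.compile(r"^(?P<domain>[^=\s]+)=(?P<pattern>[^*\s]+)\*(?P<weight>-?\d+)$")
OCTET_RE = re.compile(r"\[[^\]]*\]|\d+")  # one octet spec: number, [a;b;c] or [a..b]


def parse_sites(text: str) -> List[dict]:
    """Parse 'domain=pattern*weight' lines into dicts."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unparseable entry: {line!r}")
        entries.append({"domain": m["domain"], "pattern": m["pattern"],
                        "weight": int(m["weight"])})
    return entries


def octet_matches(spec: str, value: int) -> bool:
    """spec is a plain number, a [a;b;c] alternation, or a [a..b] range."""
    if spec.startswith("[") and spec.endswith("]"):
        body = spec[1:-1]
        if ".." in body:
            lo, hi = body.split("..", 1)
            return int(lo) <= value <= int(hi)
        return value in {int(x) for x in body.split(";")}
    return int(spec) == value


def reply_matches(pattern: str, reply: str) -> bool:
    """Match a dotted-quad DNSBL reply against a 4-octet pattern."""
    specs = OCTET_RE.findall(pattern)
    octets = [int(o) for o in reply.split(".")]
    return (len(specs) == 4 and len(octets) == 4
            and all(octet_matches(s, o) for s, o in zip(specs, octets)))


def score(replies: Dict[str, List[str]], entries=None) -> int:
    """replies maps DNSBL domain -> list of A-record replies for one client."""
    entries = entries if entries is not None else parse_sites(POSTSCREEN_DNSBL_SITES)
    total = 0
    for e in entries:
        for reply in replies.get(e["domain"], []):
            if reply_matches(e["pattern"], reply):
                total += e["weight"]
    return total


def verdict(replies: Dict[str, List[str]], threshold: int = THRESHOLD) -> str:
    """'reject' when the summed weight reaches the threshold, else 'pass'."""
    return "reject" if score(replies) >= threshold else "pass"


if __name__ == "__main__":
    # Constructed reply sets for three hypothetical clients
    cases = {
        "xbl + spamcop": {"zen.spamhaus.org": ["127.0.0.4"], "bl.spamcop.net": ["127.0.0.2"]},
        "psbl only": {"psbl.surriel.com": ["127.0.0.2"]},
        "spamcop but dnswl-listed": {"bl.spamcop.net": ["127.0.0.2"], "list.dnswl.org": ["127.0.5.2"]},
    }
    for label, replies in cases.items():
        print(f"{label:28} score={score(replies):3}  {verdict(replies)}")
```

Two things the model makes visible: overlapping entries for one domain stack (a senderscore reply of 127.0.4.10 matches both the `[0..20]*3` and `[0..69]*1` entries, scoring 4), and a whitelist listing with a negative weight can pull a client that hit one blacklist back under the threshold.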

Re: SA cannot block messages with attached zip

2016-05-20 Thread Reindl Harald



Am 20.05.2016 um 08:31 schrieb Emin Akbulut:

I tried to train SA with tons of spam messages which contain a zip file
(including .js).
The max spam score was less than 5 so I set it to 4 to delete messages.

Then the same kind of spam messages appear with a score of less than 2.

In short; training the SA seems not helpful.

What do you suggest to fight these spams?


Raw message:

http://pastebin.com/gPREh54L


just get a proper clamav setup

the really good question is why the hell that message does not get Bayes 
classified at all here when piping your download through spamc/spamd while 
other messages are


also a good question is why your headers don't contain a single DNSBL and 
if that happens all the time - without blacklists you have no good 
chances for a proper reject (for the trolls - YES a FULL SETUP rejects) 
much junk


X-Spam-Status: No, score=1.6 required=4.0 tests=BAYES_50,RDNS_NONE 
autolearn=no autolearn_force=no version=3.4.1

_

/var/www/uploadtemp/5633d7b4bafd01d72635e8496c9a781a4efa94d8.eml: 
Sanesecurity.Foxhole.Zip_fs223.UNOFFICIAL FOUND
/var/www/uploadtemp/5633d7b4bafd01d72635e8496c9a781a4efa94d8.eml: 
Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL FOUND


--- VIRUS-SCAN SUMMARY ---
Infected files: 1
Time: 0.005 sec (0 m 0 s)
Content analysis details:   (37.6 points, 5.5 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 4.5 CUST_DNSBL_10_SORBS_WEB RBL: dnsbl.sorbs.net (web.dnsbl.sorbs.net) [213.252.170.66 listed in dnsbl.sorbs.net]
 0.5 CUST_DNSBL_33_SORBS_VIRUS RBL: dnsbl.sorbs.net (virus.dnsbl.sorbs.net)
 1.5 CUST_DNSBL_20_SORBS_SPAM RBL: dnsbl.sorbs.net (spam.dnsbl.sorbs.net)
 0.1 CUST_DNSBL_34_BACKSCATTER RBL: dnsbl-backscatterer.thelounge.net (ips.backscatterer.org) [213.252.170.66 listed in dnsbl-backscatterer.thelounge.net]
 3.5 CUST_DNSBL_11_JEF_BLACK RBL: hostkarma.junkemailfilter.com [213.252.170.66 listed in hostkarma.junkemailfilter.com]
 1.0 CUST_DNSBL_24_UCE1 RBL: dnsbl-uce.thelounge.net (dnsbl-1.uceprotect.net) [213.252.170.66 listed in dnsbl-uce.thelounge.net]
 2.5 CUST_DNSBL_16_PSBL RBL: dnsbl-surriel.thelounge.net (psbl.surriel.com) [213.252.170.66 listed in dnsbl-surriel.thelounge.net]
 2.5 CUST_DNSBL_12_SPAMCOP RBL: bl.spamcop.net [213.252.170.66 listed in bl.spamcop.net]
 3.0 RCVD_IN_MSPIKE_L5 RBL: Very bad reputation (-5) [213.252.170.66 listed in bl.mailspike.net]
 5.5 CUST_DNSBL_6_ZEN_XBL RBL: zen.spamhaus.org (xbl.spamhaus.org) [213.252.170.66 listed in zen.spamhaus.org]
 1.5 CUST_DNSBL_19_SENDERSC_HIGH RBL: score.senderscore.com (senderscore.com High) [213.252.170.66 listed in score.senderscore.com]
 1.0 CUST_DNSBL_30_SENDERSC_MED RBL: score.senderscore.com (senderscore.com Medium)
 5.0 CUST_DNSBL_7_CUDA RBL: b.barracudacentral.org [213.252.170.66 listed in b.barracudacentral.org]
 2.5 CUST_DNSBL_13_SEM RBL: bl.spameatingmonkey.net [213.252.170.66 listed in bl.spameatingmonkey.net]
 2.5 RDNS_NONE Delivered to internal network by a host with no rDNS
 0.0 RCVD_IN_MSPIKE_BL Mailspike blacklisted
 0.5 HELO_MISC_IP Looking for more Dynamic IP Relays





SA cannot block messages with attached zip

2016-05-20 Thread Emin Akbulut
I tried to train SA with tons of spam messages which contain a zip file
(including .js).
The max spam score was less than 5 so I set it to 4 to delete messages.

Then the same kind of spam messages appear with a score of less than 2.

In short; training the SA seems not helpful.

What do you suggest to fight these spams?


Raw message:

http://pastebin.com/gPREh54L


Preview:

Hello abdurrahim.ersoz,
>
>
>
>
>
> Please find enclosed invoice no. 316855
>
>
>
> Thank you for your order.
>
> We look forward to doing business with you again.
>
>
>
>
>
> Regards,
>
> Marcus Love
>
> StarTek, Inc.
>