Re: Titter invite spam
--On Monday, June 22, 2009 5:59 PM -0700 John Hardin jhar...@impsec.org wrote:

> On Mon, 22 Jun 2009, Cerebus wrote:
>
> > The zip file contains a file with the name: document.pdf .exe
> > (note the long run of spaces)
>
> My security sanitizer would quarantine that.
>
> http://www.impsec.org/email-tools/procmail-security.html

As would MIMEDefang.

http://mimedefang.org/

The danger is for those users who have filter bypasses configured, as the spaces might make it hard to spot the extra extension. Also, Windows by default hides extensions so even without the spaces many would miss the .exe on the end. (Hiding extensions is one of the first things I disable on a new Windows installation. Alas, it's a PITA to make that a global inherited setting for new users.)

OTOH, the next time you send a notice out to a mailing list and you want to guarantee that people read it, put it in an attachment named NakedPics.jpg.txt. (I also suggest renaming README files to PORN.)
Re: Titter invite spam
On Tue, 23 Jun 2009, Kenneth Porter wrote:

> --On Monday, June 22, 2009 5:59 PM -0700 John Hardin jhar...@impsec.org wrote:
>
> > On Mon, 22 Jun 2009, Cerebus wrote:
> >
> > > The zip file contains a file with the name: document.pdf .exe
> > > (note the long run of spaces)
> >
> > My security sanitizer would quarantine that.
> >
> > http://www.impsec.org/email-tools/procmail-security.html
>
> As would MIMEDefang.
>
> http://mimedefang.org/
>
> The danger is for those users who have filter bypasses configured, as the spaces might make it hard to spot the extra extension.

That's precisely why that particular name pattern is poisoned by default.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
USMC Rules of Gunfighting #12: Have a plan.
USMC Rules of Gunfighting #13: Have a back-up plan, because the first one won't work.
---
11 days until the 233rd anniversary of the Declaration of Independence
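The name pattern discussed in this thread (a decoy extension, a long run of spaces, then .exe, inside a zip) can be checked for mechanically. The following is an added example, not part of the thread and not the code of the procmail sanitizer or MIMEDefang; the extension lists, the padding threshold and the function names are assumptions, and the sample archive is constructed.

```python
import io
import re
import zipfile

# Assumed, illustrative lists; a real policy would be site-specific.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
DECOY_EXTS = {"pdf", "doc", "txt", "jpg", "gif"}
PAD_RUN = re.compile(r"\s{3,}")  # assumed threshold: 3+ whitespace characters


def check_name(name):
    """Return the reasons an archive member name looks deceptive."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    base = base.rstrip(" .")  # Windows drops trailing spaces and dots
    # Trim padding around each dot-separated part before comparing.
    parts = [p.strip().lower() for p in base.split(".")]
    reasons = []
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension")
        if PAD_RUN.search(base):
            reasons.append("whitespace padding")
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            reasons.append("decoy double extension")
    return reasons


def scan_zip(data):
    """Map each suspicious member of a zip (given as bytes) to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = check_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample: only the names matter, contents are inert bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.pdf" + " " * 40 + ".exe", b"placeholder")
        zf.writestr("document" + " " * 40 + ".pdf.exe", b"placeholder")
        zf.writestr("report.pdf", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip(build_sample_zip()).items():
        print(repr(name), "->", ", ".join(reasons))
```

Both spellings quoted in the thread (spaces before `.exe` and spaces before `.pdf.exe`) are flagged, because the padding is trimmed from each part before the extensions are compared.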
Titter invite spam
Not sure if anyone else has seen this, but a 486KB zip file attached to a fake twitter email claiming:

--
Q how do you titillate an ocelot?
A you oscillate its tit a lot.
Titter invite spam
Not sure if anyone else has seen this, but a 486KB zip file (Total message of 664KB) attached to a fake twitter email claiming:

Your friend invited you to twitter!

Twitter is a service for friends, family, and co-workers to communicate and stay connected through the exchange of quick, frequent answers to one simple question: What are you doing?

To join or to see who invited you, check the attachment.

The zip file contains a file with the name: document .pdf.exe (note the long run of spaces)

Obviously, SA is not going to process these, so be aware that some of your dumber windows users are likely to be complaining about them soon.

--
Q how do you titillate an ocelot?
A you oscillate its tit a lot.
Titter invite spam
Not sure if anyone else has seen this, but a 486KB zip file (Total message of 664KB) attached to a fake twitter email claiming:

Your friend invited you to twitter!

Twitter is a service for friends, family, and co-workers to communicate and stay connected through the exchange of quick, frequent answers to one simple question: What are you doing?

To join or to see who invited you, check the attachment.

The zip file contains a file with the name: document .pdf.exe (note the long run of spaces)

Obviously, SA is not going to process these, so be aware that some of your dumber windows users are likely to be complaining about them soon.

--
Ah we're lonely, we're romantic / and the cider's laced with acid / and the Holy Spirit's crying, Where's the beef? / And the moon is swimming naked / and the summer night is fragrant / with a mighty expectation of relief
Re: Titter invite spam
On Mon, 22 Jun 2009, Cerebus wrote:

> The zip file contains a file with the name: document.pdf .exe
> (note the long run of spaces)

My security sanitizer would quarantine that.

http://www.impsec.org/email-tools/procmail-security.html

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
...much of our country's counterterrorism security spending is not designed to protect us from the terrorists, but instead to protect our public officials from criticism when another attack occurs. -- Bruce Schneier
---
12 days until the 233rd anniversary of the Declaration of Independence
Re: Titter invite spam
On 22 Jun, 2009, at 17:45 , LuKreme wrote:

> Not sure if anyone else has seen this, but a 486KB zip file (Total message of 664KB) attached to a fake twitter email claiming:

Erm.. sorry about the (sorta) triple post. I accidentally sent it while editing from my non-list account and assumed it would bounce since that user is not subscribed.

--
I have a love child who sends me hate mail
Re: Titter invite spam
On 22 Jun, 2009, at 17:59 , John Hardin wrote:

> My security sanitizer would quarantine that.
>
> http://www.impsec.org/email-tools/procmail-security.html

Yep, but not everyone runs (or can run) procmail. My post was intended more as a 'heads-up' than a 'how do I prevent this'. I posted THAT message to the postfix list since I want to stop these messages before they are accepted. :)

--
And, while it was regarded as pretty good evidence of criminality to be living in a slum, for some reason owning a whole street of them merely got you invited to the very best social occasions.
Re: Titter invite spam
On Mon, 22 Jun 2009, LuKreme wrote:

> Not sure if anyone else has seen this, but a 486KB zip file (Total message of 664KB) attached to a fake twitter email claiming:
> [,,]
> The zip file contains a file with the name: document .pdf.exe (note the long run of spaces)
>
> Obviously, SA is not going to process these, so be aware that some of your dumber windows users are likely to be complaining about them soon.

Submit it to Clamav.net they can make/distribute a signature against it.

--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.edu College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{