Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread Rupert Gallagher
Maybe they are reading this thread and trying to patch their setup, and we are reading them while they do it. This is not exactly a post-mortem. Sent from ProtonMail Mobile On Wed, Nov 1, 2017 at 4:07 AM, Bill Cole wrote: > On 31 Oct 2017, at 7:00 (-0400), Rupert Gallagher wrote: > Addenda: >

Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread Rupert Gallagher
On Tue, Oct 31, 2017 at 8:38 PM, Alex wrote: > This will also hit undisc-recips mail, By local policy, we *reject* e-mail to undisclosed recipient, so this is not a problem for us. > bcc, As above, Bccs are rejected by local policy. Each e-mail must be explicitly addressed to us, and its ori

Re: very basic SA-Learn performance question: is 90 seconds or so per token really, really slow or roughly normal?

2017-10-31 Thread Bill Cole
On 31 Oct 2017, at 7:27 (-0400), David Gessel wrote: bayes_file_mode 0777 Don't do that. I know the SiteWideBayes page recommends that, but it's wrong. It's a bad idea to EVER make ANY file mode 0777 on any normal system. Something mangled your Bayes DB. Anything running on that system *cou

Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread Bill Cole
On 31 Oct 2017, at 7:00 (-0400), Rupert Gallagher wrote: Addenda: From: Invoicing unbound-host -rvD canadianchemistry.ca canadianchemistry.ca has address 168.144.155.97 (insecure) canadianchemistry.ca has no IPv6 address (insecure) canadianchemistry.ca mail is handled by 0 canadianchemis

Re: very basic SA-Learn performance question: is 90 seconds or so per token really, really slow or roughly normal?

2017-10-31 Thread Matus UHLAR - fantomas
On 31.10.17 01:35, David Gessel wrote: amavisd-new-2.11.0_2,1 I'm finding the command /usr/local/bin/sa-learn --spam --showdots /mail/blackrosetech.com/gessel/.Junk/{cur,new} is taking a while to if you use amavis, you must train amavis' bayes database (/var/lib/amavis/.spamassassin/ here), no

Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread Alex
Hi, On Tue, Oct 31, 2017 at 6:49 AM, Rupert Gallagher wrote: > This is my reading of it. > > - You may have received an e-mail addressed to someone-else. > I do not know your setup, but this is what it looks like from my seat. > (Sent "To" @puffin.net, but "Received: from" futurequest.net.) > We

Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread Chip M.
On Tue, Oct 31, 2017, David Jones wrote: >Add the Lashback RBL. I am trying to get this added to the default SA >rules. See my post on 2017-10-17 in the following link and increase the >scores after some testing. David, after your Lashback post, I had added it to my FP pipeline (i.e. run fro

Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread Rupert Gallagher
yes, again Sent from ProtonMail Mobile On Tue, Oct 31, 2017 at 1:36 PM, David Jones wrote: >> On Tue, Oct 31, 2017 at 12:00 PM, Rupert Gallagher > wrote: >> Addenda: >> >> >> > From: Invoicing > > >> >> SPF should fail hard here. How do you know >> what the envelope-from domain is from that s

Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread David Jones
On Tue, Oct 31, 2017 at 12:00 PM, Rupert Gallagher > wrote: Addenda: > From: Invoicing > SPF should fail hard here. How do you know what the envelope-from domain is from that sample? SPF uses the envelope-from not the From:

Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread Rupert Gallagher
correct! Sent from ProtonMail Mobile On Tue, Oct 31, 2017 at 12:57 PM, Benny Pedersen wrote: > Rupert Gallagher skrev den 2017-10-31 12:00: >> From: Invoicing >> Received: > from not from Microsoft > SPF should fail hard here. from: header is not > envelope sender as spf is testing, so

Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread Benny Pedersen
Rupert Gallagher skrev den 2017-10-31 12:00: From: Invoicing Received: from not from Microsoft SPF should fail hard here. from: header is not envelope sender as spf is testing, so that domain is only usable to test dkim if it was signed

Re: very basic SA-Learn performance question: is 90 seconds or so per token really, really slow or roughly normal?

2017-10-31 Thread David Gessel
Thank you very much for your help! A few answers inline. Original Message Subject: Re: very basic SA-Learn performance question: is 90 seconds or so per token really, really slow or roughly normal? From: Matus UHLAR - fantomas To: users@spamassassin.apache.org Date: Tue Oct

Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread Rupert Gallagher
Addenda: > From: Invoicing >unbound-host -rvD canadianchemistry.ca canadianchemistry.ca has address 168.144.155.97 (insecure) canadianchemistry.ca has no IPv6 address (insecure) canadianchemistry.ca mail is handled by 0 canadianchemistry-ca.mail.protection.outlook.com. (insecure) > Received: f

Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread Rupert Gallagher
This is my reading of it. - You may have received an e-mail addressed to someone-else. I do not know your setup, but this is what it looks like from my seat. (Sent "To" [@puffin.net](mailto:bait_sa_e3npnogbtq1d4...@puffin.net), but "Received: from" futurequest.net.) We have a custom rule for this

Re: very basic SA-Learn performance question: is 90 seconds or so per token really, really slow or roughly normal?

2017-10-31 Thread David Gessel
Original Message Subject: Re: very basic SA-Learn performance question: is 90 seconds or so per token really, really slow or roughly normal? From: Matus UHLAR - fantomas To: users@spamassassin.apache.org Date: Tue Oct 31 2017 13:21:10 GMT+0300 (AST) > > 1. spamc requires to 

Re: very basic SA-Learn performance question: is 90 seconds or so per token really, really slow or roughly normal?

2017-10-31 Thread David Gessel
hmmm my hardware shouldn't be improper... the only quirk is that it is the very rare, pre-Intel agreement 3.1GHz QC AMD 2352-based dual socket mobo. It's a somewhat older IBM 3655 server, but it has 64GB of RAM, ServeRAID, dual socket, 8 cores, etc. I could, I'm sure, pay back the cost of

Re: very basic SA-Learn performance question: is 90 seconds or so per token really, really slow or roughly normal?

2017-10-31 Thread Matus UHLAR - fantomas
On Mon, 30 Oct 2017 22:35:08 -, David Gessel wrote: 1) sa-learn seems really, really slow. Slow enough that spam sometimes comes in faster. This seems far slower than the benchmark results suggest is within the range of normal. I'm sure I'm doing something really wrong, but not sure

Re: very basic SA-Learn performance question: is 90 seconds or so per token really, really slow or roughly normal?

2017-10-31 Thread David Gessel
Original Message Subject: Re: very basic SA-Learn performance question: is 90 seconds or so per token really, really slow or roughly normal? From: Kevin Golding To: users@spamassassin.apache.org Date: Tue Oct 31 2017 11:44:20 GMT+0300 (AST) > On Mon, 30 Oct 2017 22:35:08 -000

Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread Benny Pedersen
Chip M. skrev den 2017-10-31 07:10: http://puffin.net/software/spam/samples/0056_dde_auto.txt send it here https://www.clamav.net/reports/malware so far bitdefender and dr-web detect it as malware

Re: very basic SA-Learn performance question: is 90 seconds or so per token really, really slow or roughly normal?

2017-10-31 Thread Kevin Golding
On Mon, 30 Oct 2017 22:35:08 -, David Gessel wrote: 1) sa-learn seems really, really slow. Slow enough that spam sometimes comes in faster. This seems far slower than the benchmark results suggest is within the range of normal. I'm sure I'm doing something really wrong, but not s