Re: new emotet campain

2019-09-18 Thread Riccardo Alfieri
On 18/09/19 21:05, Amir Caspi wrote: Since the return code for the domain is specifically regarding malware, shouldn't the score be higher?  I would imagine the purpose of the unique Spamhaus return codes is to enable such granularity in scoring on the user end... I can't speak about SA

Re: new emotet campain

2019-09-18 Thread Amir Caspi
On Sep 18, 2019, at 3:19 AM, Riccardo Alfieri wrote: > > You are correct, URLhaus domains enter DBL as abused legit malware, but the > default SA score is not enough to mark the email as spam (and that's correct > as it checks only the domain). Since the return code for the domain is

Re: new emotet campain

2019-09-18 Thread Henrik K
On Wed, Sep 18, 2019 at 09:19:17AM +, Riccardo Alfieri wrote: > On 17/09/19 20:54, Amir Caspi wrote: > > >Based on https://feodotracker.abuse.ch/mitigate/, it looks like both > >Spamhaus DBL and SURBL are fed by URLhaus.  Spamhaus returns 127.0.1.105 > >for URLs fed from URLhaus.  Doesn't SA

Re: new emotet campain

2019-09-18 Thread Riccardo Alfieri
On 17/09/19 20:54, Amir Caspi wrote: Based on https://feodotracker.abuse.ch/mitigate/, it looks like both Spamhaus DBL and SURBL are fed by URLhaus.  Spamhaus returns 127.0.1.105 for URLs fed from URLhaus.  Doesn't SA already handle this, then, for URLs it processes, since it uses the DBL?

Re: new emotet campain

2019-09-17 Thread Amir Caspi
On Sep 17, 2019, at 12:15 PM, John Hardin wrote: > > On Tue, 17 Sep 2019, hg user wrote: > >> It is a "dumb" rule but the quicker I could create. >> >> https://pastebin.com/bxRSds7a > > Suggestions: > > (1) use a URI rule rather than a BODY rule > > (2) escape the periods; you want to match

Re: new emotet campain

2019-09-17 Thread John Hardin
On Tue, 17 Sep 2019, hg user wrote: It is a "dumb" rule but the quickest I could create. https://pastebin.com/bxRSds7a Suggestions: (1) use a URI rule rather than a BODY rule (2) escape the periods; you want to match a period, not any-character. On Tue, Sep 17, 2019 at 11:59 AM Blason R

Re: new emotet campain

2019-09-17 Thread hg user
These rules are from the "epoch 2" campaign and according to the docs are included in the email... as far as I understand I don't have ClamAV active at the moment On Tuesday, September 17, 2019, Axb wrote: > I doubt you'll see many hits on that rule as I'd expect most URIs being > included in

Re: new emotet campain

2019-09-17 Thread Axb
I doubt you'll see many hits on that rule as I'd expect most URIs being included in the infected attachments. IMO, the ClamAV sigs make more sense. On 9/17/19 12:36 PM, hg user wrote: It is a "dumb" rule but the quickest I could create. https://pastebin.com/bxRSds7a On Tue, Sep 17, 2019 at

Re: new emotet campain

2019-09-17 Thread hg user
It is a "dumb" rule but the quickest I could create. https://pastebin.com/bxRSds7a On Tue, Sep 17, 2019 at 11:59 AM Blason R wrote: > If possible please share it here? > > On Tue, Sep 17, 2019 at 3:20 PM hg user wrote: > >> A new emotet campaign is in progress

Re: new emotet campain

2019-09-17 Thread Riccardo Alfieri
On 17/09/19 11:59, Blason R wrote: If possible please share it here? On Tue, Sep 17, 2019 at 3:20 PM hg user wrote: A new emotet campaign is in progress (https://twitter.com/Cryptolaemus1) and I created a rule... I don't know if it is possible to

Re: new emotet campain

2019-09-17 Thread Blason R
If possible please share it here? On Tue, Sep 17, 2019 at 3:20 PM hg user wrote: > A new emotet campaign is in progress (https://twitter.com/Cryptolaemus1) > and I created a rule... I don't know if it is possible to share (via > pastebin) the rule I created to have feedback from the experts... >