Re: Recent spate of Malicious VB attachments II

2015-02-20 Thread Axb
On 02/19/2015 06:25 PM, Alex Regan wrote: Hi, I use amavis-new and block based on file type. My users should never get legit executables via email, so they are sent to a quarantine. Unfortunately, we're finding those simple-minded rules are running out of gas. :( We've seen a zip file

RE: Recent spate of Malicious VB attachments II

2015-02-19 Thread Tonyata
Thank you all for your comments, very much appreciated. Tony Date: Wed, 18 Feb 2015 12:28:11 -0700 From: ml-node+s1065346n114635...@n5.nabble.com To: tiar...@hotmail.com Subject: Re: Recent spate of Malicious VB attachments II On Wed, 18 Feb 2015 14:16:02 -0500 Joe Quinn [hidden

Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Chad M Stewart
I use amavis-new and block based on file type. My users should never get legit executables via email, so they are sent to a quarantine. ### BLOCKED ANYWHERE # qr'^UNDECIPHERABLE$', # is or contains any undecipherable components qr'^\.(exe-ms|dll)$', # banned file(1) types,

Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Reindl Harald
On 19.02.2015 at 14:46, Chad M Stewart wrote: I use amavis-new and block based on file type. My users should never get legit executables via email, so they are sent to a quarantine. ### BLOCKED ANYWHERE # qr'^UNDECIPHERABLE$', # is or contains any undecipherable components

Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Matteo Dessalvi
Hello. I am just curious, since I am using SaneSecurity signatures too. According to: http://sanesecurity.com/usage/signatures/ some of the lists you mentioned have been classified with 'medium' to 'high' risk of false positives: foxhole_* spear / spearl Did you not get into trouble with

Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Reindl Harald
On 19.02.2015 at 16:13, Matteo Dessalvi wrote: I am just curious, since I am using SaneSecurity signatures too. According to: http://sanesecurity.com/usage/signatures/ some of the lists you mentioned have been classified with 'medium' to 'high' risk of false positives: foxhole_* spear /

Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Dave Funk
On Thu, 19 Feb 2015, Reindl Harald wrote: well, you can achieve that directly on the MTA, but that won't help in case of emails containing MS office attachments with a Malicious VB script cat /etc/postfix/mime_header_checks.cf /^Content-(?:Disposition|Type):(?:.*?;)? \s*(?:file)?name \s* =

Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Reindl Harald
On 19.02.2015 at 15:43, David F. Skoll wrote: On Thu, 19 Feb 2015 09:34:28 -0500 Alex Regan mysqlstud...@gmail.com wrote: [David Skoll] spreadsheet with a macro virus in it. ClamAV is essentially useless at detecting viruses, so it's a real problem... any ideas? Useless? Are you using

Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Dave Funk
On Thu, 19 Feb 2015, David F. Skoll wrote: On Thu, 19 Feb 2015 07:46:16 -0600 Chad M Stewart c...@balius.com wrote: I use amavis-new and block based on file type. My users should never get legit executables via email, so they are sent to a quarantine. Unfortunately, we're finding those

Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Alex Regan
Hi, I use amavis-new and block based on file type. My users should never get legit executables via email, so they are sent to a quarantine. Unfortunately, we're finding those simple-minded rules are running out of gas. :( We've seen a zip file containing an Excel spreadsheet with a macro

Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread David F. Skoll
On Thu, 19 Feb 2015 07:46:16 -0600 Chad M Stewart c...@balius.com wrote: I use amavis-new and block based on file type. My users should never get legit executables via email, so they are sent to a quarantine. Unfortunately, we're finding those simple-minded rules are running out of gas. :(

Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Axb
On 02/19/2015 03:24 PM, David F. Skoll wrote: On Thu, 19 Feb 2015 07:46:16 -0600 Chad M Stewart c...@balius.com wrote: I use amavis-new and block based on file type. My users should never get legit executables via email, so they are sent to a quarantine. Unfortunately, we're finding those

Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread David F. Skoll
On Thu, 19 Feb 2015 09:34:28 -0500 Alex Regan mysqlstud...@gmail.com wrote: [David Skoll] spreadsheet with a macro virus in it. ClamAV is essentially useless at detecting viruses, so it's a real problem... any ideas? Useless? Are you using the third-party patterns? No, because when I

Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Alex Regan
Hi, I use amavis-new and block based on file type. My users should never get legit executables via email, so they are sent to a quarantine. Unfortunately, we're finding those simple-minded rules are running out of gas. :( We've seen a zip file containing an Excel spreadsheet with a macro

Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Reindl Harald
On 19.02.2015 at 15:47, Dave Funk wrote: On Thu, 19 Feb 2015, Reindl Harald wrote: well, you can achieve that directly on the MTA, but that won't help in case of emails containing MS office attachments with a Malicious VB script cat /etc/postfix/mime_header_checks.cf

Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Benny Pedersen
On February 19, 2015 3:26:00 PM David F. Skoll d...@roaringpenguin.com wrote: Unfortunately, we're finding those simple-minded rules are running out of gas. :( We've seen a zip file containing an Excel spreadsheet with a macro virus in it. ClamAV is essentially useless at detecting viruses,

Re: Recent spate of Malicious VB attachments II

2015-02-18 Thread Jesse Norell
sent to the client? Jesse Cheers Tony __ Date: Wed, 18 Feb 2015 06:08:30 -0700 From: [hidden email] To: [hidden email] Subject: Re: Recent spate of Malicious VB attachments II On 02/18/2015 01:09 PM, Tonyata wrote

Re: Recent spate of Malicious VB attachments II

2015-02-18 Thread David F. Skoll
On Wed, 18 Feb 2015 14:16:02 -0500 Joe Quinn jqu...@pccc.com wrote: On 2/18/2015 2:10 PM, Reindl Harald wrote: the source contains at least socket:// and heavy pulsating disk-IO noticed from the RAID10 as long as the process was active - will give it a try in an isolated VM to look at what it

Re: Recent spate of Malicious VB attachments II

2015-02-18 Thread John Hardin
On Wed, 18 Feb 2015, David F. Skoll wrote: On Wed, 18 Feb 2015 09:56:56 -0700 Jesse Norell je...@kci.net wrote: Another option might be to add a virus scanner to your pop/imap server, so mail is re-scanned before being sent to the client? I wrote some Perl to try to detect MS Office

Re: Recent spate of Malicious VB attachments II

2015-02-18 Thread Joe Quinn
On 2/18/2015 2:10 PM, Reindl Harald wrote: On 18.02.2015 at 20:00, David F. Skoll wrote: On Wed, 18 Feb 2015 10:52:49 -0800 (PST) John Hardin jhar...@impsec.org wrote: Macros are not inherently evil. No, they're not, but AutoRun macros are guilty until proven otherwise, IMO. (And adding

Re: Recent spate of Malicious VB attachments II

2015-02-18 Thread David F. Skoll
On Wed, 18 Feb 2015 20:10:46 +0100 Reindl Harald h.rei...@thelounge.net wrote: it would be nice if SA added a *low score* in case of documents containing macros - that may make the difference in a milter setup in combination with other rules and bayes to reject or not Yeah, that's what we

Re: Recent spate of Malicious VB attachments II

2015-02-18 Thread David F. Skoll
On Wed, 18 Feb 2015 09:56:56 -0700 Jesse Norell je...@kci.net wrote: Another option might be to add a virus scanner to your pop/imap server, so mail is re-scanned before being sent to the client? I wrote some Perl to try to detect MS Office documents with macros in them. I'm not sure it's
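The check this message describes (detecting MS Office documents that carry macros, including the zip-wrapped spreadsheet case raised elsewhere in the thread), as an added example in Python. This is not the Perl the poster mentions and not code from the thread; the sample message it builds is constructed, the `_VBA_PROJECT` UTF-16LE marker search on legacy OLE2 files is a raw-byte heuristic rather than a full CFB parse, and the nesting and size limits are arbitrary assumptions.

```python
"""Flag e-mail attachments that are Office documents with VBA macros, descending
into zip containers (added example; not the Perl mentioned in the thread)."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls (OLE2/CFB)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML, .xlsb and plain zips
# OLE2 directory entry names are stored as UTF-16LE; the "_VBA_PROJECT" stream
# exists only inside a VBA project storage. Heuristic raw-byte search, not a
# full CFB parse (assumption: good enough for a first-pass mail filter).
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
# Office Open XML (.docm/.xlsm/.pptm/.xlsb) keeps macros in a vbaProject.bin part.
OOXML_VBA_RE = re.compile(r"(^|/)vbaProject\.bin$", re.IGNORECASE)
MAX_DEPTH = 3                          # assumed limit on zip-in-zip nesting
MAX_MEMBER_BYTES = 20 * 1024 * 1024    # assumed limit, refuses to inflate zip bombs


def classify_blob(name, data, depth=0):
    """Return a list of findings for one decoded attachment (or zip member)."""
    if data.startswith(OLE_MAGIC):
        if OLE_VBA_MARKER in data:
            return [f"{name}: OLE2 document with VBA project"]
        return []
    if data.startswith(ZIP_MAGIC):
        return scan_zip(name, data, depth)
    return []   # other types: leave to file(1) / amavis banned_files rules


def scan_zip(name, data, depth):
    """Inspect a zip: an OOXML file with macros, or a container holding such files.
    Anything that cannot be inspected is reported as undecipherable, the same
    policy amavis applies with its UNDECIPHERABLE banned-file rule."""
    if depth > MAX_DEPTH:
        return [f"{name}: nested deeper than {MAX_DEPTH} archives, treated as undecipherable"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{name}: corrupt zip, treated as undecipherable"]
    findings = []
    with zf:
        if any(OOXML_VBA_RE.search(n) for n in zf.namelist()):
            return [f"{name}: Office Open XML document with vbaProject.bin"]
        for info in zf.infolist():
            member = f"{name}/{info.filename}"
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:          # encrypted member: cannot be inspected
                findings.append(f"{member}: encrypted zip member, undecipherable")
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append(f"{member}: member too large to inspect, undecipherable")
                continue
            findings.extend(classify_blob(member, zf.read(info), depth + 1))
    return findings


def scan_message(raw):
    """Walk every MIME leaf of a raw RFC 5322 message and classify its decoded bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)
        if payload:
            label = part.get_filename() or part.get_content_type()
            findings.extend(classify_blob(label, payload, 0))
    return findings


def build_sample_message():
    """Constructed sample (not a real capture): invoice.zip wrapping invoice.xlsm
    whose xl/vbaProject.bin is a stub, mirroring the zip-wrapped spreadsheet case."""
    xlsm = io.BytesIO()
    with zipfile.ZipFile(xlsm, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/vbaProject.bin", OLE_MAGIC + b"\x00" * 64)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("invoice.xlsm", xlsm.getvalue())
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice 4711"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(outer.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in scan_message(build_sample_message()):
        print(line)
```

Run as a script it prints one finding for the constructed message, `invoice.zip/invoice.xlsm: Office Open XML document with vbaProject.bin`. Presence of a VBA project is only a signal, not proof of malice, which is why the thread talks about feeding it to SpamAssassin as a low score rather than rejecting outright; the encrypted, oversized and over-nested branches are there because a filter that silently skips what it cannot open is exactly the gap a zip-wrapped sample walks through.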

Re: Recent spate of Malicious VB attachments II

2015-02-18 Thread David F. Skoll
On Wed, 18 Feb 2015 10:52:49 -0800 (PST) John Hardin jhar...@impsec.org wrote: Macros are not inherently evil. No, they're not, but AutoRun macros are guilty until proven otherwise, IMO. (And adding the ability for MS Office macros to execute external programs and fetch content over the

Re: Recent spate of Malicious VB attachments II

2015-02-18 Thread Reindl Harald
On 18.02.2015 at 20:00, David F. Skoll wrote: On Wed, 18 Feb 2015 10:52:49 -0800 (PST) John Hardin jhar...@impsec.org wrote: Macros are not inherently evil. No, they're not, but AutoRun macros are guilty until proven otherwise, IMO. (And adding the ability for MS Office macros to execute

RE: Recent spate of Malicious VB attachments II

2015-02-18 Thread Tonyata
To: tiar...@hotmail.com Subject: Re: Recent spate of Malicious VB attachments II On 02/18/2015 01:09 PM, Tonyata wrote: Posting again as the original post didn't hit the mailing list - Hi Guys, Last week my company received a noticeable increase in emails containing MS office

Re: Recent spate of Malicious VB attachments II

2015-02-18 Thread Axb
On 02/18/2015 01:09 PM, Tonyata wrote: Posting again as the original post didn't hit the mailing list - Hi Guys, Last week my company received a noticeable increase in emails containing MS office attachments with a Malicious VB script which downloaded something nasty. For example Subj -

RE: Recent spate of Malicious VB attachments II

2015-02-18 Thread John Hardin
On Wed, 18 Feb 2015, Tonyata wrote: Thanks for your feedback, much appreciated. We do regularly review our AV solution and are generally happy with what we have in place. The issue was and continues to be that this is new-variant malware, so by the time the AVs catch up we already have a

Recent spate of Malicious VB attachments II

2015-02-18 Thread Tonyata
of stuff more efficiently and on a more generic basis but without introducing FP risk? Thanks in advance ata -- View this message in context: http://spamassassin.1065346.n5.nabble.com/Recent-spate-of-Malicious-VB-attachments-II-tp114621.html Sent from the SpamAssassin - Users mailing list