Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-11-02 Thread Rupert Gallagher
We study our logs and the abuse@ account for gray-zone items. If something "legitimate" occurs, we work on it. The gray-zone shows both genuine spam and legit email, mostly with broken message-ids and recipient domains other than our own. Sent from ProtonMail Mobile On Wed, Nov 1, 2017 at 4:37

Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-11-01 Thread John Hardin
On Wed, 1 Nov 2017, Rupert Gallagher wrote: We apply a no-nonsense policy, mirroring paper mail policy. Both mail and e-mail sent to undisclosed recipients are either paid-for massmail or spam. I'll grant "largely", but there are legitimate uses for BCC. I hope you're only enforcing this poli

Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-11-01 Thread Rupert Gallagher
We apply a no-nonsense policy, mirroring paper mail policy. Both mail and e-mail sent to undisclosed recipients are either paid-for massmail or spam. Paper junk and e-mail junk whose origin is verifiable and within legal domain goes to the lawyer, who sues the sender and gets an economic compensa

Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-11-01 Thread LuKreme
On Nov 1, 2017, at 00:52, Rupert Gallagher wrote: > By local policy, we *reject* e-mail to undisclosed recipient, so this is not a problem for us. You are rejecting legitimate mail then. -- This is my signature. There are many like it, but this one is mine.

Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread Rupert Gallagher
Maybe they are reading this thread and trying to patch their setup, and we are reading them while they do it. This is not exactly a post-mortem. Sent from ProtonMail Mobile On Wed, Nov 1, 2017 at 4:07 AM, Bill Cole wrote: > On 31 Oct 2017, at 7:00 (-0400), Rupert Gallagher wrote: > Addenda: >

Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread Rupert Gallagher
On Tue, Oct 31, 2017 at 8:38 PM, Alex wrote: > This will also hit undisc-recips mail, By local policy, we *reject* e-mail to undisclosed recipient, so this is not a problem for us. > bcc, As above, Bccs are rejected by local policy. Each e-mail must be explicitly addressed to us, and its ori

Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread Bill Cole
On 31 Oct 2017, at 7:00 (-0400), Rupert Gallagher wrote: Addenda: From: Invoicing unbound-host -rvD canadianchemistry.ca canadianchemistry.ca has address 168.144.155.97 (insecure) canadianchemistry.ca has no IPv6 address (insecure) canadianchemistry.ca mail is handled by 0 canadianchemis

Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread Alex
Hi, On Tue, Oct 31, 2017 at 6:49 AM, Rupert Gallagher wrote: > This is my reading of it. > > - You may have received an e-mail addressed to someone-else. > I do not know your setup, but this is what it looks like from my seat. > (Sent "To" @puffin.net, but "Received: from" futurequest.net.) > We

Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread Chip M.
On Tue, Oct 31, 2017, David Jones wrote: >Add the Lashback RBL. I am trying to get this added to the default SA >rules. See my post on 2017-10-17 in the following link and increase the >scores after some testing. David, after your Lashback post, I had added it to my FP pipeline (i.e. run fro

Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread Rupert Gallagher
yes, again Sent from ProtonMail Mobile On Tue, Oct 31, 2017 at 1:36 PM, David Jones wrote: >> On Tue, Oct 31, 2017 at 12:00 PM, Rupert Gallagher wrote: >> Addenda: >> >> >> > From: Invoicing > > >> >> SPF should fail hard here. How do you know >> what the envelope-from domain is from that s

Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread David Jones
On Tue, Oct 31, 2017 at 12:00 PM, Rupert Gallagher wrote: Addenda: > From: Invoicing > SPF should fail hard here. How do you know what the envelope-from domain is from that sample? SPF uses the envelope-from not the From:

Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread Rupert Gallagher
correct! Sent from ProtonMail Mobile On Tue, Oct 31, 2017 at 12:57 PM, Benny Pedersen wrote: > Rupert Gallagher wrote on 2017-10-31 12:00: >> From: Invoicing >> Received: > from not from Microsoft > SPF should fail hard here. from: header is not > envelope sender as spf is testing, so

Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread Benny Pedersen
Rupert Gallagher wrote on 2017-10-31 12:00: From: Invoicing Received: from not from Microsoft SPF should fail hard here. from: header is not envelope sender as spf is testing, so that domain is only usable to test dkim if it was signed

Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread Rupert Gallagher
Received: from not from Microsoft SPF should fail hard here. RG Sent with [ProtonMail](https://protonmail.com) Secure Email. > Original Message > Subject: Re: spample: Microsoft Office DDE exploit (in OpenXML attachment) > Local Time: 31 October 2017 11:49 AM >

Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread Rupert Gallagher
io Our SA returns a big fat spam flag. RG Sent with [ProtonMail](https://protonmail.com) Secure Email. > Original Message > Subject: spample: Microsoft Office DDE exploit (in OpenXML attachment) > Local Time: 31 October 2017 7:10 AM > UTC Time: 31 October 2017 06:10

Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread Benny Pedersen
Chip M. wrote on 2017-10-31 07:10: http://puffin.net/software/spam/samples/0056_dde_auto.txt send it here https://www.clamav.net/reports/malware so far bitdefender and dr-web detect it as malware

spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-30 Thread Chip M.
Starting Monday late pm (Iowa time), I've been seeing my first DDE exploits, with significant volume. Here's a spample, with only the account part of the To header munged: http://puffin.net/software/spam/samples/0056_dde_auto.txt The MIME part Content Types are all of the same form, with o