Hi Pierre
That's interesting but to me it looks like this .zip is just for hiding it, it's not a real zip file (I doubt you could view a real zip file inline... (and I wouldn't like that either...))
Here's some more dump from my email:
__________
From: "Mail Administrator" <[EMAIL PROTECTED]>
To: xxx
Subject: Returned mail: see transcript for details
Date: Tue, 27 Jul 2004 12:04:59 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0001_F824EC38.FBF36544"
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

This is a multi-part message in MIME format.
------=_NextPart_000_0001_F824EC38.FBF36544
Content-Type: text/plain;
charset=us-ascii
Content-Transfer-Encoding: 7bit

Dear user of student.ethz.ch,
We have received reports that your email account has been used to send a huge amount of junk email during this week. Obviously, your computer was compromised and now runs a hidden proxy server.
Please follow our instructions in order to keep your computer safe.
Best regards, student.ethz.ch user support team.
------=_NextPart_000_0001_F824EC38.FBF36544
Content-Type: application/octet-stream; name="document.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="document.pif"
wJIqlP/F1Y8......about 20 lines of base64......+qAsLG/
------=_NextPart_000_0001_F824EC38.FBF36544--
_________
Mine actually looks quite normal (mail with attachment) to me... ?
Matt
ps: Yes I know SA isn't here to block my virii but as long as no antivirus company known to me has any signatures for this I need a way to block it... (neither my antivir nor on my laptop my Norton AV 2004 Pro knows this virus...)
Pierre Thomson wrote:
Aha!
I just got one of these myself, and the text is in an inline ZIP file! I don't think any SA rules scan those.
Here's a bit of a raw dump; only the names are changed:
Message-Id: <[EMAIL PROTECTED]>
From: "Mail Delivery Subsystem" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Returned mail: see transcript for details
Date: Tue, 27 Jul 2004 10:19:05 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0006_278B1AC0.BB1C5953"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
This is a multi-part message in MIME format.
------=_NextPart_000_0006_278B1AC0.BB1C5953
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

------=_NextPart_000_0006_278B1AC0.BB1C5953
Content-Type: application/octet-stream; name="text.zip"
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="text.zip"
...
and it appears like this:
Dear user of domain.com,
Your account was used to send a huge amount of junk email messages during the recent week. We suspect that your computer was infected by a recent virus and now contains a trojaned proxy server.
We recommend you to follow instructions in the attachment in order to keep your computer safe.
Have a nice day, domain.com technical support team.
Hmmmm, what can we do about these? I guess you could block inline "text.zip" until the AV vendors catch up.
PT
-----Original Message-----
From: Matthias Keller [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 27, 2004 10:25 AM
To: Marc Kool
Cc: [EMAIL PROTECTED]
Subject: Re: Trying to catch those latest virii....
Hi Marc
Thanks for pointing that out - I actually thought I'd be blocking .pifs but didn't think of this when I received that mail - after looking in my amavis I saw that only the double extensions were enabled, I customized the normal ones and activated them.
But I'm still curious WHY my rules didn't catch on anything?!
Like I said, I encountered the same results when using body, rawbody or full and I've also tried with shorter strings like /dear user/i
... but all THESE mails here trigger the rules, but not the original one. Is there something wrong with SA not correctly finding the text?? (I'm using 2.63 btw)
Thanks
Matt
Marc Kool wrote:
Matthias,
I recommend blocking all .pif files as well as some other "dangerous ones":
From my amavis.conf:
$banned_filename_re = new_RE(
  qr'^UNDECIPHERABLE$', # password protected zip files
  qr'\.[^.]*\.(exe|vbs|pif|scr|bat|cmd|com|dll|reg)$'i, # double extension
  qr'.\.(exe|vbs|pif|scr|bat|cmd|com|reg)$'i, # banned extension - basic
  qr'.\.(vb|vbe|js|jse|com)$'i, # banned extension - VB and Java
  ...
Depending on the files that you receive, you may want to remove a few file suffixes.
-Marc
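As an added example (my code, not anything from the thread, amavis or SpamAssassin), the following Python script takes the two points raised above and makes them checkable: it parses constructed bounce-style messages modelled on the dumps Matt and Pierre posted, extracts the text/plain body that a rule engine would match against, checks each non-text part's name against Marc's amavis patterns (translated from Perl qr'...'i to Python), and tests whether a part named .zip really starts with the ZIP signature, which is the question Matt raises about the inline "text.zip". The addresses, boundary string, payload bytes and the reasons_to_block policy are all constructed for the example.

```python
import base64
import email
import io
import re
import zipfile
from email import policy

# amavisd-new $banned_filename_re entries quoted by Marc, translated from
# Perl qr'...'i to Python (IGNORECASE). '^UNDECIPHERABLE$' is an amavis
# pseudo-name for archives it cannot open, so it has no filename form here.
BANNED_NAME_RES = [
    re.compile(r"\.[^.]*\.(exe|vbs|pif|scr|bat|cmd|com|dll|reg)$", re.I),  # double extension
    re.compile(r".\.(exe|vbs|pif|scr|bat|cmd|com|reg)$", re.I),            # banned extension - basic
    re.compile(r".\.(vb|vbe|js|jse|com)$", re.I),                          # banned extension - VB/JS
]
ZIP_MAGIC = b"PK\x03\x04"                          # local-file-header signature of a real ZIP
BOUNDARY = "----=_NextPart_000_0001_TESTBOUNDARY"  # constructed, not a value from the thread


def build_sample(name: str, disposition: str, payload: bytes) -> bytes:
    """Constructed bounce-style message modelled on the dumps in the thread;
    addresses, boundary and the base64 payload are made up."""
    b64 = base64.encodebytes(payload).decode("ascii")
    return (
        'From: "Mail Administrator" <postmaster@example.invalid>\n'
        "To: user@example.invalid\n"
        "Subject: Returned mail: see transcript for details\n"
        "MIME-Version: 1.0\n"
        f'Content-Type: multipart/mixed; boundary="{BOUNDARY}"\n\n'
        "This is a multi-part message in MIME format.\n\n"
        f"--{BOUNDARY}\n"
        "Content-Type: text/plain; charset=us-ascii\n"
        "Content-Transfer-Encoding: 7bit\n\n"
        "Dear user of example.invalid,\n"
        "We have received reports that your email account has been used to send "
        "a huge amount of junk email during this week.\n\n"
        f"--{BOUNDARY}\n"
        f'Content-Type: application/octet-stream; name="{name}"\n'
        "Content-Transfer-Encoding: base64\n"
        f'Content-Disposition: {disposition}; filename="{name}"\n\n'
        f"{b64}"
        f"--{BOUNDARY}--\n"
    ).encode("ascii")


def make_zip(member: str, data: bytes) -> bytes:
    """A genuine ZIP archive built in memory, to contrast with a fake one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, data)
    return buf.getvalue()


def analyze(raw: bytes) -> dict:
    """Walk the MIME tree: gather the text/plain body (what a SpamAssassin
    'body' test sees) and describe every non-text part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"body": "", "parts": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_type() == "text/plain" and part.get_filename() is None:
            report["body"] += part.get_content()
            continue
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        report["parts"].append({
            "filename": name,
            "disposition": part.get_content_disposition(),  # 'inline', 'attachment' or None
            "banned": any(rx.search(name) for rx in BANNED_NAME_RES),
            "claims_zip": name.lower().endswith(".zip"),
            "is_zip": data.startswith(ZIP_MAGIC),
        })
    return report


def reasons_to_block(report: dict) -> list:
    """Policy layer (assumed, not from the thread): findings that would
    justify rejecting the message at the gateway."""
    reasons = []
    for p in report["parts"]:
        if p["banned"]:
            reasons.append(f"banned attachment name: {p['filename']}")
        if p["claims_zip"] and not p["is_zip"]:
            reasons.append(f"{p['filename']} is not a ZIP archive (no PK signature)")
        if p["claims_zip"] and p["disposition"] == "inline":
            reasons.append(f"inline-disposition .zip: {p['filename']}")
    return reasons


if __name__ == "__main__":
    for name, disp, payload in [
        ("document.pif", "attachment", b"placeholder bytes, not a program"),
        ("text.zip", "inline", b"Dear user of domain.com, ..."),
        ("text.zip", "inline", make_zip("text.txt", b"Dear user of domain.com, ...")),
    ]:
        report = analyze(build_sample(name, disp, payload))
        print(name, report["parts"][0], reasons_to_block(report))
```

The name check alone stops the .pif variant; the .zip variant is only caught by looking past the filename, either at the disposition (an inline archive is not something a mail client should be rendering) or at the first bytes of the decoded payload.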
Pierre Thomson wrote:
As others will no doubt point out, SpamAssassin is not a virus scanner, and if you are getting viruses through your gateway you should be looking for a better virus scanner...
That said, I would use "body" tests rather than "full". Body tests will strip out invisible HTML codes from the mail, so you can match text as your mail reader displays it.
Also, I would avoid trying to match a very long text string. Rather, look for unique keywords or phrases, like:
body VTEST1 /to send a huge amount of junk email/
describe VTEST1 phrase found in virus mails
score VTEST1 2.0

body VTEST2 /compromised and now runs a hidden proxy/
describe VTEST2 phrase found in virus mails
score VTEST2 2.0

body VTEST3 /instructions in order to keep your computer/
describe VTEST3 phrase found in virus mails
score VTEST3 2.0

It's best to make a set of rules and either use additive scoring or a META rule to combine them. That way, the occasional mail that may match one test will not be killed.
Pierre Thomson BIC
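An added example (my code, not Pierre's rules file or SpamAssassin itself) that models the advice above in Python so the scoring behaviour can be tried on sample text: the three phrase regexes and their 2.0 scores are the ones Pierre gives; the tag-stripping approximation of what a "body" test sees versus a "full"/"rawbody" test, the meta threshold of two hits, the 3.0 meta score and the sample bodies are my assumptions and constructions.

```python
import re

# Phrase rules and scores as Pierre proposed them; the regexes are his.
# The SpamAssassin equivalent of the meta rule modelled below would be
#   meta VTEST_META ((VTEST1 + VTEST2 + VTEST3) >= 2)
#   score VTEST_META 3.0
PHRASE_RULES = {
    "VTEST1": (re.compile(r"to send a huge amount of junk email"), 2.0),
    "VTEST2": (re.compile(r"compromised and now runs a hidden proxy"), 2.0),
    "VTEST3": (re.compile(r"instructions in order to keep your computer"), 2.0),
}

# Assumed meta-rule policy (not from the thread): the combined rule fires only
# when at least two phrases hit, so a legitimate mail that happens to contain
# one of them only picks up that single rule's 2.0.
META_NAME = "VTEST_META"
META_MIN_HITS = 2
META_SCORE = 3.0

TAG_RE = re.compile(r"<[^>]+>")
WS_RE = re.compile(r"\s+")


def rendered_text(raw: str) -> str:
    """Rough model of what a 'body' test sees: HTML tags removed and
    whitespace collapsed, so a phrase matches as the reader sees it.
    A 'full' or 'rawbody' test would run against the raw string instead."""
    return WS_RE.sub(" ", TAG_RE.sub("", raw)).strip()


def phrase_hits(text: str) -> list:
    """Names of the phrase rules whose regex matches the given text as-is."""
    return [name for name, (rx, _) in PHRASE_RULES.items() if rx.search(text)]


def score_body(raw: str) -> dict:
    """Additive scoring plus the meta rule, applied to the rendered body."""
    hits = phrase_hits(rendered_text(raw))
    score = sum(PHRASE_RULES[name][1] for name in hits)
    if len(hits) >= META_MIN_HITS:
        hits = hits + [META_NAME]
        score += META_SCORE
    return {"hits": hits, "score": score}


# Constructed sample bodies. The first is the wording quoted in the thread,
# the second a plausible legitimate support mail, the third an HTML variant
# with a tag splitting one of the phrases.
VIRUS_BODY = (
    "Dear user of example.invalid,\n"
    "We have received reports that your email account has been used to send a huge "
    "amount of junk email during this week. Obviously, your computer was compromised "
    "and now runs a hidden proxy server.\n"
    "Please follow our instructions in order to keep your computer safe.\n"
)
BENIGN_BODY = "Hi, please follow the instructions in order to keep your computer up to date. Thanks, IT."
HTML_BODY = (
    '<html><body>Obviously, your computer was <font color="red">compromised</font>\n'
    "and now runs a hidden proxy server.</body></html>"
)

if __name__ == "__main__":
    for label, body in [("virus", VIRUS_BODY), ("benign", BENIGN_BODY), ("html", HTML_BODY)]:
        print(label, "raw hits:", phrase_hits(body), "scored:", score_body(body))
```

The HTML sample is the point about "body" versus "full": searched raw, the font tag sits inside the phrase and VTEST2 never fires; after rendering, it does. The benign sample shows why the meta rule matters: one coincidental phrase earns 2.0, not a kill score.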
-----Original Message-----
From: Matthias Keller [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 27, 2004 8:46 AM
To: [EMAIL PROTECTED]
Subject: Trying to catch those latest virii....
Hi
There seems to be a virus spreading, I've received it several times, it goes like this:
Subject: Returned mail: see transcript for details
Body:
Dear user of <maildomain>,
We have received reports that your email account has been used to send a huge amount of junk email during this week.
Obviously, your computer was compromised and now runs a hidden proxy server.
Please follow our instructions in order to keep your computer safe.
Best regards, <maildomain> user support team.
Attached is a .pif file no virus scanner (yet?) detects as spam.
So I wanted to write a rule against those sentences, but whatever I try, no rule will match....
I tried:
full _MKE_xVIRUS1 /We have received reports that your email account has been used to send a huge amount of junk email/i
full _MKE_xVIRUS2 /Obviously, your computer was compromised and now runs a hidden proxy server/i
and added for each one a score and a description
I also tried body, rawbody but still NO match at all!
The Mail has a MIME Type of multipart/mixed
and the first part is:
------=_NextPart_000_0001_F824EC38.FBF36544
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
<here comes the mail body...>
Am I doing something wrong that my rules won't trigger? The file should be read, as other rules out of the same file matched regularly over the last few days...
Thanx
Matt
