John Hardin wrote:
On Thu, 19 Dec 2019, Philipp Ewald wrote:

I have a solution with ClamAV for any image that is "not allowed". In my case I create an md5sum from images I don't want to receive and put them into a hashtable.
This hashtable is placed into /var/lib/clamav/NAME.hsb

/var/lib/clamav/NAME.hsb looks like:
129895eb534a7e568b4284b6860fa93c:1245184:BitcoinImage
hash:size:"VIRUS name"

so any new mail with this attachment gets treated as a virus

To a degree that's just whack-a-mole. It would not be excessively difficult to make minor alterations to the image sufficient to change the hash without noticeably changing it visually.

It might be prohibitive to do that per-message, but sending a batch of a hundred messages while you're modifying the image for the next batch would probably work.

The ones I've seen are unique per recipient (recipient-specific past password extracted from some data breach, the phrasing of the text in the image, and probably the QR codes as well - the couple I've inspected closely all had different QR codes), and I don't think I've had anyone report more than two, *maybe* three.

Someone in the spam-sending community is probably making a nice little Christmas bonus by selling a widget to generate the images...

However, the first ~4K of the samples I've had reported are similar enough for a pattern signature suitable for a scored Clam instance.

I created a signature using a crude tool I wrote a while ago to take a set of similar files and spit out a pattern signature for a .ndb signature file. It essentially runs sigtool --hex-dump on each file, and then compares the hex values in matching positions.

http://deepnet.cx/~kdeugau/clamtools/siggen

-kgd
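An added example in Python (not kgd's siggen tool and not code from anyone in the thread) showing both approaches side by side: the hash:size:name line Philipp quotes, and a crude .ndb pattern built by comparing bytes at matching positions across a set of similar files, as kgd describes. The sample files are constructed; the ??? single-byte wildcard, target type 0 and the Name:TargetType:Offset:HexSignature layout are ClamAV's documented .ndb syntax.

```python
import hashlib

# Constructed stand-ins for the per-recipient spam images: a shared 32-byte
# layout in which positions 0, 9 and 31 change from sample to sample.
BASE = bytes(range(0x20, 0x40))

def variant(*changes):
    buf = bytearray(BASE)
    for pos, val in changes:
        buf[pos] = val
    return bytes(buf)

SAMPLES = [variant((0, 0x01), (9, 0xaa), (31, 0x10)),
           variant((0, 0x02), (9, 0xbb), (31, 0x20)),
           variant((0, 0x03), (9, 0xcc), (31, 0x30))]

def hash_sig(data, name):
    """hash:size:name line as quoted in the thread (md5 of the whole file)."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"

def pattern_sig(samples, name, target=0, prefix=4096):
    """Build a .ndb line (Name:TargetType:Offset:HexSignature) from the common
    prefix: a byte shared by every sample is emitted as hex, one that differs
    becomes ClamAV's single-byte wildcard '??'."""
    cells = []
    for i in range(min(prefix, *(len(s) for s in samples))):
        column = {s[i] for s in samples}
        cells.append(f"{column.pop():02x}" if len(column) == 1 else "??")
    # Fixed bytes are needed at both ends; the leading wildcards that get
    # trimmed here become the absolute offset field instead.
    start, end = 0, len(cells)
    while start < end and cells[start] == "??":
        start += 1
    while end > start and cells[end - 1] == "??":
        end -= 1
    if sum(c != "??" for c in cells[start:end]) < 2:
        raise ValueError("samples share too few bytes for a pattern signature")
    return f"{name}:{target}:{start}:{''.join(cells[start:end])}"

def matches(data, sig):
    """Tiny matcher for the signatures emitted above (absolute offset and
    '??' only); a sanity check, not a stand-in for clamscan."""
    _, _, offset, hexsig = sig.split(":")
    cells = [hexsig[i:i + 2] for i in range(0, len(hexsig), 2)]
    if len(data) < int(offset) + len(cells):
        return False
    return all(c == "??" or data[int(offset) + k] == int(c, 16)
               for k, c in enumerate(cells))
```

A fourth variant with fresh per-recipient bytes gets a different md5, so the hash line no longer matches it, while the pattern still does; that is the whack-a-mole point John makes above.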
