On Thu, 2016-04-21 at 16:07 +0100, RW wrote:
> On Thu, 21 Apr 2016 08:33:01 -0500
> Chip M. wrote:
>
> >
> > Starting about two hours ago, about 40% of my real-time
> > honeypot spam is a new malware campaign. About a third are
> > hitting "BAYES_00", with about 10% of all having negative SA
> > scores. :(
> >
> > Full spample (with munged email addresses):
> > http://puffin.net/software/spam/samples/0040_mal_tgz.txt
> > Content-Type: application/octet-stream; name="0005500922.tgz"
>
> I wonder how common octet-stream is with legitimate .tgz
> files.

I'd say it's not very common at all when included in a commercial
e-mail as an attached invoice, purchase order or similar document. I've
never seen one, but then again my mail volume is relatively low.

In fact I don't think I've ever seen a legitimate .tgz or .gz file that
originated outside the Linux/UNIX development environment. As such, it
should be quite safe to reject if it is detected by a suitable
meta-rule.

Martin
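
The attachment condition such a meta-rule would test, as an added Python example (not from the thread and not SpamAssassin rule syntax): it flags MIME parts declared as application/octet-stream whose filename ends in a gzip-archive suffix. The function name, the suffix list and the gzip magic-byte check are assumptions that go beyond what the thread states; both sample messages are constructed.

```python
import gzip
from email import message_from_bytes, policy
from email.message import EmailMessage

ARCHIVE_SUFFIXES = (".tgz", ".tar.gz", ".gz")   # assumed suffix list
GZIP_MAGIC = b"\x1f\x8b"                         # first two bytes of any gzip stream


def octet_stream_archives(raw: bytes):
    """Return (filename, really_gzip) for each octet-stream part named like an archive."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition filename=, then Content-Type name=
        name = (part.get_filename() or "").lower()
        if part.get_content_type() != "application/octet-stream":
            continue
        if not name.endswith(ARCHIVE_SUFFIXES):
            continue
        body = part.get_payload(decode=True) or b""
        hits.append((name, body.startswith(GZIP_MAGIC)))
    return hits


def build_sample(filename: str, maintype: str, subtype: str, data: bytes) -> bytes:
    """Constructed test message: a short 'invoice' mail with one attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "rcpt@example.invalid"
    m["Subject"] = "Invoice"
    m.set_content("Please see the attached invoice.")
    m.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return m.as_bytes()


# Constructed samples: one shaped like the quoted Content-Type line, one ordinary PDF.
SUSPECT = build_sample("0005500922.tgz", "application", "octet-stream",
                       gzip.compress(b"constructed placeholder"))
BENIGN = build_sample("invoice.pdf", "application", "pdf", b"%PDF-1.4 constructed")

if __name__ == "__main__":
    print(octet_stream_archives(SUSPECT))   # one hit
    print(octet_stream_archives(BENIGN))    # no hits
```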