On Mon, 3 Oct 2016, Axb wrote:
> On 10/03/2016 09:03 PM, John Hardin wrote:
> > On Mon, 3 Oct 2016, Axb wrote:
> > > On 10/03/2016 07:46 PM, Alex wrote:
> > > > Hi,
> > > >
> > > > These are a real concern. If you receive any kind of real mail volume,
> > > > you're receiving these too, and they're not always being caught by
> > > > RBLs or virus scanners. Or even our well-trained bayes.
> > > >
> > > > http://pastebin.com/YhLBqpKm
> > > >
> > > > I used to have some rules that would reliably block them, but they're
> > > > not performing well now at all.
> > > >
> > > > I'm posting this in hopes someone has some other ideas, as well as to
> > > > raise awareness about their existence.
> > > >
> > > > Ideas greatly appreciated.
> > >
> > > SA isn't the right tool to detect virus infected attachments
> >
> > Agreed, but *phishing* PDFs are appropriate to detect, as are 419 scam
> > PDFs (which I am starting to see).
>
> John,
>
> That sample has an attached bulk_inquiry_317141.doc
> not a PDF.
Yeah. I was (too) quickly responding to "phishing" and "PDF" in the
subject line, and bayes not catching them.

ClamAV is probably the correct approach to macro-based malware, unless we
want to do a MS Office document plugin with something like an eval for
has_macros().

I haven't looked at the spample doc in detail, but I will (again) plug my
email sanitizer, which does document macro scanning and might be able to
catch these:

http://www.impsec.org/email-tools/procmail-security.html

Some of the approaches there could probably be usefully extracted to SA
plugins.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Your mouse has moved. Your Windows Operating System must be
relicensed due to this hardware change. Please contact Microsoft
to obtain a new activation key. If this hardware change results in
added functionality you may be subject to additional license fees.
Your system will now shut down. Thank you for choosing Microsoft.
-----------------------------------------------------------------------
286 days since the first successful real return to launch site (SpaceX)
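The has_macros() eval John floats above, as an added illustration that is not SpamAssassin code, the email sanitizer, or anything posted in the thread: a stand-alone Python check that reports whether an Office attachment carries a VBA project, by walking the OLE2 directory of a legacy .doc/.xls for the Macros / VBA / _VBA_PROJECT_CUR storages and by looking for vbaProject.bin inside a zipped .docm/.xlsm. The build_ole and build_ooxml helpers are constructed test inputs rather than real documents, and the OLE walk assumes the FAT fits in the header's 109 DIFAT slots (files under roughly 7 MB).

```python
import io, struct, zipfile
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
VBA_NAMES = {"macros", "vba", "_vba_project_cur"}  # Word / generic / Excel VBA storages
ENDOFCHAIN, FATSECT, FREESECT = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF

def _ole_dir_names(data):
    """Yield OLE2 directory entry names; assumes the FAT fits the header's 109 DIFAT slots."""
    sector = 1 << struct.unpack_from("<H", data, 30)[0]
    fat = [v for sec in struct.unpack_from("<109I", data, 76) if (sec + 2) * sector <= len(data)
           for v in struct.unpack_from("<%dI" % (sector // 4), data, (sec + 1) * sector)]
    sec, seen = struct.unpack_from("<I", data, 48)[0], set()  # first directory sector
    while sec < len(fat) and sec not in seen:  # follow the directory stream's FAT chain
        seen.add(sec)
        chunk = data[(sec + 1) * sector:(sec + 2) * sector]
        for i in range(0, len(chunk) - 127, 128):  # 128-byte directory entries
            nlen = struct.unpack_from("<H", chunk, i + 64)[0]  # name length incl. NUL
            if 2 <= nlen <= 64:
                yield chunk[i:i + nlen - 2].decode("utf-16-le", "replace")
        sec = fat[sec]

def has_macros(data):
    """True when the attachment carries a VBA project (the has_macros() eval idea)."""
    if data[:8] == OLE_MAGIC and len(data) >= 512:
        return any(n.lower() in VBA_NAMES for n in _ole_dir_names(data))
    if data[:2] == b"PK":  # OOXML (.docm/.xlsm): a zip whose macros live in vbaProject.bin
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
        except zipfile.BadZipFile:
            return False
    return False

def build_ole(names):
    """Constructed input: minimal OLE2 layout (512-byte sectors, FAT in sector 0, directory in sector 1)."""
    hdr = OLE_MAGIC + bytes(16) + struct.pack("<5H", 0x3E, 3, 0xFFFE, 9, 6) + bytes(6)
    hdr += struct.pack("<10I", 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0, 0) + b"\xff" * 432
    fat = struct.pack("<2I", FATSECT, ENDOFCHAIN) + struct.pack("<I", FREESECT) * 126
    entries = b""
    for name in ["Root Entry"] + list(names)[:3]:  # at most 3 entries fit after Root Entry
        raw = name.encode("utf-16-le") + b"\x00\x00"
        entries += raw.ljust(64, b"\x00") + struct.pack("<H", len(raw)) + bytes(62)
    return hdr + fat + entries.ljust(512, b"\x00")

def build_ooxml(members):
    """Constructed input: a zip with the given member names, shaped like .docx/.docm."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in members:
            z.writestr(name, b"\x00")
    return buf.getvalue()
```

Behind a SpamAssassin eval rule a hit would be one scored signal next to ClamAV, not a verdict on its own, since plenty of legitimate business documents also carry macros.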