On 10/3/2016 4:30 PM, John Hardin wrote:
On Mon, 3 Oct 2016, Axb wrote:
On 10/03/2016 09:03 PM, John Hardin wrote:
On Mon, 3 Oct 2016, Axb wrote:
> On 10/03/2016 07:46 PM, Alex wrote:
> > Hi,
> >
> > These are a real concern. If you receive any kind of real mail volume,
> > you're receiving these too, and they're not always being caught by
> > RBLs or virus scanners. Or even our well-trained bayes.
> >
> > http://pastebin.com/YhLBqpKm
> >
> > I used to have some rules that would reliably block them, but they're
> > not performing well now at all.
> >
> > I'm posting this in hopes someone has some other ideas, as well as to
> > raise awareness about their existence.
> >
> > Ideas greatly appreciated.
SA isn't the right tool to detect virus-infected attachments.
Agreed, but *phishing* PDFs are appropriate to detect, as are 419 scam
PDFs (which I am starting to see).
John,
That sample has an attached bulk_inquiry_317141.doc, not a PDF.
Yeah. I was (too) quickly responding to "phishing" and "PDF" in the
subject line, and bayes not catching them.
ClamAV is probably the correct approach to macro-based malware, unless
we want to do a MS Office document plugin with something like an eval
for has_macros().
I haven't looked at the spample doc in detail, but I will (again) plug
my email sanitizer, which does document macro scanning and might be
able to catch these:
http://www.impsec.org/email-tools/procmail-security.html
Some of the approaches there could probably be usefully extracted to
SA plugins.
There's been discussion on the MIMEDefang list about dealing with Word
macros, and some people have posted good Perl snippets as well that you
can add to your filters if you use it. If you just want to detect the
presence of macros in any form, writing that in ClamAV's signature
system would probably be doable, but far more annoying than just a bit
of code.
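Added example, not part of the thread and not code from SpamAssassin, ClamAV, MIMEDefang or the impsec sanitizer: a small has_macros() heuristic of the kind John suggests for an Office-document plugin. It covers both containers Office uses, the OLE2 compound file the bulk_inquiry sample is (.doc/.xls/.ppt) and the OOXML zip (.docm/.xlsm/...). For OLE2 it looks for the UTF-16LE directory-entry names a VBA project leaves behind rather than walking the full sector chain; for OOXML it checks the zip part list and [Content_Types].xml. The sample documents are constructed in the block, and every function name is my own.

```python
"""has_macros(): does this Office attachment carry a VBA project?

Constructed example. Two container formats are handled:

  * OLE2 / CFB (.doc, .xls, .ppt): Word keeps VBA in a storage named "Macros",
    Excel in "_VBA_PROJECT_CUR"; both contain a "VBA" storage. Directory-entry
    names are stored as UTF-16LE, so we search for those names in that
    encoding anywhere in the file (a heuristic, not a full CFB parser).
  * OOXML (.docx/.docm/.xlsm/...): a ZIP whose part tree contains
    vbaProject.bin, declared in [Content_Types].xml with the vbaProject type.
"""
import io
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_MAGIC = b"PK\x03\x04"

# Storage names (as UTF-16LE) that hold a VBA project in OLE2 Office files.
_OLE_CONTAINER_NAMES = [n.encode("utf-16-le") for n in ("Macros", "_VBA_PROJECT_CUR")]
_OLE_VBA_NAMES = [n.encode("utf-16-le") for n in ("VBA", "_VBA_PROJECT")]

_OOXML_VBA_CTYPE = b"application/vnd.ms-office.vbaProject"


def _ole_has_macros(data: bytes) -> bool:
    # "VBA" alone is short enough to match by accident in UTF-16 text, so
    # require it together with one of the container storages.
    has_container = any(name in data for name in _OLE_CONTAINER_NAMES)
    has_vba = any(name in data for name in _OLE_VBA_NAMES)
    return has_container and has_vba


def _ooxml_has_macros(data: bytes) -> bool:
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # The macro part itself, wherever it sits in the part tree.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            # Or a content-type declaration for one.
            if "[Content_Types].xml" in names:
                return _OOXML_VBA_CTYPE in zf.read("[Content_Types].xml")
    except zipfile.BadZipFile:
        return False
    return False


def has_macros(data: bytes) -> bool:
    """True if the attachment looks like an Office file carrying VBA."""
    if data.startswith(OLE_MAGIC):
        return _ole_has_macros(data)
    if data.startswith(ZIP_MAGIC):
        return _ooxml_has_macros(data)
    return False  # not an Office container we understand


# --- constructed sample attachments (not real malware, not real documents) ---

def _fake_ole(names):
    """Stand-in for an OLE2 file: real header magic, then UTF-16LE directory
    entry names padded to the 128-byte entry size a CFB directory uses."""
    entries = b"".join(n.encode("utf-16-le").ljust(64, b"\x00") + b"\x00" * 64
                       for n in names)
    return OLE_MAGIC + b"\x00" * 504 + entries


def _fake_ooxml(parts):
    """Stand-in for an OOXML file: a zip with the given part names/contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


CLEAN_DOC = _fake_ole(["Root Entry", "WordDocument", "1Table", "\x05SummaryInformation"])
MACRO_DOC = _fake_ole(["Root Entry", "WordDocument", "Macros", "VBA", "dir", "ThisDocument"])
CLEAN_DOCX = _fake_ooxml({"[Content_Types].xml": b"<Types/>",
                          "word/document.xml": b"<w:document/>"})
MACRO_DOCM = _fake_ooxml({
    "[Content_Types].xml": b'<Types><Override PartName="/word/vbaProject.bin" '
                           b'ContentType="application/vnd.ms-office.vbaProject"/></Types>',
    "word/vbaProject.bin": b"\x00",
})
NOT_OFFICE = b"%PDF-1.4\n%constructed, not an Office file\n"

if __name__ == "__main__":
    for label, blob in [("clean .doc", CLEAN_DOC), ("macro .doc", MACRO_DOC),
                        ("clean .docx", CLEAN_DOCX), ("macro .docm", MACRO_DOCM),
                        ("pdf", NOT_OFFICE)]:
        print(f"{label:12s} has_macros={has_macros(blob)}")
```

In a SpamAssassin plugin this would run over each decoded MIME part and feed an eval rule; a hit means "contains a VBA project", not "malicious", so score it alongside other evidence rather than as a block on its own.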