On 07/07/2017 03:08 PM, Alex wrote:
> Hi,
>
> On Fri, Jul 7, 2017 at 3:45 PM, John Hardin <jhar...@impsec.org> wrote:
>> On Fri, 7 Jul 2017, Alex wrote:
>>
>>> It's just a short body with a URI which downloads malware. We got hit
>>> by this pretty hard. This is where the real threats are. Receive one
>>> of these to an Exchange distribution list and your reputation with the
>>> customer suffers badly.
>>
>> Defense in depth. For that sort of thing you also need dynamic blocking of
>> the malware hosts (as much as is possible) in either your site web proxy (if
>> you have one) or your firewall rules.
>
> Yes, absolutely. We have scripts that can be used to populate local
> RBLs that extract the from, IPs, etc, and provide the ability to drop
> them into a postfix client_access blocklist. It's easy to stop them
> after the fact.
>
> The problem (in this case) was that they were received over the course
> of a few days during the 4th holiday, then we got burnt when everyone
> came back to the office. Generally, though, there could be ten
> malicious emails received, a handful will actually click, while others
> report them, which is enough to tarnish reputation.
>
> When there's a small handful of malicious emails that make it through,
> among hundreds of thousands received per day, it's just not possible
> to go through them. A more automated or assisted method is necessary,
> or better protection to begin with...


Alex,

Since you have the Invaluement feed, do you have the Invaluement URIBL rules set up? (Not just the sip.invaluement.com RBL.) These catch a lot of malicious URLs:

##{ URIBL_IVMURI ifplugin Mail::SpamAssassin::Plugin::URIDNSBL

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL

urirhssub       URIBL_IVMURI    uri.invaluement.com. A 2
body            URIBL_IVMURI    eval:check_uridnsbl('URIBL_IVMURI')
describe        URIBL_IVMURI    listed on ivmSIP/24 found at invaluement.com
tflags          URIBL_IVMURI    net
score           URIBL_IVMURI    8.2

urirhssub       URIBL_IVMRHSBL  uri.invaluement.com.   A    127.0.0.2
tflags          URIBL_IVMRHSBL  net
score           URIBL_IVMRHSBL  3.2

endif
##} URIBL_IVMURI ifplugin Mail::SpamAssassin::Plugin::URIDNSBL

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
reuse           URIBL_IVMURI
endif
##} ifplugin Mail::SpamAssassin::Plugin::URIDNSBL


ifplugin Mail::SpamAssassin::Plugin::DNSEval

header RCVD_IN_IVMBL eval:check_rbl('ivmbl-lastexternal','sip.invaluement.com')
tflags          RCVD_IN_IVMBL   net
score           RCVD_IN_IVMBL   4.2

header RCVD_IN_IVM24BL eval:check_rbl('ivm24bl-lastexternal','sip24.invaluement.com')
tflags          RCVD_IN_IVM24BL net
score           RCVD_IN_IVM24BL 3.2

endif


--
Dave
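As an added example, not part of this thread: a small Python reimplementation of how the two urirhssub subtests above (the bitmask 2 and the dotted quad 127.0.0.2) are applied to the A record that a uri.invaluement.com lookup returns. The DNS answers are constructed inline, and the matching rule (bitmask ANDed against the returned address, dotted quad compared exactly) is my reading of the URIDNSBL plugin's documented behaviour, not code taken from SpamAssassin.

```python
import re
from ipaddress import IPv4Address

# Copy of the URIBL lines from the config above (embedded so the demo runs offline).
CONFIG = """
urirhssub       URIBL_IVMURI    uri.invaluement.com. A 2
body            URIBL_IVMURI    eval:check_uridnsbl('URIBL_IVMURI')
score           URIBL_IVMURI    8.2
urirhssub       URIBL_IVMRHSBL  uri.invaluement.com.   A    127.0.0.2
score           URIBL_IVMRHSBL  3.2
"""


def parse_rules(cfg):
    """Collect the zone, subtest and score of each urirhssub rule by rule name."""
    rules = {}
    for line in cfg.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "urirhssub":
            rules.setdefault(parts[1], {})["zone"] = parts[2]
            rules[parts[1]]["subtest"] = parts[4]
        elif len(parts) == 3 and parts[0] == "score":
            rules.setdefault(parts[1], {})["score"] = float(parts[2])
    return rules


def subtest_hits(subtest, answer):
    """Dotted-quad subtest: hit only on an exact match.
    Integer subtest: treated as a bitmask, hit if any mask bit is set in the
    returned address (assumed semantics, see lead-in)."""
    if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", subtest):
        return IPv4Address(answer) == IPv4Address(subtest)
    return int(IPv4Address(answer)) & int(subtest) != 0


def evaluate(rules, answers):
    """answers maps a zone to the list of A records its lookup returned
    (constructed here; an unlisted URI simply has no entry).
    Returns {rule_name: score} for every rule whose subtest matched."""
    hits = {}
    for name, rule in rules.items():
        for record in answers.get(rule["zone"], []):
            if subtest_hits(rule["subtest"], record):
                hits[name] = rule["score"]
                break
    return hits
```

With a 127.0.0.2 answer both rules fire, so a single ivmURI listing adds 8.2 + 3.2 to the score, while a 127.0.0.3 answer trips only the bitmask rule; keep that in mind when tuning the two scores.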
