Posted to users@spamassassin.apache.org by Rob McEwen <ro...@invaluement.com> on 2018/03/27 12:00:31 UTC

sneaky spams w/zipped URL file, easily caught by "Thread-Index"

Today, MANY sneaky spams are being sent with an attached zipped 
malicious URL/shortcut file.

Most or all of these are easily caught by Thread-Index, as follows:

Thread-Index: AdBx5/5UsdSTxflQTPi+FyODmVaqhA==

Perhaps someone can make a rule for this and post it here?

I already set this in another non-SA part of my anti-spam system, but 
the rule might help others here. There are also other attributes that 
could become an SA rule that would cause a hit even if the Thread-Index 
changed, but that will require a little bit more effort.

-- 
Rob McEwen
https://www.invaluement.com
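
Added example, not code from the post or from SpamAssassin: a Python check that implements the exact Thread-Index match Rob describes and, in the spirit of the Sanesecurity Foxhole Zip_url signature mentioned later in the thread, also lists .url files found inside .zip attachments. The SpamAssassin rule in the comment uses an assumed local rule name and score, and the test message is constructed here rather than taken from the pastebin sample.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Thread-Index value quoted in the original post; an unchanging value across a run is the signal.
SPAM_THREAD_INDEX = "AdBx5/5UsdSTxflQTPi+FyODmVaqhA=="

# Equivalent SpamAssassin local rule (rule name and score are assumed, not from the thread):
#   header   LOCAL_ZIPURL_THREAD_INDEX Thread-Index =~ /^AdBx5\/5UsdSTxflQTPi\+FyODmVaqhA==$/
#   describe LOCAL_ZIPURL_THREAD_INDEX Thread-Index seen in zipped URL-file spam run
#   score    LOCAL_ZIPURL_THREAD_INDEX 5.0

def thread_index_matches(msg: EmailMessage) -> bool:
    """True when the message carries exactly the Thread-Index from the spam run."""
    return (msg.get("Thread-Index") or "").strip() == SPAM_THREAD_INDEX

def zip_url_members(msg: EmailMessage) -> list:
    """Names of .url (Internet Shortcut) members inside any .zip attachment."""
    found = []
    for part in msg.iter_attachments():
        if not (part.get_filename() or "").lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                found.extend(n for n in zf.namelist() if n.lower().endswith(".url"))
        except zipfile.BadZipFile:
            continue  # malformed archive: nothing to inspect here, leave it to other rules
    return found

def classify(raw: bytes) -> dict:
    """Run both checks over a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {"thread_index_hit": thread_index_matches(msg), "zip_url_members": zip_url_members(msg)}

def build_sample() -> bytes:
    """Constructed test message (not the thread's pastebin sample): a zip holding one .url file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Purchase Order.url", "[InternetShortcut]\r\nURL=http://example.invalid/\r\n")
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.invalid", "b@example.invalid", "Purchase Order"
    m["Thread-Index"] = SPAM_THREAD_INDEX
    m.set_content("See attached order.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="Purchase Order_4014053_27032018.zip")
    return m.as_bytes()
```

A message that only matches on Thread-Index but carries no zip is still a hit on the header check alone, which is what makes the header rule cheap to run ahead of ClamAV.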



Re: sneaky spams w/zipped URL file, easily caught by "Thread-Index"

Posted by Dave Wreski <dw...@guardiandigital.com>.
Hi,

>> Excellent... except for one potential problem... this is in their 
>> "foxhole_all.cdb" file which they label as "high false positive risk" 
>> - which could scare some away!
>>
>> For those who don't score very high on ClamAv and/or who are able to 
>> score DIFFERENTLY based on different types of Sanesecurity and/or 
>> ClamAv results, this is probably OK. But for others who prefer to 
>> either outright block or score high on ClamAv, that MIGHT present a 
>> problem. On the other hand, maybe Sanesecurity is just being overly 
>> cautious (or considering more theoretical FNs?), and such actual FPs 
>> in real world mail flow are actually extremely rare?
>>
>> Any Thoughts? Anyone know?
>>
> 
> That's interesting because I probably wouldn't have started using 
> foxhole_all.cdb if it had been classified like that then.  I am not 
> getting any reports or finding any problems with FPs.

foxhole_all is just a few dozen(?) lines of rules to tag file types 
within zip/rar/7z/arj/exe files.

Perhaps because you're outright rejecting many of these file types already?

Regards,
Dave

> 
> 3,110,729 total messages* since March 15th
> 112,477 spam blocked
> 2,071 total viruses found
> 8 Foxhole viruses found
> 
> *After MTA rejects based on RBLs and other DNS checks
> 
> -- 
> Dave Jones

Re: sneaky spams w/zipped URL file, easily caught by "Thread-Index"

Posted by David Jones <dj...@ena.com>.
On 03/27/2018 09:37 AM, Rob McEwen wrote:
> On 3/27/2018 9:48 AM, David Jones wrote:
>> Looks like ClamAV UNOFFICIAL sigs are detecting this:
>> Clamd: message was infected: Sanesecurity.Foxhole.Zip_url.UNOFFICIAL 
> 
> 
> David,
> 
> Excellent... except for one potential problem... this is in their 
> "foxhole_all.cdb" file which they label as "high false positive risk" - 
> which could scare some away!
> 
> For those who don't score very high on ClamAv and/or who are able to 
> score DIFFERENTLY based on different types of Sanesecurity and/or ClamAv 
> results, this is probably OK. But for others who prefer to either 
> outright block or score high on ClamAv, that MIGHT present a problem. On 
> the other hand, maybe Sanesecurity is just being overly cautious (or 
> considering more theoretical FNs?), and such actual FPs in real world 
> mail flow are actually extremely rare?
> 
> Any Thoughts? Anyone know?
> 

That's interesting because I probably wouldn't have started using 
foxhole_all.cdb if it had been classified like that then.  I am not 
getting any reports or finding any problems with FPs.

3,110,729 total messages* since March 15th
112,477 spam blocked
2,071 total viruses found
8 Foxhole viruses found

*After MTA rejects based on RBLs and other DNS checks

--
Dave Jones
-- 
David Jones

Re: sneaky spams w/zipped URL file, easily caught by "Thread-Index"

Posted by Rob McEwen <ro...@invaluement.com>.
On 3/27/2018 9:48 AM, David Jones wrote:
> Looks like ClamAV UNOFFICIAL sigs are detecting this:
> Clamd: message was infected: Sanesecurity.Foxhole.Zip_url.UNOFFICIAL 


David,

Excellent... except for one potential problem... this is in their 
"foxhole_all.cdb" file which they label as "high false positive risk" - 
which could scare some away!

For those who don't score very high on ClamAv and/or who are able to 
score DIFFERENTLY based on different types of Sanesecurity and/or ClamAv 
results, this is probably OK. But for others who prefer to either 
outright block or score high on ClamAv, that MIGHT present a problem. On 
the other hand, maybe Sanesecurity is just being overly cautious (or 
considering more theoretical FNs?), and such actual FPs in real world 
mail flow are actually extremely rare?

Any Thoughts? Anyone know?

-- 
Rob McEwen
https://www.invaluement.com


Re: sneaky spams w/zipped URL file, easily caught by "Thread-Index"

Posted by David Jones <dj...@ena.com>.
On 03/27/2018 08:24 AM, Pedro David Marco wrote:
> Thanks Rob, can you pastebin a sample??
> 
> 
> ----
> PedroD
> 

Looks like ClamAV UNOFFICIAL sigs are detecting this:

Clamd: message was infected: Sanesecurity.Foxhole.Zip_url.UNOFFICIAL
Clamd: Purchase Order_4014053_27032018.zip was infected: 
Sanesecurity.Foxhole.Zip_url.UNOFFICIAL

https://pastebin.com/WwUbWCQY

-- 
David Jones

Re: sneaky spams w/zipped URL file, easily caught by "Thread-Index"

Posted by Pedro David Marco <pe...@yahoo.com>.
Thanks Rob, can you pastebin a sample??

----
PedroD