Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2017/09/18 18:58:49 UTC

Legitimate dropbox accounts used for malware

Hi,
I've whitelisted dropbox so I can use some aggressive rules to block
phishing attacks involving dropbox. The problem I'm now having is
legitimate dropbox accounts are being used to send malware with links
to dropbox accounts to download these malicious files.

https://pastebin.com/raw/PFpJeYDX

This email likely would have been tagged if it wasn't for being
whitelisted by SPF. The language in the body is clearly spam.

Does anyone have any recommendations on how to handle this? I found
this because two of my users reported it. We can report it to dropbox,
but that's after the fact.

Re: Legitimate dropbox accounts used for malware

Posted by David Jones <dj...@ena.com>.
On 09/18/2017 01:58 PM, Alex wrote:
> Hi,
> I've whitelisted dropbox so I can use some aggressive rules to block
> phishing attacks involving dropbox. The problem I'm now having is
> legitimate dropbox accounts are being used to send malware with links
> to dropbox accounts to download these malicious files.
> 
> https://pastebin.com/raw/PFpJeYDX
> 
> This email likely would have been tagged if it wasn't for being
> whitelisted by SPF. The language in the body is clearly spam.
> 
> Does anyone have any recommendations on how to handle this? I found
> this because two of my users reported it. We can report it to dropbox,
> but that's after the fact.
> 

Report it to abuse@amazonaws.com and SpamCop which will also report it 
to the same Amazon abuse.

Google for "Amazon abuse" and "dropbox abuse".  Dropbox has an abuse 
reporting process page.

-- 
David Jones

Re: Legitimate dropbox accounts used for malware

Posted by John Hardin <jh...@impsec.org>.
On Mon, 18 Sep 2017, Alex wrote:

> Hi,
> I've whitelisted dropbox so I can use some aggressive rules to block
> phishing attacks involving dropbox. The problem I'm now having is
> legitimate dropbox accounts are being used to send malware with links
> to dropbox accounts to download these malicious files.
>
> https://pastebin.com/raw/PFpJeYDX
>
> This email likely would have been tagged if it wasn't for being
> whitelisted by SPF. The language in the body is clearly spam.
>
> Does anyone have any recommendations on how to handle this? I found
> this because two of my users reported it. We can report it to dropbox,
> but that's after the fact.

Don't whitelist dropbox as a whole. Whitelist specific real dropbox users 
if you must to get them past SA, on explicit request. This of course 
depends on the size of your userbase.

Alternatively, write a meta to offset *most* of the negative points from 
the whitelisting, so that the rest of the rules do still have some chance 
of having an effect.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Public Education: the bureaucratic process of replacing
   an empty mind with a closed one.                          -- Thorax
-----------------------------------------------------------------------
  Tomorrow: Talk Like a Pirate day
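
One way to write the offsetting meta suggested in the last reply, as an added example that is not part of any post in this thread. It assumes the whitelisting was done with `whitelist_from_spf`, which fires the stock `USER_IN_SPF_WHITELIST` rule; the `LOCAL_*` rule names, the address pattern and the scores are hypothetical and need tuning for the site.

```conf
# Constructed example for local.cf. LOCAL_* names, the address pattern and
# the scores are assumptions, not values taken from the thread.

ifplugin Mail::SpamAssassin::Plugin::SPF

# Before: the blanket entry the thread describes. When SPF passes it fires
# USER_IN_SPF_WHITELIST, which scores -100 by default and outweighs every
# body and URI rule that also hits.
whitelist_from_spf  *@dropbox.com

# After, step 1: non-scoring sub-rule (leading "__") that identifies the
# whitelisted sender by From address, so other whitelist entries are untouched.
header    __LOCAL_FROM_DROPBOX     From:addr =~ /\@dropbox\.com$/i

# After, step 2: the meta fires only when the whitelist hit and the sender
# match coincide, and adds back most of the -100.
meta      LOCAL_DROPBOX_WL_OFFSET  (USER_IN_SPF_WHITELIST && __LOCAL_FROM_DROPBOX)
describe  LOCAL_DROPBOX_WL_OFFSET  Offsets most of the SPF whitelist score for Dropbox senders
score     LOCAL_DROPBOX_WL_OFFSET  95.0

endif

# Net effect with these numbers: -100 + 95 = -5. A message that would have
# scored 10 or more without the whitelist still reaches a required_score of
# 5.0, while ordinary Dropbox notifications keep a 5-point head start.
```

Run `spamassassin --lint` after editing, then pass a saved copy of the reported message through `spamassassin -t` to confirm that both `USER_IN_SPF_WHITELIST` and `LOCAL_DROPBOX_WL_OFFSET` appear in the report.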