Posted to users@spamassassin.apache.org by Bob Pierce <pi...@westmancom.com> on 2008/08/20 23:53:35 UTC

UPS / FedEx spam with virus attached

We've been seeing lots of messages with contents similar to this:

"Unfortunately we were not able to deliver postal package you
sent on July the 25 in time because the recipient's address is not
correct.
Please print out the invoice copy attached and collect the package at
our office."

Of course the zip attachment contains a virus, and ClamAV does not seem
to be catching that either.

Has anyone else been getting lots of these? If so, what are you doing to
block them?

Bob

Re: UPS / FedEx spam with virus attached

Posted by jdow <jd...@earthlink.net>.
I know F-Secure is experiencing problems with the new family of malware.
They've had at least two "mis-fires" on legitimate system files and
things like the googletoolbarinstall.exe file. I bet ClamAV is also
aware of the potential for misfires on legitimate files which is making
them slow on the update.

With the recent "wide open" crack for Vista I figure the AV people have
their hands full trying to block those exploits. (The new exploit happens
to exploit the security measures in Vista. Oops!)

So as you notice the files, generate rules to block them. I often put a
score over 100 on such things with the plan to someday direct such to a
severe pig-pen or perhaps /dev/null.

{^_^}
----- Original Message ----- 
From: "Bob Pierce" <pi...@westmancom.com>
Sent: Wednesday, 2008, August 20 14:53


> We've been seeing lots of messages with contents similar to this:
> 
> "Unfortunately we were not able to deliver postal package you
> sent on July the 25 in time because the recipient's address is not
> correct.
> Please print out the invoice copy attached and collect the package at
> our office."
> 
> Of course the zip attachment contains a virus, and ClamAV does not seem
> to be catching that either.
> 
> Has anyone else been getting lots of these? If so, what are you doing to
> block them?
> 
> Bob

RE: UPS / FedEx spam with virus attached

Posted by Giampaolo Tomassoni <g....@libero.it>.
> -----Original Message-----
> From: Bob Pierce [mailto:pierceb@westmancom.com]
> Sent: Wednesday, August 20, 2008 11:54 PM
> To: users@spamassassin.apache.org
> Subject: UPS / FedEx spam with virus attached
> 
> We've been seeing lots of messages with contents similar to this:
> 
> "Unfortunately we were not able to deliver postal package you
> sent on July the 25 in time because the recipient's address is not
> correct.
> Please print out the invoice copy attached and collect the package at
> our office."
> 
> Of course the zip attachment contains a virus, and ClamAV does not seem
> to be catching that either.
> 
> Has anyone else been getting lots of these? If so, what are you doing
> to
> block them?

In small amavisd-based setups like mine you can easily ban .exe and the
like.

Anyway, this kind of message should get enough spam points to be blocked.
How much do they score in your setup?

Giampaolo

> 
> Bob


Re: UPS / FedEx spam with virus attached

Posted by Matt Garretson <ma...@assembly.state.ny.us>.
Bob Pierce wrote:
> Of course the zip attachment contains a virus, and ClamAV does not seem
> to be catching that either.


At my site, ClamAV has been catching them as "Email.Trojan.GZC" for 
some time.  You might want to check your ClamAV patterns and/or config.

For newer ones that Clam doesn't yet catch, MIMEdefang might be an option
if you use sendmail.  filter_bad_filename() is the applicable function.

-Matt

Re: UPS / FedEx spam with virus attached

Posted by Sanesecurity <st...@webtribe.net>.


Bob Pierce wrote:
> 
> Has anyone else been getting lots of these? If so, what are you doing to
> block them?
Hi Bob,

Try adding these signatures to your clamav database and restart clamd.

http://www.sanesecurity.co.uk/clamav/downloads.htm
http://www.sanesecurity.co.uk/clamav/usage.htm

I've been blocking these for a quite a few days now:

(Email.Malware.Sanesecurity.08072227 [added 22nd July 2008])

Cheers,

Steve
Sanesecurity


RE: UPS / FedEx spam with virus attached

Posted by Giampaolo Tomassoni <g....@libero.it>.
> -----Original Message-----
> From: Michael Scheidell [mailto:scheidell@secnap.net]
> Sent: Thursday, August 21, 2008 12:12 AM
> To: Bob Pierce; users@spamassassin.apache.org
> Subject: Re: UPS / FedEx spam with virus attached
> 
> 
> > From: Bob Pierce <pi...@westmancom.com>
> > Date: Wed, 20 Aug 2008 16:53:35 -0500
> > To: <us...@spamassassin.apache.org>
> > Subject: UPS / FedEx spam with virus attached
> >
> > We've been seeing lots of messages with contents similar to this:
> >
> > "Unfortunately we were not able to deliver postal package you
> > sent on July the 25 in time because the recipient's address is not
> > correct.
> > Please print out the invoice copy attached and collect the package at
> > our office."
> >
> > Of course the zip attachment contains a virus, and ClamAV does not
> seem
> > to be catching that either.
> >
> > Has anyone else been getting lots of these? If so, what are you doing
> to
> > block them?
> 
> We use amavisd-new to quarantine any zip files with executables.
> 
> Oh, the postal one is old.  Watch for a new one.  Journalists shot in
> georgia.
> Password protected zip file.  Password in email
> Any user who goes through the trouble to unzip/put in password then
> click on
> executable deserves to get infected. (clamav can mark encrypted files
> as
> 'virus' if you edit the clamd.conf file)

Often these messages carry the very same encrypted zip file, so it may
help to report the encrypted zip to the ClamAV database: they will mark the
file as "encrypted virus" or something like that.

I did so once some days ago and it worked. Not a blazing round-trip time, but
nevertheless it did the job.

Giampaolo

> 
> --
> Michael Scheidell, CTO
> >|SECNAP Network Security
> Winner 2008 Network Products Guide Hot Companies
> FreeBSD SpamAssassin Ports maintainer
> 
> 
> 
> >
> > Bob
> >


Re: UPS / FedEx spam with virus attached

Posted by jdow <jd...@earthlink.net>.
From: "Michael Scheidell" <sc...@secnap.net>
Sent: Wednesday, 2008, August 20 15:12
>
>> From: Bob Pierce <pi...@westmancom.com>
>> Date: Wed, 20 Aug 2008 16:53:35 -0500
>> To: <us...@spamassassin.apache.org>
>> Subject: UPS / FedEx spam with virus attached
>>
>> We've been seeing lots of messages with contents similar to this:
>>
>> "Unfortunately we were not able to deliver postal package you
>> sent on July the 25 in time because the recipient's address is not
>> correct.
>> Please print out the invoice copy attached and collect the package at
>> our office."
>>
>> Of course the zip attachment contains a virus, and ClamAV does not seem
>> to be catching that either.
>>
>> Has anyone else been getting lots of these? If so, what are you doing to
>> block them?
>
> We use amavisd-new to quarantine any zip files with executables.
>
> Oh, the postal one is old.  Watch for a new one.  Journalists shot in
> georgia.
> Password protected zip file.  Password in email
> Any user who goes through the trouble to unzip/put in password then click 
> on
> executable deserves to get infected. (clamav can mark encrypted files as
> 'virus' if you edit the clamd.conf file)

And THAT one is getting old. There will be a new one. It's times like
this that need extreme agility on the part of making rules.

{^_^} 


Re: UPS / FedEx spam with virus attached

Posted by Michael Scheidell <sc...@secnap.net>.
> From: Bob Pierce <pi...@westmancom.com>
> Date: Wed, 20 Aug 2008 16:53:35 -0500
> To: <us...@spamassassin.apache.org>
> Subject: UPS / FedEx spam with virus attached
> 
> We've been seeing lots of messages with contents similar to this:
> 
> "Unfortunately we were not able to deliver postal package you
> sent on July the 25 in time because the recipient's address is not
> correct.
> Please print out the invoice copy attached and collect the package at
> our office."
> 
> Of course the zip attachment contains a virus, and ClamAV does not seem
> to be catching that either.
> 
> Has anyone else been getting lots of these? If so, what are you doing to
> block them?

We use amavisd-new to quarantine any zip files with executables.

Oh, the postal one is old.  Watch for a new one.  Journalists shot in
Georgia.
Password protected zip file.  Password in email.
Any user who goes through the trouble to unzip/put in password then click on
executable deserves to get infected. (clamav can mark encrypted files as
'virus' if you edit the clamd.conf file)

-- 
Michael Scheidell, CTO
>|SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer



> 
> Bob
> 

_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.spammertrap.com
_________________________________________________________________________
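An added example, not code from the thread or from any of its posters, of the two checks Michael and Giampaolo describe: flag zip attachments that carry executables, and flag zip entries whose encryption bit is set (what clamd does when configured to treat encrypted archives as malware). The extension list, the function names and the sample lure message are assumptions constructed for the example.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")  # assumed ban list

def zip_findings(data):
    """Return [(member, reason)] for executables and encrypted entries in a zip blob."""
    out = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # general-purpose flag bit 0: entry is encrypted
                out.append((info.filename, "encrypted entry"))
            if info.filename.lower().endswith(EXEC_EXTS):
                out.append((info.filename, "executable inside archive"))
    return out

def scan_message(raw):
    """Walk every attachment of a raw message; return [(attachment, member, reason)]."""
    msg = message_from_bytes(raw, policy=policy.default)
    out = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip") or part.get_content_type() == "application/zip":
            for member, reason in zip_findings(part.get_payload(decode=True)):
                out.append((name, member, reason))
    return out

def mark_encrypted(blob):
    """Test helper: set flag bit 0 in each local/central header (zipfile cannot write encrypted archives); headers only, no real crypto."""
    b = bytearray(blob)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = b.find(sig)
        while i != -1:
            b[i + off] |= 1
            i = b.find(sig, i + 4)
    return bytes(b)

def build_sample(encrypted=False):
    """Constructed lure in the thread's style: invoice.zip holding invoice.exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.exe", b"MZ constructed sample, not a real program")
    blob = mark_encrypted(buf.getvalue()) if encrypted else buf.getvalue()
    msg = EmailMessage()
    msg.set_content("Unfortunately we were not able to deliver postal package you sent.")
    msg.add_attachment(blob, maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()
```

In a real filter the findings would feed a quarantine decision or a SpamAssassin score rather than be returned to the caller.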