Posted to users@spamassassin.apache.org by "David F. Skoll" <df...@roaringpenguin.com> on 2013/06/21 19:40:01 UTC
New virus outbreak with malformed payload
Hi,
We're seeing a huge rash of viruses with malformed payloads. They're
supposed to contain a ZIP file, but the MIME part supposedly containing
the ZIP file simply contains:
Error[Base64]
Sample: http://pastebin.com/fkjf9LHR
Yesterday, they were "Scanned Copy" spams from an HP printer. Today they
are "Invoice Notification for June 2013" spams.
Annoyingly, the envelope sender is no-reply@intuit.com which has an
SPF permerror... FAIL.
$ spfquery --id intuit.com --ip 192.168.1.1
permerror
intuit.com ... spf-ext-a.intuit.com: Maximum DNS-interactive terms limit (10) exceeded
intuit.com ... spf-ext-a.intuit.com: Maximum DNS-interactive terms limit (10) exceeded
Received-SPF: permerror (intuit.com ... spf-ext-a.intuit.com: Maximum DNS-interactive terms limit (10) exceeded) identity=mailfrom; envelope-from=intuit.com
*sigh*
Anyone else seeing tons of these?
Regards,
David.
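The permerror in the spfquery output above comes from RFC 7208 section 4.6.4, which caps the number of DNS-interactive terms (include, a, mx, ptr, exists, redirect) in an SPF evaluation at 10, counted across every included record. As an added illustration that is not part of this thread, the following Python counts those terms over a constructed table of records standing in for DNS (the domain names and record texts are invented; the limit value and term list are the RFC's):

```python
"""Count DNS-interactive SPF terms the way RFC 7208 section 4.6.4 limits them.

Added example, not code from the thread. No real DNS is done: RECORDS is a
constructed table of SPF record texts that stands in for the resolver, so
the chain of include:/redirect= targets can be followed offline.
"""
import re
from typing import Dict, List

SPF_LIMIT = 10  # RFC 7208 section 4.6.4: at most 10 DNS-interactive terms
# Mechanisms and modifiers that each consume one of those lookups.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def lookup_terms(record: str) -> List[str]:
    """Return the terms of one SPF record text that each cost a DNS lookup."""
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record")
    found = []
    for term in record.split()[1:]:
        # Drop the optional qualifier (+ - ~ ?), then read the mechanism name.
        m = re.match(r"[+\-~?]?([a-z]+)", term.lower())
        if m and m.group(1) in LOOKUP_TERMS:
            found.append(term)
    return found


def count_lookups(domain: str, records: Dict[str, str], _running: int = 0) -> int:
    """Running total of lookups for `domain`, recursing into include:/redirect=.

    Raises LookupError once the total passes SPF_LIMIT, which a checker such
    as spfquery reports as permerror. Unknown domains are treated as "-all".
    """
    total = _running
    for term in lookup_terms(records.get(domain, "v=spf1 -all")):
        total += 1
        if total > SPF_LIMIT:
            raise LookupError(
                f"{domain}: Maximum DNS-interactive terms limit ({SPF_LIMIT}) exceeded")
        bare = term.lstrip("+-~?").lower()
        if bare.startswith(("include:", "redirect=")):
            sep = ":" if bare.startswith("include") else "="
            total = count_lookups(bare.partition(sep)[2], records, total)
    return total


# Constructed record table (hypothetical domains), not any real sender's SPF.
RECORDS = {
    "example.com": "v=spf1 include:spf-a.example.com include:spf-b.example.com "
                   "ip4:192.0.2.0/24 -all",
    "spf-a.example.com": "v=spf1 a mx include:spf-c.example.com -all",
    "spf-b.example.com": "v=spf1 a:mail.example.org mx ptr exists:%{i}.sbl.example.net -all",
    "spf-c.example.com": "v=spf1 mx:mx1.example.net a a:relay1.example.net "
                         "a:relay2.example.net -all",
}

if __name__ == "__main__":
    for dom in ("spf-c.example.com", "spf-a.example.com", "example.com"):
        try:
            print(dom, count_lookups(dom, RECORDS))
        except LookupError as err:
            print("permerror:", err)
```

The top-level record in the table has only two include terms itself, yet evaluating it costs eleven lookups once the included records are followed, which is exactly how a sender can exceed the limit without noticing; a checker that stops at the first record would report it as fine.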
Re: New virus outbreak with malformed payload
Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
We had none yesterday but some 700 today, which is a decent amount.
However, the attachments were filtered as bad filenames and quarantined,
which adds a 2.5 score to our spam tests, which also blocked all of them,
so very few made it to inboxes.
Regards,
KAM
On 6/21/2013 1:40 PM, David F. Skoll wrote:
> Hi,
>
> We're seeing a huge rash of viruses with malformed payloads. They're
> supposed to contain a ZIP file, but the MIME part supposedly containing
> the ZIP file simply contains:
>
> Error[Base64]
>
> Sample: http://pastebin.com/fkjf9LHR
>
> Yesterday, they were "Scanned Copy" spams from an HP printer. Today they
> are "Invoice Notification for June 2013" spams.
>
> Annoyingly, the envelope sender is no-reply@intuit.com which has an
> SPF permerror... FAIL.
>
> $ spfquery --id intuit.com --ip 192.168.1.1
> permerror
> intuit.com ... spf-ext-a.intuit.com: Maximum DNS-interactive terms limit (10) exceeded
> intuit.com ... spf-ext-a.intuit.com: Maximum DNS-interactive terms limit (10) exceeded
> Received-SPF: permerror (intuit.com ... spf-ext-a.intuit.com: Maximum DNS-interactive terms limit (10) exceeded) identity=mailfrom; envelope-from=intuit.com
>
> *sigh*
>
> Anyone else seeing tons of these?
>
> Regards,
>
> David.
--
*Kevin A. McGrail*
President
Peregrine Computer Consultants Corporation
3927 Old Lee Highway, Suite 102-C
Fairfax, VA 22030-2422
http://www.pccc.com/
703-359-9700 x50 / 800-823-8402 (Toll-Free)
703-359-8451 (fax)
KMcGrail@PCCC.com
Re: New virus outbreak with malformed payload
Posted by Jay Plesset <ja...@dp-design.com>.
Yes, saw both the scanner ones and the new ones, too.
jay plesset
IT, dp-design.com
On 6/21/2013 10:40 AM, David F. Skoll wrote:
> Hi,
>
> We're seeing a huge rash of viruses with malformed payloads. They're
> supposed to contain a ZIP file, but the MIME part supposedly containing
> the ZIP file simply contains:
>
> Error[Base64]
>
> Sample: http://pastebin.com/fkjf9LHR
>
> Yesterday, they were "Scanned Copy" spams from an HP printer. Today they
> are "Invoice Notification for June 2013" spams.
>
> Annoyingly, the envelope sender is no-reply@intuit.com which has an
> SPF permerror... FAIL.
>
> $ spfquery --id intuit.com --ip 192.168.1.1
> permerror
> intuit.com ... spf-ext-a.intuit.com: Maximum DNS-interactive terms limit (10) exceeded
> intuit.com ... spf-ext-a.intuit.com: Maximum DNS-interactive terms limit (10) exceeded
> Received-SPF: permerror (intuit.com ... spf-ext-a.intuit.com: Maximum DNS-interactive terms limit (10) exceeded) identity=mailfrom; envelope-from=intuit.com
>
> *sigh*
>
> Anyone else seeing tons of these?
>
> Regards,
>
> David.
Re: New virus outbreak with malformed payload
Posted by "David F. Skoll" <df...@roaringpenguin.com>.
On Fri, 21 Jun 2013 19:56:19 +0200
Benny Pedersen <me...@junc.eu> wrote:
> > Annoyingly, the envelope sender is no-reply@intuit.com which has an
> > SPF permerror... FAIL.
> and you accept permerror :)
Well, what would you suggest? :) I don't think our customers would
accept unconditional blocking of intuit.com or microsoft.com (another
offender.)
> Is the zipfile always 6 bytes where the first 2 chars are not PK? That
> is not even a zip file then.
It's not even a valid attachment because the encoding is wrong.
The viruses are easy to detect and stop. They are just annoying. (And
some of them don't have malformed attachments; some really do have valid
zip files with an embedded .EXE. Weird.)
Regards,
David.
Re: New virus outbreak with malformed payload
Posted by Benny Pedersen <me...@junc.eu>.
David F. Skoll skrev den 2013-06-21 19:40:
> Annoyingly, the envelope sender is no-reply@intuit.com which has an
> SPF permerror... FAIL.
and you accept permerror :)
> *sigh*
Is the zipfile always 6 bytes where the first 2 chars are not PK? That
is not even a zip file then.
--
Senders that put my email into body content will deliver it to my own
trashcan, so if you'd like to get a reply, don't do it.