Posted to users@spamassassin.apache.org by Rupert Gallagher <ru...@protonmail.com> on 2023/02/07 10:15:12 UTC

New rule wanted

I received a spam with score -1. Well written, looks legit commercial, asking for a quotation, with details in the attachment, a 3MB file with unknown extension ".one".

The file turns out to be a Windows Trojan:

https://www.virustotal.com/gui/file/f4d587f60f2d34add9f77fcbd8c3c0df3ca51cfaecd9de85c45d25647eaac40b

Both SA and ClamAV passed it as legit.

We should have a SA rule that says: "attached file with unknown data type".

Re: New rule wanted

Posted by Benny Pedersen <me...@junc.eu>.
Rupert Gallagher skrev den 2023-02-07 11:15:

> https://www.virustotal.com/gui/file/f4d587f60f2d34add9f77fcbd8c3c0df3ca51cfaecd9de85c45d25647eaac40b
> 
> Both SA and ClamAV passed it as legit.
> 
> We should have a SA rule that says: "attached file with unknown data
> type".

or https://sanesecurity.com/foxhole-databases/


Re: New rule wanted

Posted by Benny Pedersen <me...@junc.eu>.
Loren Wilton skrev den 2023-02-07 11:43:
> I believe 3MB is above the default scan size for SA, so likely it
> won't even look at the file.

Let's say the sender did not know this?

If it was a Linux ELF, I would have compiled it myself with gcc :)

Don't accept precompiled files in email, ever.

Re: New rule wanted

Posted by Loren Wilton <lw...@earthlink.net>.
I believe 3MB is above the default scan size for SA, so likely it won't even look at the file.

        Loren
  ----- Original Message ----- 
  From: Rupert Gallagher 
  To: users@spamassassin.apache.org 
  Sent: Tuesday, February 07, 2023 2:26 AM
  Subject: Re: New rule wanted


  Note: Both client and server are not Windows. The attached file type is a generic "data" on unix. On a Windows client the file runs as executable. A SA rule should merely detect that the file type is a generic "data" file.
  -------- Original Message --------
  On Feb 7, 2023, 11:15, Rupert Gallagher < ruga@protonmail.com> wrote:

    I received a spam with score -1. Well written, looks legit commercial, asking for a quotation, with details in the attachment, a 3MB file with unknown extension ".one".

    The file turns out to be a Windows Trojan:

    https://www.virustotal.com/gui/file/f4d587f60f2d34add9f77fcbd8c3c0df3ca51cfaecd9de85c45d25647eaac40b

    Both SA and ClamAV passed it as legit.

    We should have a SA rule that says: "attached file with unknown data type". 


Re: New rule wanted

Posted by Rupert Gallagher <ru...@protonmail.com>.
Note: Both client and server are not Windows. The attached file type is a generic "data" on unix. On a Windows client the file runs as executable. A SA rule should merely detect that the file type is a generic "data" file.
-------- Original Message --------
On Feb 7, 2023, 11:15, Rupert Gallagher wrote:

> I received a spam with score -1. Well written, looks legit commercial, asking for a quotation, with details in the attachment, a 3MB file with unknown extension ".one".
>
> The file turns out to be a Windows Trojan:
>
> https://www.virustotal.com/gui/file/f4d587f60f2d34add9f77fcbd8c3c0df3ca51cfaecd9de85c45d25647eaac40b
>
> Both SA and ClamAV passed it as legit.
>
> We should have a SA rule that says: "attached file with unknown data type".

Re: New rule wanted

Posted by "Laurent S." <11...@protonmail.ch>.
I've seen this wave too.

You could use a rule such as this:
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
# '$' inside a character class is a literal dollar sign, so the
# end-of-value case is written as an alternation instead
mimeheader ONENOTE_ATTACHED Content-Type =~ /\.one(?:["\s;]|$)/i
describe ONENOTE_ATTACHED Attached OneNote
score ONENOTE_ATTACHED 5.0
endif

Make sure MIMEHeader is loaded. I haven't used that rule in prod, so I don't guarantee it will work perfectly. We use fuglu to put mails in quarantine based on file attachment.

ClamAV does not recognize attachments inside OneNote files, so most signatures don't hit as one would expect. But looking for .hta inside those OneNote files helped me block more or less all those mails (that were not blocked earlier by RBLs).

Good luck,
Laurent S.
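The two rule ideas in this thread (Laurent's Content-Type match on ".one" and Rupert's "attached file is generic data" check) as one stand-alone Python scanner, added here as an example and not code from the list or from SpamAssassin; the sample message, the ATTACH_UNKNOWN_DATA rule name and its score are constructed assumptions, and the regex writes the end-of-value case as an alternation rather than a literal "$".

```python
import email
import re
from email import policy

# Rule names and scores mirror the thread: ONENOTE_ATTACHED scores 5.0 in
# Laurent's rule; ATTACH_UNKNOWN_DATA and its 3.0 are assumed for Rupert's idea.
SCORES = {"ONENOTE_ATTACHED": 5.0, "ATTACH_UNKNOWN_DATA": 3.0}

# Equivalent of the mimeheader regex, with end-of-value as a real alternative.
ONE_EXT = re.compile(r'\.one(?:["\s;]|$)', re.I)

# Small magic-number table; anything not listed is treated as generic "data",
# the same verdict file(1) gives for an unrecognised blob.
MAGIC = {
    b"%PDF-": "application/pdf",
    b"PK\x03\x04": "application/zip",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
}

def sniff(payload: bytes) -> str:
    for magic, kind in MAGIC.items():
        if payload.startswith(magic):
            return kind
    return "data"

def scan_message(raw: bytes) -> dict:
    """Return {rule_name: score} for every attachment-based rule that fires."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {}
    for part in msg.iter_attachments():
        ctype = str(part.get("Content-Type", ""))
        cdisp = str(part.get("Content-Disposition", ""))
        if ONE_EXT.search(ctype) or ONE_EXT.search(cdisp):
            hits["ONENOTE_ATTACHED"] = SCORES["ONENOTE_ATTACHED"]
        if sniff(part.get_payload(decode=True) or b"") == "data":
            hits["ATTACH_UNKNOWN_DATA"] = SCORES["ATTACH_UNKNOWN_DATA"]
    return hits

# Constructed sample: a "request for quotation" carrying a harmless 16-byte
# blob named quote.one (not real OneNote content and not malware).
SAMPLE = b"""From: buyer@example.test\r\nTo: sales@example.test\r\nSubject: Request for quotation\r\nMIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="b1"\r\n\r\n--b1\r\nContent-Type: text/plain\r\n\r\nPlease see the attached details.\r\n--b1\r\nContent-Type: application/octet-stream; name="quote.one"\r\nContent-Disposition: attachment; filename="quote.one"\r\nContent-Transfer-Encoding: base64\r\n\r\nAAECAwQFBgcICQoLDA0ODw==\r\n--b1--\r\n"""

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

Note that this scanner reads every attachment regardless of size, whereas Loren's point about the default scan size still applies to SpamAssassin itself.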