Posted to commits@spamassassin.apache.org by jh...@apache.org on 2018/07/04 16:38:53 UTC
svn commit: r1835065 -
/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
Author: jhardin
Date: Wed Jul 4 16:38:53 2018
New Revision: 1835065
URL: http://svn.apache.org/viewvc?rev=1835065&view=rev
Log:
Add malware attachment rule, see https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39?gi=7ec45f2481ce
Modified:
spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=1835065&r1=1835064&r2=1835065&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Wed Jul 4 16:38:53 2018
@@ -118,6 +118,12 @@ ifplugin Mail::SpamAssassin::Plugin::MIM
describe DOC_ATTACH_NO_EXT Document attachment with suspicious name
mimeheader __ZIP_ATTACH_MT Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)\b,i
+
+ # see https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39?gi=7ec45f2481ce
+ mimeheader __MALW_ATTACH_01_01 Content-Disposition =~ /\bfilename="?[^"]+\.SettingContent-ms\b/i
+ mimeheader __MALW_ATTACH_01_02 Content-Type =~ /\bname="?[^"]+\.SettingContent-ms\b/i
+ meta MALW_ATTACH __MALW_ATTACH_01_01 || __MALW_ATTACH_01_02
+ describe MALW_ATTACH Attachment filename suspicious, probable malware exploit
else
meta __HTML_ATTACH_01 0
meta __HTML_ATTACH_02 0
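Review bot: The two mimeheader patterns for __MALW_ATTACH_01_01 and __MALW_ATTACH_01_02 only match a literal `.SettingContent-ms` inside the `filename=`/`name=` parameter, so a name carried as an RFC 2047 encoded-word or split across RFC 2231 continuations (`filename*0=`, `filename*1=`) is not caught unless the plugin hands the rule the decoded header (presumably the default, with `:raw` being the undecoded form — worth confirming), and a copy nested inside an archive is out of scope since only the part headers are inspected; the comment above the rules should say so. `[^"]+` is also unbounded for an unquoted value and can run across later parameters before backtracking, so `[^";]+` keeps the match to the filename itself, e.g. `mimeheader __MALW_ATTACH_01_01 Content-Disposition =~ /\bfilename="?[^";]+\.SettingContent-ms\b/i`. The trailing `\b` still accepts `foo.SettingContent-ms.txt`, which may be deliberate for double-extension names but deserves a one-line comment either way. No `score MALW_ATTACH` line is added, so the rule presumably runs at the default score for sandbox masscheck; the ifplugin block starts before the hunk.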
@@ -126,6 +132,8 @@ else
meta __PDF_ATTACH 0
meta __ATTACH_NAME_NO_EXT 0
meta __ZIP_ATTACH_MT 0
+ meta __MALW_ATTACH_01_01 0
+ meta __MALW_ATTACH_01_02 0
endif
# general case of spample observation