Re: Resume / Doc Spam

2015-09-18 Thread Anthony Kamau

On 09/09/15 07:26, John Schmerold wrote:



I haven't had the courage to open it in Word; if I open it in 7-Zip, I see
the following files:

 Directory of C:\


No courage needed.  Simply install Sandboxie [0] (preferably in a VM) and 
you can safely open any application inside the sandbox and see what it 
invokes.


Cheers,
AK.

[0] - http://www.sandboxie.com/index.php?HowItWorks



Re: Resume / Doc Spam

2015-09-18 Thread Dianne Skoll
On Fri, 18 Sep 2015 21:51:59 +1000
Anthony Kamau  wrote:

> No courage needed.  Simply install Sandboxie [0] (preferably in a VM)
> and you can safely open any application inside the sandbox and see
> what it invokes.

Or use LibreOffice which has macros turned off by default, but lets
you examine existing macros in the macro organizer.

Regards,

Dianne.


Re: Resume / Doc Spam

2015-09-17 Thread John Schmerold

Thanks for the input. We reduced the reject score and added a few rules.

John Schmerold
Katy Computer Systems, Inc
https://katy.com
St Louis




Re: Resume / Doc Spam

2015-09-09 Thread Benny Pedersen

John Schmerold wrote on 2015-09-08 23:26:


01/01/1980  12:00 AM33,280 vbaProject.bin


I would run "strings vbaProject.bin" and make a ClamAV signature based on 
it.


If you are happy with amavisd-new, these ClamAV signatures can be 
mapped from virus to spam score in amavisd.


But possibly it would need to be more clever in ClamAV logical sigs :=)

For SpamAssassin, check SPF, DKIM and DMARC; if it passes on them, then score 
the sender positive,


with a possible meta on body content "you need to read resume or 
attachment".


I just bet that we don't see any resumes now.


Re: Resume / Doc Spam

2015-09-09 Thread Benny Pedersen

John Schmerold wrote on 2015-09-08 23:27:


 Content analysis details:   (6.1 points, 10.0 required)


Why not 5.0 required?


  pts rule name              description
 ---- ---------------------- --------------------------------------------------
 -0.7 RCVD_IN_DNSWL_LOW      RBL: Sender listed at http://www.dnswl.org/, low trust
                             [98.138.229.147 listed in list.dnswl.org]


                             [98.138.229.147 listed in wl.mailspike.net]


Possibly report spam to both, if possible.


Re: Resume / Doc Spam

2015-09-09 Thread Bill Cole

On 8 Sep 2015, at 17:38, Kevin A. McGrail wrote:

Overall, the default SA is designed for a 5.0 threshold.  You have 
raised it to 10.0.  That's largely the source of the issue.


+1

5.0 is a very safe threshold, and I've found that once the Bayes and AWL 
DBs are reasonably trained, 4.5 or even 4.0 will catch more spam without 
measurably increasing false positives for business email streams. For 
more ISP-like streams maybe 5.5 or 6.0 would make sense, but I haven't 
seen a >9 false positive from SA in many millions (billions? maybe...) 
of messages over many years of use. At 10.0 SA will miss most spam, 
unless you expose it to sorts of spam that can be blocked by much 
lower-cost and safer means (e.g. SMTP greeting pause, low-FP DNSBLs, 
etc.)


Re: Resume / Doc Spam

2015-09-09 Thread Dianne Skoll
On Wed, 09 Sep 2015 09:23:44 +0200
Benny Pedersen  wrote:

> i would run "strings vbaProject.bin" and make clamav signature based
> on it

ClamAV is totally useless.

Here's a trick: Macro viruses must define a subroutine called "Document_Open".
So finding the string "Document_Open" case-insensitively in an MS
Office file is a red flag.  If you don't find it directly, use
unzip -p (the so-called "pipe mode") to look for that same string
case-insensitively in the more modern MS Office files, which are really
just zip files in disguise.

There will be some false-positives because some legitimate MS Office files
(b) auto-execute macros on document open, but IMO the danger posed
by macro viruses makes the tradeoff worth it.

Regards,

Dianne.
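An added example (not code from the thread, SpamAssassin or ClamAV) that implements the Document_Open check above in Python for both legacy OLE2 .doc files and zip-based OOXML packages, and also flags the pattern from John's original report: an attachment named .doc whose content is really an OOXML zip carrying word/vbaProject.bin. The RFC 2047 filename decoder and the sample package builder are assumptions constructed here for illustration, not real samples.

```python
"""Added example, not code from the thread, SpamAssassin or ClamAV: a content
check for Office attachments implementing Dianne Skoll's "Document_Open" trick
for legacy OLE2 .doc and zip-based OOXML files, plus the pattern from the
original report: an attachment named .doc that is really an OOXML zip."""
import io
import re
import zipfile
from email.header import decode_header

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office container
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML is a zip in disguise
AUTO_RUN = re.compile(rb"Document_Open", re.IGNORECASE)
MACRO_ENABLED_EXT = {"docm", "dotm", "xlsm", "xltm", "pptm", "potm"}


def decode_mime_filename(raw):
    """Decode an RFC 2047 encoded-word filename such as =?utf-8?B?...?=."""
    return "".join(p.decode(cs or "ascii") if isinstance(p, bytes) else p
                   for p, cs in decode_header(raw))


def classify_attachment(filename, data):
    """Inspect one decoded attachment body; returns a dict of findings."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    f = {"container": "other", "vba_project": False,
         "auto_run_macro": False, "extension_mismatch": False}
    if data.startswith(OLE2_MAGIC):
        f["container"] = "ole2"
        # OLE2 stream names are UTF-16LE; a VBA project always has a _VBA_PROJECT
        # stream.  MS-OVBA compresses module source, so a raw byte search (what
        # `strings` sees) can miss the hook name; olevba-style decompression is safer.
        f["vba_project"] = "_VBA_PROJECT".encode("utf-16-le") in data
        f["auto_run_macro"] = AUTO_RUN.search(data) is not None
    elif data.startswith(ZIP_MAGIC):
        f["container"] = "ooxml"
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            names = pkg.namelist()
            f["vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
            # Equivalent of `unzip -p file | grep -i document_open`: scan every member.
            f["auto_run_macro"] = any(AUTO_RUN.search(pkg.read(n)) for n in names)
        # A zip package behind a legacy extension is what 7-Zip revealed in the report.
        f["extension_mismatch"] = ext in {"doc", "dot", "xls", "ppt"}
    f["suspicious"] = f["auto_run_macro"] or (
        f["container"] == "ooxml" and f["vba_project"] and ext not in MACRO_ENABLED_EXT)
    return f


def build_sample_package(vba_blob=None):
    """Constructed OOXML zip laid out like the report's listing; vba_blob becomes word/vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("docProps/app.xml", "<Properties/>")
        pkg.writestr("word/settings.xml", "<settings/>")
        if vba_blob is not None:
            pkg.writestr("word/vbaProject.bin", vba_blob)
        pkg.writestr("_rels/.rels", "<Relationships/>")
    return buf.getvalue()
```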


Re: Resume / Doc Spam

2015-09-09 Thread Dianne Skoll
On Wed, 9 Sep 2015 16:51:11 +0200
Matus UHLAR - fantomas  wrote:

> On 09.09.15 10:44, Dianne Skoll wrote:
> >ClamAV is totally useless.

> Do you mean generally, or in this case?

Generally, at least if you use the official signatures.  And the unofficial
ones have unacceptably high FP rates.

> >There will be some false-positives because some legitimate MS Office
> >files (b) auto-execute macros on document open, but IMO the
> >danger posed by macro viruses makes the tradeoff worth it.

> I believe some people will argue against this ;-)

I'm sure some will.  It's a tradeoff and everyone has a different opinion.

We've implemented this in our hosted scanning service and so far
haven't had any complaints (though to be sure, we quarantine rather
than outright reject messages that hit this rule.)

These are the subjects we've seen that have hit the rule so far
today; counts are on the left:

  1 
  1 Fv: fattura sospesa 8587917 del 12-07-2015
  1 Invio fattura convalida 2492412 del 25-03-2015
  1 RE: fattura sospesa 0585247 del 18-03-2015
  1 RE: fattura sospesa 2684935 del 04-03-2015
  1 RE: fattura sospesa 6857874 del 22-06-2015
  1 Re: fattura emessa 8939951 del 25-01-2015
  1 Re: fattura sospesa 3445841 del 09-02-2015
  1 
  1 Solicitud de Oferta SM No 123/2015 Proyecto 5070
229 Resume
255 RE:resume

Looks to me like one probable and one possible false positive out of
498; IMO that's a good tradeoff for quarantining.

Regards,

Dianne.



Re: Resume / Doc Spam

2015-09-09 Thread Benny Pedersen

Dianne Skoll wrote on 2015-09-09 16:44:


ClamAV is totally useless.


Why?

Here's a trick: Macro viruses must define a subroutine called 
"Document_Open"


Thanks for that note, I will keep it in mind.


So finding the string "Document_Open" case-insensitively in an MS
Office file is a red flag.


Which can be used to reject in clamav-milter, no?


If you don't find it directly, use
unzip -p (the so called "pipe mode") to look for that same string
case-insensitively in the more modern MS Office files, which are really
just zip files in disguise.


And I believed I was the only one that creates ClamAV signatures :=)

There will be some false-positives because some legitimate MS Office files
(b) auto-execute macros on document open, but IMO the danger posed
by macro viruses makes the tradeoff worth it.


PDF files with JavaScript are much better :=)


Re: Resume / Doc Spam

2015-09-09 Thread Matus UHLAR - fantomas

On Wed, 09 Sep 2015 09:23:44 +0200 Benny Pedersen  wrote:

I would run "strings vbaProject.bin" and make a ClamAV signature based
on it.


On 09.09.15 10:44, Dianne Skoll wrote:

ClamAV is totally useless.


Do you mean generally, or in this case?


Here's a trick: Macro viruses must define a subroutine called "Document_Open"
So finding the string "Document_Open" case-insensitively in an MS
Office file is a red flag.  If you don't find it directly, use
unzip -p (the so called "pipe mode") to look for that same string
case-insensitively in the more modern MS Office files, which are really
just zip files in disguise.

There will be some false-positives because some legitimate MS Office files
(b) auto-execute macros on document open, but IMO the danger posed
by macro viruses makes the tradeoff worth it.


I believe some people will argue against this ;-)

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Chernobyl was a Windows 95 beta test site.


Resume / Doc Spam

2015-09-08 Thread John Schmerold
We have been seeing a number of spams getting through our ClamAV / 
SpamAssassin filter. What is the best way to share with the community so 
that we can develop a defense against these messages?


The message reads:
Hi my name is Victoria Alexandra attached is my resume!Please message me 
back


Best regards

Victoria Alexandra

The attachment is named "Victoria_Alexandra_resume.doc"; the message source 
shows the document to be encoded as:

Content-Type: application/msword;
 name="=?utf-8?B?VmljdG9yaWFfQWxleGFuZHJhX3Jlc3VtZS5kb2M=?="
Content-transfer-encoding: base64
Content-Disposition: attachment;
 filename="=?utf-8?B?VmljdG9yaWFfQWxleGFuZHJhX3Jlc3VtZS5kb2M=?="


I haven't had the courage to open it in Word; if I open it in 7-Zip, I see 
the following files:

 Directory of C:\

09/08/2015  04:24 PM    <DIR>          .
09/08/2015  04:24 PM    <DIR>          ..
09/08/2015  04:24 PM                 0 1.txt
09/08/2015  04:24 PM    <DIR>          docProps
09/08/2015  04:24 PM    <DIR>          word
01/01/1980  12:00 AM             1,696 [Content_Types].xml
09/08/2015  04:24 PM    <DIR>          _rels
               2 File(s)          1,696 bytes

 Directory of c:\docProps

09/08/2015  04:24 PM    <DIR>          .
09/08/2015  04:24 PM    <DIR>          ..
01/01/1980  12:00 AM               989 app.xml
01/01/1980  12:00 AM               737 core.xml
               2 File(s)          1,726 bytes

 Directory of c:\word

09/08/2015  04:24 PM    <DIR>          .
09/08/2015  04:24 PM    <DIR>          ..
01/01/1980  12:00 AM             1,186 fontTable.xml
01/01/1980  12:00 AM             4,356 numbering.xml
01/01/1980  12:00 AM             8,227 settings.xml
01/01/1980  12:00 AM            17,478 styles.xml
01/01/1980  12:00 AM            15,713 stylesWithEffects.xml
09/08/2015  04:24 PM    <DIR>          theme
01/01/1980  12:00 AM             1,620 vbaData.xml
01/01/1980  12:00 AM            33,280 vbaProject.bin
01/01/1980  12:00 AM               831 webSettings.xml
09/08/2015  04:24 PM    <DIR>          _rels
               8 File(s)         82,691 bytes

 Directory of c:\word\theme

09/08/2015  04:24 PM    <DIR>          .
09/08/2015  04:24 PM    <DIR>          ..
01/01/1980  12:00 AM             6,992 theme1.xml
               1 File(s)          6,992 bytes

 Directory of c:\word\_rels

09/08/2015  04:24 PM    <DIR>          .
09/08/2015  04:24 PM    <DIR>          ..
01/01/1980  12:00 AM             1,208 document.xml.rels
01/01/1980  12:00 AM               277 vbaProject.bin.rels
               2 File(s)          1,485 bytes

 Directory of c:\_rels

09/08/2015  04:24 PM    <DIR>          .
09/08/2015  04:24 PM    <DIR>          ..
01/01/1980  12:00 AM               590 .rels
               1 File(s)            590 bytes

     Total Files Listed:
              16 File(s)         95,180 bytes


Re: Resume / Doc Spam

2015-09-08 Thread John Schmerold

I guess I should share the rest of the message source:

Return-path: 
Envelope-to: j...@katy.com
Delivery-date: Tue, 08 Sep 2015 10:49:40 -0500
X-Spam-Status: No
X-FastNet1-MailScanner-From: dglzydwfyofe...@yahoo.com
X-FastNet1-MailScanner-SpamCheck:
X-FastNet1-MailScanner: Found to be clean
X-FastNet1-MailScanner-ID: 1ZZL9P-000EIX-P3
X-FastNet1-MailScanner-Information: Contact Fastnet1 636-594-6700 for 
more information

Received: from [71.86.3.250] (port=33881 helo=mx6.fastnet1.com)
by cp1.fastnet1.com with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256)
(Exim 4.85)
(envelope-from )
id 1ZZL9P-000EIX-P3
for j...@katy.com; Tue, 08 Sep 2015 10:49:39 -0500
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; 
d=yahoo.com; s=katycomputersystems;
	h=Content-Type:MIME-Version:Subject:Message-ID:Date:From; 
bh=9oq8H47zm3p2mpTltBDFqcwqhJzV36GGWApAEoBUPPo=;


b=TMls9kUGYOid2OLTD/Ya9LZOUswRy8XBCR60Quf4zOQJ546K+7iylzq/0iEL2wqYggFcNRrWUAjgP3BVorZ/+vu1giQ+g5WPVl7FuuFHGq80tdMrKHzj3QHIXKFYia0hdggHx6eFpqkXQxo2Ft/V4AJnUv4nx0fbbVQgACAVokU=;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; 
s=s2048; t=1441727373; bh=9oq8H47zm3p2mpTltBDFqcwqhJzV36GGWApAEoBUPPo=; 
h=From:Date:Subject:From:Subject; 
b=YvlBfKrzCsRd/j6fgA2W5kuj3SzF40LJztQ/iR92fPsTm2KWTfAqc/dPEty6EyahXcxRSq9zYI9mSDeqimDwcY3sbmIfhFBcMZ4T4ETQyZkBudSAKYwJQdnMdX5u8DFoXa17GH/a0dpM7th36bX1zBTg1Y5Ljmi6JUEBSCHsUJe0M8blRBHB78nBapYLVoTGE34CEnDFeeMn45CluEYIR1NS/6bUVqKz3paUloN6qAfvCiGR625ekiP1I/3Whhn0eHdQyCSQ0l8dYZltpLpGELfV4TTCIujykZGofZZG0W+wpQzUEgkl452BQV3iP/Jd/RvG2YBt+bbJxL+hPQX9LA==

X-Yahoo-Newman-Id: 746112.47404...@smtp107.mail.ne1.yahoo.com
X-Yahoo-Newman-Property: ymail-4
X-Yahoo-SMTP: kFTdf1CswBDhF4G2OgpU3ap3zVf.qDOwDpAFWg--
From: dglzydwfyofe...@yahoo.com
Date: Tue, 08 September 2015 19:37:58 -0400
X-Mailer: The Bat! (v3.99.29) Professional
X-Priority: 3 (Normal)
Message-ID: <495179285.20150908193...@yahoo.com>
Subject: =?utf-8?Q?Resume?=
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="--4189436351612E93331901B"
X-Spam-Score: 6.1
X-Spam-Report: Spam detection software, running on the system "mx6.fastnet1.com",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.

 Content preview:  Hi my name is Victoria Alexandra attached is my resume!Please
 message me back Best regards Victoria Alexandra [...]

 Content analysis details:   (6.1 points, 10.0 required)

  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  1.1 INVALID_DATE           Invalid Date: header (not RFC 2822)
 -0.0 LOCAL__H_from_yahoo    No description available.
  1.9 KAM_THEBAT             Abused X-Mailer Header for The Bat! MUA
 -0.1 LOCAL__H_all_yahoo     No description available.
 -0.7 RCVD_IN_DNSWL_LOW      RBL: Sender listed at http://www.dnswl.org/, low trust
                             [98.138.229.147 listed in list.dnswl.org]
  0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider
                             (dglzydwfyofelia[at]yahoo.com)
 -0.0 RCVD_IN_MSPIKE_H3      RBL: Good reputation (+3)
                             [98.138.229.147 listed in wl.mailspike.net]
 -0.0 T_RP_MATCHES_RCVD      Envelope sender domain matches handover relay domain
 -0.5 SPF_PASS               SPF: sender matches SPF record
  1.0 MISSING_HEADERS        Missing To: header
 -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's domain
  3.5 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
 -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
  0.0 FSL_BULK_SIG           Bulk signature with no Unsubscribe
  0.0 T_FREEMAIL_DOC_PDF     MS document or PDF attachment, from freemail

----4189436351612E93331901B
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

Hi my name is Victoria Alexandra attached is my resume!Please message me 
back


Re: Resume / Doc Spam

2015-09-08 Thread Kevin A. McGrail
Overall, the default SA is designed for a 5.0 threshold.  You have 
raised it to 10.0.  That's largely the source of the issue.




--
*Kevin A. McGrail*
CEO

Peregrine Computer Consultants Corporation
3927 Old Lee Highway, Suite 102-C
Fairfax, VA 22030-2422

http://www.pccc.com/

703-359-9700 x50 / 800-823-8402 (Toll-Free)
703-798-0171 (wireless)
kmcgr...@pccc.com