I’m a novice at signature writing, but those e-mails don’t seem to have sufficient unique content to warrant a signature based on the text. They look like simple Spam to me. Since you removed the actual malware, I have no clue what they are and how critical of a threat they might be.
As Joel said, what you need to post here is the hash for the file before you zipped it.

-Al-

On Fri, Dec 25, 2015 at 12:12 AM, Walter H. wrote:
>
> Just submitted two new samples, as I received them today;
>
> SHA1(28.zip)= d0f18efb2d92c0528fab3736b134d5ad13d23be3
> SHA1(29.zip)= b399b5c9e6e4567740825ac85754191a7648dfaa
>
> On 25.12.2015 02:05, Al Varnell wrote:
>> Surely you cannot mean that all of those represent critical threats that
>> require immediate attention from the already overworked ClamAV signature
>> team?
> what do you really think are these?
>
> just as an expanded sample the complete E-mail, where I removed the malware
> content;
> I get these regularly, and for this another way of submission -> just an
> E-mail-Address, where to forward these ...
>
> -----[ 28.eml ]-----
>
> Return-Path: <[email protected]>
> Received: from storage.mail ([unix socket])
>     by storage.mail (Cyrus v2.3.16-Fedora-RPM-2.3.16-13.el6_6) with LMTPA;
>     Fri, 25 Dec 2015 03:01:35 +0100
> X-Sieve: CMU Sieve 2.3
> Received: from filter.mail by storage.mail (Postfix) with ESMTP id CE10B62834
> Received: by filter.mail (Postfix) id C38334905
> X-From-noReply-Box: yes
> Delivered-To: [email protected]
> Received: by filter.mail (Postfix, userid 500) id BE1B84913
> X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on filter.mail
> X-Spam-Status: No, score=2.1 required=4.0 tests=HELO_LH_HOME,XPRIO
>     autolearn=no version=3.3.1
> Received: from filter.mail by filter.mail (Postfix) with ESMTP id 6774F4905
> Envelope-to: [email protected]
> Delivery-date: Fri, 25 Dec 2015 02:03:37 +0100
> Received: from [w4y-pop-server] by filter.mail with POP3 (fetchmail-6.3.17)
> Received: from [81.19.149.129] (helo=mx19lb.world4you.com)
>     by mail12.world4you.com with esmtp (Exim 4.76)
>     (envelope-from <[email protected]>)
>     id 1aCGnA-0001D7-Uf
>     for [email protected]; Fri, 25 Dec 2015 02:03:36 +0100
> Received: from [188.132.250.211] (helo=ns1.adanabook.com)
>     by mx19lb.world4you.com with esmtps (TLSv1:AES256-SHA:256)
>     (Exim 4.77)
>     (envelope-from <[email protected]>)
>     id 1aCGnA-0003qG-Hu
>     for [email protected]; Fri, 25 Dec 2015 02:03:36 +0100
> Received: by ns1.adanabook.com (Postfix, from userid 10006)
>     id 1B3ED10EE07; Fri, 25 Dec 2015 04:08:11 +0200 (EET)
> To: [email protected]
> X-PHP-Originating-Script: 10006:post.php(5) : regexp code(1) : eval()'d
>     code(17) : eval()'d code
> Date: Fri, 25 Dec 2015 04:08:11 +0200
> From: "Interfax Online" <[email protected]>
> Reply-To: "Interfax Online" <[email protected]>
> Message-ID: <[email protected]>
> X-Priority: 3
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
>     boundary="b1_9d092492ac2cddaeaa628f93cbfb66a1"
> Content-Transfer-Encoding: 8bit
> X-SA-Exim-Connect-IP: 188.132.250.211
> X-SA-Exim-Mail-From: [email protected]
> Subject: [SPAM] You have received a new fax, document 0000471075
> X-Spam-Prev-Subject: You have received a new fax, document 0000471075
> X-SA-Exim-Version: 4.2.1 (built Sat, 28 Apr 2007 14:02:57 +0200)
> X-SA-Exim-Scanned: Yes (on mx19lb.world4you.com)
>
> --b1_9d092492ac2cddaeaa628f93cbfb66a1
> Content-Type: text/plain; charset=us-ascii
>
> A new fax document for you.
>
>
>
> Please, download fax document attached to this email.
>
>
>
> Filesize: 150 Kb
>
> File name: scan-0000471075.doc
>
> Scanned in: 9 seconds
>
> Scanned at: Thu, 24 Dec 2015 17:05:33 +0300
>
> From: Gerald Calhoun
>
> Number of pages: 5
>
> Quality: 300 DPI
>
>
>
> Thank you for using Interfax!
>
>
> --b1_9d092492ac2cddaeaa628f93cbfb66a1
> Content-Type: application/zip; name="scan-0000471075.zip"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename=scan-0000471075.zip
>
> #content#removed#
>
> --b1_9d092492ac2cddaeaa628f93cbfb66a1--
>
>
> -----[ 29.eml ]-----
>
> Return-Path: <[email protected]>
> Received: from storage.mail ([unix socket])
>     by storage.mail (Cyrus v2.3.16-Fedora-RPM-2.3.16-13.el6_6) with LMTPA;
>     Fri, 25 Dec 2015 08:50:07 +0100
> X-Sieve: CMU Sieve 2.3
> Received: from filter.mail by storage.mail (Postfix) with ESMTP id 4E24D635DA
> Received: by filter.mail (Postfix) id 3799C491C
> X-From-noReply-Box: yes
> Delivered-To: [email protected]
> Received: by filter.mail (Postfix, userid 500) id 2E66A4948
> X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on filter.mail
> X-Spam-Status: No, score=2.1 required=4.0 tests=HELO_LH_HOME,XPRIO
>     autolearn=no version=3.3.1
> Received: from filter.mail by filter.mail (Postfix) with ESMTP id 045E84905
> Envelope-to: [email protected]
> Delivery-date: Fri, 25 Dec 2015 07:21:09 +0100
> Received: from [w4y-pop-server] by filter.mail with POP3 (fetchmail-6.3.17)
> Received: from [81.19.149.133] (helo=mx23lb.world4you.com)
>     by mail12.world4you.com with esmtp (Exim 4.76)
>     (envelope-from <[email protected]>)
>     id 1aCLkT-0002YU-M4
>     for [email protected]; Fri, 25 Dec 2015 07:21:09 +0100
> Received: from [209.239.57.35] (helo=host3.webhostingservers.net)
>     by mx23lb.world4you.com with esmtp (Exim 4.77)
>     (envelope-from <[email protected]>)
>     id 1aCLkS-0000UT-Sq
>     for [email protected]; Fri, 25 Dec 2015 07:21:09 +0100
> Received: (from www@localhost)
>     by host3.webhostingservers.net (8.14.3/8.12.10) id tBP5RTEW028021;
>     Fri, 25 Dec 2015 00:27:29 -0500
> To: [email protected]
> Date: Fri, 25 Dec 2015 00:27:29 -0500
> From: "Interfax Online" <[email protected]>
> Reply-To: "Interfax Online" <[email protected]>
> Message-ID: <[email protected]>
> X-Priority: 3
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
>     boundary="b1_65c1451b368193580c19c5cf984dd73f"
> Content-Transfer-Encoding: 8bit
> X-SA-Exim-Connect-IP: 209.239.57.35
> X-SA-Exim-Mail-From: [email protected]
> Subject: [SPAM] You have received a new fax, document 00845094
> X-Spam-Prev-Subject: You have received a new fax, document 00845094
> X-SA-Exim-Version: 4.2.1 (built Sat, 22 Jan 2011 20:12:41 -0500)
> X-SA-Exim-Scanned: Yes (on mx23lb.world4you.com)
>
>
> --b1_65c1451b368193580c19c5cf984dd73f
> Content-Type: text/plain; charset=us-ascii
>
> You have received a new fax.
>
> Please check your fax document in the attachment to this e-mail.
>
> File name: scan-00845094.doc
> Sender: Manuel Hooper
> File size: 102 Kb
> Resolution: 400 DPI
> Scan date: Thu, 24 Dec 2015 10:20:07 +0300
> Pages scanned: 6
> Scan duration: 21 seconds
>
> Thanks for using Interfax service!
>
>
> --b1_65c1451b368193580c19c5cf984dd73f
> Content-Type: application/zip; name="scan-00845094.zip"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename=scan-00845094.zip
>
> #content#removed#

-Al-

--
Al Varnell
Mountain View, CA
_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
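Al's point is that the SHA-1 of `28.zip` identifies the archive Walter created, not the sample inside it: re-zipping the same file with a different tool, compression level or timestamp yields a different archive hash, while the hash of the inner file stays stable and is what a signature team can match. The following is an added example (not code from the thread or from the ClamAV project) showing how to take a raw message like the quoted `.eml` files, locate the zip attachment and report the hash of the archive together with the hash of each member, all in memory so the sample is never written out or opened. The message, addresses and the attachment contents are constructed placeholders.

```python
import hashlib
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Constructed stand-in for the "scan-....doc" attachment from the thread.
# It is harmless placeholder text, not the removed malware content.
SAMPLE_MEMBER_NAME = "scan-0000000000.doc"
SAMPLE_MEMBER_BYTES = b"placeholder document body, constructed for this example\n"


def sha1_hex(data: bytes) -> str:
    """SHA-1 hex digest, the format used for the SHA1(28.zip)= lines in the thread."""
    return hashlib.sha1(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    """SHA-256 hex digest, worth reporting alongside SHA-1."""
    return hashlib.sha256(data).hexdigest()


def build_sample_zip(name: str, payload: bytes) -> bytes:
    """Build an in-memory zip holding one member (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def build_sample_message(zip_bytes: bytes) -> bytes:
    """Construct a multipart/mixed mail with a base64 zip attachment, shaped like
    the quoted 'new fax' mails (hypothetical addresses)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "You have received a new fax (constructed sample)"
    msg.set_content("A new fax document for you.\n")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename="scan-0000000000.zip")
    return msg.as_bytes()


def hash_attachments(raw_message: bytes) -> list:
    """Parse a raw message, locate zip attachments and return the hash of each zip
    together with the hash of every file inside it. Everything stays in memory:
    nothing is written to disk, opened by another program or executed."""
    msg = message_from_bytes(raw_message)
    report = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if not filename or not filename.lower().endswith(".zip"):
            continue
        zip_bytes = part.get_payload(decode=True)  # undo the base64 transfer encoding
        entry = {
            "attachment": filename,
            "zip_sha1": sha1_hex(zip_bytes),
            "zip_sha256": sha256_hex(zip_bytes),
            "members": {},
        }
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                data = zf.read(info)  # member bytes, kept in memory only
                entry["members"][info.filename] = {
                    "size": len(data),
                    "sha1": sha1_hex(data),
                    "sha256": sha256_hex(data),
                }
        report.append(entry)
    return report


def demo() -> list:
    """Run the whole flow on the constructed sample and return the report."""
    raw = build_sample_message(build_sample_zip(SAMPLE_MEMBER_NAME, SAMPLE_MEMBER_BYTES))
    return hash_attachments(raw)


if __name__ == "__main__":
    for entry in demo():
        print(f"{entry['attachment']}  zip sha1={entry['zip_sha1']}")
        for name, h in entry["members"].items():
            print(f"  {name}  sha1={h['sha1']}  sha256={h['sha256']}  size={h['size']}")
```

Running it on a real `.eml` is a matter of passing the file's bytes to `hash_attachments`; the member hashes are the values to quote when reporting a sample, and the archive hash only serves to confirm which upload is meant. Password-protected archives, which these lures sometimes use, would need the password supplied via `ZipFile.read(info, pwd=...)`, and an unreadable archive raises `zipfile.BadZipFile`, which is itself worth noting in a report.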
