On 10/20/17 8:04 PM, Al Varnell wrote:
> Are you certain that it is actually from CERT from the header information or
> is that just the "From: " address which can easily be faked? You can
> determine a lot from submitting the e-mail raw source to
> <https://www.spamcop.net>.

Yes, I would say this is legitimate. I looked the IP and header info over and compared to previous mailings and the info is the same mail server.

Received: from mailer190175.service.govdelivery.com (208.42.190.175) by host.atmyhome with SMTP; 20 Oct 2017 19:10:22 -0800
Received-SPF: pass (host.atmyhome: SPF record at spf.sp.service.govdelivery.com designates 208.42.190.175 as permitted sender)
X-VirtualServer: B190C4, mailer190175.service.govdelivery.com, 172.25.0.175
X-VirtualServerGroup: B190C4
X-MailingID: 17159604::20171021.79734561::1001::MDB-PRD-BUL-20171021.79734561::[email protected]::52402_0
X-SMHeaderMap: mid="X-MailingID"
X-Destination-ID: [email protected]
X-SMFBL: a3Jpc3RlbkBhdG15aG9tZS5vcmc=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=ncas.us-cert.gov; s=15q3; [email protected]; h=Content-Transfer-Encoding:
 Content-Type:x-subscriber:X-Accountcode:Errors-To:Reply-To:
 MIME-Version:Message-ID:X-ReportingKey:Subject:Date:To:From;
 bh=5iBXVVsNmQWv/yeUKz2ksz1ew2E=; b=Ph28B61orDBhRTTyNY08Xa/SfZmWu
 VeWrac8XOaSPWdiXHfzPzInuwnLyHCvqn446d1vfMQ+l6PgUdOVRtWtoGCVlFN93
 j836cd9GLgpMq1DTgo1BowhTKN6N1oDWaORcyTNQubM2l3A6iFyhMLjaEfv/3M/x
 iGw6szqEyl5Eh/zfWpHCbQPz8IIDSc7LViHIOz62IUfslOnYSfA400enfrL9yqt6
 jiPwWKEjHsfvJbXi8QJ32sA/IyqcGVoSMgDijJTpSp1T1o+NL0HrpdLAWxxJAjkZ
 jfctIgx26uFyhctA2PxldPmMiKOfMdZK8AN/LAaiC2qhzhyK5E1LAw15Q==
Content-Transfer-Encoding: 7bit
Content-Type: multipart/alternative; boundary="----=_NextPart_521_08BE_7C699BB4.5E61392A"
x-subscriber: 3.zvMgBIhjnwhEq7try0XvRHesb+KKQe5nt+vMrUeTBZy+pLuDPksXiQ7tpNeg9PJ70+TYjl958KrlvIMOI6korS2WSGwCPYPv3yyLGXX+vJue+Ug+Kk6Jm1Up3iaAXvglygDU3L6a1UjDFbxa00Q+KA==
X-Accountcode: USDHSUSCERT
Errors-To: [email protected]
Reply-To: [email protected]
MIME-Version: 1.0
Message-ID: <[email protected]>
X-ReportingKey: LJJJ2EWJK2HE4WJJ7C3JJJ::[email protected]::[email protected]
Subject: =?US-ASCII?Q?TA17-293A:_Advanced_Persistent_Threat_Activity_Targe?=
 =?US-ASCII?Q?ting_Energy_and_Other_Critical_Infrastructure_Sectors?=
Date: Fri, 20 Oct 2017 22:06:45 -0500
To: [email protected]
From: "=?US-ASCII?Q?US-CERT?=" <[email protected]>

> Signature details:
> sigtool -fPUA.Win.Trojan.Xored-1|sigtool --decode-sigs
> VIRUS NAME: PUA.Win.Trojan.Xored-1
> TARGET TYPE: HTML
> OFFSET: *
> DECODED SIGNATURE:
> charcodeat({WILDCARD_ANY_STRING(LENGTH<=5)})^
>
> I can't seem to find when the signature was added, but a Google search shows
> it being discussed as far back as April 2016.
>
> If, after examination, you still feel it's a False Positive, submit it (or
> the attachment) to <http://www.clamav.net/reports/fp> and return here with a
> hash value of whatever you submitted.
>
> PUA indicates "Potentially Unwanted Application" which indicates non-malware
> and makes it more difficult to identify as a False Positive. Win makes it
> Windows Only.
>
> -Al-

Thanks Al. I went ahead and injected this quarantined message for delivery as it is a big HTML email that can be difficult to read from a BASH shell. It appears they are showing samples of code from some Windows exploit, or something. I didn't review it that long. I bet the samples they put in this email triggered clamd.

I will consider this discussion closed unless the list wishes to add to the discussion.

Kristen

> On Fri, Oct 20, 2017 at 08:30 PM, kristen R wrote:
>> List,
>>
>> I just received an email from ncas.us-cert.gov that was caught by clamd
>> reporting PUA.Win.Trojan.Xored-1 signature. This email is from the US
>> Department of Homeland Security.
>>
>> I suppose this is a case of a false positive. How does one find the
>> string triggering this event that I might know and report this as a
>> false positive?
>>
>> Kristen
signature.asc
Description: OpenPGP digital signature
_______________________________________________
clamav-users mailing list
[email protected]
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
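The thread raises two practical questions: whether the mail really came from the domain it claims (Al's point about a forgeable "From:", answered by Kristen from the Received-SPF and DKIM headers) and how to locate the exact bytes in the HTML body that the decoded ClamAV signature matched, so they can be quoted in a false-positive report. The script below is an added example written for this page; it is not code from the thread, from ClamAV or from US-CERT. It assumes a constructed sample message (header lines trimmed from the thread, with the DKIM hash/signature values and mailbox local parts replaced by placeholders, and a made-up HTML body containing a small JavaScript XOR-decoding loop), and it approximates ClamAV's HTML normaliser by lowercasing and collapsing whitespace, which is enough for this one signature but is not the real normaliser.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message (not the real US-CERT mail): header lines trimmed
# from the thread, with the DKIM hash/signature values and the mailbox local
# parts replaced by placeholders, followed by a made-up HTML body that contains
# the kind of JavaScript XOR-decoding loop the PUA signature is written for.
SAMPLE_RAW = b"""Received: from mailer190175.service.govdelivery.com (208.42.190.175) by host.atmyhome with SMTP; 20 Oct 2017 19:10:22 -0800
Received-SPF: pass (host.atmyhome: SPF record at spf.sp.service.govdelivery.com designates 208.42.190.175 as permitted sender)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=ncas.us-cert.gov; s=15q3; h=Subject:Date:To:From; bh=BODYHASH-PLACEHOLDER=; b=SIGNATURE-PLACEHOLDER==
From: "US-CERT" <sender-placeholder@ncas.us-cert.gov>
To: recipient-placeholder@atmyhome.example
Subject: TA17-293A: Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors
Date: Fri, 20 Oct 2017 22:06:45 -0500
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<html><body>
<p>Advisory text would go here.</p>
<script>for (var i = 0; i < s.length; i++) { out += String.fromCharCode(s.charCodeAt(i)^k); }</script>
</body></html>
"""

# Output of `sigtool -fPUA.Win.Trojan.Xored-1 | sigtool --decode-sigs` as quoted in the thread.
DECODED_SIGNATURE = "charcodeat({WILDCARD_ANY_STRING(LENGTH<=5)})^"


def signature_to_regex(decoded):
    """Turn a decoded ClamAV body signature into a compiled Python regex.

    Literal text is escaped; the wildcard {WILDCARD_ANY_STRING(LENGTH<=N)}
    becomes '.{0,N}'. Assumption: this is the only wildcard form that appears
    in the signatures we want to check.
    """
    parts, pos = [], 0
    for m in re.finditer(r"\{WILDCARD_ANY_STRING\(LENGTH<=(\d+)\)\}", decoded):
        parts.append(re.escape(decoded[pos:m.start()]))
        parts.append(".{0,%s}" % m.group(1))
        pos = m.end()
    parts.append(re.escape(decoded[pos:]))
    return re.compile("".join(parts), re.DOTALL)


def normalize_html(html):
    """Rough stand-in for ClamAV's HTML normaliser (assumption: lowercasing and
    whitespace collapsing are the parts that matter for this signature)."""
    return re.sub(r"\s+", " ", html).lower()


def html_body(raw):
    """Decode the HTML (or, failing that, plain-text) part of a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    return part.get_content() if part is not None else ""


def find_signature_hits(html, decoded=DECODED_SIGNATURE):
    """Return the substrings of the normalised body that the signature matches,
    i.e. the text you would quote in a false-positive report."""
    rx = signature_to_regex(decoded)
    return [m.group(0) for m in rx.finditer(normalize_html(html))]


def check_sender(raw):
    """Summarise the authentication evidence the receiving MTA recorded:
    the Received-SPF result, the DKIM signing domain (d=) and whether that
    domain matches the From: domain (DMARC-style alignment)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    spf = str(msg.get("Received-SPF", "")).strip()
    spf_result = spf.split(None, 1)[0].lower() if spf else "none"
    dkim = str(msg.get("DKIM-Signature", ""))
    tags = dict(t.strip().split("=", 1) for t in dkim.split(";") if "=" in t)
    dkim_domain = tags.get("d", "").strip().lower()
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    return {
        "spf": spf_result,
        "dkim_domain": dkim_domain,
        "from_domain": from_domain,
        "aligned": bool(dkim_domain) and dkim_domain == from_domain,
    }


if __name__ == "__main__":
    print(check_sender(SAMPLE_RAW))
    print(find_signature_hits(html_body(SAMPLE_RAW)))
```

Note that a "pass" here only shows what the receiving host recorded; it does not re-verify the DKIM signature, and the matched substring is exactly the kind of benign string-decoding loop that makes this a PUA signature rather than a malware one, which is why a sample embedded in an advisory can trip it.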
