Re: [Assp-test] Senderbase Top Senders by IP useful info to ASSP?

2016-10-19 Thread Thomas Eckardt
Ironport is close to zen.spamhaus.org.
Use DNSBL to score on reputation.
Use senderbase to detect orgs and countries by IP.

Notice: senderbase is not free for everyone - it can be used as long as 
CISCO allows it. The fallback for senderbase in assp is WHOIS-IP - and 
this one has no reputation information!

Thomas




From: K Post
To: ASSP development mailing list
Date: 18.10.2016 16:05
Subject: [Assp-test] Senderbase Top Senders by IP useful info to ASSP?



Any value in using Senderbase's top senders by IP (assuming there's an API
or other method to access this info)?

http://www.senderbase.org/static/email/#tab=1

I've been thinking about looking at the top 100 senders for the day, only
considering the POOR reputation ones and having ASSP score that.

Senderbase in general is a great resource, but when you have shared
providers like Amazon AWS, who anyone can send from, it would be nice to
have Senderbase's opinion of the IP itself.  We could score the   Sure, we
already have DNSBL, but this would be another score to consider.

Or maybe I'm really just getting at using a senderbase poor reputation as a
scoring factor for ASSP vs only looking at the top senders:
http://www.senderbase.org/lookup/ip/?search_string=52.38.45.34
shows this specific IP as poor, really poor considering the increase in
volume, but AFAIK ASSP won't use that info unless that IP or AmazonAWS is
in BlackSenderbase right??

All of this of course is a moot point if ASSP can't access this info via a
DNS query or some other method.
--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test




DISCLAIMER:
***
This email and any files transmitted with it may be confidential, legally 
privileged and protected in law and are intended solely for the use of the 

individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no 
known virus in this email!
***



[Assp-test] custom extenson to ASSP_AFC

2016-10-19 Thread Thomas Eckardt
Plugins/file_types.txt got an update on CVS - RTF file detection is added

ASSP_AFC.pm 4.39 is released on CVS

lib/CorrectASSPcfg.pm got an update on CVS

.
# use this sub to expand the executable detection of the ASSP_AFC Plugin V 4.39 and higher
#
# INPUT:
# $self  - the ASSP_AFC OO object for the mail
# $skip  - the possible setting to skip some executable detections (:WIN,:MSOM,MAC)
# $buf64 - the reference to a string that contains the first 64 bytes of the attachment
# $full  - the reference to a string that contains the full attachment
#
# OUTPUT:
# $type - contains an executable description if detected, otherwise it must be undef
#
#sub AFC_Executable_Detection {
#    my ($self, $skip, $buf64, $full) = @_;
#    my $type;
#    ...
#    # do your stuff here, and set $type to a value if an executable is detected - otherwise leave $type at undef
#    # for example:
#    $type = 'RTF file' if $skip !~ /:RTF/ && $$buf64 =~ /^\{\\rtf1\\/i;
#    ...
#    return $type;
#}
.. 

ASSP_AFC.pm 4.39 calls this sub if it is available (defined). If a type 
is returned in $type by this sub, the configured action (block the mail or 
replace the MIME part) will be used.
This function can be abused to detect any dangerous file by its content, 
even if it is not a direct executable.

for example:

$type = 'MS Office encrypted or password protected document' if ($skip !~ /:ENCDOC/ && $$buf64 =~ /^\xd0\xcf\x11\xe0/ && $$full =~ /\x00E\x00n\x00c\x00r\x00y\x00p\x00t\x00e\x00d\x00P\x00a\x00c\x00k\x00a\x00g\x00e|\x00C\x00r\x00y\x00p\x00t\x00o\x00g\x00r\x00a\x00p\x00h\x00i\x00c/);

The regex on $$buf64 detects an MS-Office document; the latter searches for 
UTF-16 encoded (EncryptedPackage|Cryptographic) in the complete document.

EncryptedPackage - is used in MSO 2007 and newer versions
Cryptographic - is used in older versions of MS-Office

OpenOffice may use different tags!

Thomas
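As an added stand-alone example (this is not ASSP project code and not from the post above), the following Perl script implements AFC_Executable_Detection to the interface Thomas describes, with both checks from the post (RTF by its leading control group, and an encrypted MS Office document by the OLE2 header plus the UTF-16LE stream name), and calls it on constructed byte strings. The placeholder $self hash, the utf16le helper and the sample buffers are assumptions of this harness; in ASSP the sub would live in lib/CorrectASSPcfg.pm and be called by ASSP_AFC.pm itself.

```perl
#!/usr/bin/perl
# Added stand-alone example (not ASSP project code): an AFC_Executable_Detection
# sub written to the interface described in the post, plus a small harness that
# calls it on constructed byte strings.  $self is a placeholder hash here; in
# ASSP the real ASSP_AFC object is passed, but the content checks never use it.
use strict;
use warnings;

sub AFC_Executable_Detection {
    my ($self, $skip, $buf64, $full) = @_;
    $skip = '' unless defined $skip;
    my $type;

    # RTF: the attachment starts with the control group "{\rtf1\"
    $type = 'RTF file'
        if $skip !~ /:RTF/ && $$buf64 =~ /^\{\\rtf1\\/i;

    # Encrypted / password protected MS Office document: OLE2 compound file
    # header (D0 CF 11 E0) and, anywhere in the full attachment, the UTF-16LE
    # stream name "EncryptedPackage" (Office 2007+) or "Cryptographic" (older
    # Office).  The regex requires a \x00 before the first letter; the
    # constructed samples below provide one.
    $type = 'MS Office encrypted or password protected document'
        if !defined $type
        && $skip !~ /:ENCDOC/
        && $$buf64 =~ /^\xd0\xcf\x11\xe0/
        && $$full  =~ /\x00E\x00n\x00c\x00r\x00y\x00p\x00t\x00e\x00d\x00P\x00a\x00c\x00k\x00a\x00g\x00e|\x00C\x00r\x00y\x00p\x00t\x00o\x00g\x00r\x00a\x00p\x00h\x00i\x00c/;

    return $type;   # undef when nothing matched, as ASSP_AFC expects
}

# helper for the constructed OLE samples: ASCII -> UTF-16LE (each byte followed by \x00)
sub utf16le { return pack 'v*', unpack 'C*', shift }

# constructed samples: not real documents, only the bytes the checks look at
my $ole_header = "\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" . ("\x00" x 56);
my %samples = (
    rtf        => "{\\rtf1\\ansi\\deff0 Hello}",
    ole_plain  => $ole_header . utf16le('WordDocument'),
    ole_encpkg => $ole_header . utf16le('EncryptedPackage'),
    ole_crypto => $ole_header . utf16le('Cryptographic'),
    text       => "just a text attachment\n",
);

my $self = {};   # placeholder for the ASSP_AFC object
for my $name (sort keys %samples) {
    my $full  = $samples{$name};
    my $buf64 = substr($full, 0, 64);    # ASSP_AFC hands over the first 64 bytes separately
    for my $skip ('', ':ENCDOC') {
        my $type = AFC_Executable_Detection($self, $skip, \$buf64, \$full);
        printf "%-10s skip=%-9s -> %s\n", $name, "'$skip'", defined $type ? $type : 'undef';
    }
}
```

Running it shows the two skip settings side by side: with an empty $skip both the RTF sample and the two encrypted OLE samples are reported, while with ':ENCDOC' only the RTF sample is, and the plain OLE file and the text attachment always return undef. Ordering the checks so that a later check only runs when $type is still undef keeps the first match authoritative, which matters once several detections are stacked in one sub.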




Re: [Assp-test] Password Protected "RTF" Files Slipping Through

2016-10-19 Thread Thomas Eckardt
Hmm - OK - and where is the problem?

- has AFC not detected doc(xm)?
- has AFC not detected MS macros?

Thomas




From: Grayhat
To: assp-test@lists.sourceforge.net
Date: 19.10.2016 14:46
Subject: Re: [Assp-test] Password Protected "RTF" Files Slipping Through



:: On Wed, 19 Oct 2016 13:31:55 +0200
:: Thomas Eckardt wrote:

> 4. I'm unable to password protect RTF files  (tried office 2003, XP,
> 2013) - password is removed

I suspect it isn't a real RTF file but a passworded zip with a modified
extension; basically whoever builds such kind of trash creates a
script, adds it to a passworded "zip" and renames it to "rtf"











Re: [Assp-test] Password Protected "RTF" Files Slipping Through

2016-10-19 Thread Grayhat
:: On Wed, 19 Oct 2016 13:31:55 +0200
:: Thomas Eckardt wrote:

> 4. I'm unable to password protect RTF files  (tried office 2003, XP,
> 2013) - password is removed

I suspect it isn't a real RTF file but a passworded zip with a modified
extension; basically whoever builds such kind of trash creates a
script, adds it to a passworded "zip" and renames it to "rtf"





Re: [Assp-test] Password Protected "RTF" Files Slipping Through

2016-10-19 Thread Robert K Coffman Jr. -Info From Data Corp.
> 4. I'm unable to password protect RTF files  (tried office 2003, XP, 2013)
> - password is removed

I suspect the .RTF file is simply a renamed .docx.  Word opens and 
recognizes the format and doesn't acknowledge the mismatched extension.

- Bob




Re: [Assp-test] Password Protected "RTF" Files Slipping Through

2016-10-19 Thread Thomas Eckardt
>So the question remains, can we get AFC modified to reject
>encrypted/password protected Office documents - or RTF office files -
>altogether?  The reasoning is the same as rejecting encrypted zip files.

1. you'll need a sponsor

2. even if regular office documents are encrypted - assp/afc will detect 
macros in there
so - it is still safe to let pass encrypted office documents without macros

3. I'm unable to create RTF files with macros (tried office 2003, XP, 
2013) - macros are removed

4. I'm unable to password protect RTF files (tried office 2003, XP, 2013) 
- password is removed

3. and 4. may be possible using another software. It would be nice to have 
such RTF files.

Thomas





From: K Post
To: ASSP development mailing list
Date: 19.10.2016 02:20
Subject: Re: [Assp-test] Password Protected "RTF" Files Slipping Through



Thanks Bob for this research.  We should be safe, even if a user opened it
here, but yeah, it's possible that we wouldn't be

So the question remains, can we get AFC modified to reject
encrypted/password protected Office documents - or RTF office files -
altogether?  The reasoning is the same as rejecting encrypted zip files.


On Tue, Oct 18, 2016 at 3:24 PM, Robert K Coffman Jr. -Info From Data Corp. wrote:

> Ok, thanks to Doug and Ken for sending me a sample.
>
> This thing simply installs a Trojan (MBAM calls it "Trojan.Agent.VBS")
> and then connects to server(s) to download additional Malware, if the
> user opens it, enters the password (and has a version of Word that
> recognizes it) and then enables macros.  I'd like to think that series
> of events is unlikely, but I know better.
>
> Some IPs I saw this system connected to on my firewall.  Some of these
> may be legit and not malware related (this is a re-imaged system and
> Office was trying to activate.)
>
> 23.35.18.164
> 8.253.32.142
> 184.51.112.8
> 184.51.112.154
> 13.107.4.50
> 184.51.112.8
> 134.170.53.30
> 23.96.212.225
> 191.237.218.239
> 23.96.212.225
>
>
> I haven't seen this thing hitting my mail server yet.
>
>
> - Bob
>
>






Re: [Assp-test] Password Protected "RTF" Files Slipping Through

2016-10-19 Thread Grayhat
:: On Wed, 19 Oct 2016 09:14:44 +0200
:: <20161019091444.5...@gmx.net>
:: Grayhat wrote:

> Ok for the sigs being up-to-date; but my point was about the "extra"
> signatures offered by SaneSecurity, not the regular ones; I found that
> the regular signatures are often "behind" while the ones offered by
> SaneSecurity are faster to catch-up, so my suggestion was to add those
> signatures to your ClamAV scanner to help improve its efficiency; I've
> been using a number of signatures from SaneSecurity along with the
> regular clamav signatures and I found them to be quite effective at
> blocking "junk" (spam, malware and so on) that's why I'm suggesting to
> give them a spin

just in case, here's the list of additional signatures I'm using;
notice that it's important to always include the first two since they
allow you to quickly fix false-positive issues (if any, by the way) and to
improve the scanner's performance

rsync://rsync.sanesecurity.net/sanesecurity/sanesecurity.ftm
rsync://rsync.sanesecurity.net/sanesecurity/sigwhitelist.ign2
rsync://rsync.sanesecurity.net/sanesecurity/junk.ndb
rsync://rsync.sanesecurity.net/sanesecurity/jurlbla.ndb
rsync://rsync.sanesecurity.net/sanesecurity/lott.ndb
rsync://rsync.sanesecurity.net/sanesecurity/phish.ndb
rsync://rsync.sanesecurity.net/sanesecurity/rogue.hdb
rsync://rsync.sanesecurity.net/sanesecurity/scam.ndb
rsync://rsync.sanesecurity.net/sanesecurity/spam.ldb
rsync://rsync.sanesecurity.net/sanesecurity/spamimg.hdb
rsync://rsync.sanesecurity.net/sanesecurity/spamattach.hdb
rsync://rsync.sanesecurity.net/sanesecurity/blurl.ndb
rsync://rsync.sanesecurity.net/sanesecurity/bofhland_cracked_URL.ndb
rsync://rsync.sanesecurity.net/sanesecurity/bofhland_malware_URL.ndb
rsync://rsync.sanesecurity.net/sanesecurity/bofhland_phishing_URL.ndb
rsync://rsync.sanesecurity.net/sanesecurity/bofhland_malware_attach.hdb
rsync://rsync.sanesecurity.net/sanesecurity/scamnailer.ndb
rsync://rsync.sanesecurity.net/sanesecurity/crdfam.clamav.hdb
rsync://rsync.sanesecurity.net/sanesecurity/porcupine.ndb
rsync://rsync.sanesecurity.net/sanesecurity/phishtank.ndb
rsync://rsync.sanesecurity.net/sanesecurity/winnow_malware.hdb
rsync://rsync.sanesecurity.net/sanesecurity/winnow_malware_links.ndb
rsync://rsync.sanesecurity.net/sanesecurity/winnow_phish_complete.ndb
rsync://rsync.sanesecurity.net/sanesecurity/winnow.complex.patterns.ldb
rsync://rsync.sanesecurity.net/sanesecurity/winnow_spam_complete.ndb
rsync://rsync.sanesecurity.net/sanesecurity/winnow.attachments.hdb
rsync://rsync.sanesecurity.net/sanesecurity/winnow_extended_malware.hdb
rsync://rsync.sanesecurity.net/sanesecurity/winnow_bad_cw.hdb
rsync://rsync.sanesecurity.net/sanesecurity/foxhole_generic.cdb
rsync://rsync.sanesecurity.net/sanesecurity/foxhole_filename.cdb
rsync://rsync.sanesecurity.net/sanesecurity/malwarehash.cdb

HTH




Re: [Assp-test] Password Protected "RTF" Files Slipping Through

2016-10-19 Thread Grayhat
:: On Tue, 18 Oct 2016 11:29:44 -0400
:: K Post wrote:

> > I suppose that, since you're talking (ok, writing) about AFC, you're
> > running ClamAV; now... are you using the extra signatures available
> > from SaneSecurity ? I'm referring to
> >
> > http://sanesecurity.com/usage/signatures/

> We are using up to date clamav sigs.  The problem is that these files
> are encrypted so they're not being detected.

Ok for the sigs being up-to-date; but my point was about the "extra"
signatures offered by SaneSecurity, not the regular ones; I found that
the regular signatures are often "behind" while the ones offered by
SaneSecurity are faster to catch-up, so my suggestion was to add those
signatures to your ClamAV scanner to help improve its efficiency; I've
been using a number of signatures from SaneSecurity along with the
regular clamav signatures and I found them to be quite effective at
blocking "junk" (spam, malware and so on) that's why I'm suggesting to
give them a spin



Re: [Assp-test] ClamAV and ASSP: Scan entire message?

2016-10-19 Thread Thomas Eckardt
AFC + ClamAV scans each MIME part separately and full.

Thomas





From: K Post
To: ASSP development mailing list
Date: 19.10.2016 04:20
Subject: [Assp-test] ClamAV and ASSP: Scan entire message?



With AFC enabled, should ClamAV be scanning the entire message, i.e. header &
body including attachments, or is it just scanning attachments?

I've had files blocked with SaneSecurity sigs, but these tests:
http://sanesecurity.com/support/signature-testing/ ALL slip through.



