Re: [Assp-test] Senderbase Top Senders by IP useful info to ASSP?
Ironport is close to zen.spamhaus.org. Use dnsbl to score on reputation; use senderbase to detect orgs and countries by IP.

Notice: senderbase is not free for everyone - it can be used as long as CISCO allows it. The fallback for senderbase in assp is WHOIS-IP - and this one has no reputation information!

Thomas

From: K Post
To: ASSP development mailing list
Date: 18.10.2016 16:05
Subject: [Assp-test] Senderbase Top Senders by IP useful info to ASSP?

Any value in using Senderbase's top senders by IP (assuming there's an API or other method to access this info)?

http://www.senderbase.org/static/email/#tab=1

I've been thinking about looking at the top 100 senders for the day, only considering the POOR reputation ones and having ASSP score that. Senderbase in general is a great resource, but when you have shared providers like Amazon AWS, who anyone can send from, it would be nice to have Senderbase's opinion of the IP itself. We could score the Sure, we already have DNSBL, but this would be another score to consider.

Or maybe I'm really just getting at using a senderbase poor reputation as a scoring factor for ASSP vs only looking at the top senders:

http://www.senderbase.org/lookup/ip/?search_string=52.38.45.34

shows this specific IP as poor, really poor considering the increase in volume, but AFAIK ASSP won't use that info unless that IP or AmazonAWS is in BlackSenderbase, right?? All of this of course is a moot point if ASSP can't access this info via a DNS query or some other method.

___
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
[Assp-test] custom extension to ASSP_AFC
Plugins/file_types.txt got an update on CVS - RTF file detection is added.
ASSP_AFC.pm 4.39 is released on CVS.
lib/CorrectASSPcfg.pm got an update on CVS:

    # use this sub to expand the executable detection of the ASSP_AFC Plugin V 4.39 and higher
    #
    # INPUT:
    # $self  - the ASSP_AFC OO object for the mail
    # $skip  - the possible setting to skip some executable detections (:WIN,:MSOM,MAC)
    # $buf64 - the reference to a string that contains the first 64 bytes of the attachment
    # $full  - the reference to a string that contains the full attachment
    #
    # OUTPUT:
    # $type - contains an executable description if detected, otherwise it must be undef
    #
    # (the shipped lib/CorrectASSPcfg.pm carries this sub commented out; define it to activate it)
    sub AFC_Executable_Detection {
        my ($self, $skip, $buf64, $full) = @_;
        my $type;
        # do your stuff here, and set $type to a value if an executable is detected -
        # otherwise leave $type at undef. For example:
        $type = 'RTF file' if $skip !~ /:RTF/ && $$buf64 =~ /^\{\\rtf1\\/i;
        return $type;
    }

ASSP_AFC.pm 4.39 calls this sub if it is available (defined). If a type is returned in $type by this sub, the configured action (block the mail or replace the MIME part) will be used.

This function can be abused to detect any dangerous file by its content - even if it is not a direct executable. For example:

    $type = 'MS Office encrypted or password protected document'
        if ($skip !~ /:ENCDOC/
            && $$buf64 =~ /^\xd0\xcf\x11\xe0/
            && $$full  =~ /\x00E\x00n\x00c\x00r\x00y\x00p\x00t\x00e\x00d\x00P\x00a\x00c\x00k\x00a\x00g\x00e|\x00C\x00r\x00y\x00p\x00t\x00o\x00g\x00r\x00a\x00p\x00h\x00i\x00c/);

The regex on $$buf64 detects an MS-Office document - the latter searches for UTF16-encoded (EncryptedPackage|Cryptographic) in the complete document.
EncryptedPackage - is used in MSO 2007 and newer versions
Cryptographic - is used in older versions of MS-Office
OpenOffice may use different tags!

Thomas
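The two content checks from the post above, re-implemented stand-alone in Python as an added illustration (this is not ASSP or AFC code, and the function and sample names are mine). It mirrors the hook's contract (first 64 bytes plus the full attachment, a description or None) and adds one extra check the thread hints at later: a ".rtf" whose bytes are really a ZIP or OLE container. The sample blobs are constructed, not real documents.

```python
import re

# Magic bytes and markers behind the two rules in the post above.
OLE_CFB_MAGIC = b"\xd0\xcf\x11\xe0"      # MS Office compound (OLE2) file header
ZIP_MAGIC = b"PK\x03\x04"                # OOXML (.docx) and ordinary ZIP containers
RTF_MAGIC_RE = re.compile(rb"^\{\\rtf1\\", re.IGNORECASE)
# Stream names a compound file stores as UTF-16LE in its directory:
# EncryptedPackage (MSO 2007 and newer), Cryptographic (older Office).
ENCRYPTION_MARKERS = (
    "EncryptedPackage".encode("utf-16-le"),
    "Cryptographic".encode("utf-16-le"),
)

def afc_executable_detection(skip, buf64, full):
    """Same contract as the AFC hook: a description string, or None."""
    if ":RTF" not in skip and RTF_MAGIC_RE.match(buf64):
        return "RTF file"
    if (":ENCDOC" not in skip and buf64.startswith(OLE_CFB_MAGIC)
            and any(marker in full for marker in ENCRYPTION_MARKERS)):
        return "MS Office encrypted or password protected document"
    return None

def classify_attachment(filename, data, skip=""):
    """Hand the first 64 bytes plus the full body to the hook, and also flag
    a '.rtf' whose bytes are really a ZIP or OLE container (the renamed
    docx/zip trick suspected later in this thread). Returns (type, mismatch)."""
    detected = afc_executable_detection(skip, data[:64], data)
    ext = filename.rsplit(".", 1)[-1].lower()
    mismatch = bool(ext == "rtf" and not RTF_MAGIC_RE.match(data[:64])
                    and (data.startswith(ZIP_MAGIC) or data.startswith(OLE_CFB_MAGIC)))
    return detected, mismatch

# Constructed samples (hypothetical, not real files): a tiny RTF, a fake
# compound-file header followed by an EncryptedPackage directory entry name,
# a compound file without any encryption marker, and a ZIP renamed to .rtf.
SAMPLE_RTF = b"{\\rtf1\\ansi\\deff0 {\\fonttbl{\\f0 Arial;}} hello\\par}"
SAMPLE_ENC_DOC = (OLE_CFB_MAGIC + b"\xa1\xb1\x1a\xe1" + b"\x00" * 504
                  + "Root Entry".encode("utf-16-le") + b"\x00" * 108
                  + ENCRYPTION_MARKERS[0] + b"\x00" * 96)
SAMPLE_PLAIN_DOC = OLE_CFB_MAGIC + b"\xa1\xb1\x1a\xe1" + b"\x00" * 600
SAMPLE_ZIP_AS_RTF = ZIP_MAGIC + b"\x00" * 60

if __name__ == "__main__":
    for name, blob in (("a.rtf", SAMPLE_RTF), ("b.doc", SAMPLE_ENC_DOC),
                       ("c.doc", SAMPLE_PLAIN_DOC), ("d.rtf", SAMPLE_ZIP_AS_RTF)):
        print(name, classify_attachment(name, blob))
```

A real deployment would run these checks on the decoded MIME part, exactly where AFC hands the bytes to the hook, and treat the extension mismatch as a separate scoring signal rather than a hard block.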
Re: [Assp-test] Password Protected "RTF" Files Slipping Through
Hmm - OK - and where is the problem?
- has AFC not detected doc(xm)?
- has AFC not detected MS macros?

Thomas

From: Grayhat
To: assp-test@lists.sourceforge.net
Date: 19.10.2016 14:46
Subject: Re: [Assp-test] Password Protected "RTF" Files Slipping Through

:: On Wed, 19 Oct 2016 13:31:55 +0200
:: Thomas Eckardt wrote:

> 4. I'm unable to password protect RTF files (tried office 2003, XP,
> 2013) - password is removed

I suspect it isn't a real RTF file but a passworded zip with a modified extension; basically whoever builds such kind of trash creates a script, adds it to a passworded "zip" and renames it to "rtf".
Re: [Assp-test] Password Protected "RTF" Files Slipping Through
:: On Wed, 19 Oct 2016 13:31:55 +0200
:: Thomas Eckardt wrote:

> 4. I'm unable to password protect RTF files (tried office 2003, XP,
> 2013) - password is removed

I suspect it isn't a real RTF file but a passworded zip with a modified extension; basically whoever builds such kind of trash creates a script, adds it to a passworded "zip" and renames it to "rtf".
Re: [Assp-test] Password Protected "RTF" Files Slipping Through
> 4. I'm unable to password protect RTF files (tried office 2003, XP, 2013)
> - password is removed

I suspect the .RTF file is simply a renamed .docx. Word opens and recognizes the format and doesn't acknowledge the mismatched extension.

- Bob
Re: [Assp-test] Password Protected "RTF" Files Slipping Through
> So the question remains, can we get AFC modified to reject
> encrypted/password protected Office documents - or RTF office files -
> altogether? The reasoning is the same as rejecting encrypted zip files.

1. you'll need a sponsor
2. even if regular office documents are encrypted - assp/afc will detect macros in there so - it is still safe to let pass encrypted office documents without macros
3. I'm unable to create RTF files with macros (tried office 2003, XP, 2013) - macros are removed
4. I'm unable to password protect RTF files (tried office 2003, XP, 2013) - password is removed

3. and 4. may be possible using another software. It would be nice to have such RTF files.

Thomas

From: K Post
To: ASSP development mailing list
Date: 19.10.2016 02:20
Subject: Re: [Assp-test] Password Protected "RTF" Files Slipping Through

Thanks Bob for this research. We should be safe, even if a user opened it here, but yeah, it's possible that we wouldn't be.

So the question remains, can we get AFC modified to reject encrypted/password protected Office documents - or RTF office files - altogether? The reasoning is the same as rejecting encrypted zip files.

On Tue, Oct 18, 2016 at 3:24 PM, Robert K Coffman Jr. -Info From Data Corp. wrote:
> Ok, thanks to Doug and Ken for sending me a sample.
>
> This thing simply installs a Trojan (MBAM calls it "Trojan.Agent.VBS")
> and then connects to server(s) to download additional Malware, if the
> user opens it, enters the password (and has a version of Word that
> recognizes it) and then enables macros. I'd like to think that series
> of events is unlikely, but I know better.
>
> Some IPs I saw this system connected to on my firewall. Some of these
> may be legit and not malware related (this is a re-imaged system and
> Office was trying to activate.)
>
> I haven't seen this thing hitting my mail server yet.
>
> - Bob
Re: [Assp-test] Password Protected "RTF" Files Slipping Through
:: On Wed, 19 Oct 2016 09:14:44 +0200
:: <20161019091444.5...@gmx.net>
:: Grayhat wrote:

> Ok for the sigs being up-to-date; but my point was about the "extra"
> signatures offered by SaneSecurity, not the regular ones; I found that
> the regular signatures are often "behind" while the ones offered by
> SaneSecurity are faster to catch-up, so my suggestion was to add those
> signatures to your ClamAV scanner to help improve its efficiency; I've
> been using a number of signatures from SaneSecurity along with the
> regular clamav signatures and I found them to be quite effective at
> blocking "junk" (spam, malware and so on) that's why I'm suggesting to
> give them a spin

just in case, here's the list of additional signatures I'm using; notice that it's important to always include the first two since they allow to quickly fix false-positives issues (if any, by the way) and to improve the scanner performances

rsync://rsync.sanesecurity.net/sanesecurity/sanesecurity.ftm
rsync://rsync.sanesecurity.net/sanesecurity/sigwhitelist.ign2
rsync://rsync.sanesecurity.net/sanesecurity/junk.ndb
rsync://rsync.sanesecurity.net/sanesecurity/jurlbla.ndb
rsync://rsync.sanesecurity.net/sanesecurity/lott.ndb
rsync://rsync.sanesecurity.net/sanesecurity/phish.ndb
rsync://rsync.sanesecurity.net/sanesecurity/rogue.hdb
rsync://rsync.sanesecurity.net/sanesecurity/scam.ndb
rsync://rsync.sanesecurity.net/sanesecurity/spam.ldb
rsync://rsync.sanesecurity.net/sanesecurity/spamimg.hdb
rsync://rsync.sanesecurity.net/sanesecurity/spamattach.hdb
rsync://rsync.sanesecurity.net/sanesecurity/blurl.ndb
rsync://rsync.sanesecurity.net/sanesecurity/bofhland_cracked_URL.ndb
rsync://rsync.sanesecurity.net/sanesecurity/bofhland_malware_URL.ndb
rsync://rsync.sanesecurity.net/sanesecurity/bofhland_phishing_URL.ndb
rsync://rsync.sanesecurity.net/sanesecurity/bofhland_malware_attach.hdb
rsync://rsync.sanesecurity.net/sanesecurity/scamnailer.ndb
rsync://rsync.sanesecurity.net/sanesecurity/crdfam.clamav.hdb
rsync://rsync.sanesecurity.net/sanesecurity/porcupine.ndb
rsync://rsync.sanesecurity.net/sanesecurity/phishtank.ndb
rsync://rsync.sanesecurity.net/sanesecurity/winnow_malware.hdb
rsync://rsync.sanesecurity.net/sanesecurity/winnow_malware_links.ndb
rsync://rsync.sanesecurity.net/sanesecurity/winnow_phish_complete.ndb
rsync://rsync.sanesecurity.net/sanesecurity/winnow.complex.patterns.ldb
rsync://rsync.sanesecurity.net/sanesecurity/winnow_spam_complete.ndb
rsync://rsync.sanesecurity.net/sanesecurity/winnow.attachments.hdb
rsync://rsync.sanesecurity.net/sanesecurity/winnow_extended_malware.hdb
rsync://rsync.sanesecurity.net/sanesecurity/winnow_bad_cw.hdb
rsync://rsync.sanesecurity.net/sanesecurity/foxhole_generic.cdb
rsync://rsync.sanesecurity.net/sanesecurity/foxhole_filename.cdb
rsync://rsync.sanesecurity.net/sanesecurity/malwarehash.cdb

HTH
Re: [Assp-test] Password Protected "RTF" Files Slipping Through
:: On Tue, 18 Oct 2016 11:29:44 -0400
:: K Post wrote:

> > I suppose that, since you're talking (ok, writing) about AFC, you're
> > running ClamAV; now... are you using the extra signatures available
> > from SaneSecurity ? I'm referring to
> >
> > http://sanesecurity.com/usage/signatures/

> We are using up to date clamav sigs. The problem is that these files
> are encrypted so they're not being detected.

Ok for the sigs being up-to-date; but my point was about the "extra" signatures offered by SaneSecurity, not the regular ones; I found that the regular signatures are often "behind" while the ones offered by SaneSecurity are faster to catch-up, so my suggestion was to add those signatures to your ClamAV scanner to help improve its efficiency; I've been using a number of signatures from SaneSecurity along with the regular clamav signatures and I found them to be quite effective at blocking "junk" (spam, malware and so on), that's why I'm suggesting to give them a spin.
Re: [Assp-test] ClamAV and ASSP: Scan entire message?
AFC + ClamAV scans each MIME part separately and in full.

Thomas

From: K Post
To: ASSP development mailing list
Date: 19.10.2016 04:20
Subject: [Assp-test] ClamAV and ASSP: Scan entire message?

With AFC enabled, should ClamAV be scanning the entire message, i.e. header & body including attachments, or is it just scanning attachments? I've had files blocked with SaneSecurity sigs, but these tests:

http://sanesecurity.com/support/signature-testing/

ALL slip through.