Re: Weird new malware

2017-11-08 Thread Pedro David Marco


 
> Of course that should be:
>
> describe  SCC_MIME_BOGUSCT1  Bogus /mixed Content-Type
> header    SCC_MIME_BOGUSCT1  Content-Type =~ /^(?
> score     SCC_MIME_BOGUSCT1  2

>Hmmm... For some reason I do not understand, the anchor doesn't work, 
>so:
Bill, the negative lookbehind does not consume positions within the analysis; 
try something like:
 Content-Type =~ /(?
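The anchoring point Pedro makes can be seen with Python's `re`, which has the same zero-width lookbehind semantics as Perl. This is an added example, not code from the thread: the rules as posted are truncated on this page, so the lookbehind text `multip` and the two pattern shapes below are my reconstruction of what is being discussed, and the sample header values are constructed rather than taken from the pastebin sample.

```python
import re

# Constructed sample Content-Type values (not the pastebin sample from the thread).
BOGUS_CT = 'multUUIart/mixed; boundary="----=_Part_1"'
LEGIT_CT = 'multipart/mixed; boundary="----=_Part_1"'
PLAIN_CT = "text/plain; charset=us-ascii"

# Assumed shapes of the two rules being discussed (the page truncates the real ones).
# A lookbehind is zero-width: with '^' in front of it, 'art/mixed' must sit at
# offset 0, which a header value beginning with 'mult' can never satisfy.
ANCHORED = re.compile(r"^(?<!multip)art/mixed", re.I)
# Without the anchor the engine scans for 'art/mixed' and rejects only the
# occurrence preceded by 'multip', i.e. the legitimate multipart/mixed.
UNANCHORED = re.compile(r"(?<!multip)art/mixed", re.I)


def rule_hits(pattern: re.Pattern, header_value: str) -> bool:
    """Emulate a SpamAssassin `header ... =~ /pattern/` test: an unanchored search."""
    return pattern.search(header_value) is not None


def compare(header_value: str) -> dict:
    """Evaluate both rule shapes against one header value."""
    return {
        "anchored": rule_hits(ANCHORED, header_value),
        "unanchored": rule_hits(UNANCHORED, header_value),
    }


if __name__ == "__main__":
    for label, ct in (("bogus", BOGUS_CT), ("legit", LEGIT_CT), ("plain", PLAIN_CT)):
        print(f"{label:6} {ct!r:45} -> {compare(ct)}")
```

The anchored form never fires on any of the three values; the unanchored form fires on the bogus header only, which is the behaviour the rule was after.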

Re: Weird new malware

2017-11-08 Thread Dianne Skoll
Hi,

In case anyone wants an actual sample: https://pastebin.com/raw/R3b0UHsB

Regards,

Dianne.


Re: Weird new malware

2017-11-08 Thread Bill Cole

On 8 Nov 2017, at 14:15, Bill Cole wrote:


Of course that should be:

describe  SCC_MIME_BOGUSCT1  Bogus /mixed Content-Type
header    SCC_MIME_BOGUSCT1  Content-Type =~ /^(?

Hmmm... For some reason I do not understand, the anchor doesn't work, 
so:


describe  SCC_MIME_BOGUSCT1  Bogus /mixed Content-Type
header    SCC_MIME_BOGUSCT1  Content-Type =~ /(?

A more conservative approach that barely catches more than Dianne's example:


describe  SCC_MIME_BOGUSCT2  Bogus /mixed Content-Type
headerSCC_MIME_BOGUSCT2  Content-Type =~ /^mult[^i]*[^p]*art\/mixed/
score SCC_MIME_BOGUSCT2  2

Note that as a side-effect of the bad Content-Type, the message will 
match both __EMPTY_BODY and __NONEMPTY_BODY, which might be an 
interesting combination to look for.
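The parser side-effect Bill describes (a message that is neither a proper multipart nor a normal single-part body) is easy to reproduce with Python's stdlib `email` parser. The following is an added example, not code from the thread: the message is constructed in the shape Dianne reported (not the pastebin sample), the SCC_MIME_BOGUSCT2 pattern is copied from Bill's message exactly as posted (no `/i` modifier), and the subject-letter correlation check is my own addition built from Dianne's observation that the letters injected into the Content-Type reappear in the subject.

```python
import re
from email import message_from_string

# Constructed sample message in the shape Dianne described (not the pastebin sample).
BOGUS_MSG = """\
Subject: Invoice UUI8187685
MIME-Version: 1.0
Content-Type: multUUIart/mixed; boundary="sep"

--sep
Content-Type: text/plain

Please see the attached invoice.
--sep
Content-Type: application/octet-stream; name="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--sep--
"""

# The same message with the Content-Type a real mail client would have written.
LEGIT_MSG = BOGUS_MSG.replace("multUUIart/mixed", "multipart/mixed")

# Bill's conservative rule SCC_MIME_BOGUSCT2, pattern copied from the thread
# (no /i modifier was posted, so none is used here).
SCC_MIME_BOGUSCT2 = re.compile(r"^mult[^i]*[^p]*art/mixed")

# Constructed correlation check (my addition): the letters injected between
# "mult" and "art" should match the letter prefix of the "Invoice" subject.
CT_INJECTED_LETTERS = re.compile(r"^mult([A-Z]{2,3})art/mixed")
SUBJECT_LETTERS = re.compile(r"^Invoice ([A-Z]{2,3})\d{7}\b")


def analyze(raw: str) -> dict:
    """Parse one message and report how a MIME parser and the rules see it."""
    msg = message_from_string(raw)
    ct = msg.get("Content-Type", "")
    subject = msg.get("Subject", "")
    ct_letters = CT_INJECTED_LETTERS.match(ct)
    subj_letters = SUBJECT_LETTERS.match(subject)
    return {
        # what the stdlib parser made of the top-level type (lower-cased by it)
        "content_type": msg.get_content_type(),
        # False means no container was recognised: the boundary lines and the
        # attachment are now just opaque body text, which is what fooled the parser
        "parser_sees_multipart": msg.is_multipart(),
        "body_is_raw_text": isinstance(msg.get_payload(), str),
        "scc_mime_bogusct2": SCC_MIME_BOGUSCT2.match(ct) is not None,
        "subject_letters_match_ct": bool(
            ct_letters and subj_letters
            and ct_letters.group(1) == subj_letters.group(1)
        ),
    }


if __name__ == "__main__":
    for label, raw in (("bogus", BOGUS_MSG), ("legit", LEGIT_MSG)):
        print(label, analyze(raw))
```

On the bogus message the parser reports a single-part `multuuiart/mixed` body with the boundary markers still inside it, while the legitimate copy parses as a two-part multipart; only the bogus one trips SCC_MIME_BOGUSCT2 and the letter correlation.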


Re: Weird new malware

2017-11-08 Thread Dianne Skoll
On Wed, 8 Nov 2017 11:49:38 -0800 (PST)
Jim Dunphy  wrote:

> header J_BAD_CONTYPE Content-Type !~ 
> /^(application|audio|image|message|multipart|text|video|x-)/i

For messages that lack a content type header, I guess you need the
[if-unset:] tag at the end:  [if-unset: text/plain]

I know those messages are pretty scarce nowadays, but they do still
exist.

Regards,

Dianne.


Re: Weird new malware

2017-11-08 Thread Jim Dunphy
Another method.

The content header field is defined to have these values for the type.

header   J_BAD_CONTYPE  Content-Type !~ /^(application|audio|image|message|multipart|text|video|x-)/i
score J_BAD_CONTYPE 0.1
describe J_BAD_CONTYPE  invalid content type declared in header of the message

Jim

- On Nov 8, 2017, at 11:15 AM, Bill Cole 
sausers-20150...@billmail.scconsult.com wrote:

> On 8 Nov 2017, at 14:12, Bill Cole wrote:
> 
>> On 8 Nov 2017, at 11:16, Dianne Skoll wrote:
>>
>>> On Wed, 8 Nov 2017 11:02:16 -0500
>>> Rob McEwen  wrote:
>>>
>>>> This seems to be catching most of them:
>>>
>>>> Subject: Invoice [A-Z]{2,3}\d{7}\b
>>>
>>> Yes, that'll work.  Maybe a better approach is a combo rule that
>>> looks
>>> in the headers for Content-Type: .*art/mixed but NOT multipart/mixed
>>>
>>> I don't know offhand how to create such a rule in SpamAssassin, but I
>>> imagine
>>> a meta rule could take care of it.
>>
>> Untested:
>>
>> description  SCC_MIME_BOGUSCT1  Bogus /mixed Content-Type
>> header   SCC_MIME_BOGUSCT1  Content-Type =~ /^(?
>> score    SCC_MIME_BOGUSCT1  2
> 
> Of course that should be:
> 
> describe  SCC_MIME_BOGUSCT1  Bogus /mixed Content-Type
> header    SCC_MIME_BOGUSCT1  Content-Type =~ /^(?
> score     SCC_MIME_BOGUSCT1  2

-- 
Jim Dunphy  Victoria: (250) 665 8066
Aesir Computing, Inc.USA: (703) 406 8062
CTO   Mobile: (206) 480-6069
1215 Royal Oak DrTwitter: medhatjad
Victoria, BC V8X 3T7   www.aesir.com


Re: Weird new malware

2017-11-08 Thread Bill Cole

On 8 Nov 2017, at 14:12, Bill Cole wrote:


On 8 Nov 2017, at 11:16, Dianne Skoll wrote:


On Wed, 8 Nov 2017 11:02:16 -0500
Rob McEwen  wrote:


This seems to be catching most of them:



Subject: Invoice [A-Z]{2,3}\d{7}\b


Yes, that'll work.  Maybe a better approach is a combo rule that looks
in the headers for Content-Type: .*art/mixed but NOT multipart/mixed

I don't know offhand how to create such a rule in SpamAssassin, but I imagine
a meta rule could take care of it.


Untested:

description  SCC_MIME_BOGUSCT1  Bogus /mixed Content-Type
header   SCC_MIME_BOGUSCT1  Content-Type =~ /^(?
score    SCC_MIME_BOGUSCT1  2


Of course that should be:

describe  SCC_MIME_BOGUSCT1  Bogus /mixed Content-Type
header    SCC_MIME_BOGUSCT1  Content-Type =~ /^(?

Re: Weird new malware

2017-11-08 Thread Bill Cole

On 8 Nov 2017, at 11:16, Dianne Skoll wrote:


On Wed, 8 Nov 2017 11:02:16 -0500
Rob McEwen  wrote:


This seems to be catching most of them:



Subject: Invoice [A-Z]{2,3}\d{7}\b


Yes, that'll work.  Maybe a better approach is a combo rule that looks
in the headers for Content-Type: .*art/mixed but NOT multipart/mixed

I don't know offhand how to create such a rule in SpamAssassin, but I imagine
a meta rule could take care of it.


Untested:

description  SCC_MIME_BOGUSCT1  Bogus /mixed Content-Type
header   SCC_MIME_BOGUSCT1  Content-Type =~ /^(?

Re: Weird new malware

2017-11-08 Thread Kevin A. McGrail
Ty, can you throw me a sample?  I also think I am blocking it with me and will 
post on that list about it once I analyze it a bit.
Regards,
KAM

On November 8, 2017 7:45:28 AM PST, Dianne Skoll  
wrote:
>Hi,
>
>Heads-up: We're seeing weird new malware with a subject that looks like
>
>   Invoice XXX
>
>where XXX is two or three random upper-case letters and n is a
>series
>of digits.  What's weird is that the Content-Type: header looks like
>this:
>
>Content-Type: multXXXart/mixed
>
>where the XXX is the same as in the subject.  That is, a message
>with subject "Invoice UUI8187685" has Content-Type "multUUIart/mixed". 
>This
>is fooling our MIME parser because it doesn't see the container as a
>multipart.  Does any client software?
>
>Anyway, might want to make rules for this.
>
>Regards,
>
>Dianne.


Re: Weird new malware

2017-11-08 Thread Dianne Skoll
On Wed, 8 Nov 2017 11:02:16 -0500
Rob McEwen  wrote:

> This seems to be catching most of them:

> Subject: Invoice [A-Z]{2,3}\d{7}\b

Yes, that'll work.  Maybe a better approach is a combo rule that looks
in the headers for Content-Type: .*art/mixed but NOT multipart/mixed

I don't know offhand how to create such a rule in SpamAssassin, but I imagine
a meta rule could take care of it.

Regards,

Dianne.


Re: Weird new malware

2017-11-08 Thread Rob McEwen

This seems to be catching most of them:

Subject: Invoice [A-Z]{2,3}\d{7}\b
...but it might need to be combined with other things to ensure no false 
positives, since there would be a rare legit message that would hit on this?

--Rob McEwen

On 11/8/2017 10:45 AM, Dianne Skoll wrote:

Hi,

Heads-up: We're seeing weird new malware with a subject that looks like

Invoice XXX

where XXX is two or three random upper-case letters and n is a series
of digits.  What's weird is that the Content-Type: header looks like this:

Content-Type: multXXXart/mixed

where the XXX is the same as in the subject.  That is, a message
with subject "Invoice UUI8187685" has Content-Type "multUUIart/mixed".  This
is fooling our MIME parser because it doesn't see the container as a
multipart.  Does any client software?

Anyway, might want to make rules for this.

Regards,

Dianne.



--
Rob McEwen
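Several ideas in this thread fit together as one small rule set: Rob's subject pattern (and his worry that a rare legitimate invoice hits it), Dianne's suggestion of a meta rule requiring `.*art/mixed` but NOT `multipart/mixed`, Jim's J_BAD_CONTYPE test for the declared top-level type, and Dianne's note that a message with no Content-Type at all needs an `[if-unset: text/plain]` default. The code below is an added model of those rules, not SpamAssassin itself and not anyone's posted code: the regexes are copied from the thread, the three header sets are constructed, and `header_test` simply returns None when a header is absent and no default is supplied, so it makes no claim about what SpamAssassin does in that case beyond showing why the default matters.

```python
import re

# Rob's subject pattern, copied from the thread.
SUBJECT_INVOICE = re.compile(r"Invoice [A-Z]{2,3}\d{7}\b")
# Dianne's Content-Type condition, split into the two sub-rules a meta rule combines.
CT_ART_MIXED = re.compile(r".*art/mixed", re.I)
CT_MULTIPART_MIXED = re.compile(r"multipart/mixed", re.I)
# Jim's J_BAD_CONTYPE pattern, copied from the thread; it is used with a negated test.
VALID_TOP_LEVEL = re.compile(
    r"^(application|audio|image|message|multipart|text|video|x-)", re.I)

# Constructed header sets (plain dicts stand in for parsed messages).
MALWARE = {"Subject": "Invoice UUI8187685",
           "Content-Type": 'multUUIart/mixed; boundary="sep"'}
LEGIT_INVOICE = {"Subject": "Invoice ABC1234567",   # Rob's false-positive case
                 "Content-Type": 'multipart/mixed; boundary="b1"'}
PRE_MIME = {"Subject": "Lunch on Friday?"}          # no Content-Type header at all


def header_test(headers, name, pattern, negate=False, if_unset=None):
    """Model of one SpamAssassin `header` rule.

    Returns True/False once a value has been tested.  If the header is absent
    and no if_unset default is given it returns None (nothing to test); the
    if_unset argument plays the part of the [if-unset: STRING] tag.
    """
    value = headers.get(name)
    if value is None:
        if if_unset is None:
            return None
        value = if_unset
    matched = pattern.search(value) is not None
    return (not matched) if negate else matched


def evaluate(headers):
    """Run the individual rules and the meta combination over one header set."""
    subj = bool(header_test(headers, "Subject", SUBJECT_INVOICE))
    art_mixed = bool(header_test(headers, "Content-Type", CT_ART_MIXED))
    real_multipart = bool(header_test(headers, "Content-Type", CT_MULTIPART_MIXED))
    bogus_ct = art_mixed and not real_multipart
    return {
        "SUBJECT_INVOICE": subj,                      # Rob's rule alone: hits legit invoices too
        "BOGUS_MIXED_CT": bogus_ct,                   # art/mixed but NOT multipart/mixed
        "META_INVOICE_BOGUS_CT": subj and bogus_ct,   # the combination Dianne suggested
        "J_BAD_CONTYPE": header_test(
            headers, "Content-Type", VALID_TOP_LEVEL, negate=True),
        "J_BAD_CONTYPE_if_unset": header_test(
            headers, "Content-Type", VALID_TOP_LEVEL, negate=True, if_unset="text/plain"),
    }


if __name__ == "__main__":
    for label, hdrs in (("malware", MALWARE), ("legit", LEGIT_INVOICE), ("pre-MIME", PRE_MIME)):
        print(label, evaluate(hdrs))
```

The legitimate invoice trips the subject rule but not the meta rule, which is the false-positive control Rob was asking for; the pre-MIME message yields no verdict from J_BAD_CONTYPE until the `text/plain` default is supplied, at which point it is correctly treated as having a valid type.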