Re: Weird new malware
> Of course that should be:
>
> describe SCC_MIME_BOGUSCT1 Bogus /mixed Content-Type
> header SCC_MIME_BOGUSCT1 Content-Type =~ /^(?
> score SCC_MIME_BOGUSCT1 2
>
> Hmmm... For some reason I do not understand, the anchor doesn't work,
> so:

Bill, the negative lookbehind does not consume positions within the analysis; try something like:

Content-Type =~ /(?
Re: Weird new malware
Hi,

In case anyone wants an actual sample:

https://pastebin.com/raw/R3b0UHsB

Regards,

Dianne.
Re: Weird new malware
On 8 Nov 2017, at 14:15, Bill Cole wrote:

> Of course that should be:
>
> describe SCC_MIME_BOGUSCT1 Bogus /mixed Content-Type
> header SCC_MIME_BOGUSCT1 Content-Type =~ /^(?

Hmmm... For some reason I do not understand, the anchor doesn't work, so:

describe SCC_MIME_BOGUSCT1 Bogus /mixed Content-Type
header SCC_MIME_BOGUSCT1 Content-Type =~ /(?

A more conservative approach that barely catches more than Dianne's example:

describe SCC_MIME_BOGUSCT2 Bogus /mixed Content-Type
header SCC_MIME_BOGUSCT2 Content-Type =~ /^mult[^i]*[^p]*art\/mixed/
score SCC_MIME_BOGUSCT2 2

Note that as a side-effect of the bad Content-Type, the message will match both __EMPTY_BODY and __NONEMPTY_BODY, which might be an interesting combination to look for.
Re: Weird new malware
On Wed, 8 Nov 2017 11:49:38 -0800 (PST)
Jim Dunphy wrote:

> header J_BAD_CONTYPE Content-Type !~
> /^(application|audio|image|message|multipart|text|video|x-)/i

For messages that lack a Content-Type header, I guess you need the [if-unset:] tag at the end:

[if-unset: text/plain]

I know those messages are pretty scarce nowadays, but they do still exist.

Regards,

Dianne.
Re: Weird new malware
Another method. The content header field is defined to have these values for the type.

header J_BAD_CONTYPE Content-Type !~ /^(application|audio|image|message|multipart|text|video|x-)/i
score J_BAD_CONTYPE 0.1
describe J_BAD_CONTYPE invalid content type declared in header of the message

Jim

- On Nov 8, 2017, at 11:15 AM, Bill Cole sausers-20150...@billmail.scconsult.com wrote:

> On 8 Nov 2017, at 14:12, Bill Cole wrote:
>
>> On 8 Nov 2017, at 11:16, Dianne Skoll wrote:
>>
>>> On Wed, 8 Nov 2017 11:02:16 -0500
>>> Rob McEwen wrote:
>>>
>>>> This seems to be catching most of them:
>>>> Subject: Invoice [A-Z]{2,3}\d{7}\b
>>>
>>> Yes, that'll work. Maybe a better approach is a combo rule that looks
>>> in the headers for Content-Type: .*art/mixed but NOT multipart/mixed
>>>
>>> I don't know offhand how to create such a rule in SpamAssassin, but I
>>> imagine a meta rule could take care of it.
>>
>> Untested:
>>
>> description SCC_MIME_BOGUSCT1 Bogus /mixed Content-Type
>> header SCC_MIME_BOGUSCT1 Content-Type =~ /^(?
>> score SCC_MIME_BOGUSCT1 2
>
> Of course that should be:
>
> describe SCC_MIME_BOGUSCT1 Bogus /mixed Content-Type
> header SCC_MIME_BOGUSCT1 Content-Type =~ /^(?
> score SCC_MIME_BOGUSCT1 2

-- 
Jim Dunphy                    Victoria: (250) 665 8066
Aesir Computing, Inc.         USA: (703) 406 8062
CTO                           Mobile: (206) 480-6069
1215 Royal Oak Dr             Twitter: medhatjad
Victoria, BC V8X 3T7          www.aesir.com
Re: Weird new malware
On 8 Nov 2017, at 14:12, Bill Cole wrote:

> On 8 Nov 2017, at 11:16, Dianne Skoll wrote:
>
>> On Wed, 8 Nov 2017 11:02:16 -0500
>> Rob McEwen wrote:
>>
>>> This seems to be catching most of them:
>>> Subject: Invoice [A-Z]{2,3}\d{7}\b
>>
>> Yes, that'll work. Maybe a better approach is a combo rule that looks
>> in the headers for Content-Type: .*art/mixed but NOT multipart/mixed
>>
>> I don't know offhand how to create such a rule in SpamAssassin, but I
>> imagine a meta rule could take care of it.
>
> Untested:
>
> description SCC_MIME_BOGUSCT1 Bogus /mixed Content-Type
> header SCC_MIME_BOGUSCT1 Content-Type =~ /^(?
> score SCC_MIME_BOGUSCT1 2

Of course that should be:

describe SCC_MIME_BOGUSCT1 Bogus /mixed Content-Type
header SCC_MIME_BOGUSCT1 Content-Type =~ /^(?
Re: Weird new malware
On 8 Nov 2017, at 11:16, Dianne Skoll wrote:

> On Wed, 8 Nov 2017 11:02:16 -0500
> Rob McEwen wrote:
>
>> This seems to be catching most of them:
>> Subject: Invoice [A-Z]{2,3}\d{7}\b
>
> Yes, that'll work. Maybe a better approach is a combo rule that looks
> in the headers for Content-Type: .*art/mixed but NOT multipart/mixed
>
> I don't know offhand how to create such a rule in SpamAssassin, but I
> imagine a meta rule could take care of it.

Untested:

description SCC_MIME_BOGUSCT1 Bogus /mixed Content-Type
header SCC_MIME_BOGUSCT1 Content-Type =~ /^(?
Re: Weird new malware
Ty can you throw me a sample? I also think I am blocking it with me and will post on that list about it once I analyze it a bit.

Regards,
KAM

On November 8, 2017 7:45:28 AM PST, Dianne Skoll wrote:
> Hi,
>
> Heads-up: We're seeing weird new malware with a subject that looks like
>
>   Invoice XXX
>
> where XXX is two or three random upper-case letters and n is a series
> of digits. What's weird is that the Content-Type: header looks like
> this:
>
> Content-Type: multXXXart/mixed
>
> where the XXX is the same as in the subject. That is, a message with
> subject "Invoice UUI8187685" has Content-Type "multUUIart/mixed". This
> is fooling our MIME parser because it doesn't see the container as a
> multipart. Does any client software?
>
> Anyway, might want to make rules for this.
>
> Regards,
>
> Dianne.
Re: Weird new malware
On Wed, 8 Nov 2017 11:02:16 -0500
Rob McEwen wrote:

> This seems to be catching most of them:
> Subject: Invoice [A-Z]{2,3}\d{7}\b

Yes, that'll work. Maybe a better approach is a combo rule that looks
in the headers for Content-Type: .*art/mixed but NOT multipart/mixed

I don't know offhand how to create such a rule in SpamAssassin, but I
imagine a meta rule could take care of it.

Regards,

Dianne.
Re: Weird new malware
This seems to be catching most of them:

Subject: Invoice [A-Z]{2,3}\d{7}\b

...but it might need to be combined with other things to ensure no false positives, since there would be a rare legit message that would hit on this?

--Rob McEwen

On 11/8/2017 10:45 AM, Dianne Skoll wrote:
> Hi,
>
> Heads-up: We're seeing weird new malware with a subject that looks like
>
>   Invoice XXX
>
> where XXX is two or three random upper-case letters and n is a series
> of digits. What's weird is that the Content-Type: header looks like
> this:
>
> Content-Type: multXXXart/mixed
>
> where the XXX is the same as in the subject. That is, a message with
> subject "Invoice UUI8187685" has Content-Type "multUUIart/mixed". This
> is fooling our MIME parser because it doesn't see the container as a
> multipart. Does any client software?
>
> Anyway, might want to make rules for this.
>
> Regards,
>
> Dianne.

-- 
Rob McEwen
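The checks discussed in this thread, carried through as an added example that is not code from the list or from SpamAssassin: Jim's J_BAD_CONTYPE top-level-type test, Dianne's [if-unset: text/plain] fallback for messages with no Content-Type header, the ".*art/mixed but not multipart/mixed" combo, Rob's Subject pattern, and a check that the letters in the Subject reappear in the Content-Type as Dianne observed. It also shows the parser behaviour Dianne describes: Python's standard email parser does not recognise multUUIart/mixed as a multipart container, so the boundary-delimited attachment stays buried in one opaque text body. The rule names are borrowed from the thread; the function names and the sample messages are this example's own constructions, not real captures.

```python
"""Bogus 'multXXXart/mixed' Content-Type checks, re-implemented in Python.

Added example, not code from the list thread or from SpamAssassin. Rule
names come from the thread; function names and sample messages are this
example's own.
"""
import email
import re

# Top-level media types accepted by Jim's J_BAD_CONTYPE rule
# (the RFC 2046 types plus the x- prefix).
REGISTERED_TOP_LEVEL = ("application", "audio", "image", "message",
                        "multipart", "text", "video", "x-")

# Rob's Subject pattern, with the two-or-three letter group captured so it
# can be compared against the Content-Type (Dianne: "the XXX is the same").
SUBJECT_RE = re.compile(r"Invoice ([A-Z]{2,3})\d{7}\b")


def content_type_of(msg, if_unset="text/plain"):
    """Raw Content-Type value, defaulting like SpamAssassin's [if-unset: text/plain]."""
    value = msg.get("Content-Type")
    return if_unset if value is None else value


def media_type(ct):
    """'multUUIart/mixed; boundary="b1"' -> 'multuuiart/mixed' (parameters dropped)."""
    return ct.split(";", 1)[0].strip().lower()


def bad_top_level(ct):
    """J_BAD_CONTYPE: the declared type does not begin with a registered top-level type."""
    return not media_type(ct).startswith(REGISTERED_TOP_LEVEL)


def bogus_mixed(ct):
    """Dianne's combo: 'art/mixed' appears in the type, but it is not multipart/mixed."""
    mt = media_type(ct)
    return "art/mixed" in mt and not mt.startswith("multipart/mixed")


def subject_letters_match_type(msg):
    """Dianne's observation: Subject 'Invoice UUI8187685' pairs with 'multUUIart/mixed'."""
    m = SUBJECT_RE.search(msg.get("Subject", ""))
    if m is None:
        return False
    return media_type(content_type_of(msg)) == "mult%sart/mixed" % m.group(1).lower()


def analyse(raw):
    """Parse one message and report what the MIME parser sees plus each rule's verdict."""
    msg = email.message_from_string(raw)
    ct = content_type_of(msg)
    multipart = msg.is_multipart()
    return {
        "media_type": media_type(ct),
        # False for the malware: the parser does not recognise the container, so the
        # whole boundary-delimited body, attachment included, is one text payload.
        "parsed_as_multipart": multipart,
        "part_count": len(msg.get_payload()) if multipart else 0,
        "J_BAD_CONTYPE": bad_top_level(ct),
        "BOGUS_MIXED": bogus_mixed(ct),
        "SUBJECT_MATCHES_TYPE": subject_letters_match_type(msg),
    }


# Constructed sample messages (not real captures): same body, different Content-Type.
_BODY = (
    "--b1\n"
    "Content-Type: text/plain\n"
    "\n"
    "Please see the attached invoice.\n"
    "--b1\n"
    "Content-Type: application/octet-stream; name=\"invoice.js\"\n"
    "\n"
    "(attachment bytes)\n"
    "--b1--\n"
)
MALWARE = ("Subject: Invoice UUI8187685\n"
           "Content-Type: multUUIart/mixed; boundary=\"b1\"\n"
           "\n" + _BODY)
LEGIT = ("Subject: Invoice UUI8187685\n"
         "Content-Type: multipart/mixed; boundary=\"b1\"\n"
         "\n" + _BODY)
NO_CONTENT_TYPE = "Subject: hello\n\nPlain body, no Content-Type header at all.\n"


if __name__ == "__main__":
    for name, raw in (("malware", MALWARE), ("legit", LEGIT),
                      ("no Content-Type", NO_CONTENT_TYPE)):
        print(name, analyse(raw))
```

The J_BAD_CONTYPE check alone also flags anything using the newer IANA top-level types (font, model, example), so as in Jim's rule it is better scored low and combined with the other signals than used on its own.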