Re: rules for a sneaky SPEAR-VIRUS spam that gets past bayes

2022-03-03 Thread Loren Wilton
Just off the top of my head:

rawbody  ONEDRIVE_DOWNLOAD  m'https://onedrive\.live\.com/download[?]cid='
score    ONEDRIVE_DOWNLOAD  0.5
describe ONEDRIVE_DOWNLOAD  Download link to a file on Onedrive

Personally I'd be inclined to put an i on the end of that.

body     FILE_PWD_INFO  /\b(?:Fil lösenord|File password):\s[A-Z]{2}\d{4}\b/
score    FILE_PWD_INFO  3
describe FILE_PWD_INFO  Email has a password to an archive file

meta     PWD_ONEDRIVE_DLOAD  ONEDRIVE_DOWNLOAD && FILE_PWD_INFO
score    PWD_ONEDRIVE_DLOAD  4
describe PWD_ONEDRIVE_DLOAD  Email contains download for passworded Onedrive file

Loren


rules for a sneaky SPEAR-VIRUS spam that gets past bayes

2022-03-03 Thread Rob McEwen
rules for a sneaky SPEAR-VIRUS spam that gets past bayes because legit 
content from hijacked emails is copied into the spam, making it look 
like a follow-up msg of an existing legit conversation. Catch using 
these rules below. (Perhaps also add more to this to prevent rare FPs? 
But this is a good start!)


FILE SIZE < 50kb

then, on decoded/demime'd msg:

exact match on:
https://onedrive.live.com/download?cid=

Then a hit on THIS RegEx:
\b(Fil lösenord|File password): [A-Z]{2}\d{4}\b

(I'll let someone else jump in here and create and share the actual SA 
implementation of this, if desired - along with any suggested improvements)


-- Rob McEwen, invaluement
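Added example (not from either poster, and not SpamAssassin itself): a small Python harness that applies Rob's outline above and Loren's rule set from the reply to constructed sample messages, so the scoring of the meta rule can be checked offline. It uses Python's email module to undo the transfer encoding (Rob's "decoded/demime'd msg"), applies the 50 kB size pre-filter, then runs the two base regexes and the meta combination. The message texts, addresses and the OneDrive cid value are all made up for the test; the rule names and scores are the ones in Loren's post.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Loren's two base rules, transcribed as Python regexes with their scores.
# (His rawbody rule runs on the raw body in SA; here both rules run on the
# decoded text of every text/* part, matching Rob's "decoded/demime'd" step.)
RULES = {
    "ONEDRIVE_DOWNLOAD": (re.compile(r"https://onedrive\.live\.com/download[?]cid="), 0.5),
    "FILE_PWD_INFO": (re.compile(r"\b(?:Fil lösenord|File password):\s[A-Z]{2}\d{4}\b"), 3.0),
}
META_SCORE = 4.0          # PWD_ONEDRIVE_DLOAD: both base rules must hit
MAX_SIZE = 50 * 1024      # Rob's "FILE SIZE < 50kb" pre-filter


def decoded_text(msg: EmailMessage) -> str:
    """Join the decoded text/* parts (quoted-printable/base64 and charset undone)."""
    return "\n".join(
        part.get_content() for part in msg.walk()
        if part.get_content_maintype() == "text"
    )


def evaluate(raw: str) -> dict:
    """Score one raw RFC 5322 message with the thread's rules."""
    if len(raw.encode("utf-8")) >= MAX_SIZE:
        return {"hits": [], "score": 0.0, "skipped": "size"}
    msg = email.message_from_string(raw, policy=policy.default)
    text = decoded_text(msg)
    hits = [name for name, (rx, _) in RULES.items() if rx.search(text)]
    score = sum(RULES[name][1] for name in hits)
    if "ONEDRIVE_DOWNLOAD" in hits and "FILE_PWD_INFO" in hits:
        hits.append("PWD_ONEDRIVE_DLOAD")
        score += META_SCORE
    return {"hits": hits, "score": score, "skipped": None}


# Constructed sample 1: the pattern Rob describes, a quoted legit thread
# plus a OneDrive download link and a file password, sent quoted-printable
# so the Swedish "lösenord" only appears after decoding.
SPEAR = """From: colleague@example.test
To: you@example.test
Subject: RE: invoice for March
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi, updated file here:
https://onedrive.live.com/download?cid=3DEXAMPLE0000&resid=3DEXAMPLE
Fil l=C3=B6senord: AB1234

> On Tue, you wrote:
> Please send the March invoice when ready.
"""

# Constructed sample 2: a plain OneDrive share link, no password line.
LINK_ONLY = """From: colleague@example.test
To: you@example.test
Subject: slides
Content-Type: text/plain; charset="utf-8"

Slides are here: https://onedrive.live.com/download?cid=EXAMPLE0000
"""

# Constructed sample 3: a password line with no OneDrive link (the kind of
# message behind Rob's FP concern; only the 3-point base rule fires).
PWD_ONLY = """From: hr@example.test
To: you@example.test
Subject: payslip archive
Content-Type: text/plain; charset="utf-8"

The attached zip is protected. File password: XY9876
"""

# Constructed sample 4: same spam padded past the size cut-off, so skipped.
OVERSIZED = SPEAR + "X" * (60 * 1024)

if __name__ == "__main__":
    for label, raw in [("spear", SPEAR), ("link_only", LINK_ONLY),
                       ("pwd_only", PWD_ONLY), ("oversized", OVERSIZED)]:
        print(label, evaluate(raw))
```

Only the first sample reaches the combined 7.5 (0.5 + 3 + 4); a link alone scores 0.5 and a password line alone 3, which is where Rob's "rare FPs" would come from if the meta rule were not required for the big score.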