Re: sneaky spams w/zipped URL file, easily caught by "Thread-Index"
Hi, Excellent... except for one potential problem... this is in their "foxhole_all.cdb" file which they label as "high false positive risk" - which could scare some away! For those who don't score very high on ClamAv and/or who are able to score DIFFERENTLY based on different types of Sanesecurity and/or ClamAv results, this is probably OK. But for others who prefer to either outright block or score high on ClamAv, that MIGHT present a problem. On the other hand, maybe Sanesecurity is just being overly cautious (or considering more theoretical FNs?), and such actual FPs in real world mail flow are actually extremely rare? Any Thoughts? Anyone know? That's interesting because I probably wouldn't have started using foxhole_all.cdb if it had been classified like that then. I am not getting any reports or finding any problems with FPs. foxhole_all is just a few dozen(?) lines of rules to tag file types within zip/rar/7z/arj/exe files. Perhaps because you're outright rejecting many of these file types already? Regards, Dave 3,110,729 total messages* since March 15th 112,477 spam blocked 2,071 total viruses found 8 Foxhole viruses found *After MTA rejects based on RBLs and other DNS checks -- Dave Jones
Re: sneaky spams w/zipped URL file, easily caught by "Thread-Index"
On 03/27/2018 09:37 AM, Rob McEwen wrote: On 3/27/2018 9:48 AM, David Jones wrote: Looks like ClamAV UNOFFICIAL sigs are detecting this: Clamd: message was infected: Sanesecurity.Foxhole.Zip_url.UNOFFICIAL David, Excellent... except for one potential problem... this is in their "foxhole_all.cdb" file which they label as "high false positive risk" - which could scare some away! For those who don't score very high on ClamAv and/or who are able to score DIFFERENTLY based on different types of Sanesecurity and/or ClamAv results, this is probably OK. But for others who prefer to either outright block or score high on ClamAv, that MIGHT present a problem. On the other hand, maybe Sanesecurity is just being overly cautious (or considering more theoretical FNs?), and such actual FPs in real world mail flow are actually extremely rare? Any Thoughts? Anyone know? That's interesting because I probably wouldn't have started using foxhole_all.cdb if it had been classified like that then. I am not getting any reports or finding any problems with FPs. 3,110,729 total messages* since March 15th 112,477 spam blocked 2,071 total viruses found 8 Foxhole viruses found *After MTA rejects based on RBLs and other DNS checks -- Dave Jones -- David Jones
Re: sneaky spams w/zipped URL file, easily caught by "Thread-Index"
On 3/27/2018 9:48 AM, David Jones wrote: Looks like ClamAV UNOFFICIAL sigs are detecting this: Clamd: message was infected: Sanesecurity.Foxhole.Zip_url.UNOFFICIAL David, Excellent... except for one potential problem... this is in their "foxhole_all.cdb" file which they label as "high false positive risk" - which could scare some away! For those who don't score very high on ClamAv and/or who are able to score DIFFERENTLY based on different types of Sanesecurity and/or ClamAv results, this is probably OK. But for others who prefer to either outright block or score high on ClamAv, that MIGHT present a problem. On the other hand, maybe Sanesecurity is just being overly cautious (or considering more theoretical FNs?), and such actual FPs in real world mail flow are actually extremely rare? Any Thoughts? Anyone know? -- Rob McEwen https://www.invaluement.com
Re: sneaky spams w/zipped URL file, easily caught by "Thread-Index"
On 03/27/2018 08:24 AM, Pedro David Marco wrote: Thanks Rob, can you pastebin a sample?? PedroD Looks like ClamAV UNOFFICIAL sigs are detecting this: Clamd: message was infected: Sanesecurity.Foxhole.Zip_url.UNOFFICIAL Clamd: Purchase Order_4014053_27032018.zip was infected: Sanesecurity.Foxhole.Zip_url.UNOFFICIAL https://pastebin.com/WwUbWCQY -- David Jones
Re: sneaky spams w/zipped URL file, easily caught by "Thread-Index"
Thanks Rob, can you pastebin a sample?? PedroD
sneaky spams w/zipped URL file, easily caught by "Thread-Index"
Today, MUCH sneaky spams are being sent with an attached zipped malicious URL/shortcut file. Most or all of these are easily caught by Thread-Index, as follows: Thread-Index: AdBx5/5UsdSTxflQTPi+FyODmVaqhA== Perhaps someone can make a rule for this and post it here? I already set this in another non-SA part of my anti-spam system, but the rule might help others here. There are also other attributes that could become an SA rule that would cause a hit even if the Thread-Index changed, but that will require a little bit more effort. -- Rob McEwen https://www.invaluement.com