Re: Direct download link detection

2017-07-28 Thread Rupert Gallagher
> unbound-host -rvD foolinux.mooo.com foolinux.mooo.com has address 136.25.152.91 (insecure) foolinux.mooo.com has no IPv6 address (insecure) foolinux.mooo.com has no mail handler record (insecure) > Original Message ---- > Subject: Re: Direct download link detection > Local T

Re: Direct download link detection

2017-07-28 Thread Rupert Gallagher
s Sent from ProtonMail webmail. > ---- Original Message > Subject: Re: Direct download link detection > Local Time: July 27, 2017 9:06 PM > UTC Time: July 27, 2017 7:06 PM > From: i...@very.loosely.org > To: users@spamassassin.apache.org > On 2017-07-27 13:08, Ru

Re: Direct download link detection

2017-07-27 Thread Ian Zimmerman
On 2017-07-27 13:08, Rupert Gallagher wrote: > The rfc prescribes (MUST) the use of your public domain in the domain > part of your mid. If you mean RFC 5322, this is not true. Section 3.6.4: The message identifier (msg-id) itself MUST be a globally unique identifier for a message. The

Re: Direct download link detection

2017-07-27 Thread Rupert Gallagher
The rfc prescribes (MUST) the use of your public domain in the domain part of your mid. So the dns tests are just the first in the queue. The dimain must also match early in the Reveived list. If you fail with it, then you have problems with every rfc-compliant smtp server world-wide. This

Re: Direct download link detection

2017-07-27 Thread Rupert Gallagher
> Are you able to turn it off? I tried. No such option. :-( Sent from ProtonMail Mobile On Wed, Jul 26, 2017 at 6:05 PM, Matus UHLAR - fantomas wrote: > On 26.07.17 02:48, Rupert Gallagher wrote: >+1 to remove that clause from the > RFC. I don't see any reason... btw you'd

Re: Direct download link detection - new variant

2017-07-26 Thread Michael Storz
Am 2017-07-26 17:22, schrieb Dianne Skoll: On Wed, 26 Jul 2017 17:15:43 +0200 Michael Storz wrote: [...] /boundary="-{4}=_NextPart_000_[0-9A-F]{4}_[0-9A-F]{8}\.[0-9A-F]{8}"/ You may get FPs. See for example

Re: Direct download link detection

2017-07-26 Thread Ian Zimmerman
On 2017-07-26 02:48, Rupert Gallagher wrote: > When a mail arrives without mid, either the sender did not use a real > SMTP server or tried to hide it. We have a custom SA rule for it. We > also reject upfront any mid with a syntax error, or whose domain does > not have a rdns (eg.

Re: Direct download link detection

2017-07-26 Thread Matus UHLAR - fantomas
On 26.07.17 02:48, Rupert Gallagher wrote: +1 to remove that clause from the RFC. I don't see any reason... btw you'd need to change it to MUST NOT for all to stop (which is unlikelly to happen). When a mail arrives without mid, either the sender did not use a real SMTP server or tried to

Re: Direct download link detection - new variant

2017-07-26 Thread Dianne Skoll
On Wed, 26 Jul 2017 08:28:52 -0700 (PDT) John Hardin wrote: > ...all of which is, sadly, whack-a-mole. However, there are few to no alternatives to whack-a-mole for this spam run. The messages are pretty bland. We've been diligently adding the URLs to our phishing list and

Re: Direct download link detection - new variant

2017-07-26 Thread John Hardin
On Wed, 26 Jul 2017, Michael Storz wrote: Am 2017-07-26 15:08, schrieb Dianne Skoll: On Tue, 25 Jul 2017 08:36:22 -0400 Dianne Skoll wrote: > All of the URLs match this pattern: > /\/[A-Z]{4}\d{6}\/$/ We see a new variant with the subject "Your Virgin Media

Re: Direct download link detection - new variant

2017-07-26 Thread Dianne Skoll
On Wed, 26 Jul 2017 17:15:43 +0200 Michael Storz wrote: [...] > /boundary="-{4}=_NextPart_000_[0-9A-F]{4}_[0-9A-F]{8}\.[0-9A-F]{8}"/ You may get FPs. See for example https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails==sk105578

Re: Direct download link detection - new variant

2017-07-26 Thread Michael Storz
Am 2017-07-26 15:08, schrieb Dianne Skoll: On Tue, 25 Jul 2017 08:36:22 -0400 Dianne Skoll wrote: All of the URLs match this pattern: /\/[A-Z]{4}\d{6}\/$/ We see a new variant with the subject "Your Virgin Media bill is ready" and URLs that match: uri

Re: Direct download link detection - new variant

2017-07-26 Thread Dianne Skoll
On Tue, 25 Jul 2017 08:36:22 -0400 Dianne Skoll wrote: > All of the URLs match this pattern: > /\/[A-Z]{4}\d{6}\/$/ We see a new variant with the subject "Your Virgin Media bill is ready" and URLs that match: uri__RP_D_00108_03 /\/\d{12}\/[A-Z]{6}\/?$/

Re: Direct download link detection

2017-07-26 Thread Rupert Gallagher
+1 to remove that clause from the RFC. When a mail arrives without mid, either the sender did not use a real SMTP server or tried to hide it. We have a custom SA rule for it. We also reject upfront any mid with a syntax error, or whose domain does not have a rdns (eg. @localhost.localdomain or

Re: Direct download link detection

2017-07-25 Thread RW
On Tue, 25 Jul 2017 10:28:41 -0500 (CDT) David B Funk wrote: > If the original message actually had that message-ID form when it > arrived at the OP's mail MX server, then your assessment makes sense. > > However it's entirely possible that message-ID was added by the OP's > mail server because

Re: Direct download link detection

2017-07-25 Thread John Hardin
On Tue, 25 Jul 2017, Rupert Gallagher wrote: Before bothering with body spam, make sure the header is clear. The specific email should have been rejected upfront, because the foreign sender's message-id pretends to originate from the recipient's smtp server. That's potentially valid. If a

Re: Direct download link detection

2017-07-25 Thread Dianne Skoll
On Tue, 25 Jul 2017 13:15:33 +0100 RW wrote: > https://pastebin.com/p7EnFNf7 We've seen lots of those and collected a few dozen unique URLs for our URL blacklists. I added a swath of them to the APER project in this commit:

Re: Direct download link detection

2017-07-25 Thread RW
On Mon, 24 Jul 2017 18:00:33 -0400 Alex wrote: > This one's probably already on some blacklists, but I'm still > blocking others: > > https://pastebin.com/p7EnFNf7 It seems to be common for this kind virus spam to pass itself off as an invoice. You might try creating a rule that checks for this

Re: Direct download link detection

2017-07-25 Thread Kevin Golding
On Mon, 24 Jul 2017 23:00:33 +0100, Alex wrote: Link to malicious file removed... Generally not a good idea to post direct links like that. What would be involved in following these links in SA to determine if they immediately download a file (other than a web

Re: Direct download link detection

2017-07-24 Thread Dave Warren
On Mon, Jul 24, 2017, at 15:00, Alex wrote: > Hi, > > We're currently experiencing a new spam campaign that involves some > text pertaining to invoicing then a link that immediately downloads a > Word macro file. > > http://sdeflores.com/PHJC579907/ > > What would be involved in following these

Re: Direct download link detection

2017-07-24 Thread David Jones
On 07/24/2017 05:00 PM, Alex wrote: Hi, We're currently experiencing a new spam campaign that involves some text pertaining to invoicing then a link that immediately downloads a Word macro file. http://sdeflores.com/PHJC579907/ What would be involved in following these links in SA to

Re: Direct download link detection

2017-07-24 Thread Benny Pedersen
Alex skrev den 2017-07-25 00:00: https://pastebin.com/p7EnFNf7 its more malware then spam https://virustotal.com/da/file/b5f30f3f12d8337750943f35a076e3c9690bd18505f7eb31101c98c72f454629/analysis/1500933955/

Direct download link detection

2017-07-24 Thread Alex
Hi, We're currently experiencing a new spam campaign that involves some text pertaining to invoicing then a link that immediately downloads a Word macro file. http://sdeflores.com/PHJC579907/ What would be involved in following these links in SA to determine if they immediately download a file