Re: Mailsploit and RFC1342 and spoofed From

2017-12-08 Thread David Jones
On 12/07/2017 06:47 PM, Kevin A. McGrail wrote: On 12/7/2017 7:02 PM, Giovanni Bechis wrote: On 12/08/17 00:59, Kevin A. McGrail wrote: On 12/7/2017 6:39 PM, Giovanni Bechis wrote: unfortunately I cannot use KAM.cf out of the box because some scores are completely wrong in my environment

Re: Mailsploit and RFC1342 and spoofed From

2017-12-08 Thread Kevin A. McGrail
On 12/8/2017 3:25 AM, Giovanni Bechis wrote: Unfortunately I cannot know how new added rules will affect my environment, there are also some idn rules that break my Puppet instance but that's another story. Agreed.  But how would you know if they are added to sa-update natively? Rules that

Re: Mailsploit and RFC1342 and spoofed From

2017-12-08 Thread Giovanni Bechis
On 8 December 2017 01:47:47 CET, "Kevin A. McGrail" wrote: >On 12/7/2017 7:02 PM, Giovanni Bechis wrote: >> On 12/08/17 00:59, Kevin A. McGrail wrote: >>> On 12/7/2017 6:39 PM, Giovanni Bechis wrote: unfortunately I cannot use KAM.cf out of the box because

Re: Mailsploit and RFC1342 and spoofed From

2017-12-07 Thread Pedro David Marco
>Hi Pedro, yes but I do not have the ability to share it but I've bcc'd someone >who does to see if they can mail it to the list. >Since the rule I made target effectively all of the mailsploit exploits and >it's already public, it should be safe.  But I don't know if he used domains >he

Re: Mailsploit and RFC1342 and spoofed From

2017-12-07 Thread Kevin A. McGrail
On 12/8/2017 2:34 AM, Pedro David Marco wrote: >The tests are not working because of aws send limits. Unlikely to work. You are right Kevin... fool me.. is there any pastebin sample??? Hi Pedro, yes but I do not have the ability to share it but I've bcc'd someone who does to see if they can

Re: Mailsploit and RFC1342 and spoofed From

2017-12-07 Thread Pedro David Marco
>The tests are not working because of aws send limits. Unlikely to work. >Regards, >KAM You are right Kevin... fool me.. is there any pastebin sample??? PedroD

Re: Mailsploit and RFC1342 and spoofed From

2017-12-07 Thread Kevin A. McGrail
On 12/7/2017 7:02 PM, Giovanni Bechis wrote: On 12/08/17 00:59, Kevin A. McGrail wrote: On 12/7/2017 6:39 PM, Giovanni Bechis wrote: unfortunately I cannot use KAM.cf out of the box because some scores are completely wrong in my environment (working with strange tld, Chinese people, medical

Re: Mailsploit and RFC1342 and spoofed From

2017-12-07 Thread Giovanni Bechis
On 12/08/17 00:59, Kevin A. McGrail wrote: > On 12/7/2017 6:39 PM, Giovanni Bechis wrote: >> unfortunately I cannot use KAM.cf out of the box because some scores are >> completely wrong in my environment (working with strange tld, Chinese >> people, medical terms that are sometimes abused, ...),

Re: Mailsploit and RFC1342 and spoofed From

2017-12-07 Thread Kevin A. McGrail
On 12/7/2017 6:39 PM, Giovanni Bechis wrote: unfortunately I cannot use KAM.cf out of the box because some scores are completely wrong in my environment (working with strange tld, Chinese people, medical terms that are sometimes abused, ...), so I have to download the file every now and then

Re: Mailsploit and RFC1342 and spoofed From

2017-12-07 Thread Giovanni Bechis
On 12/08/17 00:19, Kevin A. McGrail wrote: > On 12/7/2017 4:20 PM, John Hardin wrote: >> >> I was more thinking about coverage for people who aren't using KAM.cf, but >> your comment about needing enough examples in the masscheck corpus to >> promote and score the rule is relevant - perhaps it

Re: Mailsploit and RFC1342 and spoofed From

2017-12-07 Thread John Hardin
On Thu, 7 Dec 2017, Kevin A. McGrail wrote: On 12/7/2017 4:20 PM, John Hardin wrote: I was more thinking about coverage for people who aren't using KAM.cf, but your comment about needing enough examples in the masscheck corpus to promote and score the rule is relevant - perhaps it is

Re: Mailsploit and RFC1342 and spoofed From

2017-12-07 Thread Kevin A. McGrail
On 12/7/2017 4:20 PM, John Hardin wrote: I was more thinking about coverage for people who aren't using KAM.cf, but your comment about needing enough examples in the masscheck corpus to promote and score the rule is relevant - perhaps it is important enough to add as a base header rule,

Re: Mailsploit and RFC1342 and spoofed From

2017-12-07 Thread Kevin A. McGrail
On 12/7/2017 11:47 AM, John Hardin wrote: Is that going into the base SA rules as well? The SA rule prop system is not conducive to how my company works.  The delays are too long to publish rules.  I support it in concept but as of yet do not have an easiest lift to support it. I need

Re: Mailsploit and RFC1342 and spoofed From

2017-12-07 Thread Kevin A. McGrail
On 12/7/2017 4:20 PM, John Hardin wrote: I was more thinking about coverage for people who aren't using KAM.cf, but your comment about needing enough examples in the masscheck corpus to promote and score the rule is relevant - perhaps it is important enough to add as a base header rule,

Re: Mailsploit and RFC1342 and spoofed From

2017-12-07 Thread John Hardin
On Thu, 7 Dec 2017, Kevin A. McGrail wrote: On 12/7/2017 11:47 AM, John Hardin wrote: Is that going into the base SA rules as well? The SA rule prop system is not conducive to how my company works.  The delays are too long to publish rules.  I support it in concept but as of yet do not

Re: Mailsploit and RFC1342 and spoofed From

2017-12-07 Thread shanew
I managed to run a test about an hour ago on my first try, so maybe AWS upped his limit or demand has slowed down. Or maybe I just got lucky... YMMV On Thu, 7 Dec 2017, Kevin A. McGrail wrote: The tests are not working because of aws send limits. Unlikely to work. Regards, KAM On December

Re: Mailsploit and RFC1342 and spoofed From

2017-12-07 Thread Kevin A. McGrail
The tests are not working because of aws send limits. Unlikely to work. Regards, KAM On December 7, 2017 1:57:41 PM EST, Pedro David Marco wrote: >You can get tests here... >https://www.mailsploit.com/index#demo > >---PedroD.

Re: Mailsploit and RFC1342 and spoofed From

2017-12-07 Thread Pedro David Marco
You can get tests here... https://www.mailsploit.com/index#demo ---PedroD.

Re: Mailsploit and RFC1342 and spoofed From

2017-12-07 Thread John Hardin
On Thu, 7 Dec 2017, Kevin A. McGrail wrote: On 12/7/2017 9:31 AM, Alex wrote: https://www.theregister.co.uk/2017/12/06/mailsploit_email_spoofing_bug/ Same issue and the rule I wrote yesterday effectively blocks all the published issues.  I'll make some nuance changes to make it broader

Re: Mailsploit and RFC1342 and spoofed From

2017-12-07 Thread Kevin A. McGrail
On 12/7/2017 9:31 AM, Alex wrote: Hi, Is this something we should be concerned with? https://www.theregister.co.uk/2017/12/06/mailsploit_email_spoofing_bug/ There was a thread the other day regarding UTF and encoding, but I don't think this is the same? Same issue and the rule I wrote

Mailsploit and RFC1342 and spoofed From

2017-12-07 Thread Alex
Hi, Is this something we should be concerned with? https://www.theregister.co.uk/2017/12/06/mailsploit_email_spoofing_bug/ There was a thread the other day regarding UTF and encoding, but I don't think this is the same?