Re: new(ish) malware: RTF with MIME payload

2016-05-05 Thread Chip M.
Thanks guys, for all the helpful info and sanity checks! :) Sorry about the Message-ID munging - I get some really useful malware at that domain but no ham, and am a bit paranoid about losing that feed. Followup: >I had considered anchoring the MIME string, however we have a >very powerful

Re: new(ish) malware: RTF with MIME payload

2016-03-21 Thread RW
On Sun, 20 Mar 2016 21:22:52 + Cedric Knight wrote: > > Anything that opens in MS Word, eg do[ct][mx]?, asd, wbk, wll and > > might run VBA, so includes Excel too, xl.* - whether it launches > > depends how the MUA handles the Content-Type I think - so > > "application/.*" . > > On

Re: new(ish) malware: RTF with MIME payload

2016-03-20 Thread Cedric Knight
On 18/03/16 08:39, Cedric Knight wrote: > On 17/03/16 19:31, Chip M. wrote: >> Starting about two hours ago, more than 80% of my real-time >> honeypot spam is a new malware campaign. >> >> Full spample (with redacted/munged email addresses and >> Message-ID): >>

Re: new(ish) malware: RTF with MIME payload

2016-03-19 Thread Jari Fredriksson
Joseph Brennan wrote on 18.3.2016 18:48: Today's version has a Subject of this form: FW: Notification from WORD WORD ...where WORD WORD varies per message but is always all caps. The three Content-Type lines Chip mentioned are the same, and they are the only ones that should be used for rtf.

new(ish) malware: RTF with MIME payload

2016-03-19 Thread Chip M.
Starting about two hours ago, more than 80% of my real-time honeypot spam is a new malware campaign. Full spample (with redacted/munged email addresses and Message-ID): http://puffin.net/software/spam/samples/0039_mal_rtf_mime.txt This is a variation on an XML file malware campaign that

Re: new(ish) malware: RTF with MIME payload

2016-03-19 Thread Joseph Brennan
Today's version has a Subject of this form: FW: Notification from WORD WORD ...where WORD WORD varies per message but is always all caps. The three Content-Type lines Chip mentioned are the same, and they are the only ones that should be used for rtf. The name is similar, repeating the same

Re: new(ish) malware: RTF with MIME payload

2016-03-19 Thread Reindl Harald
On 18.03.2016 at 09:39 Cedric Knight wrote: On 17/03/16 19:31, Chip M. wrote: On 17/03/16 19:46, Reindl Harald wrote: /var/www/uploadtemp/8044012e4e9b882b3c7643489c05df73e5cf6dcf.eml: Sanesecurity.Malware.26034.XmlHeurGen.AM.UNOFFICIAL FOUND Yes, Sanesecurity is great... this detects

Re: new(ish) malware: RTF with MIME payload

2016-03-18 Thread Jari Fredriksson
Jari Fredriksson wrote on 18.3.2016 18:56: Joseph Brennan wrote on 18.3.2016 18:48: Today's version has a Subject of this form: FW: Notification from WORD WORD ...where WORD WORD varies per message but is always all caps. The three Content-Type lines Chip mentioned are the same, and they

Re: new(ish) malware: RTF with MIME payload

2016-03-18 Thread Cedric Knight
On 17/03/16 19:31, Chip M. wrote: > Starting about two hours ago, more than 80% of my real-time > honeypot spam is a new malware campaign. > > Full spample (with redacted/munged email addresses and > Message-ID): > http://puffin.net/software/spam/samples/0039_mal_rtf_mime.txt [snips] > So far,

Re: new(ish) malware: RTF with MIME payload

2016-03-18 Thread Reindl Harald
On 17.03.2016 at 20:31 Chip M. wrote: The Subjects are all currently of the form: Invoice MKINV43197 from Tip Top Delivery Where "MKINV43197" matches the token in the filename. So far, they all have these headers: X-Interface: IDSMail OLE Server v6.12 (32) X-Mailer: