sneaky spams w/zipped URL file, easily caught by "Thread-Index"

2018-03-27 Thread Rob McEwen
Today, MANY sneaky spams are being sent with an attached zipped malicious URL/shortcut file. Most or all of these are easily caught by Thread-Index, as follows:
Thread-Index: AdBx5/5UsdSTxflQTPi+FyODmVaqhA==
Perhaps someone can make a rule for this and post it here? I already set this in

Re: sneaky spams w/zipped URL file, easily caught by "Thread-Index"

2018-03-27 Thread Pedro David Marco
Thanks Rob, can you pastebin a sample?? PedroD

Lots of money, score of 0??

2018-03-27 Thread Robert Boyl
Guys, Do you usually tune up Lots of money rule? Strange, our spamassassin/EFA scores 0 and false negative. Imho it should score at least something, few people would write Million dollars in an email, why not add up score? LOTS_OF_MONEY 0.00 See https://pastebin.com/dY6iFeYL Thanks! Rob

Re: sneaky spams w/zipped URL file, easily caught by "Thread-Index"

2018-03-27 Thread Rob McEwen
On 3/27/2018 9:48 AM, David Jones wrote: Looks like ClamAV UNOFFICIAL sigs are detecting this: Clamd: message was infected: Sanesecurity.Foxhole.Zip_url.UNOFFICIAL David, Excellent... except for one potential problem... this is in their "foxhole_all.cdb" file which they label as "high

Re: sneaky spams w/zipped URL file, easily caught by "Thread-Index"

2018-03-27 Thread David Jones
On 03/27/2018 08:24 AM, Pedro David Marco wrote: Thanks Rob, can you pastebin a sample?? PedroD Looks like ClamAV UNOFFICIAL sigs are detecting this: Clamd: message was infected: Sanesecurity.Foxhole.Zip_url.UNOFFICIAL Clamd: Purchase Order_4014053_27032018.zip was infected:

Re: Lots of money, score of 0??

2018-03-27 Thread David Jones
On 03/27/2018 09:24 AM, Robert Boyl wrote: Guys, Do you usually tune up Lots of money rule? Strange, our spamassassin/EFA scores 0 and false negative. Imho it should score at least something, few people would write Million dollars in an email, why not add up score? LOTS_OF_MONEY 0.00 See

Re: sneaky spams w/zipped URL file, easily caught by "Thread-Index"

2018-03-27 Thread David Jones
On 03/27/2018 09:37 AM, Rob McEwen wrote: On 3/27/2018 9:48 AM, David Jones wrote: Looks like ClamAV UNOFFICIAL sigs are detecting this: Clamd: message was infected: Sanesecurity.Foxhole.Zip_url.UNOFFICIAL David, Excellent... except for one potential problem... this is in their

Re: Lots of money, score of 0??

2018-03-27 Thread Bill Cole
On 27 Mar 2018, at 10:24, Robert Boyl wrote: Guys, Do you usually tune up Lots of money rule? Strange, our spamassassin/EFA scores 0 and false negative. Imho it should score at least something, few people would write Million dollars in an email, why not add up score? LOTS_OF_MONEY 0.00

Re: Lots of money, score of 0??

2018-03-27 Thread John Hardin
On Tue, 27 Mar 2018, Robert Boyl wrote: Do you usually tune up Lots of money rule? Strange, our spamassassin/EFA scores 0 and false negative. Imho it should score at least something, few people would write Million dollars in an email, why not add up score? LOTS_OF_MONEY 0.00 It's not

Re: sneaky spams w/zipped URL file, easily caught by "Thread-Index"

2018-03-27 Thread Dave Wreski
Hi, Excellent... except for one potential problem... this is in their "foxhole_all.cdb" file which they label as "high false positive risk" - which could scare some away! For those who don't score very high on ClamAv and/or who are able to score DIFFERENTLY based on different types of