On 17.03.2016 at 20:31, Chip M. wrote:
The Subjects are all currently of the form:
Invoice MKINV43197 from Tip Top Delivery
Where "MKINV43197" matches the token in the filename.
So far, they all have these headers:
X-Interface: IDSMail OLE Server v6.12 (32)
X-Mailer: Everest CRM Studio
Which feel too helpful to last long. :)
Some of these are going through a system running a
"shared" Bayes, and oddly, so far half have hit "BAYES_00" and
half have hit "BAYES_50". That will probably improve with time.
Question: What other file extensions / Content Types would be
viable for this payload? For last year's campaign, I've been
testing xml, msword and doc. I may just add those tokens to my
"all file attachments" tests, at least for a regression test
/var/www/uploadtemp/8044012e4e9b882b3c7643489c05df73e5cf6dcf.eml: Sanesecurity.Malware.26034.XmlHeurGen.AM.UNOFFICIAL FOUND
/var/www/uploadtemp/8044012e4e9b882b3c7643489c05df73e5cf6dcf.eml: Porcupine.Malware.36714.UNOFFICIAL FOUND

----------- VIRUS-SCAN SUMMARY -----------
Infected files: 1
Time: 0.013 sec (0 m 0 s)

Content analysis details:   (11.5 points, 5.5 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.1 CUST_DNSWL_3           RBL: hostkarma.junkemailfilter.com (Low Trust)
                            [52.36.131.156 listed in hostkarma.junkemailfilter.com]
 0.0 MSGID_SHORT            Message-ID is unusually short
 1.5 HTML_IMAGE_ONLY_16     BODY: HTML: images with 1200-1600 bytes of words
 1.5 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.4999]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.7 MIME_BASE64_TEXT       RAW: Message text disguised using base64 encoding
 0.5 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 0.5 INVALID_MSGID          Message-Id is not valid, according to RFC 2822
 2.0 MISSING_MIMEOLE        Message has X-MSMail-Priority, but no X-MimeOLE
 3.8 MSGID_NOFQDN1          Message-ID with no domain name
 0.0 T_REMOTE_IMAGE         Message contains an external image
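An added example, not part of this thread and not SpamAssassin or ClamAV code, that turns the traits Chip M. lists into a small triage check over an .eml: the "Invoice <TOKEN> from <sender>" subject whose token reappears in the attachment filename, the X-Interface / X-Mailer headers, and the attachment content types (the xml, msword and doc types named in the thread). The sample message, its addresses and its attachment are constructed for the example; the list of "interesting" content types is an assumption drawn from the thread.

```python
"""Triage an .eml for the invoice-campaign traits discussed in the thread.

Added example (not the thread's own code). The sample message below is
constructed; addresses, the token MKINV43197 and the attachment name are
placeholders taken from or modelled on the thread.
"""
import re
from email import policy
from email.parser import BytesParser

# Subject pattern from the thread: "Invoice MKINV43197 from Tip Top Delivery"
SUBJECT_RE = re.compile(r"^Invoice\s+(\S+)\s+from\s+", re.IGNORECASE)

# Header values the thread says these messages carried (prefix match).
SUSPECT_HEADERS = {
    "X-Interface": "IDSMail OLE Server",
    "X-Mailer": "Everest CRM Studio",
}

# Content types the thread mentions testing for this payload (assumption:
# this set is the editor's, not the list's; extend it for your regression set).
PAYLOAD_CONTENT_TYPES = {
    "application/msword",
    "application/xml",
    "text/xml",
}

# Constructed sample message (not a real capture).
SAMPLE_EML = b"""\
From: billing@example.invalid
To: user@example.invalid
Subject: Invoice MKINV43197 from Tip Top Delivery
X-Interface: IDSMail OLE Server v6.12 (32)
X-Mailer: Everest CRM Studio
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=us-ascii

<html><body>Please find your invoice attached.</body></html>
--b1
Content-Type: application/msword; name="MKINV43197.doc"
Content-Disposition: attachment; filename="MKINV43197.doc"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""


def analyse_eml(raw: bytes) -> dict:
    """Return the campaign traits found in one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)

    subject = msg.get("Subject", "")
    m = SUBJECT_RE.match(subject)
    token = m.group(1) if m else None

    # (filename, content-type) for every non-body part.
    attachments = [
        (part.get_filename() or "", part.get_content_type())
        for part in msg.iter_attachments()
    ]

    # The thread's key trait: the subject token is reused in the filename.
    token_matches_filename = bool(token) and any(
        token in filename for filename, _ in attachments
    )

    header_hits = [
        name for name, prefix in SUSPECT_HEADERS.items()
        if (msg.get(name) or "").startswith(prefix)
    ]

    payload_types = sorted(
        ctype for _, ctype in attachments if ctype in PAYLOAD_CONTENT_TYPES
    )

    return {
        "token": token,
        "attachments": attachments,
        "token_matches_filename": token_matches_filename,
        "header_hits": header_hits,
        "payload_types": payload_types,
        # All three traits together is the signal worth a rule or a quarantine.
        "matches_campaign": bool(token_matches_filename and header_hits and payload_types),
    }


def analyse_sample() -> dict:
    """Run the check over the constructed sample message."""
    return analyse_eml(SAMPLE_EML)


if __name__ == "__main__":
    for key, value in analyse_sample().items():
        print(f"{key}: {value}")
```

The filename match and the two headers are deliberately kept as separate findings, so that when the headers stop appearing (as the thread expects) the subject/filename correlation still stands on its own as a rule input.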
