On Tue, 11 Feb 2025, Kris Deugau wrote:
John Hardin wrote:
On Mon, 10 Feb 2025, John Hardin wrote:
I just got a forwarded-via-outlook phish for zellepay that looks just
like the paypal phishes...
Ah, not *quite* the same. Zellepay doesn't have their own MTA
infrastructure, so it's a *l
John Hardin wrote:
On Mon, 10 Feb 2025, John Hardin wrote:
I just got a forwarded-via-outlook phish for zellepay that looks just
like the paypal phishes...
Ah, not *quite* the same. Zellepay doesn't have their own MTA
infrastructure, so it's a *little* less obvious.
Initial rules checked i
On Mon, 10 Feb 2025, John Hardin wrote:
I just got a forwarded-via-outlook phish for zellepay that looks just like
the paypal phishes...
Ah, not *quite* the same. Zellepay doesn't have their own MTA
infrastructure, so it's a *little* less obvious.
Initial rules checked in.
--
John Hardin
I just got a forwarded-via-outlook phish for zellepay that looks just like
the paypal phishes...
"If you did not authorize this, please call us immediately at-I(888)
592-O36I to secure your account and recover your
funds."
Will add rules tonight.
--
John Hardin KA7OHZ
Greetings,
I'd like to share a patch which added to Phishing.pm one more source:
so-called Phishing Database.
Details here: https://github.com/mitchellkrogza/Phishing.Database
diff --git a/lib/Mail/SpamAssassin/Plugin/Phishing.pm
b/lib/Mail/SpamAssassin/Plugin/Phishing.pm
index 310d
alk to them so they can figure out what provider(s) are
facilitating this.
Regards,
KAM
On 11/21/2024 7:57 AM, AJ Weber wrote:
I saw a "conversation" a few weeks ago regarding paypal phishing
emails that were not being caught.
I can't recall if anyone found a reasonable solut
contain a phone number to
>> call.
>>
>> Side note: Any one got a good contact at the FCC? I've been wanting to talk
>> to them so they can figure out what provider(s) are facilitating this.
>>
>> Regards,
>>
>> KAM
>>
>> On 11/2
can figure out what provider(s) are
facilitating this.
Regards,
KAM
On 11/21/2024 7:57 AM, AJ Weber wrote:
I saw a "conversation" a few weeks ago regarding paypal phishing
emails that were not being caught.
I can't recall if anyone found a reasonable solution (or new rules).
AJ Weber skrev den 2024-11-21 13:57:
I saw a "conversation" a few weeks ago regarding paypal phishing emails
that were not being caught.
I can't recall if anyone found a reasonable solution (or new rules).
I just received one and it seems very well crafted. Is anyone st
I coincidentally have a legit PP email/notification from just a day
ago. Some things to note:
LEGIT:
X-Spam-DCC:www.nova53.net: app3 1207; Body=1 Fuz1=1 Fuz2=1
From:"serv...@paypal.com"
To: AW
Subject: You authorized a payment to
((To is actually my email address))
FAKES:
X-Spam-DCC:www.n
2.5
Let me know how this works for you.
-- Jared Hall
ja...@jaredsec.com
Available for hire.
On 11/21/2024 7:57 AM, AJ Weber wrote:
I saw a "conversation" a few weeks ago regarding paypal phishing
emails that were not being caught.
I can't recall if anyone found a
he FCC? I've been wanting to talk to
them so they can figure out what provider(s) are facilitating this.
Regards,
KAM
On 11/21/2024 7:57 AM, AJ Weber wrote:
I saw a "conversation" a few weeks ago regarding paypal phishing emails that
were not being caught.
I can't rec
ain a phone
number to call.
Side note: Any one got a good contact at the FCC? I've been wanting to
talk to them so they can figure out what provider(s) are facilitating
this.
Regards,
KAM
On 11/21/2024 7:57 AM, AJ Weber wrote:
I saw a "conversation" a few weeks ago regarding
On 11/21/2024 7:57 AM, AJ Weber wrote:
I saw a "conversation" a few weeks ago regarding paypal phishing
emails that were not being caught.
I can't recall if anyone found a reasonable solution (or new rules).
BOLO for my email.
That is the complete PayPal stanza from Ja
"conversation" a few weeks ago regarding paypal phishing
emails that were not being caught.
I can't recall if anyone found a reasonable solution (or new rules).
I just received one and it seems very well crafted. Is anyone still
collecting samples and wants this one too?
I saw a "conversation" a few weeks ago regarding paypal phishing emails
that were not being caught.
I can't recall if anyone found a reasonable solution (or new rules).
I just received one and it seems very well crafted. Is anyone still
collecting samples and wants this one to
On 6/23/24 10:26 PM, Larry Nedry via users wrote:
On 7/21/23 9:10 AM, Giovanni Bechis wrote:
Hi,
phishstats[.]info domain has recently moved to a parking domain, if you are using
Mail::SpamAssassin::Plugin::Phishing plugin with data downloaded from PhishStats[.]info
it would be better to
On 7/21/23 9:10 AM, Giovanni Bechis wrote:
Hi,
phishstats[.]info domain has recently moved to a parking domain, if
you are using Mail::SpamAssassin::Plugin::Phishing plugin with data
downloaded from PhishStats[.]info it would be better to comment
"phishing_phishstats_feed" configur
45:15 UTC-0400 (Wed, 11 Oct 2023 16:45:15
-0400)
Ricky Boone
is rumored to have said:
Just a heads up, it appears that usssa[.]com has had their
SendGrid
email sending account popped, and a bad actor has been sending
phishing emails from it. The domain is defined in
60_welcomelist
ill Cole
> > wrote:
> >>
> >> On 2023-10-11 at 16:45:15 UTC-0400 (Wed, 11 Oct 2023 16:45:15 -0400)
> >> Ricky Boone
> >> is rumored to have said:
> >>
> >>> Just a heads up, it appears that usssa[.]com has had their SendGrid
> >
023-10-11 at 16:45:15 UTC-0400 (Wed, 11 Oct 2023 16:45:15 -0400)
Ricky Boone
is rumored to have said:
Just a heads up, it appears that usssa[.]com has had their SendGrid
email sending account popped, and a bad actor has been sending
phishing emails from it. The domain is defined
23 at 9:25 PM Bill Cole
wrote:
>
> On 2023-10-11 at 16:45:15 UTC-0400 (Wed, 11 Oct 2023 16:45:15 -0400)
> Ricky Boone
> is rumored to have said:
>
> > Just a heads up, it appears that usssa[.]com has had their SendGrid
> > email sending account popped, and a bad act
On 2023-10-11 at 16:45:15 UTC-0400 (Wed, 11 Oct 2023 16:45:15 -0400)
Ricky Boone
is rumored to have said:
Just a heads up, it appears that usssa[.]com has had their SendGrid
email sending account popped, and a bad actor has been sending
phishing emails from it. The domain is defined in
Just a heads up, it appears that usssa[.]com has had their SendGrid
email sending account popped, and a bad actor has been sending
phishing emails from it. The domain is defined in
60_welcomelist_auth.cf with def_welcomelist_auth/def_whitelist_auth
entries with *@*.usssa.com.
Typo, I meant to say I was on SA 3.4.6.
On Wed, Aug 30, 2023, 3:22 PM Ricky Boone wrote:
> Something I noticed on a set of emails that were reported to me.
>
> I have custom rules to look out for certain names in From:name. The
> messages should have been caught by them, however upon inspection
Something I noticed on a set of emails that were reported to me.
I have custom rules to look out for certain names in From:name. The
messages should have been caught by them, however upon inspection the
name was UTF-8 encoded, and included a character that doesn't seem to
render, but interferes w
Hi,
phishstats[.]info domain has recently moved to a parking domain, if you are using
Mail::SpamAssassin::Plugin::Phishing plugin with data downloaded from PhishStats[.]info
it would be better to comment "phishing_phishstats_feed" configuration line.
If PhishStats[.]info will not
On 2023-05-23 at 12:08:10 UTC-0400 (Tue, 23 May 2023 18:08:10 +0200)
Thierry
is rumored to have said:
> Hi,
>
> we just received phishing spams (Postfinance) from zendesk.com
>
> This domain is present in 60_welcomelist_auth.cf for the rule
> USER_IN_DEF_SPF_WL
>
> Ca
Hi,
we just received phishing spams (Postfinance) from zendesk.com
This domain is present in 60_welcomelist_auth.cf for the rule
USER_IN_DEF_SPF_WL
Can you remove this domain (temporarily or permanently) next update ?
Received: from outbyoip4.pod19.use1.zdsys.com
(outbyoip4.pod19.use1
Technically you pommel m
> On Mar 20, 2023, at 5:34 PM, Mark London wrote:
>
> Dropbox now has an invoice feature, that allows you to create a customized
> invoice. So what this person did was to create an invoice that looks like
> it’s coming from PayPal. Except for the fact that the From
Dropbox now has an invoice feature, that allows you to create a customized
invoice. So what this person did was to create an invoice that looks like it’s
coming from PayPal. Except for the fact that the From address shows it is
coming from Dropbox.
Months ago I saw a similar problem with f
On 21.02.23 19:51, hg user wrote:
I was wondering if it is possible to reach the goal of 0 phishing.
With 2 layers of paid protection, and a third layer realized with
spamassassin with a lot of hand made rules, I'm able to catch a lot of spam
and if some reaches the mailboxes, no problem.
Kris Deugau writes:
> Greg Troxel wrote:
>> One of my users got mail that really looks like a phish. They are
>> unaware of having an adobe account. It is DKIM signed, but looks a bit
>> spammy in terms of the content (low-quality HTML markup, missing
>> text/plain content).
>
> ... How much ot
Kris Deugau wrote:
> The decoded Subject: might provide more of a hint to whatever
> Adobe-borged software the user actually had an account for.
Subject decodes to: "Important information about your Adobe account"
Erik
--
--
E
Greg Troxel wrote:
One of my users got mail that really looks like a phish. They are
unaware of having an adobe account. It is DKIM signed, but looks a bit
spammy in terms of the content (low-quality HTML markup, missing
text/plain content).
... How much otherwise legitimate mail have you ins
One of my users got mail that really looks like a phish. They are
unaware of having an adobe account. It is DKIM signed, but looks a bit
spammy in terms of the content (low-quality HTML markup, missing
text/plain content).
Is anyone else seeing this?
Opinions on if it's real, if adobe is compro
Rob McEwen skrev den 2023-02-21 23:17:
I dug a little deeper on this. I'm pretty sure that FROM_PAYPAL_SPOOF
is triggered at least in part by __NOT_SPOOFED being set to "false" -
and DKIM failing does (or can) cause __NOT_SPOOFED to be false - and
so in this case a failed DKIM validation, that mo
pache.org
Date 2/21/2023 4:53:27 PM
Subject Re: May I get to 0 phishing?
Benny,
There are a few holes in your theory/assertions:
(1) I know for a fact that this came from PayPal's official transactional servers, in
PayPal's IP space. And while the sender (PayPal's customer) was a &quo
of those were
legit.
Rob McEwen, invaluement
-- Original Message --
From "Benny Pedersen"
To users@spamassassin.apache.org
Date 2/21/2023 4:03:31 PM
Subject Re: May I get to 0 phishing?
Rob McEwen skrev den 2023-02-21 20:37:
https://pastebin.com/v80qMF99
Content
Rob McEwen skrev den 2023-02-21 20:37:
https://pastebin.com/v80qMF99
Content preview: Invoice from Apple. com (0005) xxx...@example.com,
here are
your invoice details Hello, xxx...@example.com Here's your invoice
Content analysis details: (1.2 points, 5.0 required)
pts rule name
Nope. That was a phishing spam, just maybe not the TYPE of phishing spam
you're used to seeing? Calling it a fraud doesn't make it not a phish.
When is a phishing spam ever NOT fraud? So what's the deciding factor?
The fact that this claimed to be Apple sending an invoice vi
I think this is not a phishing, more a fraud: it seems a real invoice for
something you didn't buy.
I'm glad to hear from experts that it's impossible to have 0 phishing, that
I'm not missing the "silver bullet" or the magic token.
I may perhaps implement ESP plugin
What Bill Cole said! Agreed. For example, here's an almost impossible
phish to block (at least, without blocking legitimate PayPal
transactional emails!). This is a PayPal phishing spam, sent from
PayPal's own server! It was sent by PayPal. I only changed the intended
recipient a
On 2023-02-21 at 13:51:09 UTC-0500 (Tue, 21 Feb 2023 19:51:09 +0100)
hg user
is rumored to have said:
I was wondering if it is possible to reach the goal of 0 phishing.
Nope. There are people who find it profitable and they will continue to
find ways to trick all the usable programmatic
I was wondering if it is possible to reach the goal of 0 phishing.
With 2 layers of paid protection, and a third layer realized with
spamassassin with a lot of hand made rules, I'm able to catch a lot of spam
and if some reaches the mailboxes, no problem.
But when phishing is able to reac
On 2/15/2023 2:50 PM, hg user wrote:
And how to intercept?
From time to time we receive a message that is a reply-to to an old
message, sometimes after months, with just several lines added at the
top inviting to open a url or attachment.
Has this kind of phishing a name?
QakBot and
And how to intercept?
From time to time we receive a message that is a reply-to to an old
message, sometimes after months, with just several lines added at the top
inviting to open a url or attachment.
Has this kind of phishing a name?
How can I prevent it or at least flag it for review?
Th
Good day Guys
Something I came across, and thought I would share / forward
https://gbhackers.com/hackers-using-new-obfuscation-mechanisms-to-evade-detection-of-phishing-campaign/
Hope this helps.
Regards
Brent
1) Kenneth: Uncomment the line in v343. Rules in the present KAM.cf
are thusly:
ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro
# increase number of mime parts checked
olemacro_num_mime 10
if (version >= 3.0040005)
body KAM_OLEMACRO eval:check_olemacro()
describe KAM_OLE
--On Sunday, July 11, 2021 4:55 PM -0400 "Kevin A. McGrail"
wrote:
We use the olevbmacro detection added to SA. I would guess that's
blocking the payload.I would guess that's blocking the payload.
On 11.07.21 13:35, Kenneth Porter wrote:
I see the plugin in the distribution but it doesn't a
On 7/11/2021 5:11 PM, John Hardin wrote:
"The other parts contain an application/vnd.ms-officetheme and
an application/x-mso file. Which (in addition to the text/xml
files) are used by Microsoft Word to load the embedded Word
document."
Would the presence of all three of those MIME types be a
>On Monday, July 12, 2021, 04:01:03 AM GMT+2, Kevin A. McGrail
wrote:
>If you can get me a spample, I'm sure I can tell you but in general we
>block macros so that's all that's needed. Likely the OLEVBMacro plugin
>and KAM ruleset is blocking all of these already if you have the plugin
On 12/07/2021 07:40, Dave Funk wrote:
On Sun, 11 Jul 2021, Kevin A. McGrail wrote:
On 7/11/2021 5:11 PM, John Hardin wrote:
"The other parts contain an application/vnd.ms-officetheme and an
application/x-mso file. Which (in addition to the text/xml files)
are used by Microsoft Word to load th
On Sun, 11 Jul 2021, Kevin A. McGrail wrote:
On 7/11/2021 5:11 PM, John Hardin wrote:
"The other parts contain an application/vnd.ms-officetheme and an
application/x-mso file. Which (in addition to the text/xml files) are used
by Microsoft Word to load the embedded Word document."
Would the
On 7/11/2021 5:11 PM, John Hardin wrote:
"The other parts contain an application/vnd.ms-officetheme and an
application/x-mso file. Which (in addition to the text/xml files) are
used by Microsoft Word to load the embedded Word document."
Would the presence of all three of those MIME types be a
It's in the KAM ruleset if that helps. Search "ifplugin
Mail::SpamAssassin::Plugin::OLEVBMacro" and you'll see the set of rules
we use. Add the plugin to an appropriate pre file to activate it.
On 7/11/2021 4:35 PM, Kenneth Porter wrote:
I see the plugin in the distribution but it doesn't app
On Sun, 11 Jul 2021, Kenneth Porter wrote:
--On Sunday, July 11, 2021 1:20 PM -0400 Jared Hall
wrote:
The Word document (without macros) loads an external encrypted Excel file
It has macros. It tricks the user into enabling and running them by telling
him to enable the document for editin
--On Sunday, July 11, 2021 4:55 PM -0400 "Kevin A. McGrail"
wrote:
We use the olevbmacro detection added to SA. I would guess that's
blocking the payload.I would guess that's blocking the payload.
I see the plugin in the distribution but it doesn't appear to be loaded by
default and the ru
We use the olevbmacro detection added to SA. I would guess that's blocking
the payload.I would guess that's blocking the payload.
On Sun, Jul 11, 2021, 15:00 Kenneth Porter wrote:
> --On Sunday, July 11, 2021 1:20 PM -0400 Jared Hall
> wrote:
>
> > The Word document (without macros) loads an e
--On Sunday, July 11, 2021 1:20 PM -0400 Jared Hall
wrote:
The Word document (without macros) loads an external encrypted Excel file
It has macros. It tricks the user into enabling and running them by telling
him to enable the document for editing and enabling "content" (ie. macros).
Hidin
otection Bypass". I think not. A typical
Microsoft Office user is "Joe Average", and good ol' Joe can't tell a
ThreatPost from a Fencepost. But five paragraphs down, this caught my
eye: "The initial attack vector is inbox-based phishing messages with
Word document
On Mon, 12 Apr 2021, jwmi...@gmail.com wrote:
John Hardin writes:
> From: John Hardin
> Date: Mon, 12 Apr 2021 07:29:03 -0700 (PDT)
>
> On Sun, 11 Apr 2021, Loren Wilton wrote:
>
> >> 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
> >> [score:
John Hardin writes:
> From: John Hardin
> Date: Mon, 12 Apr 2021 07:29:03 -0700 (PDT)
>
> On Sun, 11 Apr 2021, Loren Wilton wrote:
>
> >> 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
> >> [score: 1.]
> >> 0.5 BAYES_999
On 2021-04-12 16:29, John Hardin wrote:
On Sun, 11 Apr 2021, Loren Wilton wrote:
3.5 BAYES_99 BODY: Bayes spam probability is 99 to
100%
[score: 1.]
0.5 BAYES_999 BODY: Bayes spam probability is 99.9 to
100%
On Sun, 11 Apr 2021, Loren Wilton wrote:
3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
[score: 1.]
0.5 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
[score: 1.]
I have
5.0 BAYES_99
However, in 50_scores.cf, this line is commented out:
#score RCVD_IN_SORBS_SPAM 0 0.5 0 0.5
Maybe that's the problem?
no, there are other SORBS lists used:
score RCVD_IN_SORBS_DUL 0 0.001 0 0.001 # n=0 n=2
score RCVD_IN_SORBS_HTTP 0 2.499 0 0.001 # n=0 n=2
score RCVD_IN_SORBS_MISC 0 # n=0 n=1
However, in 50_scores.cf, this line is commented out:
#score RCVD_IN_SORBS_SPAM 0 0.5 0 0.5
Maybe that's the problem?
no, there are other SORBS lists used:
score RCVD_IN_SORBS_DUL 0 0.001 0 0.001 # n=0 n=2
score RCVD_IN_SORBS_HTTP 0 2.499 0 0.001 # n=0 n=2
score RCVD_IN_SORBS_MISC 0 # n=0
sorbs dnsbl missing, have you denied sorbs.net results ?, or is
spamassassin not testing sorbs.net anymore ?
On 11.04.21 18:22, Steve Dondley wrote:
Best I can tell, my SA config should be testing for sorbs. I've got
this line in /etc/spamassassin/v3220.pre:
loadplugin Mail::SpamAssassin::Plu
If you have spamples for sharepoint phishes that evade kam ruleset, shoot
me an email off-list to discuss getting me the spamples.
On Sun, Apr 11, 2021, 16:43 Steve Dondley wrote:
> On 2021-04-11 04:19 PM, Benny Pedersen wrote:
> > On 2021-04-11 22:09, Steve Dondley wrote:
> >
> >> Content analy
3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
[score: 1.]
0.5 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
[score: 1.]
I have
5.0 BAYES_99 BODY: Bayes spam probabilit
sorbs dnsbl missing, have you denied sorbs.net results ?, or is
spamassassin not testing sorbs.net anymore ?
Best I can tell, my SA config should be testing for sorbs. I've got this
line in /etc/spamassassin/v3220.pre:
loadplugin Mail::SpamAssassin::Plugin::DNSEval
And in /usr/share/spama
Also, I've heard of sorbs over the years but I'm not sure exactly what
it is. Is this the same block list run by Cisco?
OK, I was getting SORBS confused with SenderBase Reputation Score
(SBRS). That's the one run by Cisco, I believe.
I actually have an account on the SORBS website that I s
sorbs dnsbl missing, have you denied sorbs.net results ?, or is
spamassassin not testing sorbs.net anymore ?
How would I check if it's turned on? I tried grepping in
/etc/spamassassin on "sorb" (case insensitive) and found nothing. So I
guess it's not in my default config.
I see many men
On 2021-04-11 22:43, Steve Dondley wrote:
On 2021-04-11 04:19 PM, Benny Pedersen wrote:
On 2021-04-11 22:09, Steve Dondley wrote:
Content analysis details: (4.4 points, 5.0 required)
pts rule name description
--
---
On 2021-04-11 04:19 PM, Benny Pedersen wrote:
On 2021-04-11 22:09, Steve Dondley wrote:
Content analysis details: (4.4 points, 5.0 required)
pts rule name description
--
--
3.5 BAYES_99 BO
On 2021-04-11 22:09, Steve Dondley wrote:
Content analysis details: (4.4 points, 5.0 required)
pts rule name description
--
--
3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
I've received about a dozen phishing attack emails from Microsoft's
sharepoint service within the last couple of weeks. Only one of them was
identified by SA as spam. After running the emails through sa-learn,
they still only score a 4 to 4.5. But I could see that it would be easy
On Tue, 23 Feb 2021, Ricky Boone wrote:
Seeing an interesting phishing campaign that appears to be
personalizing components of the message and URL endpoints to
potentially get around blacklists and other filters. Unfortunately I
can't share the exact example publicly without effect
On 2021-02-23 20:51, Ricky Boone wrote:
* Examples I'm seeing have nearly blank message, and an HTML
attachment with a JavaScript window.location.href redirect related to
the attacker URL.
* Attacker is leveraging SendGrid
i have local clamav signature to catch html attachment
inspiration fro
Seeing an interesting phishing campaign that appears to be
personalizing components of the message and URL endpoints to
potentially get around blacklists and other filters. Unfortunately I
can't share the exact example publicly without effectively recreating
the email, but here's a
I'm seeing it catch phrases like "pay pai", but with full
context the phrase may be "...back pay paid out in...".
Other than that, the rules are looking good. I've taken some of the
examples and started new rules for other phishing words/phrases I'm
seeing g
On Fri, 19 Feb 2021, Giovanni Bechis wrote:
On 2/19/21 1:09 AM, John Hardin wrote:
On Thu, 18 Feb 2021, Giovanni Bechis wrote:
On 2/18/21 6:37 PM, Ricky Boone wrote:
Just wanted to forward an example of an interesting URL obfuscation
tactic observed yesterday.
https://www.google.com/url?sa=
On Thu, 18 Feb 2021 16:08:01 -0800 (PST)
John Hardin wrote:
> In our case it's best to upload an entire email (all headers intact
> and with as little obfuscation as possible) to something like
> Pastebin, then post the URL to that here so it can be downloaded.
...
> For just URLs, though, examp
On 2/19/21 1:09 AM, John Hardin wrote:
> On Thu, 18 Feb 2021, Giovanni Bechis wrote:
>
>> On 2/18/21 6:37 PM, Ricky Boone wrote:
>>> Just wanted to forward an example of an interesting URL obfuscation
>>> tactic observed yesterday.
>>>
>>> https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web
On Thu, Feb 18, 2021 at 7:08 PM John Hardin wrote:
>
> In our case it's best to upload an entire email (all headers intact and
> with as little obfuscation as possible) to something like Pastebin, then
> post the URL to that here so it can be downloaded. This keeps the spample
> from being modifie
On Thu, 18 Feb 2021, Giovanni Bechis wrote:
On 2/18/21 6:37 PM, Ricky Boone wrote:
Just wanted to forward an example of an interesting URL obfuscation
tactic observed yesterday.
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&url=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%
On Thu, 18 Feb 2021, Ricky Boone wrote:
Nice. I've copied scrubbed versions of what I've seen so far here:
https://gitlab.com/-/snippets/2079108 (I can never remember if it is
appropriate to include attachments to mailing lists like this).
In our case it's best to upload an entire email (all
Nice. I've copied scrubbed versions of what I've seen so far here:
https://gitlab.com/-/snippets/2079108 (I can never remember if it is
appropriate to include attachments to mailing lists like this).
On Thu, Feb 18, 2021 at 1:13 PM Giovanni Bechis wrote:
>
> On 2/18/21 6:37 PM, Ricky Boone wrote
On 2/18/21 6:37 PM, Ricky Boone wrote:
> Just wanted to forward an example of an interesting URL obfuscation
> tactic observed yesterday.
>
> https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&url=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww.tehminadurranifoundati
Just wanted to forward an example of an interesting URL obfuscation
tactic observed yesterday.
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&url=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww.tehminadurranifoundation.org%252F1%252F1%252Findex.php%26sa%3DD%26snt
On Wed, 17 Feb 2021 10:23:13 -0500
Jared Hall wrote:
> On 2/16/2021 2:06 PM, RW wrote:
> > I don't think there's much, if anything, in that module that
> > benefits from being in perl.
> Counts and amounts; even variable arithmetic amounts based on counts.
> Everything else is just a regex.
Y
On 2/16/2021 2:06 PM, RW wrote:
That's not a bad idea, but if anyone is interested I'd suggest copying
the character matching regexes into ordinary rules. Or better still into
template tags, so that they can be reused in multiple rules.
Agreed, RW. Most of the stuff in there originated from rul
Yep, so far so good. Thank you again for the pointers and creating
the rules so quickly.
On Tue, Feb 16, 2021 at 9:06 PM John Hardin wrote:
>
> On Tue, 16 Feb 2021, Ricky Boone wrote:
>
> > On Mon, Feb 15, 2021 at 12:16 AM John Hardin wrote:
> >>
> >> OK, I added FUZZY_OVERSTOCK as well, we'll
On Tue, 16 Feb 2021, Ricky Boone wrote:
On Mon, Feb 15, 2021 at 12:16 AM John Hardin wrote:
OK, I added FUZZY_OVERSTOCK as well, we'll see what happens.
If they don't perform well in masscheck you can always grab them out of my
sandbox for your local rules.
Masscheck results:
https://ru
On Mon, Feb 15, 2021 at 12:16 AM John Hardin wrote:
>
> OK, I added FUZZY_OVERSTOCK as well, we'll see what happens.
>
> If they don't perform well in masscheck you can always grab them out of my
> sandbox for your local rules.
>
> Masscheck results:
>
>https://ruleqa.spamassassin.org/?rule=%2
On Mon, 15 Feb 2021 23:58:17 -0500
Jared Hall wrote:
>
> The CHAOS module *may* do what you want. ... It also has
> detection for multiple Unicode Character Sets.
That's not a bad idea, but if anyone is interested I'd suggest copying
the character matching regexes into ordinary rules. Or bet
On 2/14/2021 9:58 PM, Ricky Boone wrote:
On Sun, Feb 14, 2021 at 4:45 PM John Hardin wrote:
On Sun, 14 Feb 2021, Ricky Boone wrote:
What are the community's thoughts on handling spam/phishing that utilize
homoglyphs to obfuscate the brands they're targeting? Are there any
plugin
On Sun, 14 Feb 2021, Ricky Boone wrote:
On Sun, Feb 14, 2021 at 4:45 PM John Hardin wrote:
How often do you see (over)stock and space obfuscated?
So far, 4 times and once, respectively
OK, I added FUZZY_OVERSTOCK as well, we'll see what happens.
If they don't perform well in masscheck yo
On Sun, Feb 14, 2021 at 4:45 PM John Hardin wrote:
>
> On Sun, 14 Feb 2021, Ricky Boone wrote:
>
> > What are the community's thoughts on handling spam/phishing that utilize
> > homoglyphs to obfuscate the brands they're targeting? Are there any
> > plugi
On Sun, 14 Feb 2021, Ricky Boone wrote:
What are the community's thoughts on handling spam/phishing that utilize
homoglyphs to obfuscate the brands they're targeting? Are there any
plugins that are in development that might assist with catching these?
Take a look at the definit