--On Thursday, March 19, 2009 5:41 AM -0700 John Hardin
wrote:
Hence my subsequent suggestion for an HTML tag scoring plugin. That
_would_ be context-sensitive and I'd feel safe giving an OBJECT tag 20
points that way.
I'd love to see a plugin like this that could flag syntax issues like
un
On 19-Mar-2009, at 15:18, James Wilkinson wrote:
John Hardin wrote:
No reason it shouldn't be. I'd suggest something like a rawbody
match on
/]/i meta'd with HTML_MESSAGE should be worth a few
(dozen)
points.
This would seem to FP on Microsoft HTML generated by certain
versions of
Word.
On Thu, 19 Mar 2009, James Wilkinson wrote:
John Hardin wrote:
No reason it shouldn't be. I'd suggest something like a rawbody match on
/]/i meta'd with HTML_MESSAGE should be worth a few (dozen)
points.
This would seem to FP on Microsoft HTML generated by certain versions of
Word. One exampl
John Hardin wrote:
> No reason it shouldn't be. I'd suggest something like a rawbody match on
> /]/i meta'd with HTML_MESSAGE should be worth a few (dozen)
> points.
This would seem to FP on Microsoft HTML generated by certain versions of
Word. One example:
On Wed, Mar 18, 2009 at 11:12:02PM +0100, mouss wrote:
> I don't know many people who forbid .doc/xls/ppt in email,
> and these can do a lot of harm.
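# Only inspect multipart messages
:0 H
* ^Content-Type: multipart
{
    # Body declares an attachment name with a blocked extension
    :0 B
    * name=.*\.(exe|bat|pif|com|lnk|scr|vbs|zip|pdf)(")?(\ *|\t*)$
    {
        # Deliver to the quarantine mailbox, using a lockfile
        :0:
        $HOME/Mail/quarantine
    }
}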
Ned SLider said:
>> >
>>
>> Indeed, but why does flash need the ability to bind ports, open remote
>> connections, download executable files and run them? Its primary
>> function is to be a web-based multimedia player, or so I thought.
>> SELinux provides solutions to many of these issues by
On Thu, 19 Mar 2009, LuKreme wrote:
On 19-Mar-2009, at 05:41, John Hardin wrote:
On Thu, 19 Mar 2009, LuKreme wrote:
> On 19-Mar-2009, at 04:27, John Hardin wrote:
> > No reason it shouldn't be. I'd suggest something like a rawbody match
> > on /]/i meta'd with HTML_MESSAGE should be worth a
On 19-Mar-2009, at 05:41, John Hardin wrote:
On Thu, 19 Mar 2009, LuKreme wrote:
On 19-Mar-2009, at 04:27, John Hardin wrote:
No reason it shouldn't be. I'd suggest something like a rawbody
match on /]/i meta'd with HTML_MESSAGE should be worth
a few (dozen) points.
That seems like a good
On Thu, 19 Mar 2009, LuKreme wrote:
On 19-Mar-2009, at 04:27, John Hardin wrote:
No reason it shouldn't be. I'd suggest something like a rawbody match
on /]/i meta'd with HTML_MESSAGE should be worth a few
(dozen) points.
That seems like a good idea. You have anything?
No, and I'd be conc
On 19-Mar-2009, at 04:27, John Hardin wrote:
No reason it shouldn't be. I'd suggest something like a rawbody
match on /]/i meta'd with HTML_MESSAGE should be worth a
few (dozen) points.
That seems like a good idea. You have anything?
--
Happy Jack wasn't tall, but he was a man
Le 19/03/2009 11:27, John Hardin a écrit :
No reason it shouldn't be. I'd suggest something like a rawbody match on
/]/i meta'd with HTML_MESSAGE should be worth a few (dozen)
points.
FWIW, MailScanner has had the option of disarming and
tags for ages.
John.
mouss wrote:
RobertH a écrit :
http://pastebin.com/m2fcbe7b5
Thanks for posting the sample.
My email sanitizer successfully defends against this attack.
:)
--
John Hardin
no disrespect intended yet i would like to understand...
u, if your "email sanitizer" caugh
On Wed, 18 Mar 2009, RobertH wrote:
My email sanitizer successfully defends against this attack.
no disrespect intended yet i would like to understand...
u, if your "email sanitizer" caught it, why isn't that something
programmed "in another way" inside SA, or clamav, etc...?
No reason
> http://pastebin.com/m2fcbe7b5
Thanks for the sample.. I added detection for the email and exe file
yesterday.
Cheers,
Steve
Sanesecurity
www.sanesecurity.com
>>> Michael Scheidell wrote:
then tries to load a binary:
ref="http://www.spamcom.com.br/CartadeAmor.exe";
both files still exist on the hosts, and neither was
identified by clamav, and neither triggered any ET
(snort) rules, SA didn't trigger any rules ex
RobertH a écrit :
>
>
>>> http://pastebin.com/m2fcbe7b5
>> Thanks for posting the sample.
>>
>>
>> My email sanitizer successfully defends against this attack.
>>
>>
>> :)
>>
>> --
>> John Hardin
>
> no disrespect intended yet i would like to understand...
>
> u, if y
> >
> > http://pastebin.com/m2fcbe7b5
>
> Thanks for posting the sample.
>
>
> My email sanitizer successfully defends against this attack.
>
>
> :)
>
> --
> John Hardin
no disrespect intended yet i would like to understand...
u, if your "email sanitizer" caught i
>>
>> Michael Scheidell wrote:
>> > just saw this one in email. terra.com/ spamcop.com./br are hosting
>> > trojans.
>> > but this email uses flash to load this:
>> >
>> > http://www.terra.com.br/cartoes/datas/amor.swf";>
>> > (which redirects to http://cartoes.terra.com.br/datas/amor.swf )
>>
John Hardin wrote:
My email sanitizer successfully defends against this attack.
:)
mine did too... but it quarantined it in my 'this was only stopped due
to custom rules, maybe SA group would like to see it' pile.
and, didn't see any SA rules (or SARES rules) except those given.
--
Mic
On Wed, 18 Mar 2009, Michael Scheidell wrote:
both files still exist on the hosts, and neither was identified by
clamav, and neither triggered any ET (snort) rules, SA didn't trigger
any rules except these:
HTML_EMBEDS=0.056, HTML_EXTRA_CLOSE=2.809,
HTML_MESSAGE=0.001, MIME_HTML_ONLY
Michael Scheidell wrote:
just saw this one in email. terra.com/ spamcop.com./br are hosting
trojans.
but this email uses flash to load this:
http://www.terra.com.br/cartoes/datas/amor.swf";>
(which redirects to http://cartoes.terra.com.br/datas/amor.swf )
then tries to load a binary:
ref="htt