On Mon, 20 Sep 2010, Chip M. wrote:
On 19 Sep 2010, John Hardin wrote:
> Adding to my sandbox for masscheck:
>
> rawbody HTML_OBFU_ESC /document\.write\(unescape\("(?:%[0-9a-f]{2}){10}/i

It performs pretty well. It should be in the next rules update, under a
slightly different name (OBFU_JVSCR_ESC).
On 19 Sep 2010, John Hardin wrote:
>> Adding to my sandbox for masscheck:
>>
>> rawbody HTML_OBFU_ESC /document\.write\(unescape\("(?:%[0-9a-f]{2}){10}/i
>
> It performs pretty well. It should be in the next rules update, under a
> slightly different name (OBFU_JVSCR_ESC).
Shiny!
How about com
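The rawbody rule discussed above, re-expressed in Python as an added example (not code from the thread or from SpamAssassin) so it can be tried against constructed rawbody fragments: it applies the same regex and ten-escape threshold, and also decodes the %XX run so the markup the escapes hide can be reviewed. The sample bodies below are constructed here; only the `%3C%53%43%52%49%50%54%20%4C` prefix comes from the thread.

```python
import re
from typing import Optional
from urllib.parse import unquote

# The rawbody rule from the thread as a Python regex. SpamAssassin's /i flag
# becomes re.IGNORECASE; at least ten consecutive %XX escapes must follow
# document.write(unescape(" before the rule fires.
HTML_OBFU_ESC = re.compile(
    r'document\.write\(unescape\("(?:%[0-9a-f]{2}){10}', re.IGNORECASE)

# Whole escaped run after the opening quote, used only to show an analyst what
# the obfuscated string decodes to (the rule itself needs just the first ten).
ESCAPED_RUN = re.compile(
    r'document\.write\(unescape\("((?:%[0-9a-f]{2})+)', re.IGNORECASE)


def rule_hits(rawbody: str) -> bool:
    """True when the rawbody would trigger HTML_OBFU_ESC / OBFU_JVSCR_ESC."""
    return HTML_OBFU_ESC.search(rawbody) is not None


def decode_escaped_run(rawbody: str) -> Optional[str]:
    """Decode the %XX run the rule keys on (plain %XX only, not JS %uXXXX)."""
    m = ESCAPED_RUN.search(rawbody)
    return unquote(m.group(1)) if m else None


# Constructed sample rawbody fragments (not taken from the thread's pastebin).
SAMPLES = {
    # Escaped prefix quoted in the thread, padded so it decodes to "<SCRIPT LANG".
    "obfuscated": '<!-- document.write(unescape("%3C%53%43%52%49%50%54%20%4C%41%4E%47")); -->',
    # Same call in upper case: the /i flag keeps it in scope.
    "mixed_case": 'DOCUMENT.WRITE(UNESCAPE("%3c%73%63%72%69%70%74%20%73%72%63%3d"))',
    # Only three escapes, below the {10} threshold, so it must not fire.
    "short_run": 'document.write(unescape("%3C%62%3E"))',
    # Ordinary script with no unescape() call at all.
    "plain": '<script>document.write("<b>hello</b>")</script>',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:11} hit={rule_hits(body)!s:5} "
              f"decoded={decode_escaped_run(body)!r}")
```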
On Fri, 17 Sep 2010, John Hardin wrote:
On Fri, 17 Sep 2010, Joseph Brennan wrote:
> On fre 17 sep 2010 00:30:27 CEST, Chris Owen wrote
> > 1) From yahoo.com
> > 2) Have a HTML attachment
> > 3) Are base64 encoded
> The html includes something like this, inside a comment. It's really
On Fri, 17 Sep 2010, Joseph Brennan wrote:
On fre 17 sep 2010 00:30:27 CEST, Chris Owen wrote
> 1) From yahoo.com
> 2) Have a HTML attachment
> 3) Are base64 encoded

The html includes something like this, inside a comment. It's really
over a hundred escaped characters:

document.write(unescape("%3C%53%43%52%49%50%54%20%4C

and I think
On Sep 17, 2010, at 2:27 PM, Joseph Brennan wrote:
> They're not really from Yahoo. No DKIM, no Newman property. That's
> a fake header.
Looks like I missed the real header.
All the better I guess though. Makes catching these even easier.
Chris
--On Thursday, September 16, 2010 17:30 -0500 Chris Owen wrote:

> We're seeing a lot of what I assume are exploit files coming from
> yahoo.com.
>
> They are all base64 encoded HTML attachments with a bunch of javascript
> in them.
>
> http://pastebin.com/ZSmW0kwW

They're not really from Yahoo. No
On fre 17 sep 2010 00:30:27 CEST, Chris Owen wrote
> 1) From yahoo.com
> 2) Have a HTML attachment
> 3) Are base64 encoded
>
> My question is how important is #1.

check dkim if it's signed by yahoo there are better chances they listing :)

> I'd think a HTML attachment is a little unusual period but how
> c