On Wed, 13 Jul 2016, Chip M. wrote:
P.P.S. Today's new malware morph is a single zipped javascript
file, where the script filename ends with "..wsf".
Is the double dot just a mistake, or does that confuse anything?
That's very likely an attempt to bypass "double-extension" filter checks
that
On Wed, 8 Jun 2016 17:23:59 -0400 Alex wrote:
>Meanwhile, there is RTF spam that's circulating which is
>currently bypassing the sanesecurity sigs. I've just submitted a
>sample to Steve, but the db hasn't yet been updated. Here's a
>sample:
>
>http://pastebin.com/ALsSAmwa
Alex, thanks for the spa
On 2016-06-08 23:23, Alex wrote:
http://pastebin.com/ALsSAmwa
this sample can be reported to dnswl
Meanwhile, there is RTF spam that's circulating which is currently
bypassing the sanesecurity sigs. I've just submitted a sample to
Steve, but the db hasn't yet been updated. Here's a sample:
http://pastebin.com/ALsSAmwa
The pattern to temporarily stop them involves a meta with
__DOC_ATTACH_MT an
On 08/06/16 21:39, Paul Stead wrote:
BlockAnyAndAllJS:*:*:\.[Jj][Ss]$:*:*:*:*:*:*
Should point out that this may be prone to false positives. The Sane sigs are
scored low, med, high FP risk and can be installed as such.
--
Paul Stead
Systems Engineer
Zen Internet
On 08/06/16 20:59, Chip M. wrote:
I was looking more closely at the Foxhole page, and it SOUNDS (to me) like they do _NOT_
block on ".js" file extension, whereas you/Dianne do:
More relevant for the ClamAV/Sanesecurity list, hope this isn't looked down
upon.
I'm not sure if Steve is on the lis
.ocx
> .tsp
> I verified that all of those actually occur and are executable
> on a Windows7 machine.
--
View this message in context:
http://spamassassin.1065346.n5.nabble.com/SA-cannot-block-messages-with-attached-zip-tp120785p121205.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
At 04:07 AM 5/20/2016, Dianne/RoaringPenguin wrote:
>We list the contents of attached archives
>(using "lsar") and have filename-extension rules that block .js
>inside .zip files. While this can lead to some FPs, which we handle
>with selective whitelisting, it's very effective at catching the
I've switched from AVG File Server to ClamWin + Sanesecurity; now it seems
ok,
I have to examine for false negatives, maybe I need to exclude some
signatures.
Here are the results for 9 hours of Sanesecurity:
Passed msg: 912
Viruses detected: 446
Spam msg: 5523
AVG File Server was really really b
On 21 May 2016, at 12:31, Dianne Skoll wrote:
On Sat, 21 May 2016 12:28:48 -0400
"Bill Cole" wrote:
On 20 May 2016, at 7:07, Dianne Skoll wrote:
Sorry for the non-easy answer. Doing it properly requires a
non-trivial amount of coding.
I do not recall doing any real coding at all to get
and BTW a mail from a machine listed at "pbl.spamhaus.org"
(https://www.spamhaus.org/pbl/) should not make it to your content
filters at all - so it appears that most people in this thread who
face a high number of these problems don't set up their MTA proper
no way that the sample mail make
Am 23.05.2016 um 15:24 schrieb Emin Akbulut:
AVG or ClamAV or any other antivirus couldn't delete all these attached
viruses; VirusTotal says.
My mail server checks blacklists & SURBL servers.
Anyway we might receive mails from unlisted IPs like zombie PCs.
In the message with Zip attachment
AVG or ClamAV or any other antivirus couldn't delete all these attached
viruses; VirusTotal says.
My mail server checks blacklists & SURBL servers.
Anyway we might receive mails from unlisted IPs like zombie PCs.
In the message with Zip attachment includes javascript files containing no url
in the b
On 22/05/16 02:10, @lbutlr wrote:
Sure, there are 4 foxhole ones, but there are dozens on the main page there.
The following code allows for easy config and download of the signatures you
want.
https://github.com/extremeshok/clamav-unofficial-sigs
By default this will download and test the l
On May 21, 2016, at 1:18 PM, Reindl Harald wrote:
> Am 21.05.2016 um 21:16 schrieb @lbutlr:
>> On May 20, 2016, at 6:11 AM, Reindl Harald wrote:
>>> no it is not, look at the sanesecurity foxhole signatures
>>> http://sanesecurity.com/usage/signatures/
>>
>> I have looked at those, but there are
Am 21.05.2016 um 21:16 schrieb @lbutlr:
On May 20, 2016, at 6:11 AM, Reindl Harald wrote:
no it is not, look at the sanesecurity foxhole signatures
http://sanesecurity.com/usage/signatures/
I have looked at those, but there are so many it’s kind of overwhelming on
where to start
4 is man
On May 20, 2016, at 6:11 AM, Reindl Harald wrote:
> no it is not, look at the sanesecurity foxhole signatures
> http://sanesecurity.com/usage/signatures/
I have looked at those, but there are so many it’s kind of overwhelming on
where to start.
--
NO. I CANNOT BE BIDDEN. I CANNOT BE FORCED. I
On Sat, 21 May 2016 12:28:48 -0400
"Bill Cole" wrote:
> On 20 May 2016, at 7:07, Dianne Skoll wrote:
> > Sorry for the non-easy answer. Doing it properly requires a
> > non-trivial amount of coding.
> I do not recall doing any real coding at all to get a steady trickle
> of log messages like t
On 20 May 2016, at 7:07, Dianne Skoll wrote:
Sorry for the non-easy answer. Doing it properly requires a
non-trivial
amount of coding.
I do not recall doing any real coding at all to get a steady trickle of
log messages like this (regarding mail NOT from Amazon):
May 4 01:30:05 bigsky mi
On Fri, 20 May 2016 17:47:09 -0500 (CDT)
David B Funk wrote:
> > We do it the hard way. We list the contents of attached archives
> > (using "lsar") and have filename-extension rules that block .js
> > inside .zip files. While this can lead to some FPs, which we handle
> > with selective whitel
On Fri, 20 May 2016, Dianne Skoll wrote:
On Fri, 20 May 2016 09:31:48 +0300
Emin Akbulut wrote:
What do you suggest to fight these spams?
ClamAV is basically useless.
We do it the hard way. We list the contents of attached archives
(using "lsar") and have filename-extension rules that blo
From: Rick Macdougall
Sent: Friday, May 20, 2016 7:50:46 AM
To: users@spamassassin.apache.org
Subject: Re: SA cannot block messages with attached zip
On 2016-05-20 10:36 AM, Paul Stead wrote:
> Second, the foxhole_js database is what you're looking for
>
> Paul
>
> On
Am 20.05.2016 um 17:29 schrieb Chip M.:
P.S. As of about 1700 UTC yesterday, I'm seeing significant
volume of zipped macro-encrusted "doc" files
/etc/clamd.d/scan.conf:
ScanOLE2 yes
OLE2BlockMacros yes
signature.asc
Description: OpenPGP digital signature
At 04:07 AM 5/20/2016, RoaringPenguin wrote:
>filename-extension rules that block .js
>inside .zip files.
+1
We also block these scripting related Windows extensions:
.hta
.jse
.vbs
.wsf
Those were originally "pre-emptive", however I've now seen
both ".hta" and ".
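Added example (not code from the thread or from any of its participants): a small Python check that lists the members of a zip attachment, as the posters above do with lsar, and flags the scripting extensions named in this thread (.js, .hta, .jse, .vbs, .wsf, plus .ocx and .tsp from the list verified as executable on Windows 7). It also shows, with a constructed archive rather than a real sample, why Chip's "..wsf" filename matters: a hypothetical double-extension regex of the kind Paul mentions needs a non-empty inner extension and so misses "report..wsf", while normalising the name the way Windows treats it (dropping trailing dots and spaces, collapsing repeated dots) still yields the effective extension ".wsf". The block list and the naive regex are assumptions for illustration, not anything from the page.

```python
import io
import re
import zipfile

# Extensions the thread's participants block inside zip attachments.
# Assumed starting block list, not a complete one.
BLOCKED_EXTENSIONS = {".js", ".hta", ".jse", ".vbs", ".wsf", ".ocx", ".tsp"}

# Hypothetical "double-extension" check: it requires a non-empty inner
# extension (e.g. "invoice.pdf.js"), so "report..wsf" slips past it.
NAIVE_DOUBLE_EXT = re.compile(r"\.[a-z0-9]{1,4}\.(js|jse|hta|vbs|wsf)$", re.I)


def effective_extension(name):
    """Return the extension Windows would act on for an archive member name.

    Windows ignores trailing dots and spaces, and "report..wsf" still ends
    in the single extension ".wsf", so normalise before taking the suffix.
    """
    base = name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]  # drop any directory part
    base = base.rstrip(". ")                             # Windows drops trailing dots/spaces
    base = re.sub(r"\.{2,}", ".", base)                  # collapse ".." into "."
    idx = base.rfind(".")
    if idx <= 0:                                         # no extension, or a dotfile
        return ""
    return base[idx:].lower()


def naive_check(name):
    """True when the naive double-extension regex would have flagged the name."""
    return bool(NAIVE_DOUBLE_EXT.search(name))


def scan_zip_bytes(data):
    """List zip members and return (member name, effective extension) for blocked ones."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = effective_extension(info.filename)
            if ext in BLOCKED_EXTENSIONS:
                flagged.append((info.filename, ext))
    return flagged


def build_sample_zip():
    """Constructed sample archive (placeholder content, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.js", "// constructed placeholder content\n")
        zf.writestr("report..wsf", "<job></job>\n")
        zf.writestr("notes.txt", "plain text\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for member, ext in scan_zip_bytes(sample):
        print(f"blocked: {member} (effective extension {ext})")
    # The naive regex catches "invoice.pdf.js" but not "report..wsf".
    for member in ("invoice.pdf.js", "report..wsf"):
        print(f"naive double-extension check on {member}: {naive_check(member)}")
```

The point of normalising first is that the filter sees the same extension the Windows shell will act on; a rule keyed on the literal string between two dots, or on the presence of exactly one dot, is the kind of check the "..wsf" trick is built to step around.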
Am 20.05.2016 um 17:11 schrieb Rick Macdougall:
On 2016-05-20 11:00 AM, Reindl Harald wrote:
Am 20.05.2016 um 16:50 schrieb Rick Macdougall:
On 2016-05-20 10:36 AM, Paul Stead wrote:
Second, the foxhole_js database is what you're looking for
Paul
On 20/05/16 13:11, Reindl Harald wrote:
On 2016-05-20 11:00 AM, Reindl Harald wrote:
Am 20.05.2016 um 16:50 schrieb Rick Macdougall:
On 2016-05-20 10:36 AM, Paul Stead wrote:
Second, the foxhole_js database is what you're looking for
Paul
On 20/05/16 13:11, Reindl Harald wrote:
Am 20.05.2016 um 13:07 schrieb Dianne Skoll:
On
On Fri, 20 May 2016 15:00:55 +
David Jones wrote:
> >From: Dianne Skoll
> >ClamAV is basically useless.
> ClamAV helps a little with the unofficial signatures.
The operative word here is "a little".
I find that the unofficial signatures that are good at actually catching
bad stuff have extr
>From: Dianne Skoll
>Sent: Friday, May 20, 2016 6:07 AM
>To: users@spamassassin.apache.org
>Subject: Re: SA cannot block messages with attached zip
>On Fri, 20 May 2016 09:31:48 +0300
>Emin Akbulut wrote:
>> What do you suggest to fight these spams?
>ClamAV is basic
Am 20.05.2016 um 16:50 schrieb Rick Macdougall:
On 2016-05-20 10:36 AM, Paul Stead wrote:
Second, the foxhole_js database is what you're looking for
Paul
On 20/05/16 13:11, Reindl Harald wrote:
Am 20.05.2016 um 13:07 schrieb Dianne Skoll:
On Fri, 20 May 2016 09:31:48 +0300
Emin Akbulut
On 2016-05-20 10:36 AM, Paul Stead wrote:
Second, the foxhole_js database is what you're looking for
Paul
On 20/05/16 13:11, Reindl Harald wrote:
Am 20.05.2016 um 13:07 schrieb Dianne Skoll:
On Fri, 20 May 2016 09:31:48 +0300
Emin Akbulut wrote:
What do you suggest to fight these spams?
Second, the foxhole_js database is what you're looking for
Paul
On 20/05/16 13:11, Reindl Harald wrote:
Am 20.05.2016 um 13:07 schrieb Dianne Skoll:
On Fri, 20 May 2016 09:31:48 +0300
Emin Akbulut wrote:
What do you suggest to fight these spams?
ClamAV is basically useless
no it is no
Am 20.05.2016 um 16:20 schrieb Kris Deugau:
Emin Akbulut wrote:
I tried to train SA with tons of spam messages which contain a zip file
(including .js).
The max spam score was less than 5 so I set 4 to delete messages.
Then the same kind of spam messages appear with a score of less than 2
Emin Akbulut wrote:
> I tried to train SA with tons of spam messages which contain a zip file
> (including .js).
> The max spam score was less than 5 so I set 4 to delete messages.
>
> Then the same kind of spam messages appear with a score of less than 2.
>
> In short; training the SA seems
I hitched a ride in this thread and I appreciate the tip of the foxhole
and clamav!
I was also having problems here! solved now.
On 20-05-2016 09:11, Reindl Harald wrote:
Am 20.05.2016 um 13:07 schrieb Dianne Skoll:
On Fri, 20 May 2016 09:31:48 +0300
Emin Akbulut wrote:
What do you sugges
Am 20.05.2016 um 13:07 schrieb Dianne Skoll:
On Fri, 20 May 2016 09:31:48 +0300
Emin Akbulut wrote:
What do you suggest to fight these spams?
ClamAV is basically useless
no it is not, look at the sanesecurity foxhole signatures
http://sanesecurity.com/usage/signatures/
On Fri, 20 May 2016 09:31:48 +0300
Emin Akbulut wrote:
> What do you suggest to fight these spams?
ClamAV is basically useless.
We do it the hard way. We list the contents of attached archives
(using "lsar") and have filename-extension rules that block .js
inside .zip files. While this can le
Am 20.05.2016 um 11:40 schrieb @lbutlr:
On May 20, 2016, at 2:46 AM, Reindl Harald wrote:
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
[long list]
What do you set postscreen_dnsbl_threshold to?
8
On May 20, 2016, at 2:46 AM, Reindl Harald wrote:
> postscreen_dnsbl_action = enforce
> postscreen_greet_action = enforce
[long list]
What do you set postscreen_dnsbl_threshold to?
--
"Give a man a fire and he's warm for a day, but set fire to him and he's
warm for the rest of his life."
Am 20.05.2016 um 10:32 schrieb Reindl Harald:
Am 20.05.2016 um 08:31 schrieb Emin Akbulut:
I tried to train SA with tons of spam messages which contain a zip file
(including .js).
The max spam score was less than 5 so I set 4 to delete messages.
Then the same kind of spam messages appear with
Am 20.05.2016 um 08:31 schrieb Emin Akbulut:
I tried to train SA with tons of spam messages which contain a zip file
(including .js).
The max spam score was less than 5 so I set 4 to delete messages.
Then the same kind of spam messages appear with a score of less than 2.
In short; trainin
I tried to train SA with tons of spam messages which contain a zip file
(including .js).
The max spam score was less than 5 so I set 4 to delete messages.
Then the same kind of spam messages appear with a score of less than 2.
In short, training SA seems not to help.
What do you suggest