On Tue, Oct 31, 2017, David Jones <djo...@ena.com> wrote:
> Add the Lashback RBL. I am trying to get this added to the default SA
> rules. See my post on 2017-10-17 in the following link and increase the
> scores after some testing.
David, after your Lashback post, I had added it to my FP pipeline (i.e. run from the desktop, NOT real-time) for evaluation; however, I had made a minor setup mistake. Thanks for the reminder that prompted me to check and fix that. :) If that proves useful, I'll add it to my post-gateway real-time stack. Thanks for your other suggestions. :)

Benny: Thanks for the clamav submission page; however, it did not work with my browser (after NIMDA, I turned "off" all the whizbang security nightmare stuff). :( You or anyone else is welcome to submit it there or anywhere. :)

"Rupert": That was one of 30 that passed gateway RBL testing and (plain vanilla) ClamAV. It was _NOT_ "addressed to someone-else". If you do a bit of DNS analysis on the Received headers, it will be clearer. You are correct that it failed SPF. :) I checked all the others, and they too failed, which is somewhat unusual.

*** All: ***

Clarification: 100% of these are being caught by my filters. I posted to share a live sample, since there are lots of technical analysis articles but I have not yet seen complete samples of all the file vectors that are possible. I'm mainly interested in insights into CONTENT-based rules, and more diverse samples. :)

For example, after the first wave of news, I added a word match rule for "DDEAUTO", which has _NOT_ yet triggered. That does trigger if I change it to a gappy-word rule, after de-tagging these XML pairs:

    <w:instrText>DDE</w:instrText>
    <w:instrText>AUTO</w:instrText>

I had not expected that. I particularly want to see an .ics sample.

Has anybody else seen much/any DDE attack variants?

- "Chip"
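The point Chip makes above, that a plain word match for "DDEAUTO" fails because Word splits the field code across several w:instrText runs, is easy to reproduce outside SpamAssassin. The following is an added example, not code from the thread or from the SpamAssassin project: it builds a constructed, minimal .docx in memory (the "placeholder-target" field argument and the document XML are made up for the test), then compares a raw word match against a check that joins the instrText runs of each paragraph before matching. Only the Python standard library is used; the file name "word/document.xml" and the w: namespace are the real WordprocessingML ones, everything else is an assumption for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List

# Real WordprocessingML namespace used inside .docx packages.
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
P_TAG = f"{{{W_NS}}}p"
INSTR_TAG = f"{{{W_NS}}}instrText"
FLD_SIMPLE_TAG = f"{{{W_NS}}}fldSimple"
INSTR_ATTR = f"{{{W_NS}}}instr"

# Constructed sample document.xml: the field code is split across runs,
# exactly the layout the post describes. The target string is a placeholder.
SAMPLE_DOCUMENT_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{W_NS}">
  <w:body>
    <w:p>
      <w:r><w:fldChar w:fldCharType="begin"/></w:r>
      <w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>
      <w:r><w:instrText xml:space="preserve">AUTO </w:instrText></w:r>
      <w:r><w:instrText xml:space="preserve">placeholder-target </w:instrText></w:r>
      <w:r><w:fldChar w:fldCharType="end"/></w:r>
    </w:p>
    <w:p><w:r><w:t>Benign body text.</w:t></w:r></w:p>
  </w:body>
</w:document>
"""

# The naive rule from the post: one contiguous word.
RAW_WORD_RE = re.compile(r"\bDDEAUTO\b", re.IGNORECASE)
# Applied to joined field codes; DDE and DDEAUTO are both Word field keywords.
FIELD_CODE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def build_docx(document_xml: bytes) -> bytes:
    """Wrap a document.xml in a minimal zip container (constructed test data,
    not a complete Office package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


def field_codes(document_xml: bytes) -> List[str]:
    """Return each paragraph's field code with its w:instrText runs joined and
    whitespace normalised, plus any w:fldSimple instr attributes.
    Note: ElementTree is not hardened against hostile XML; a production
    scanner would parse with defusedxml or equivalent."""
    root = ET.fromstring(document_xml)
    codes = []
    for para in root.iter(P_TAG):
        runs = [el.text or "" for el in para.iter(INSTR_TAG)]
        if runs:
            codes.append(" ".join("".join(runs).split()))
        for fs in para.iter(FLD_SIMPLE_TAG):
            instr = fs.get(INSTR_ATTR)
            if instr:
                codes.append(" ".join(instr.split()))
    return codes


def scan_docx(docx_bytes: bytes) -> Dict[str, object]:
    """Scan every word/*.xml part: report whether the raw word rule fires and
    whether the joined field-code rule fires, and return the joined codes."""
    raw_hit = False
    codes: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            data = zf.read(name)
            raw_hit = raw_hit or bool(RAW_WORD_RE.search(data.decode("utf-8", "replace")))
            codes.extend(field_codes(data))
    joined_hit = any(FIELD_CODE_RE.search(c) for c in codes)
    return {"raw_word_match": raw_hit, "joined_match": joined_hit, "field_codes": codes}


if __name__ == "__main__":
    result = scan_docx(build_docx(SAMPLE_DOCUMENT_XML.encode("utf-8")))
    print(result)
```

On the constructed sample the raw rule does not fire while the joined rule does, which is the behaviour Chip reports; the same joining is what a "gappy-word" rule approximates after tags are stripped. Scanning all word/*.xml parts rather than only document.xml matters because field codes can also live in headers, footers and footnotes.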