DFS wrote some more about this technique (with code!) on the MD mailing list, if you search their archives.

On 8/10/2016 9:40 AM, Ruga wrote:
thank you for teasing us...

Sent from ProtonMail Mobile


On Wed, Aug 10, 2016 at 3:36 PM, Larry Starr <lar...@fullcompass.com> wrote:

That is what I'm doing here.

Rather than attempting that with SA, I wrote a MimeDefang routine to interrogate the "Magic" number of any Office document, blocking all macro-enabled documents and any document that was renamed so that the Magic number does not match the extension (I don't care if these are macro-enabled or not; there is no legitimate reason to rename them).

On Wednesday, August 10, 2016 09:31:21 Joe Quinn wrote:

That's a very good warning indeed! Perhaps blocking .doc files with a zip-like file structure is in order? I can't think of a legitimate reason to use the old extension on the new file format.

On 8/10/2016 9:28 AM, Larry Starr wrote:

On Tuesday, August 09, 2016 18:01:57 Rob McEwen wrote:

> On 8/9/2016 5:56 PM, Anthony Hoppe wrote:
> > Here are the headers as an example:
> > http://pastebin.com/bnU0npLR
> > This particular email has a macro-enabled Word document attached, but I
> > don't want to assume this will be the case every time.
> > Any tips/tricks/suggestions would be greatly appreciated!
>
> I think there is a trend now... towards blocking ALL .docm files (if
> not, there should be!). I think it is EXTREMELY rare for normal human
> beings to send Word documents in that particularly dangerous format.
> Most would be sent in .doc or .docx format.
>
> I'm not sure if there is already a SA rule for scoring against .docm
> file attachments? Perhaps someone else could help you with that.

Just a short warning: although Word will not open a .docm that is renamed to .docx, it will open a .docm renamed to .doc.

I found this the hard way!

It is necessary, if you wish to be safe from macro-enabled documents, to verify that the file is what the attachment's extension claims to be.

--

Larry Starr

Software Engineer

Full Compass Systems

9770 Silicon Prairie Pkwy

Madison, WI 53593-8442

P: 608-831-7330 x1347

F: 608-831-6330

E: lar...@fullcompass.com <mailto:lar...@fullcompass.com>




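The two checks Larry describes (does the magic number match the extension, and is the document macro-enabled) plus Rob's suggestion of blocking the .docm family outright, written out in Python as an added example; this is not Larry's MimeDefang routine (MimeDefang filters are Perl) but the same logic in standalone form. The extension table, the block strings, and the constructed sample documents are assumptions of the example, and it handles Larry's renamed-.docm case in both directions (to .doc and to .docx).

```python
import io
import zipfile
# File signatures for the two Office container formats.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy binary .doc/.xls/.ppt
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML .docx/.docm/.xlsx/...
# Container each extension is supposed to carry (table constructed for this example).
EXPECTED = {"doc": "ole2", "xls": "ole2", "ppt": "ole2", "docx": "zip", "xlsx": "zip",
            "pptx": "zip", "docm": "zip", "xlsm": "zip", "pptm": "zip"}
MACRO_EXTS = {"docm", "xlsm", "pptm"}  # the formats Rob suggested blocking outright

def container_type(data: bytes) -> str:
    # Classify by magic number only; the filename is not consulted here.
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "other"

def ooxml_has_macros(data: bytes) -> bool:
    # OOXML keeps VBA in a vbaProject.bin part inside the zip container.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def check_attachment(filename: str, data: bytes) -> str:
    """Return 'allow' or a 'block: ...' reason for one attachment."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in EXPECTED:
        return "allow"  # not an Office extension this filter handles
    if ext in MACRO_EXTS:
        return "block: macro-enabled extension"
    kind = container_type(data)
    if kind != EXPECTED[ext]:  # e.g. a .docm renamed to .doc shows up as zip
        return f"block: .{ext} content is {kind}, not {EXPECTED[ext]}"
    if kind == "zip" and ooxml_has_macros(data):  # e.g. a .docm renamed to .docx
        return "block: macro-enabled OOXML document"
    # VBA inside a legacy OLE2 .doc is not detected by a magic-number check;
    # that needs an OLE parser such as oletools' olevba.
    return "allow"

def make_ooxml(with_macro: bool) -> bytes:  # constructed sample input, not a real document
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()
```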