On 07/24/2017 05:00 PM, Alex wrote:
Hi,
We're currently experiencing a new spam campaign that involves some
text pertaining to invoicing, then a link that immediately downloads a
Word macro file.
http://sdeflores.com/PHJC579907/
What would be involved in following these links in SA to determine if
they immediately download a file (other than a web page)? Would that
even be a reliable indicator?
This isn't the first time I've seen such an approach.
This one's probably already on some blacklists, but I'm still blocking others:
https://pastebin.com/p7EnFNf7
Thanks,
Alex
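Alex asks what it would take to follow such a link and tell whether it hands back a file rather than a page. The check below is an added example, not code from this thread and not a SpamAssassin plugin: it issues a HEAD request, refuses to auto-follow redirects so every hop is visible, and classifies the final response from Content-Disposition and Content-Type. The type lists, the function names, the hop limit and the sample responses are this example's own assumptions; the sample headers are constructed for offline use, not captured from the URL in Alex's mail.

```python
import urllib.error
import urllib.parse
import urllib.request

# Content-Type values treated as "a file, not a page". Assumed list for this
# example; the macro-enabled Office types are what an invoice lure delivers.
FILE_CONTENT_TYPES = {
    "application/msword",
    "application/vnd.ms-word.document.macroenabled.12",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
    "application/vnd.ms-excel",
    "application/vnd.ms-excel.sheet.macroenabled.12",
    "application/octet-stream",
    "application/zip",
    "application/x-msdownload",
}
PAGE_CONTENT_TYPES = {"text/html", "application/xhtml+xml", "text/plain"}


def classify_response(status, headers):
    """Classify one HTTP response as 'download', 'page', 'redirect' or
    'unknown' from its status code and a dict of headers (any case)."""
    h = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400:
        return "redirect"          # caller decides whether to walk it
    if status >= 400:
        return "unknown"           # 404/405/5xx: nothing to classify
    disposition = h.get("content-disposition", "")
    if disposition.split(";", 1)[0].strip().lower() == "attachment":
        return "download"          # server explicitly forces a save
    ctype = h.get("content-type", "").split(";", 1)[0].strip().lower()
    if ctype in FILE_CONTENT_TYPES:
        return "download"
    if ctype in PAGE_CONTENT_TYPES:
        return "page"
    return "unknown"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses to the caller instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def head(url, timeout=10):
    """HEAD one URL without following redirects. Returns (status, headers).
    Network access; not exercised by the offline samples below."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as e:      # 3xx/4xx/5xx land here
        return e.code, dict(e.headers.items())


def follow_and_classify(url, max_hops=3, timeout=10):
    """Walk redirects by hand so each hop is recorded, then classify the
    final response. Returns (verdict, list of URLs visited)."""
    chain = [url]
    for _ in range(max_hops + 1):
        status, headers = head(chain[-1], timeout)
        verdict = classify_response(status, headers)
        if verdict != "redirect":
            return verdict, chain
        location = next((v for k, v in headers.items()
                         if k.lower() == "location"), None)
        if not location:
            return "unknown", chain
        chain.append(urllib.parse.urljoin(chain[-1], location))
    return "unknown", chain        # too many hops: leave unresolved


# Constructed sample responses (not captured from the URL in the mail) so the
# classifier can be exercised offline.
SAMPLE_RESPONSES = {
    "macro-doc":    (200, {"Content-Type":
                           "application/vnd.ms-word.document.macroEnabled.12"}),
    "attachment":   (200, {"Content-Type": "application/octet-stream",
                           "Content-Disposition":
                           'attachment; filename="invoice.doc"'}),
    "landing-page": (200, {"Content-Type": "text/html; charset=utf-8"}),
    "bounce":       (302, {"Location": "/PHJC579907/invoice.doc"}),
    "gone":         (404, {"Content-Type": "text/html"}),
}


def classify_samples():
    """Run the classifier over the constructed samples."""
    return {name: classify_response(s, h)
            for name, (s, h) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:13} -> {verdict}")
```

HEAD is deliberate: the probe never pulls the body, so the scanner is not the thing that fetches the macro. Even so, every probe tells the sender that the address is live and can trip per-recipient tracking tokens, so run it from an isolated egress host with no credentials and a short timeout, and treat the verdict as one weak signal rather than a block: legitimate invoicing mail links to PDFs too. A server may also answer HEAD with 405, or serve a page to HEAD and the file to GET; the example reports those as unknown rather than guessing.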
Bump up your RCVD_IN_SENDERSCORE_60_69 to 2.2 like I have in my
environment, and this would have been blocked.
Running it through my SA hit BAYES_50 with 0.8 points, which also gave it
a slightly higher overall score. Perhaps better spam training would be
helpful. Consider setting up masscheck processing, which could also help
with ham/spam classification for Bayes training, making it a higher
priority like it did for me.
I would also check my mail logs and put a REJECT in the MTA configs for
ahf-group.de if all else fails. This is not common, but sometimes I find
problem domains that send from servers that never make it onto RBLs or DBLs.
--
Dave