We are receiving LOTS of emails that contain empty XLS or DOC documents with embedded virus macros. These are getting past SPAMASSASSIN, Clamav and Kaspersky.
I'm trying to write a filter for EXIM to block these emails but I need to know a good, quick, command-line to detect an empty doc with a macro.
Is there anything available that I can use??
I have managed to write a PERL script to detect empty xls xlsx, doc and docx files but I cannot detect whether they have any macros embedded
Gary
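An added example of the check asked about above (not code from the thread, and not Gary's Perl script): a small Python inspector that tells a zip-based OOXML file (docx/xlsx/docm/xlsm) from a legacy OLE2 file (doc/xls), reports whether a VBA project is present, and for OOXML counts the visible body text so an "empty document with macros" can be flagged. The OLE2 macro test is a heuristic: compound-file directory names are stored as UTF-16LE, and every VBA project has a `_VBA_PROJECT` stream, so the encoded name is searched for rather than parsing the directory properly (a real parser such as oledump/olevba is the robust route). Counting body text in OLE2 is not attempted. The sample files are constructed in memory and are not real Office documents.

```python
"""Inspect an Office attachment: container type, VBA present?, visible text (OOXML only)."""
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls compound file
ZIP_MAGIC = b"PK\x03\x04"                           # .docx/.xlsx/.docm/.xlsm zip container

# In OOXML the VBA project is a separate part inside the zip.
OOXML_MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Heuristic for OLE2: directory entry names are UTF-16LE, and a VBA project
# always contains a "_VBA_PROJECT" stream.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")

_WORD_TEXT = re.compile(rb"<w:t(?:\s[^>]*)?>([^<]*)</w:t>")           # Word runs
_XL_TEXT = re.compile(rb"<(?:t|v)(?:\s[^>]*)?>([^<]*)</(?:t|v)>")     # shared strings / cell values


def _ooxml_text_chars(zf):
    """Count non-whitespace characters of visible text in a docx/xlsx body."""
    total = 0
    for name in zf.namelist():
        if name == "word/document.xml":
            pattern = _WORD_TEXT
        elif name == "xl/sharedStrings.xml" or name.startswith("xl/worksheets/"):
            pattern = _XL_TEXT
        else:
            continue
        for chunk in pattern.findall(zf.read(name)):
            total += len(chunk.strip())
    return total


def inspect_office(data):
    """Return {'format', 'has_macros', 'text_chars'}.
    text_chars is None for OLE2, where body text needs a real CFB parser."""
    if data.startswith(ZIP_MAGIC):
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            return {"format": "unknown", "has_macros": False, "text_chars": None}
        names = set(zf.namelist())
        return {
            "format": "ooxml",
            "has_macros": any(p in names for p in OOXML_MACRO_PARTS),
            "text_chars": _ooxml_text_chars(zf),
        }
    if data.startswith(OLE_MAGIC):
        return {"format": "ole2", "has_macros": OLE_VBA_MARKER in data, "text_chars": None}
    return {"format": "unknown", "has_macros": False, "text_chars": None}


def is_empty_with_macros(data):
    """The policy discussed in the thread: no visible text but a VBA project present."""
    info = inspect_office(data)
    return bool(info["has_macros"]) and info["text_chars"] == 0


def _build_ooxml(body_xml, macro_part=None):
    """Constructed minimal OOXML-style zip for demonstration (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", body_xml)
        if macro_part:
            zf.writestr(macro_part, b"\x01\x16\x01\x00")  # placeholder bytes, not a real VBA stream
    return buf.getvalue()


# Constructed samples.
SAMPLE_EMPTY_DOCM = _build_ooxml(
    "<w:document><w:body><w:p/></w:body></w:document>", "word/vbaProject.bin")
SAMPLE_PLAIN_DOCX = _build_ooxml(
    "<w:document><w:body><w:p><w:r><w:t>Invoice attached</w:t></w:r></w:p></w:body></w:document>")
# OLE2-looking blob: correct magic followed by a directory-style stream name (not a valid CFB file).
SAMPLE_OLE_WITH_VBA = OLE_MAGIC + b"\x00" * 504 + OLE_VBA_MARKER + b"\x00" * 64

if __name__ == "__main__":
    for label, blob in (("empty docm", SAMPLE_EMPTY_DOCM), ("plain docx", SAMPLE_PLAIN_DOCX),
                        ("ole2 w/ vba", SAMPLE_OLE_WITH_VBA)):
        print(label, inspect_office(blob), "reject" if is_empty_with_macros(blob) else "pass")
```

Called from an Exim `malware = *` hook or a SpamAssassin plugin, `is_empty_with_macros` gives a yes/no on the attachment bytes; for legacy `.doc`/`.xls` only the macro indicator is available here, so an empty-document decision for those still needs the separate content check the thread mentions.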
On Wed, October 28, 2015 6:55 am, Gary Stainburn wrote:
We are receiving LOTS of emails that contain empty XLS or DOC documents with embedded virus macros. These are getting past SPAMASSASSIN, Clamav and Kaspersky.
Just a word of advice to everybody: stay away from Kaspersky (unless you want to submit to KGB). Do your own homework (web search, etc) and keep in mind what everybody says: there is no retirement from secret services (KGB, CIA, MI5, NSA, ...) other than dead, feet first dead.
I guess I see everywhere the confirmation of the saddest history lesson that people never learn history lessons ;-(
Valeri
I'm trying to write a filter for EXIM to block these emails but I need to know a good, quick, command-line to detect an empty doc with a macro.
Is there anything available that I can use??
I have managed to write a PERL script to detect empty xls xlsx, doc and docx files but I cannot detect whether they have any macros embedded
Gary _______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++
Hi,
Take a look at http://www.cuckoosandbox.org
-- Eero
2015-10-28 13:55 GMT+02:00 Gary Stainburn gary@ringways.co.uk:
We are receiving LOTS of emails that contain empty XLS or DOC documents with embedded virus macros. These are getting past SPAMASSASSIN, Clamav and Kaspersky.
I'm trying to write a filter for EXIM to block these emails but I need to know a good, quick, command-line to detect an empty doc with a macro.
Is there anything available that I can use??
I have managed to write a PERL script to detect empty xls xlsx, doc and docx files but I cannot detect whether they have any macros embedded
Gary
and https://github.com/xme/cuckoomx
-- Eero
2015-10-28 16:59 GMT+02:00 Eero Volotinen eero.volotinen@iki.fi:
Hi,
Take a look at http://www.cuckoosandbox.org
-- Eero
2015-10-28 13:55 GMT+02:00 Gary Stainburn gary@ringways.co.uk:
We are receiving LOTS of emails that contain empty XLS or DOC documents with embedded virus macros. These are getting past SPAMASSASSIN, Clamav and Kaspersky.
I'm trying to write a filter for EXIM to block these emails but I need to know a good, quick, command-line to detect an empty doc with a macro.
Is there anything available that I can use??
I have managed to write a PERL script to detect empty xls xlsx, doc and docx files but I cannot detect whether they have any macros embedded
Gary
I've had a look at this and
a) it looks a little like over-kill for what I want, b) I haven't a clue how to use it in my EXIM environment c) from the VERY quick look I've taken I don't see how to use it to detect macros in office documents.
I think I'm going to forget about the macros, and just assume that if the document is empty, it's a virus
On Wednesday 28 October 2015 14:59:32 Eero Volotinen wrote:
Hi,
Take a look at http://www.cuckoosandbox.org
-- Eero
2015-10-28 13:55 GMT+02:00 Gary Stainburn gary@ringways.co.uk:
We are receiving LOTS of emails that contain empty XLS or DOC documents with embedded virus macros. These are getting past SPAMASSASSIN, Clamav and Kaspersky.
I'm trying to write a filter for EXIM to block these emails but I need to know a good, quick, command-line to detect an empty doc with a macro.
Is there anything available that I can use??
I have managed to write a PERL script to detect empty xls xlsx, doc and docx files but I cannot detect whether they have any macros embedded
Gary
On 28/10/15 11:55, Gary Stainburn wrote:
We are receiving LOTS of emails that contain empty XLS or DOC documents with embedded virus macros. These are getting past SPAMASSASSIN, Clamav and Kaspersky.
I'm trying to write a filter for EXIM to block these emails but I need to know a good, quick, command-line to detect an empty doc with a macro.
Is there anything available that I can use??
I have managed to write a PERL script to detect empty xls xlsx, doc and docx files but I cannot detect whether they have any macros embedded
Gary
If you've got a script to detect empty docs then it should be relatively easy to detect these. I assume empty attachments are not normal in your mail flows?
I would look to write some custom SpamAssassin rules, maybe incorporating your script, to detect these and filter them out.
Are you able to post some examples to pastebin?
On Wednesday 28 October 2015 21:12:19 Ned Slider wrote:
On 28/10/15 11:55, Gary Stainburn wrote:
We are receiving LOTS of emails that contain empty XLS or DOC documents with embedded virus macros. These are getting past SPAMASSASSIN, Clamav and Kaspersky.
I'm trying to write a filter for EXIM to block these emails but I need to know a good, quick, command-line to detect an empty doc with a macro.
Is there anything available that I can use??
I have managed to write a PERL script to detect empty xls xlsx, doc and docx files but I cannot detect whether they have any macros embedded
Gary
If you've got a script to detect empty docs then it should be relatively easy to detect these. I assume empty attachments are not normal in your mail flows?
I have come to the conclusion that I am just going to have to stick with detecting empty documents and forget the macro checks.
I would look to write some custom SpamAssassin rules, maybe incorporating your script, to detect these and filter them out.
I would love to be able to write custom Spamassassin rules but do not know how to do this. All I have done in the past is add small pattern matching rules to local.cf
Another rule I would like to add to Spamassassin is to catch emails where the subject starts with the email local part in brackets as we get a LOT of those too.
Are you able to post some examples to pastebin?
http://www.stainburn.com/virus_files/I0000040777.doc http://www.stainburn.com/virus_files/FAX_20151028_1445421437_89.doc
On 29/10/15 10:51, Gary Stainburn wrote:
On Wednesday 28 October 2015 21:12:19 Ned Slider wrote:
On 28/10/15 11:55, Gary Stainburn wrote:
We are receiving LOTS of emails that contain empty XLS or DOC documents with embedded virus macros. These are getting past SPAMASSASSIN, Clamav and Kaspersky.
I'm trying to write a filter for EXIM to block these emails but I need to know a good, quick, command-line to detect an empty doc with a macro.
Is there anything available that I can use??
I have managed to write a PERL script to detect empty xls xlsx, doc and docx files but I cannot detect whether they have any macros embedded
Gary
If you've got a script to detect empty docs then it should be relatively easy to detect these. I assume empty attachments are not normal in your mail flows?
I have come to the conclusion that I am just going to have to stick with detecting empty documents and forget the macro checks.
I would look to write some custom SpamAssassin rules, maybe incorporating your script, to detect these and filter them out.
I would love to be able to write custom Spamassassin rules but do not know how to do this. All I have done in the past is add small pattern matching rules to local.cf
That's a great place to start. Combining multiple simple rules in a meta rule is also a great way to detect many spams. If you can find 3 or 4 factors specific to these spam (the more unique the better), combining them usually gives excellent results. For example, they all contain a doc,docx,xls,xlsx attachment, they all contain a specific phrase or something unique in the Subject, maybe they all contain a URL or email address in the body etc. Individually the rules might not be particularly good indicators of spam, but when combined together they may become highly effective.
This might not be the best forum to discuss in detail; the SpamAssassin mailing list is a great place to get help with writing rules.
Another rule I would like to add to Spamassassin is to catch emails where the subject starts with the email local part in brackets as we get a LOT of those too.
Are you able to post some examples to pastebin?
http://www.stainburn.com/virus_files/I0000040777.doc http://www.stainburn.com/virus_files/FAX_20151028_1445421437_89.doc
Sorry, I meant examples of the emails (including the full headers, redacted where necessary), not the attachments. We might be able to point you in the right direction or offer a few thoughts on how to detect them in SpamAssassin.
On Thu, 2015-10-29 at 20:37 +0000, Ned Slider wrote:
Combining multiple simple rules in a meta rule is also a great way to detect many spams. If you can find 3 or 4 factors specific to these spam (the more unique the better), combining them usually gives excellent results.
Yep.
In Exim I score 1 for sending IP address having no reverse DNS (IP > Name > the same IP address)
I score 1 for HELO/EHLO not resolving to the sending IP address
I score 1 for a non-existent email address
3 = IP blocked for several months ***before*** downloading the email's body.
2 = Gets connection rejected ***before*** downloading the email's body.
+++
Never accept email from home user's domain names like (here is just a few)
*airtelbroadband.in *adsl.alicedsl.de *dynamic.se.alltele.net *alshamil.net.ae *adsl.anteldata.net.uy *aphie.info *pools.arcor-ip.net *static.arcor-ip.net *as9105.com *as13285.net *as43234.net
Don't be an idle victim of mail abuse. Fight back hard.
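The scoring scheme in the post above, written out as an added Python example (not the poster's Exim configuration). The three checks are the ones listed: forward-confirmed reverse DNS, HELO/EHLO resolving to the peer address, and the address existing; a total of 3 blocks the IP, 2 rejects the connection, and a PTR name matching one of the residential-pool patterns from the post is rejected outright. DNS and the mailbox directory are replaced by small constructed tables so it runs offline; which address "non-existent email address" refers to is not stated in the post, so the recipient is assumed here.

```python
"""Exim-style connection scoring with injectable lookups (constructed data, runs offline)."""
from fnmatch import fnmatch

# Residential/dynamic PTR patterns taken from the post (a subset).
RESIDENTIAL_PATTERNS = (
    "*airtelbroadband.in", "*adsl.alicedsl.de", "*dynamic.se.alltele.net",
    "*pools.arcor-ip.net", "*static.arcor-ip.net",
)


class ConnectionScorer:
    """+1 no FCrDNS, +1 HELO mismatch, +1 unknown recipient (assumed).
    3 -> block the IP for months, 2 -> reject the connection, else accept."""

    def __init__(self, ptr_lookup, a_lookup, mailbox_exists):
        self.ptr_lookup = ptr_lookup          # ip -> [PTR names]
        self.a_lookup = a_lookup              # name -> [IPs]
        self.mailbox_exists = mailbox_exists  # address -> bool

    def reverse_dns_ok(self, ip):
        """Forward-confirmed rDNS: IP -> name -> must map back to the same IP."""
        return any(ip in self.a_lookup(name) for name in self.ptr_lookup(ip))

    def helo_ok(self, helo, ip):
        return ip in self.a_lookup(helo)

    def is_residential(self, ip):
        return any(fnmatch(name.lower(), pat) for name in self.ptr_lookup(ip)
                   for pat in RESIDENTIAL_PATTERNS)

    def score(self, ip, helo, rcpt):
        reasons = []
        if not self.reverse_dns_ok(ip):
            reasons.append("no_fcrdns")
        if not self.helo_ok(helo, ip):
            reasons.append("helo_mismatch")
        if not self.mailbox_exists(rcpt):
            reasons.append("unknown_recipient")
        return len(reasons), reasons

    def decision(self, ip, helo, rcpt):
        if self.is_residential(ip):
            return "reject_residential"
        total, _ = self.score(ip, helo, rcpt)
        if total >= 3:
            return "block_ip"
        if total == 2:
            return "reject_connection"
        return "accept"


# Constructed lookup tables (documentation address ranges, not real hosts).
PTR = {
    "203.0.113.7": ["mail.example.net"],
    "198.51.100.9": ["dsl-9.pools.arcor-ip.net"],
}
A = {
    "mail.example.net": ["203.0.113.7"],
    "dsl-9.pools.arcor-ip.net": ["198.51.100.9"],
    "mx.example.org": ["192.0.2.99"],
}
MAILBOXES = {"sales@example.org", "info@example.org"}


def build_demo_scorer():
    return ConnectionScorer(lambda ip: PTR.get(ip, []),
                            lambda name: A.get(name, []),
                            lambda addr: addr.lower() in MAILBOXES)


if __name__ == "__main__":
    s = build_demo_scorer()
    for peer in (("203.0.113.7", "mail.example.net", "sales@example.org"),
                 ("192.0.2.5", "mx.example.org", "sales@example.org"),
                 ("192.0.2.5", "mx.example.org", "bob@example.org"),
                 ("198.51.100.9", "dsl-9.pools.arcor-ip.net", "sales@example.org")):
        print(peer, s.score(*peer), s.decision(*peer))
```

The checks run on the envelope alone, which is the point the post makes: the decision is taken before the body is downloaded, so the cost of a rejected connection is a few DNS queries rather than a full message scan.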
On Thursday 29 October 2015 20:37:03 Ned Slider wrote:
On 29/10/15 10:51, Gary Stainburn wrote:
On Wednesday 28 October 2015 21:12:19 Ned Slider wrote:
On 28/10/15 11:55, Gary Stainburn wrote:
We are receiving LOTS of emails that contain empty XLS or DOC documents with embedded virus macros. These are getting past SPAMASSASSIN, Clamav and Kaspersky.
I'm trying to write a filter for EXIM to block these emails but I need to know a good, quick, command-line to detect an empty doc with a macro.
Is there anything available that I can use??
I have managed to write a PERL script to detect empty xls xlsx, doc and docx files but I cannot detect whether they have any macros embedded
Gary
If you've got a script to detect empty docs then it should be relatively easy to detect these. I assume empty attachments are not normal in your mail flows?
I have come to the conclusion that I am just going to have to stick with detecting empty documents and forget the macro checks.
I would look to write some custom SpamAssassin rules, maybe incorporating your script, to detect these and filter them out.
I would love to be able to write custom Spamassassin rules but do not know how to do this. All I have done in the past is add small pattern matching rules to local.cf
That's a great place to start. Combining multiple simple rules in a meta rule is also a great way to detect many spams. If you can find 3 or 4 factors specific to these spam (the more unique the better), combining them usually gives excellent results. For example, they all contain a doc,docx,xls,xlsx attachment, they all contain a specific phrase or something unique in the Subject, maybe they all contain a URL or email address in the body etc. Individually the rules might not be particularly good indicators of spam, but when combined together they may become highly effective.
The big problem is that the emails are vastly different in content, and are sent by distributed computers. That's why I went down the document content checking in the first place. The empty office document is the only obvious common factor.
This might not be the best forum to discuss in detail; the SpamAssassin mailing list is a great place to get help with writing rules.
As I've had to implement a malware = * to call my new script it has given me the chance to implement checks that I have never been able to manage in Spamassassin. No doubt they are possible, but I've not managed them.
I now have access to the whole email in PERL and MIME::Parser so can do lots of other checking.
Another rule I would like to add to Spamassassin is to catch emails where the subject starts with the email local part in brackets as we get a LOT of those too.
This is one of the checks I can now do in my perl script.
Are you able to post some examples to pastebin?
http://www.stainburn.com/virus_files/I0000040777.doc http://www.stainburn.com/virus_files/FAX_20151028_1445421437_89.doc
Sorry, I meant examples of the emails (including the full headers, redacted where necessary), not the attachments. We might be able to point you in the right direction or offer a few thoughts on how to detect them in SpamAssassin.
Unfortunately, I've only got this one as an example. I didn't keep any of the previous ones, and hopefully any new ones will never get through.
http://www.stainburn.com/virus_files/Purchase.mbox
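An added Python example (not Gary's Perl/MIME::Parser script) of the two whole-message checks described above: walking the MIME parts of a message to pull out Office attachments for further inspection, and flagging a Subject that starts with the recipient's local part in square brackets. The post does not say whose local part is meant, so the To address is assumed. The messages are constructed inline with the standard library; the linked Purchase.mbox is not used.

```python
"""Whole-message checks: Office attachments and '[localpart]' subjects (constructed input)."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

OFFICE_EXTS = (".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm")
_BRACKET_PREFIX = re.compile(r"\s*\[([^\]]+)\]")


def office_attachments(msg):
    """Yield (filename, raw bytes) for every Office-looking attachment."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = part.get_filename()
        if fname and fname.lower().endswith(OFFICE_EXTS):
            yield fname, part.get_payload(decode=True) or b""


def subject_echoes_local_part(msg):
    """True when Subject begins with '[<local part of the To address>]' (assumed rule)."""
    m = _BRACKET_PREFIX.match(msg.get("Subject", ""))
    if not m:
        return False
    _, to_addr = parseaddr(msg.get("To", ""))
    local = to_addr.split("@", 1)[0]
    return bool(local) and m.group(1).strip().lower() == local.lower()


def classify(raw_bytes):
    """Parse one RFC 5322 message and report the findings an Exim hook could act on."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return {
        "subject_echoes_local_part": subject_echoes_local_part(msg),
        "office_attachments": [name for name, _ in office_attachments(msg)],
    }


def build_sample(subject, to_addr, attachment_name, attachment_bytes):
    """Constructed sample message for demonstration."""
    m = EmailMessage()
    m["From"] = "accounts@example.net"
    m["To"] = to_addr
    m["Subject"] = subject
    m.set_content("Please find attached.")
    m.add_attachment(attachment_bytes, maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


# Placeholder attachment bytes (OLE2 magic only, not a real document).
SAMPLE_DOC_BYTES = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 32

if __name__ == "__main__":
    raw = build_sample("[sales] Purchase", "Sales <sales@example.org>", "Purchase.doc", SAMPLE_DOC_BYTES)
    print(classify(raw))
```

The attachment bytes yielded by `office_attachments` are what a document inspector (such as the empty-document script) would receive; keeping the MIME walk separate from the content check means the same hook can also cover the bracketed-subject pattern without a second pass over the message.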
How about scanning files using virustotal?
https://github.com/Gawen/virustotal
-- Eero
2015-10-30 12:58 GMT+02:00 Gary Stainburn gary@ringways.co.uk:
On Thursday 29 October 2015 20:37:03 Ned Slider wrote:
On 29/10/15 10:51, Gary Stainburn wrote:
On Wednesday 28 October 2015 21:12:19 Ned Slider wrote:
On 28/10/15 11:55, Gary Stainburn wrote:
We are receiving LOTS of emails that contain empty XLS or DOC documents with embedded virus macros. These are getting past SPAMASSASSIN, Clamav and Kaspersky.
I'm trying to write a filter for EXIM to block these emails but I need to know a good, quick, command-line to detect an empty doc with a macro.
Is there anything available that I can use??
I have managed to write a PERL script to detect empty xls xlsx, doc and docx files but I cannot detect whether they have any macros embedded
Gary
If you've got a script to detect empty docs then it should be relatively easy to detect these. I assume empty attachments are not normal in your mail flows?
I have come to the conclusion that I am just going to have to stick with detecting empty documents and forget the macro checks.
I would look to write some custom SpamAssassin rules, maybe incorporating your script, to detect these and filter them out.
I would love to be able to write custom Spamassassin rules but do not know how to do this. All I have done in the past is add small pattern matching rules to local.cf
That's a great place to start. Combining multiple simple rules in a meta rule is also a great way to detect many spams. If you can find 3 or 4 factors specific to these spam (the more unique the better), combining them usually gives excellent results. For example, they all contain a doc,docx,xls,xlsx attachment, they all contain a specific phrase or something unique in the Subject, maybe they all contain a URL or email address in the body etc. Individually the rules might not be particularly good indicators of spam, but when combined together they may become highly effective.
The big problem is that the emails are vastly different in content, and are sent by distributed computers. That's why I went down the document content checking in the first place. The empty office document is the only obvious common factor.
This might not be the best forum to discuss in detail; the SpamAssassin mailing list is a great place to get help with writing rules.
As I've had to implement a malware = * to call my new script it has given me the chance to implement checks that I have never been able to manage in Spamassassin. No doubt they are possible, but I've not managed them.
I now have access to the whole email in PERL and MIME::Parser so can do lots of other checking.
Another rule I would like to add to Spamassassin is to catch emails where the subject starts with the email local part in brackets as we get a LOT of those too.
This is one of the checks I can now do in my perl script.
Are you able to post some examples to pastebin?
http://www.stainburn.com/virus_files/I0000040777.doc http://www.stainburn.com/virus_files/FAX_20151028_1445421437_89.doc
Sorry, I meant examples of the emails (including the full headers, redacted where necessary), not the attachments. We might be able to point you in the right direction or offer a few thoughts on how to detect them in SpamAssassin.
Unfortunately, I've only got this one as an example. I didn't keep any of the previous ones, and hopefully any new ones will never get through.
http://www.stainburn.com/virus_files/Purchase.mbox
-- Gary Stainburn Group I.T. Manager Ringways Garages http://www.ringways.co.uk