Re: New Spam Technique

["Micheal Espinola Jr" <michealespinola () gmail com>]

How I block it with ASSP (Anti-Spam Smtp Proxy):

1.)  99.9%+ are blocked by detecting "residential" qualities in the
HELO used in the SMTP session and the PTR in DNS of the connecting IP
- thus the attachment is blocked before the body is ever sent - saving
time/processing/bandwidth/etc.

2.) ASSP can use ClamAV for virus scanning.  Sanesecurity has
definitions for ClamAV specifically for detecting various file
attachment phishing attempts:

  http://www.sanesecurity.co.uk/clamav/

3.)  I block .PDF's from unknown (non-whitelisted senders).

ASSP:

  http://www.asspsmtp.org/wiki/


On 7/23/07, Wheeler, Eric <EWheeler2 () zebra com> wrote:
> I was trying to think of a way to block this but its rather difficult
> when the email + the subject line + the attachment + the attachment
> contents are different every time
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> On Behalf Of Banyan He
> Sent: Saturday, July 21, 2007 9:41 AM
> To: WALI
> Cc: tony barry; Security Basics Forum
> Subject: Re: New Spam Technique
>
> Bad news, that pdf attachment contains the advertisement or the image.
> Actually, there is no appliance works on this perfectly. The pdf size
> should be big or small.
>
> WALI wrote:
> > Read, the nuances of catching pdf spam:
> >
> > http://www.techworld.com/security/news/index.cfm?newsid=9031
> >
> > ----- Original Message ----- From: "tony barry" <tony () no-bull co nz>
> > To: "Security Basics Forum" <security-basics () securityfocus com>
> > Sent: Thursday, July 19, 2007 11:04 PM
> > Subject: New Spam Technique
> >
> >
> >> Hi List,
> >>
> >> We operate several mail servers with catch all accounts and have
> noticed
> >> a lot of Mailer Daemon 'delivery failed messages mails from genuine
> >> sites (mostly German)arriving recently. It would seem the spammers
> are
> >> sending out e-mails with a PDF attachment and a forged senders
> address
> >> to bogus recipients at these organizations whose mail server rejects
> the
> >> message and sends notification to the forged sender. We have opened
> one
> >> attachment on an isolated machine and it was one of the 'watch these
> >> stocks they're going through the roof messages (not exactly sure of
> the
> >> details as my German is a bit rusty). My concern is that there could
> be
> >> a 'payload' embedded in the PDF. Is this possible?
> >>
> >>
> >> --
> >> The Simple Server Company
> >> PO Box 51528 Pakuranga
> >> Auckland
> >>
> >> 021 413642  09 5768552
> >>
> >> http://www.simpleserverco.com
> >>
> >> This e-mail and any attached files transmitted with it are
> confidential
> >> and intended solely for the use of the addressees. If you have
> recieved
> >> this e-mail in error please inform the sender by sending a reply and
> >> delete this message.
> >
> >
>
> --
> ---------------
> Banyan He
> Email&Web Security
> MSN: banyan.he () hotmail com
> Skype: banyan.he
> Email: banyan () rootong com
> http://www.rootong.com
>
> - CONFIDENTIAL-
> This email and any files transmitted with it are confidential, and may also be legally privileged.  If you are not the 
> intended recipient, you may not review, use, copy, or distribute this message. If you receive this email in error, 
> please notify the sender immediately by reply email and then delete this email.


--
ME2