Hugo van der Kooij
hvdkooij at vanderkooij.org
Sun Aug 24 21:40:14 IST 2008
-----BEGIN PGP SIGNED MESSAGE-----
Julian Field wrote:
> Hugo van der Kooij wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> Steve Freegard wrote:
>>> Hi Hugo,
>>> Hugo van der Kooij wrote:
>>>> My aim is to write a custom function to detect links to executables and
>>>> such and mark then with some points. Then take it one level up and
>>>> pickup the samples for further analyses before they are taken offline
>>>> The first bit can be done with just few lines in SA just as well.
>>>> It is
>>>> the second part that will help me get malware samples as soon as
>>>> possible that can not be done in SA.
>>> I don't think you'd need a CustomFunction for either part of this - you
>>> can do it all within SA and the latest version of MailScanner.
>>> uri TRAP_LINK_EXEC /\.(?exe|pif|scr)$/
>>> score TRAP_LINK_EXEC 0.01
>>> describe TRAP_LINK_EXEC URI links that end in .exe .pif or .scr
>>> Then use the new 'SpamAssassin Rule Actions' feature in MailScanner:
>>> SpamAssassin Rule Actions =
>> That will store the URL but by the time I can look at that URL to fetch
>> the file the infected system might be cleaned out allready. So I need to
>> automate this a bit further.
> How about a cron job that runs every few minutes, which does something
> like this:
> if [ \! -f /tmp/MS.last.checked ]; then
> :> /tmp/MS.last.checked
> find /var/spool/MailScanner/evidence -type f -cnewer
> /tmp/MS.last.checked -print | xargs echo "New files are"
> touch /tmp/MS.last.checked
> This will print out "New files are" every time any new files are found
> under the evidence directory structure, which you could change to mail
> you an alert about them, for example, or do something like pull out
> information from Received: headers to see where the files came from, or
> Run this script every few minutes, and it will send you mail every time
> something new is generated.
> Just a starting point, but hopefully you get the idea.
I get the idea. But the point is the message contains just something like:
<DIV align=3Dcenter><IMG alt=3D"" hspace=3D0=20
border=3D0></DIV><DIV><FONT face=3DArial =
align=3Dcenter><FONT face=3DArial size=3D5><A=20
However the exe file actually linked here will be there for only a short
while in most cases. And I am not working 24/7 just to get a few samples
if I can automate it. I have seen the missing in less then 5 minutes.
The main reason I want to get this in MailScanner and not in SA is
because things will change. And I might want to employ other tricks in
there to stop spam which may require tricks one can not do in SA.
Mind you that they are allready playing with using partial encoding of
normal ascii characters.
Once the upgrade nightmare has a solution the use of the
GenericSpamScanner is something I will explore further.
After all it was intended to include other methods of spam checking
hvdkooij at vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?
Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
-----END PGP SIGNATURE-----
More information about the MailScanner