remittance advice trojans

Posted: Tue Jan 06, 2015 11:46 am
by faris
We have been seeing huge numbers of "remittance advice" emails containing booby-trapped documents sailing past clamav (and obviously also spamassassin and spamdyke).

They also seem to frequently elude the AV on client PCs.

Has anybody had any luck mitigating this issue? Any tips?


Edit: also "your energy bill" type emails with similar booby-trapped documents (and I hear there's also something similar regarding water bills or water air or something like that though I've not seen these on our systems).


Faris.

Re: remittance advice trojans

Posted: Tue Jan 06, 2015 1:32 pm
by mikeshinn
Could you send us some of these for our malware team to examine?

Re: remittance advice trojans

Posted: Tue Jan 06, 2015 3:12 pm
by faris
OK. I only have one handy at the moment. I'll zip it and raise a case.

Re: remittance advice trojans

Posted: Tue Jan 06, 2015 3:19 pm
by faris
OK. Case 40372 contains the one I have handy.

I'll add more as they come in.

Faris.

Re: remittance advice trojans

Posted: Tue Jan 06, 2015 6:45 pm
by scott
Another thought I had on this, are those emails coming from IPs we might already track in the Threat Intelligence system?

You can look them up here: http://atomicrbl.com/lookup/

The T.I. is implemented as an RBL, and while we've never tried this in an anti-spam context, there's nothing that would prevent you from using it that way.
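As an added illustration of the point above (this is example code written for this page, not code from the thread, from Atomicorp or from spamdyke/SpamAssassin): an RBL is just a DNS zone that answers with a 127.0.0.0/8 A record when the reversed octets of a sender IP are prepended to the zone name, so any MTA-side scoring hook can query it. The thread only gives the web lookup URL, not the DNS zone, so the zone name below is an assumed placeholder; the sender IPs are constructed from documentation ranges, and the resolver is injectable so the check can be exercised without network access.

```python
import ipaddress
import socket

# Assumed placeholder: the thread gives only http://atomicrbl.com/lookup/,
# not the DNS zone name of the TI RBL, so substitute the real zone here.
TI_RBL_ZONE = "rbl.example.invalid"


def rbl_query_name(ip: str, zone: str = TI_RBL_ZONE) -> str:
    """Build the DNSBL query name: reversed IPv4 octets, then the zone."""
    addr = ipaddress.ip_address(ip.strip())
    if addr.version != 4:
        raise ValueError("this example handles IPv4 listings only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed(ip: str, zone: str = TI_RBL_ZONE, resolve=socket.gethostbyname) -> bool:
    """Return True when the RBL answers with a 127.0.0.0/8 record for ip.

    NXDOMAIN surfaces as socket.gaierror (an OSError) and means 'not listed'.
    An answer outside 127.0.0.0/8 is treated as a misconfigured or wildcarded
    zone rather than a listing, so a broken DNS setup cannot block all mail.
    """
    try:
        answer = resolve(rbl_query_name(ip, zone))
    except OSError:
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


def make_table_resolver(table: dict):
    """Build an offline resolver from {query_name: answer} for testing."""
    def resolve(name: str) -> str:
        if name in table:
            return table[name]
        raise OSError(f"NXDOMAIN for {name}")
    return resolve


def classify_senders(ips, zone=TI_RBL_ZONE, resolve=socket.gethostbyname) -> dict:
    """Split sender IPs into listed / clear, ready for a scoring rule."""
    listed = [ip for ip in ips if is_listed(ip, zone, resolve)]
    clear = [ip for ip in ips if ip not in listed]
    return {"listed": listed, "clear": clear}


if __name__ == "__main__":
    # Constructed sample senders (RFC 5737 documentation addresses).
    sample = ["192.0.2.10", "198.51.100.7"]
    for sender in sample:
        state = "listed" if is_listed(sender) else "clear"
        print(f"{sender} -> {rbl_query_name(sender)}: {state}")
```

Wired into a milter or a SpamAssassin `check_rbl` rule, a hit would add score rather than reject outright, which is the safer way to trial a feed that, as noted above, has never been used in an anti-spam context.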

Re: remittance advice trojans

Posted: Tue Jan 06, 2015 9:15 pm
by faris
None of them are in the TI RBL, although three of the five samples I submitted came from IPs that had been seen (once each) mid-December by the TI system.

Re: remittance advice trojans

Posted: Tue Jan 06, 2015 9:17 pm
by faris
Another interesting thing about them is that they come from IPs listed as static, not dynamic ranges. So spamdyke is letting them in. They don't appear on any anti-spam RBLs I use (the bigger ones).

Re: remittance advice trojans

Posted: Thu Jan 08, 2015 7:04 pm
by faris
Any luck with this? Was what I was able to give you useful enough to work with?

Re: remittance advice trojans

Posted: Fri Jan 09, 2015 7:13 pm
by mikeshinn
New heuristics rules added and pushed today for this type.