The sorts of email attachments that we get these days have become boring

August 31, 2019

In the past, I've written various entries about odd email attachment types that we've seen, such as the .ace that was actually a zip archive, the extravagant malware, and the zip attachment with everything. I haven't written any lately, and there's a reason for that. I still keep an eye on the logs for our system for logging this information and on what viruses and malware we reject, but for quite a while there just hasn't been anything all that interesting in either. It seems that the malware that's hitting our users has given up on being inventive and is just going for the same old standards.

On the one hand, this is good, because I was getting tired of finding and blocking yet more Windows file types and extensions that were used for evil. I'm sure there are more out there, but we now seem to have gotten everything that's mailing our users. Well, everything that we can readily recognize in our email attachment type scanning, and that's the bad side. Our commercial anti-spam system keeps rejecting the same old sorts of malware in the same attachment types, and what that really means is that we don't have any way to recognize and screen them out outside of its magic. Given that it reports them as generic sounding things like 'CXmail/MalPE-AC' (which we've seen in interesting messages), it seems likely that there is some generic badness that we're just not recognizing.

Certainly some of what the commercial anti-spam system recognizes is .rar files that our regular RAR archive content listing can't list. This suggests that there's probably recognizable bad stuff in there that we'd reject if we could see it, perhaps even straightforward things like .exe files. We currently use the Python rarfile module for this, but our version is older than the currently available one. Probably I should by trying the latest version and seeing if that improves things. In general, perhaps I should spent some time seeing if there's a good way for us to do things like scan inside .doc files to look for clear bad stuff.

(Of course first I'd have to learn what sorts of bad stuff gets put in .doc files.)

Written on 31 August 2019.
« ZFS is not a universal filesystem that is always good for all workloads
Some limitations of wifi MAC address randomization »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sat Aug 31 23:38:19 2019
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.