Filtering/blocking attachment via filename

daweb

New Member
Apr 24, 2022
Hi,

Receiving a lot of Gmail spam with a PDF attachment like "Your__transfer__0.75146__Bgh65sdJ4321sju42H75bFh.pdf", I tried to set up a custom rule to quarantine such mails:

Code:
full PDF /\w*[_][\d]{1,6}\.pdf
score PDF 99
describe PDF attached trojan

but it is not working. Could someone help me please?

Thx
 

I have seen a ton of these as well. I have a YARA rule that will match the PDF itself, but I don't yet have a way to use YARA rules with PMG (I am working on this, but not ready yet). In the meantime, here is a regex that I just wrote that will help you. Also, I don't think you need to create anything custom at the SpamAssassin rule level for this. I created a "What Object" with the following regex populating a "Match Filename" entry in the object. That then can be added to a rule in the PMG rule set.


(?i)^Your.{0,3}transfer.{0,10}BTC[A-Za-z0-9]{1,80}\.pdf

I will explain the parts:
Set case insensitive:
(?i)
Match start of string:
^
Match any character zero to three times:
.{0,3}
Match any character zero to ten times:
.{0,10}
Match alphanumeric 1 to 80 times:
[A-Za-z0-9]{1,80}
Escape "." for file extension:
\.

Here are the testing results from my regex tester, Patterns:
The data set that I used for testing is from the most recent files on VirusTotal that match this campaign and my YARA rule:

Here's what the regex looks like on PMG after a successful test:
The filename has changed.

Bitcoin_Balance_0.7495_BTCiwvtjTHGmKKEQBnqP39x4H8YsWoRDoQelwRxaz91Je.pdf

Here is a new regex:

Code:
(?i)^(?:(?:Your.{0,3}transfer)|(?:Bitcoin.{0,3}Balance)).{0,10}BTC[A-Za-z0-9]{1,80}\.pdf

This is one reason why it is a better idea to be able to use a YARA rule to match features of the PDF file itself rather than trying to keep up with the filename. File features are higher up the Pyramid of Pain and filenames are lower down.

https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
 
Hi,
thx for your answer. So I'm not alone with such bulk mail. I saw that they changed the filename again to:

Money__transfer__0.4125__Bitcoin.........

I also have a custom rule:

mimeheader PDF Content-Type =~ /Your__transfer__|Your_transfer_|Your__balance__|Your_balance_|Money__transfer__|Money_transfer_/i
describe PDF email contains an infected pdf file attachment
score PDF 5.0

But I think it is easier to change the regex.
 
Changing the regex and keeping up with a filename is a Sisyphean task. If you want to block this in a more effective manner using the tools available, I would suggest using a ClamAV rule rather than SpamAssassin. My YARA rule for matching the PDF is in effect the same as a ClamAV rule, but there is no facility for using YARA rules in PMG right now.
 
Hi utkonos,

the regex (?i)^(?:(?:Your.{0,3}transfer)|(?:Bitcoin.{0,3}Balance)).{0,10}BTC[A-Za-z0-9]{1,80}\.pdf is not working here. It did not filter out those emails...
 
Yes, that's probably so. This adversary changes the name enough that blocking based on the name is not a good way to do it. But blocking based on the content in the PDF is a great way to block these attacks. I don't have a ClamAV rule for content at this time (only YARA). Best of luck keeping up with the filename, however.
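To make the gap concrete, here is a small harness that is not from the thread or from PMG: it runs the three patterns posted above (both "Match Filename" regexes and the alternation from the SpamAssassin mimeheader rule) against the filenames quoted in the thread and reports which rule fires on which name. The third filename is truncated on the page, so everything after "Bitcoin" in that sample is constructed; the mimeheader alternation is applied to the bare filename here, whereas the real rule sees the whole Content-Type header of the attachment part.

```python
import re

# Filename patterns quoted in the thread. For this subset of syntax Python's
# re engine behaves like the PCRE engines used by PMG and SpamAssassin.
REGEX_V1 = r"(?i)^Your.{0,3}transfer.{0,10}BTC[A-Za-z0-9]{1,80}\.pdf"
REGEX_V2 = (
    r"(?i)^(?:(?:Your.{0,3}transfer)|(?:Bitcoin.{0,3}Balance))"
    r".{0,10}BTC[A-Za-z0-9]{1,80}\.pdf"
)
# Alternation from the SpamAssassin "mimeheader PDF Content-Type =~ /.../i"
# rule. The real rule matches the attachment part's Content-Type header; here
# it is applied to the filename string that header would carry in name="...".
MIMEHEADER_ALT = (
    r"(?i)Your__transfer__|Your_transfer_|Your__balance__|Your_balance_"
    r"|Money__transfer__|Money_transfer_"
)

RULES = {
    "regex_v1": REGEX_V1,
    "regex_v2": REGEX_V2,
    "mimeheader_alt": MIMEHEADER_ALT,
}

# Filenames as posted in the thread. The third one is truncated on the page,
# so its tail after "Bitcoin" is CONSTRUCTED for this example, not a real sample.
SAMPLES = [
    "Your__transfer__0.75146__Bgh65sdJ4321sju42H75bFh.pdf",
    "Bitcoin_Balance_0.7495_BTCiwvtjTHGmKKEQBnqP39x4H8YsWoRDoQelwRxaz91Je.pdf",
    "Money__transfer__0.4125__Bitcoin_CONSTRUCTED_TAIL.pdf",
]


def matching_rules(filename: str) -> list[str]:
    """Return the names of the thread's rules whose pattern fires on filename."""
    return [name for name, pat in RULES.items() if re.search(pat, filename)]


def coverage(filenames=SAMPLES) -> dict[str, list[str]]:
    """Map each filename to the rules that catch it, exposing the gaps."""
    return {f: matching_rules(f) for f in filenames}


if __name__ == "__main__":
    for name, hits in coverage().items():
        print(f"{name}\n  -> {hits or 'no rule matches'}")
```

Note that the very first filename posted contains no literal "BTC", so neither regex fires on it: both of them depend on that marker, which explains the "not working here" report, while the mimeheader alternation catches it but misses the "Bitcoin_Balance" variant.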
 
