[clamav-users] Matching variant patterns in logical or Yara signatures
Kris Deugau
kdeugau at vianet.ca
Wed Jan 17 16:33:44 UTC 2018
G.W. Haywood wrote:
> Hi there,
>
> On Tue, 16 Jan 2018, Kris Deugau wrote:
>
>> I'm trying to create signatures to match a particular series of
>> large to very large spams whose main identifier is a <style> or
>> <script> tag containing neither CSS nor JavaScript.
>>
>> However, I'm having trouble finding a valid signature string ...
>
> I wonder if it would be easier to filter the sender(s) rather than to
> filter the messages. I use GeoIP and a homebrew Sendmail milter very
> successfully, and I never see the sort of spam you describe. Can you
> share with this list some of the IP addresses from which the messages
> are being sent? A couple of dozen would be a good start I think.
"All over the place".
Received: from propet.ouruntain.com (propet.ouruntain.com [162.144.50.141])
Received: from ohours.healtspa.net (unknown [180.149.247.22]) by
Received: from obesrum.net (obesrum.net [37.48.119.162]) by mx1.vianet.ca
Received: from promt.easyuest.net (promt.easyuest.net [54.36.251.80]) by
Received: from smpx.infcket.com (smpx.infcket.com [209.94.191.189]) by
Received: from [81.171.28.52] (helo=vedla.renthant.net) by
Received: from frisplay.net (frisplay.net [103.214.147.215]) by mx2.vianet.ca
Received: from yoyita.shallenge.net (yoyita.shallenge.net [92.48.86.80]) by
Received: from firsia.net (firsia.net [103.214.147.181]) by mx2.vianet.ca
Received: from yoyita.ouruntain.com (yoyita.ouruntain.com [142.4.9.60]) by
Received: from redha.direghting.com (redha.direghting.com [69.64.48.56]) by
Received: from perie.awesomder.net ([62.210.10.113]) by
Received: from khabhi.smoothving.com (khabhi.smoothving.com [95.211.175.208])
Received: from [162.144.157.215] (helo=purplebin.net) by
Received: from udg.karft.net (unknown [178.132.3.63]) by mx1.vianet.ca
Received: from starz.virtualree.net ([149.56.84.30]) by
Received: from umrp.exceama.net ([88.198.194.76]) by
We only hard block on Spamhaus hits and a handful of sender addresses;
our experience with seeing other providers' variously more aggressive IP
blocking result in blocked legitimate mail has left us disinclined to do
the same.
I feed the IPs to a local DNSBL, but it's only used as a scored result
in SpamAssassin; we don't get enough volume in the process (and
occasionally mis-list something that shouldn't have been) to reliably
reject mail outright on it.
We also don't see these broadly over our user base (I don't see any to
my staff account or any of the aliases it's in, nor to anything directed
to my personal account on my own server), but they're regularly reported
by a couple of customers.
-kgd
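The message above feeds relay IPs taken from Received headers into a local DNSBL that SpamAssassin only scores. As an added illustration (this is not code from the poster or from the ClamAV project), the block below takes a batch of Received lines in the shape quoted above, unfolds the one that was wrapped across two lines, pulls out the bracketed connecting address, refuses to list loopback or RFC 1918 space, and emits reversed-octet zone records plus a scored SpamAssassin rule. The sample input is constructed from the headers quoted in the message; the zone name `dnsbl.example.invalid.`, the rule name `RCVD_IN_LOCAL_DNSBL` and the listing address `127.0.0.2` are assumptions chosen for the example.

```python
"""Turn Received: headers into local DNSBL zone data, with the sanity checks
a scored (non-rejecting) list still needs. Added example, not the poster's code."""
import ipaddress
import re
from typing import List, Optional

# Constructed sample input: a few of the Received headers quoted in the message,
# one of them folded onto a continuation line, plus a duplicate and a loopback
# relay that must never end up in the list.
SAMPLE_RECEIVED = (
    "Received: from propet.ouruntain.com (propet.ouruntain.com [162.144.50.141])\n"
    "Received: from ohours.healtspa.net (unknown [180.149.247.22]) by\n"
    "Received: from [81.171.28.52] (helo=vedla.renthant.net) by\n"
    "Received: from khabhi.smoothving.com (khabhi.smoothving.com\n"
    "  [95.211.175.208])\n"
    "Received: from perie.awesomder.net ([62.210.10.113]) by\n"
    "Received: from localhost (localhost [127.0.0.1]) by\n"
    "Received: from propet.ouruntain.com (propet.ouruntain.com [162.144.50.141])\n"
)

_BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(text: str) -> List[str]:
    """RFC 5322 folding: a line beginning with whitespace continues the previous header."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.rstrip())
    return lines


def connecting_ip(received: str) -> Optional[ipaddress.IPv4Address]:
    """Return the bracketed IPv4 literal from one Received: line, or None.

    Only the Received: line written by your own MX is trustworthy; every line
    below it is sender-supplied and can be forged. Selecting that line is the
    caller's job; this only extracts the address from it.
    """
    m = _BRACKET_IP.search(received)
    if not m:
        return None
    try:
        return ipaddress.IPv4Address(m.group(1))
    except ValueError:  # e.g. an octet above 255 slipped past the regex
        return None


def listable(ip: ipaddress.IPv4Address) -> bool:
    """Refuse addresses that cannot be a remote relay. A local DNSBL holding
    127.0.0.1 or RFC 1918 space would score your own internal hops."""
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def collect_ips(text: str) -> List[ipaddress.IPv4Address]:
    """Unique, listable relay addresses from a batch of Received: headers, in order seen."""
    seen = set()
    out: List[ipaddress.IPv4Address] = []
    for line in unfold(text):
        if not line.lower().startswith("received:"):
            continue
        ip = connecting_ip(line)
        if ip is None or not listable(ip) or ip in seen:
            continue
        seen.add(ip)
        out.append(ip)
    return out


def zone_records(ips, listing_addr: str = "127.0.0.2", ttl: int = 3600) -> List[str]:
    """BIND-style records relative to the zone origin.
    a.b.c.d is queried as d.c.b.a.<zone>, so the octets are reversed."""
    recs: List[str] = []
    for ip in ips:
        name = ".".join(reversed(str(ip).split(".")))
        recs.append(f"{name}\t{ttl}\tIN\tA\t{listing_addr}")
        recs.append(f'{name}\t{ttl}\tIN\tTXT\t"Listed by local DNSBL: {ip}"')
    return recs


def spamassassin_rule(zone: str, score: float = 2.0, name: str = "RCVD_IN_LOCAL_DNSBL") -> str:
    """A scored SpamAssassin rule (rule name is an assumption); zone must end with a dot."""
    return (
        f"header   {name}  eval:check_rbl('local-dnsbl', '{zone}')\n"
        f"describe {name}  Relay listed in locally maintained DNSBL\n"
        f"score    {name}  {score:.1f}\n"
    )


if __name__ == "__main__":
    found = collect_ips(SAMPLE_RECEIVED)
    print("\n".join(zone_records(found)))
    print(spamassassin_rule("dnsbl.example.invalid."))
```

Keeping the rule as a score rather than a hard reject matches the approach described in the message: a mis-listing then costs a few points instead of a bounced legitimate message, and the `listable` filter is the cheap guard against the most common mis-listing, your own relays.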