[clamav-users] Matching variant patterns in logical or Yara signatures

G.W. Haywood clamav at jubileegroup.co.uk
Thu Jan 18 17:05:53 UTC 2018


Hello again,

On Wed, 17 Jan 2018, Kris Deugau wrote:

> "All over the place".
> ...
> ... hard block on Spamhaus hits and a handful of sender addresses;
> ... more aggressive IP blocking result in blocked legitimate mail
> ... local DNSBL, but ... we don't get enough volume ... also don't
> see these broadly over our user base ... but they're regularly
> reported by a couple of customers.

All very interesting.  None of these would have made it through here,
based on the dig results below alone.  So I don't think these would
present any problem for us.  But the homebrew milter that I mentioned
might be looking at things that some other mail systems don't.  You
might be interested in the SOA records. :)

$ dig -t soa ouruntain.com
... 3600	IN	SOA	dns1.name-services.com. info.name-services.com ...
$ dig -t soa obesrum.net
... 106621	IN	SOA	ns1.dnsowl.com. hostmaster.dnsowl.com ...
$ dig -t soa easyuest.net
... 3600	IN	SOA	dns1.name-services.com. info.name-services.com ...
$ dig -t soa infcket.com
... 3600	IN	SOA	dns1.name-services.com. info.name-services.com ...
$ dig -t soa renthant.net
... 172800	IN	SOA	ns1.dnsowl.com. hostmaster.dnsowl.com ...
$ dig -t soa frisplay.net
... 3600	IN	SOA	dns1.name-services.com. info.name-services.com ...
$ dig -t soa shallenge.net
... 3600	IN	SOA	dns1.name-services.com. info.name-services.com ...
$ dig -t soa firsia.net
... 3600	IN	SOA	dns1.name-services.com. info.name-services.com ...
$ dig -t soa direghting.com
... 3600	IN	SOA	dns1.name-services.com. info.name-services.com ...
$ dig -t soa awesomder.net
... status: SERVFAIL ...
$ dig -t soa smoothving.com
... status: SERVFAIL ...
$ dig -t soa purplebin.net
... status: NXDOMAIN ...
$ dig -t soa karft.net
... status: NXDOMAIN ...
$ dig -t soa virtualree.net
... status: SERVFAIL ...
$ dig -t soa exceama.net
... status: SERVFAIL ...

However, I looked at the past six months' mailserver logs, and I found
our local blacklists blocking the following in any case:

Blocked by country code:
103.214.147.181	HK, AS135330 "Sin Ming Man t/a Adcdata.com"
103.214.147.215	HK, AS135330 "Sin Ming Man t/a Adcdata.com"
180.149.247.22	IN, AS33480 Web Werks

Blocked by ASN: Yes, we block almost *everything* from these ASNs but
we do of course have whitelists which can override the ASN blacklist.
142.4.9.60	US, "AS46606 Unified Layer"
162.144.157.215	US, "AS46606 Unified Layer"
162.144.50.141	US, "AS46606 Unified Layer"
178.132.3.63	NL, "AS49981 WorldStream B.V."
149.56.84.30	CA, "AS16276 OVH SAS"
54.36.251.80	FR, "AS16276 OVH SAS"
62.210.10.113	FR, "AS12876 Online S.a.s."
209.94.191.189	US, "AS396426 CyberOne Data LLC"

Several were caught here by DNSBL:

69.64.48.56 US, United States GeoIP ASNum Edition: AS30083 "HEG US Inc.",
formerly (until late November) "SERVER4YOU".
Zen, Mailspike, SORBS, and our milter/whois (China).  This is currently
in our tarpit, and thanks to you now also in our local ASN blocklist. :)

81.171.28.52	NL, Netherlands GeoIP ASNum Edition: AS60781 "LeaseWeb Netherlands B.V."
37.48.119.162	NL, Netherlands GeoIP ASNum Edition: AS60781 "LeaseWeb Netherlands B.V."
95.211.175.208	NL, Netherlands GeoIP ASNum Edition: AS60781 "LeaseWeb Netherlands B.V."
truncate.gbudb.net, bl.fmb.la
I find these two DNSBLs very good, approaching Spamhaus performance.
If you haven't already, I'd suggest that you try them out.

92.48.86.80	GB, United Kingdom GeoIP ASNum Edition: AS29550 "Simply Transit Ltd"
Blocked by several DNSBLs, but I understand your reluctance about some of those.

88.198.194.76	DE, Germany GeoIP ASNum Edition: AS24940 "Hetzner Online GmbH"
This one's a little tricky, as it's used by several of our customers
and suppliers, for employee pensions, several mailing lists, and a
couple of other odd things like DMARC reporting.  Nevertheless all the
spam from AS24940 has been blocked by one or more of the following:
If multiple DNSBLs are triggered (truncate or Zen + 1 other);
Local sender blacklists (including some TLDs, especially .ua).
'Spambot' (i.e. no reverse DNS); SPF; recipient filters (spam trap).
Unknown recipient and/or relaying attempts denied.
Invalid helo (e.g. localhost).

Probably this is off topic for this list so I've been more brief than
I'd have liked.  Please feel free to contact me privately if you'd
like to discuss it further - but you'll need to use a different local
part in the address. :)

Incidentally I'm on the digest list.  For some reason SpamAssassin
decided to quarantine the list message yesterday.  I haven't looked
exactly why, but a score of 7.5 is unusually high for a list message. :/

Finally, back on topic, ClamAV didn't have to do *anything* here to
block any of the spam from these sources.

-- 

73,
Ged.
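The DNSBL reasoning in the post (reverse the octets, query the list zone, and only reject when truncate or Zen fires together with at least one other list) is easy to get subtly wrong, so here is an added worked example. It is not code from the post or from ClamAV; the resolver is a constructed in-memory table so the script runs offline, and the IPs in it are the ones the post lists, with made-up verdicts. The 127.255.255.0/24 handling follows Spamhaus's documented error-signalling range; the zone names are the ones the post mentions.

```python
import ipaddress

# Lists named in the post: Spamhaus Zen, truncate.gbudb.net and bl.fmb.la.
ZONES = ["zen.spamhaus.org", "truncate.gbudb.net", "bl.fmb.la"]
# The post's policy: a "strong" list (Zen or truncate) plus one more list.
STRONG = {"zen.spamhaus.org", "truncate.gbudb.net"}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Name a DNSBL is queried for: address reversed per octet (IPv4)
    or per nibble (IPv6), followed by the list zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        rev = ".".join(reversed(str(addr).split(".")))
    else:
        rev = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{rev}.{zone}"


def is_listing(answer: str) -> bool:
    """A listing is an answer in 127.0.0.0/8 that is NOT in the
    127.255.255.0/24 range Spamhaus uses to signal query errors
    (bad query, open/public resolver, query limit exceeded).
    Treating an error code as a hit would block legitimate mail."""
    a = ipaddress.ip_address(answer)
    return a in ipaddress.ip_network("127.0.0.0/8") and \
        a not in ipaddress.ip_network("127.255.255.0/24")


# Constructed, offline stand-in for a real resolver: query name -> A records.
# Verdicts are invented for illustration; only the IPs come from the post.
MOCK_ANSWERS = {
    "56.48.64.69.zen.spamhaus.org":   ["127.0.0.2"],        # SBL-style code
    "56.48.64.69.truncate.gbudb.net": ["127.0.0.2"],
    "52.28.171.81.truncate.gbudb.net": ["127.0.0.2"],
    "52.28.171.81.bl.fmb.la":         ["127.0.0.2"],
    "80.86.48.92.zen.spamhaus.org":   ["127.0.0.11"],       # PBL-style code only
    "76.194.198.88.zen.spamhaus.org": ["127.255.255.254"],  # error, not a listing
}


def lookup(ip: str, zone: str, resolver=MOCK_ANSWERS) -> list:
    """Return the A records for the DNSBL query (empty = NXDOMAIN / not listed).
    With a real resolver this would be a DNS query for the same name."""
    return resolver.get(dnsbl_query_name(ip, zone), [])


def dnsbl_hits(ip: str, resolver=MOCK_ANSWERS) -> set:
    """Zones that actually list the address (error codes excluded)."""
    hits = set()
    for zone in ZONES:
        if any(is_listing(a) for a in lookup(ip, zone, resolver)):
            hits.add(zone)
    return hits


def should_reject(ip: str, resolver=MOCK_ANSWERS) -> bool:
    """The post's rule: reject if truncate or Zen hits AND at least one
    other list agrees. A single list, however good, is not enough."""
    hits = dnsbl_hits(ip, resolver)
    return bool(hits & STRONG) and len(hits) >= 2


if __name__ == "__main__":
    for ip in ["69.64.48.56", "81.171.28.52", "92.48.86.80", "88.198.194.76"]:
        print(ip, sorted(dnsbl_hits(ip)), "REJECT" if should_reject(ip) else "accept")
```

Swap `MOCK_ANSWERS` for a real resolver call (the query name is identical) and keep the error-range check; a milter that forgets it will start rejecting everything the moment the resolver is rate-limited or a public resolver is used for Spamhaus queries.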