
rules for a sneaky SPEAR-VIRUS spam that gets past bayes
rules for a sneaky SPEAR-VIRUS spam that gets past bayes because legit
content from hijacked emails are copied into the spam, making it look
like a follow-up msg of an existing legit conversation. Catch using
these rules below. (Perhaps also add more to this to prevent rare FPs?
But this is a good start!)

FILE SIZE < 50kb

then, on decoded/demime'd msg:

exact match on:
https://onedrive.live.com/download?cid=

Then a hit on THIS RegEx:
\b(Fil lösenord|File password): [A-Z]{2}\d{4}\b

(I'll let someone else jump in here and create and share the actual SA
implementation of this, if desired - along with any suggested improvements)

-- Rob McEwen, invaluement

Re: rules for a sneaky SPEAR-VIRUS spam that gets past bayes
Just off the top of my head:

rawbody ONEDRIVE_DOWNLOAD m'https://onedrive\.live\.com/download[?]cid='
score ONEDRIVE_DOWNLOAD 0.5
describe ONEDRIVE_DOWNLOAD Download link to a file on Onedrive

Personally I'd be inclined to put an i on the end of that.

body FILE_PWD_INFO /\b(?:Fil lösenord|File password):\s[A-Z]{2}\d{4}\b/
score FILE_PWD_INFO 3
describe FILE_PWD_INFO Email has a password to an archive file

meta PWD_ONEDRIVE_DLOAD ONEDRIVE_DOWNLOAD && FILE_PWD_INFO
score PWD_ONEDRIVE_DLOAD 4
describe PWD_ONEDRIVE_DLOAD Email contains download for passworded Onedrive file

Loren
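To make the two posts above concrete, here is an added example (mine, not Rob's or Loren's, and not SpamAssassin's own code) that re-implements the same logic in plain Python: Rob's "file size < 50kb, then check the decoded/demime'd message" procedure and Loren's three rules, with the trailing /i applied to the OneDrive URL rule as Loren suggested. The size gate is expressed as a zero-score helper sub-rule named `__SMALL_MSG` and folded into the meta rule; that naming is my assumption about how it would be written in SA, not something from the thread. The sample messages are constructed test fixtures with placeholder IDs and addresses; the Swedish one is quoted-printable encoded so it only matches after decoding, which is the point of Rob's "decoded/demime'd" remark.

```python
"""Toy Python re-implementation of the thread's SpamAssassin rules (added example)."""
import email
import re
from email import policy
from email.message import EmailMessage

MAX_SIZE = 50 * 1024  # Rob's "FILE SIZE < 50kb" gate

# Loren's rawbody rule, with the trailing /i he suggested.
ONEDRIVE_RE = re.compile(r"https://onedrive\.live\.com/download[?]cid=", re.IGNORECASE)
# Loren's body rule, case-sensitive as posted.
PASSWORD_RE = re.compile(r"\b(?:Fil lösenord|File password):\s[A-Z]{2}\d{4}\b")

# Scores from Loren's reply. __SMALL_MSG is a zero-score helper sub-rule
# (assumption: this is how the size gate would be expressed in SA).
SCORES = {"ONEDRIVE_DOWNLOAD": 0.5, "FILE_PWD_INFO": 3.0, "PWD_ONEDRIVE_DLOAD": 4.0}


def decoded_text(raw: bytes) -> str:
    """Return the decoded text of every text/* part, joined (the 'demime'd' body)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return "\n".join(
        part.get_content()
        for part in msg.walk()
        if part.get_content_maintype() == "text"
    )


def score_message(raw: bytes):
    """Evaluate the rules against one raw message; returns (set of hits, total score)."""
    hits = set()
    if len(raw) < MAX_SIZE:
        hits.add("__SMALL_MSG")
    text = decoded_text(raw)
    if ONEDRIVE_RE.search(text):
        hits.add("ONEDRIVE_DOWNLOAD")
    if PASSWORD_RE.search(text):
        hits.add("FILE_PWD_INFO")
    # The meta rule: both markers present, and the message is small.
    if {"__SMALL_MSG", "ONEDRIVE_DOWNLOAD", "FILE_PWD_INFO"} <= hits:
        hits.add("PWD_ONEDRIVE_DLOAD")
    return hits, sum(SCORES.get(h, 0.0) for h in hits)


def build_sample(body_text: str) -> bytes:
    """Build a constructed test message; quoted-printable so non-ASCII is encoded on the wire."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Re: invoice"
    msg.set_content(body_text, charset="utf-8", cte="quoted-printable")
    return msg.as_bytes()


# Constructed samples (placeholder IDs, not real links or messages).
SPAM_TEXT = (
    "Following up on our thread, the updated document is here:\n"
    "https://onedrive.live.com/download?cid=PLACEHOLDERCID&resid=PLACEHOLDER\n"
    "File password: AB1234\n"
    "\n"
    "> Thanks for the invoice, I will review it tomorrow.\n"  # copied legit reply text
)
SWEDISH_TEXT = SPAM_TEXT.replace("File password: AB1234", "Fil lösenord: XY9876")
LEGIT_TEXT = "Here is the shared file:\nhttps://onedrive.live.com/download?cid=PLACEHOLDERCID\n"

SPAM = build_sample(SPAM_TEXT)
SWEDISH = build_sample(SWEDISH_TEXT)
LEGIT = build_sample(LEGIT_TEXT)
LARGE = build_sample(SPAM_TEXT + "x" * 60_000)  # same markers, but over the size gate

if __name__ == "__main__":
    for name, raw in [("spam", SPAM), ("swedish", SWEDISH), ("legit", LEGIT), ("large", LARGE)]:
        hits, score = score_message(raw)
        print(f"{name:8s} size={len(raw):6d} score={score:4.1f} hits={sorted(hits)}")
```

The legit sample shows why Loren kept ONEDRIVE_DOWNLOAD at 0.5 on its own: a OneDrive link alone only nudges the score, and it is the meta rule that carries the weight. The large sample keeps both markers but fails the size gate, so the meta rule does not fire.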