public:emai:malware

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
Last revisionBoth sides next revision
public:emai:malware [2021-10-21 13:29] veselypublic:emai:malware [2021-11-19 08:22] – [Monitoring and filtering agenda] vesely
Line 44: Line 44:
   * [[:public:emai:malware#ip_reputation|Bad IP reputation]] - <font inherit/inherit;;#f39c12;;inherit>[IP reputaton]</font> - emails from IP addresses with bad reputation may be discarded or quarantined. It may be dangerous to receive emails from such IPs.   * [[:public:emai:malware#ip_reputation|Bad IP reputation]] - <font inherit/inherit;;#f39c12;;inherit>[IP reputaton]</font> - emails from IP addresses with bad reputation may be discarded or quarantined. It may be dangerous to receive emails from such IPs.
   * [[:public:emai:malware#warning_disclaimer_prepended_to_email|Warning Disclaimer]] (prepended to email) - <font inherit/inherit;;#f39c12;;inherit>[Newsletter]</font> - Anti-Phishing engine cannot decide about targeting URL link (usually concealed by click spying)   * [[:public:emai:malware#warning_disclaimer_prepended_to_email|Warning Disclaimer]] (prepended to email) - <font inherit/inherit;;#f39c12;;inherit>[Newsletter]</font> - Anti-Phishing engine cannot decide about targeting URL link (usually concealed by click spying)
-  * [[:public:emai:malware#suspicious_content_html_links_docs|Suspicious content]] (HTML links, docs) - <font inherit/inherit;;#f39c12;;inherit>[Suspicious]</font> - HTML content and attachments may contain potentially hazardous tags and attributes+  * [[:public:emai:malware#pdf_macro|PDF macro]] - PDF files include the ability to execute code on your device — and that’s where the danger lies 
 +  * [[:public:emai:malware#suspicious_content_html_links_docs_macro|Suspicious content]] (HTML links, docs) - <font inherit/inherit;;#f39c12;;inherit>[Suspicious]</font> - HTML content and attachments may contain potentially hazardous tags and attributes
   * [[:public:emai:malware#image_spam|Image Spam]] (images, pdf) - <font inherit/inherit;;#f39c12;;inherit>[Image spam]</font> - Some spammers conceal spam text as an image or PDF document.   * [[:public:emai:malware#image_spam|Image Spam]] (images, pdf) - <font inherit/inherit;;#f39c12;;inherit>[Image spam]</font> - Some spammers conceal spam text as an image or PDF document.
   * [[:public:emai:malware#deepheader_analysis|Deepheader analysis]] - <font inherit/inherit;;#f39c12;;inherit>[Suspicious - header analysis]</font> - Deepheader analysis examines the entire message header for spam characteristics.   * [[:public:emai:malware#deepheader_analysis|Deepheader analysis]] - <font inherit/inherit;;#f39c12;;inherit>[Suspicious - header analysis]</font> - Deepheader analysis examines the entire message header for spam characteristics.
Line 52: Line 53:
 //Added subject tag: **[IPt:Possible Spoof]** // //Added subject tag: **[IPt:Possible Spoof]** //
  
-see https://en.wikipedia.org/wiki/Email_spoofing+see [[https://en.wikipedia.org/wiki/Email_spoofing|https://en.wikipedia.org/wiki/Email_spoofing]]
  
 Email spoofing is the creation of email messages with a forged sender address. Email spoofing is the creation of email messages with a forged sender address.
 +
 +It usually happens when a sender uses different email address in "From:" field from the envelope email address (MAIL FROM:)
 +
 +**Legacy "legitimate use"**  - In the early Internet, "legitimately spoofed" email was common. For example, a visiting user might use the local organization's SMTP server to send email from the user's foreign address. Since most servers were configured as "open relays", this was a common practice. As spam email became an annoying problem, these sorts of "legitimate" uses fell out of favor.
 +
 +**Malicious use of spoofing**  - Phishing and business email compromise scams generally involve an element of email spoofing. Email spoofing has been responsible for public incidents with serious business and financial consequences.
 +
 +**Example of spoof email:**
 +
 +MAIL FROM: **johndoe2<font inherit/inherit;;#2980b9;;inherit>@gmail.com</font>** \\
 +From: **john.doe<font inherit/inherit;;#d35400;;inherit>@cerge-ei.cz</font>** \\
 +To: **jane.dow<font inherit/inherit;;#d35400;;inherit>@cerge-ei.cz</font>**
 +
 +Such email is suspicious. Some user with an account at Gmail (johndoe2@gmail.com) set his profile to use institutional email address (john.doe@cerge-ei.cz). \\
 +Problem is that such email is not sent (hence authorised) by cerge-ei.cz email server but it is sent by some third party server(google server in this case).
  
 ===== SPF ===== ===== SPF =====
Line 200: Line 216:
  
 **<font inherit/inherit;;#27ae60;;inherit>Regular/direct link</font>**: If the newsletter from **newyorker.com**  contains links in the form [[https://link|https://link]].**newyorker.com/view/5dc1b3fc91f4/03075c2d**  , it may be tracked down to the target URL and **is considered safe**. **<font inherit/inherit;;#27ae60;;inherit>Regular/direct link</font>**: If the newsletter from **newyorker.com**  contains links in the form [[https://link|https://link]].**newyorker.com/view/5dc1b3fc91f4/03075c2d**  , it may be tracked down to the target URL and **is considered safe**.
 +
 +===== Macro in attachments =====
 +
 +==== PDF macro ====
 +
 +PDF files include the ability to **execute code on your device**  — and that’s where the danger lies!
 +
 +Hence PDF files containing macro / executable code (like filling forms) are preventivelly **placed to users's quarantine**  where may be carefully released by user in case content is harmless. User may "whitelist" a trustful sender so quarantine might be skipped next time.
 +
 +PDF can contain the following:
 +
 +//Javascript//  – Javascripts are used in the website coding to control browser appearance and functionality. In past, it has been used to exploit multiple vulnerabilities in Adobe as well as many other PDF readers.
 +
 +//System Commands//  – Launch action in PDF can open Command window and execute commands to initiate malware. Most of the commands have now been disabled by Adobe but they might be open in other readers or earlier versions.
 +
 +//Hidden Objects//  – PDFs can have embedded and encrypted objects which prevents being analyzed by antivirus scanner. These objects are executed when file is opened by the user.
 +
 +//Multimedia Control//  – When we say PDF can have embedded objects, it could be a quicktime media or flash file. Attacker can exploit vulnerability in media players.
  
 ===== Suspicious ===== ===== Suspicious =====
  
-==== Suspicious content (HTML links, docs) ====+==== Suspicious content (HTML links, docs, macro) ====
  
 //Added subject tag: **[Suspicious]** // //Added subject tag: **[Suspicious]** //
  • /var/www/html/dokuwiki/data/pages/public/emai/malware.txt
  • Last modified: 2022-01-17 10:28
  • by vesely