| Both sides previous revision Previous revision Next revision | Previous revision Next revisionBoth sides next revision |
| public:emai:malware [2021-11-19 08:13] – [Suspicious content (HTML links, docs)] vesely | public:emai:malware [2022-01-17 10:28] – vesely |
|---|
| * [[:public:emai:malware#ip_reputation|Bad IP reputation]] - <font inherit/inherit;;#f39c12;;inherit>[IP reputaton]</font> - emails from IP addresses with bad reputation may be discarded or quarantined. It may be dangerous to receive emails from such IPs. | * [[:public:emai:malware#ip_reputation|Bad IP reputation]] - <font inherit/inherit;;#f39c12;;inherit>[IP reputaton]</font> - emails from IP addresses with bad reputation may be discarded or quarantined. It may be dangerous to receive emails from such IPs. |
| * [[:public:emai:malware#warning_disclaimer_prepended_to_email|Warning Disclaimer]] (prepended to email) - <font inherit/inherit;;#f39c12;;inherit>[Newsletter]</font> - Anti-Phishing engine cannot decide about targeting URL link (usually concealed by click spying) | * [[:public:emai:malware#warning_disclaimer_prepended_to_email|Warning Disclaimer]] (prepended to email) - <font inherit/inherit;;#f39c12;;inherit>[Newsletter]</font> - Anti-Phishing engine cannot decide about targeting URL link (usually concealed by click spying) |
| * [[:public:emai:malware#suspicious_content_html_links_docs|Suspicious content]] (HTML links, docs) - <font inherit/inherit;;#f39c12;;inherit>[Suspicious]</font> - HTML content and attachments may contain potentially hazardous tags and attributes | * [[:public:emai:malware#pdf_macro|PDF macro]] - PDF files include the ability to execute code on your device — and that’s where the danger lies |
| | * [[:public:emai:malware#suspicious_content_html_links_docs_macro|Suspicious content]] (HTML links, docs) - <font inherit/inherit;;#f39c12;;inherit>[Suspicious]</font> - HTML content and attachments may contain potentially hazardous tags and attributes |
| * [[:public:emai:malware#image_spam|Image Spam]] (images, pdf) - <font inherit/inherit;;#f39c12;;inherit>[Image spam]</font> - Some spammers conceal spam text as an image or PDF document. | * [[:public:emai:malware#image_spam|Image Spam]] (images, pdf) - <font inherit/inherit;;#f39c12;;inherit>[Image spam]</font> - Some spammers conceal spam text as an image or PDF document. |
| * [[:public:emai:malware#deepheader_analysis|Deepheader analysis]] - <font inherit/inherit;;#f39c12;;inherit>[Suspicious - header analysis]</font> - Deepheader analysis examines the entire message header for spam characteristics. | * [[:public:emai:malware#deepheader_analysis|Deepheader analysis]] - <font inherit/inherit;;#f39c12;;inherit>[Suspicious - header analysis]</font> - Deepheader analysis examines the entire message header for spam characteristics. |
| |
| **<font inherit/inherit;;#27ae60;;inherit>Regular/direct link</font>**: If the newsletter from **newyorker.com** contains links in the form [[https://link|https://link]].**newyorker.com/view/5dc1b3fc91f4/03075c2d** , it may be tracked down to the target URL and **is considered safe**. | **<font inherit/inherit;;#27ae60;;inherit>Regular/direct link</font>**: If the newsletter from **newyorker.com** contains links in the form [[https://link|https://link]].**newyorker.com/view/5dc1b3fc91f4/03075c2d** , it may be tracked down to the target URL and **is considered safe**. |
| | |
| | ===== Macro in attachments ===== |
| | |
| | ==== PDF macro ==== |
| | |
| | PDF files include the ability to **execute code on your device** — and that’s where the danger lies! |
| | |
| | Hence PDF files containing macro / executable code (like filling forms) are preventivelly **placed to users's quarantine** where may be carefully released by user in case content is harmless. User may "whitelist" a trustful sender so quarantine might be skipped next time. |
| | |
| | PDF can contain the following: |
| | |
| | //Javascript// – Javascripts are used in the website coding to control browser appearance and functionality. In past, it has been used to exploit multiple vulnerabilities in Adobe as well as many other PDF readers. |
| | |
| | //System Commands// – Launch action in PDF can open Command window and execute commands to initiate malware. Most of the commands have now been disabled by Adobe but they might be open in other readers or earlier versions. |
| | |
| | //Hidden Objects// – PDFs can have embedded and encrypted objects which prevents being analyzed by antivirus scanner. These objects are executed when file is opened by the user. |
| | |
| | //Multimedia Control// – When we say PDF can have embedded objects, it could be a quicktime media or flash file. Attacker can exploit vulnerability in media players. |
| |
| ===== Suspicious ===== | ===== Suspicious ===== |
| ===== Deepheader analysis ===== | ===== Deepheader analysis ===== |
| |
| //Added subject tag: [Suspicious] [Header analysis]// | //Added subject tag: [Suspicious - header analysis]// |
| | |
| | //Added warning text: "Deepheader analysis examines header for spam characteristics. Don't click any link unless you are certain it's legitimate.////"// |
| |
| <font inherit/inherit;;#c0392b;;inherit>Tool to examine message header (displays human-readable content):</font>[[https://mha.azurewebsites.net/|https://mha.azurewebsites.net/]] | <font inherit/inherit;;#c0392b;;inherit>Tool to examine message header (displays human-readable content):</font>[[https://mha.azurewebsites.net/|https://mha.azurewebsites.net/]] |
| Deepheader analysis examines the entire message header for spam characteristics. | Deepheader analysis examines the entire message header for spam characteristics. |
| |
| Basically an email has two parts. The body (information sent to recipient) and the header containing metadata (like "from", "to", content type, date of delivery, message forwarding path, signatures of mailservers, certificates, system-gegerated informations like spam level, processing info etc.). | More specifally - the deep header scan examines each message and **calculate a __confidence value__ based on the results of the decision-tree analysis**.The higher the calculated confidence value, the more likely the message is really spam. |
| |
| Recipient can learn a lot about the email history and nature by examining message header. | There may be sometimes very subtle difference in the specific email, which triggers the confidence value. As a best practice - it is always better to have an information that certain email may be problematic, because attackers today are able to mimick messages that are almost indistinguishable from the original messages! **So check twice such messages before you click link in it or open an attachment**. |
| | |
| More specifally - the deep header scan examines each message and calculate a confidence value based on the results of the decision-tree analysis.The higher the calculated confidence value, the more likely the message is really spam. | |
| |
| Line //X-FEAS-DEEPHEADER:// is added to the message header that includes the message’s calculated confidence value. | Line //X-FEAS-DEEPHEADER:// is added to the message header that includes the message’s calculated confidence value. |
| | |
| | Basically an email has two parts. The body (information sent to recipient) and the header containing metadata (like "from", "to", content type, date of delivery, message forwarding path, signatures of mailservers, certificates, system-gegerated informations like spam level, processing info etc.). |
| | |
| | Recipient can learn a lot about the email history and nature by examining message header. |
| |
| |