public:emai:malware [2021-10-20 10:21]
vesely
public:emai:malware [2022-01-17 11:28] (current)
vesely
Line 1: Line 1:
 ====== Dealing with malware, spam, suspicious content ====== ====== Dealing with malware, spam, suspicious content ======
  
-[[:public:emai:malware#monitoring_and_filtering_agenda|Skip right to mail filtering agenda paragraph]]+<faicon fa fa-hand-o-right> [[:public:emai:malware#monitoring_and_filtering_agenda|Skip right to mail filtering agenda paragraph]]
  
 ---- ----
Line 44: Line 44:
   * [[:public:emai:malware#ip_reputation|Bad IP reputation]] - <font inherit/inherit;;#f39c12;;inherit>[IP reputaton]</font> - emails from IP addresses with bad reputation may be discarded or quarantined. It may be dangerous to receive emails from such IPs.   * [[:public:emai:malware#ip_reputation|Bad IP reputation]] - <font inherit/inherit;;#f39c12;;inherit>[IP reputaton]</font> - emails from IP addresses with bad reputation may be discarded or quarantined. It may be dangerous to receive emails from such IPs.
   * [[:public:emai:malware#warning_disclaimer_prepended_to_email|Warning Disclaimer]] (prepended to email) - <font inherit/inherit;;#f39c12;;inherit>[Newsletter]</font> - Anti-Phishing engine cannot decide about targeting URL link (usually concealed by click spying)   * [[:public:emai:malware#warning_disclaimer_prepended_to_email|Warning Disclaimer]] (prepended to email) - <font inherit/inherit;;#f39c12;;inherit>[Newsletter]</font> - Anti-Phishing engine cannot decide about targeting URL link (usually concealed by click spying)
-  * [[:public:emai:malware#suspicious_content_html_links_docs|Suspicious content]] (HTML links, docs) - <font inherit/inherit;;#f39c12;;inherit>[Suspicious]</font> - HTML content and attachments may contain potentially hazardous tags and attributes+  * [[:public:emai:malware#pdf_macro|PDF macro]] - PDF files include the ability to execute code on your device — and that’s where the danger lies 
 +  * [[:public:emai:malware#suspicious_content_html_links_docs_macro|Suspicious content]] (HTML links, docs) - <font inherit/inherit;;#f39c12;;inherit>[Suspicious]</font> - HTML content and attachments may contain potentially hazardous tags and attributes
   * [[:public:emai:malware#image_spam|Image Spam]] (images, pdf) - <font inherit/inherit;;#f39c12;;inherit>[Image spam]</font> - Some spammers conceal spam text as an image or PDF document.   * [[:public:emai:malware#image_spam|Image Spam]] (images, pdf) - <font inherit/inherit;;#f39c12;;inherit>[Image spam]</font> - Some spammers conceal spam text as an image or PDF document.
   * [[:public:emai:malware#deepheader_analysis|Deepheader analysis]] - <font inherit/inherit;;#f39c12;;inherit>[Suspicious - header analysis]</font> - Deepheader analysis examines the entire message header for spam characteristics.   * [[:public:emai:malware#deepheader_analysis|Deepheader analysis]] - <font inherit/inherit;;#f39c12;;inherit>[Suspicious - header analysis]</font> - Deepheader analysis examines the entire message header for spam characteristics.
 +
 +===== Possible Spoof =====
 +
 +//Added subject tag: **[IPt:Possible Spoof]** //
 +
 +see [[https://en.wikipedia.org/wiki/Email_spoofing|https://en.wikipedia.org/wiki/Email_spoofing]]
 +
 +Email spoofing is the creation of email messages with a forged sender address.
 +
 +It usually happens when a sender uses different email address in "From:" field from the envelope email address (MAIL FROM:)
 +
 +**Legacy "legitimate use"**  - In the early Internet, "legitimately spoofed" email was common. For example, a visiting user might use the local organization's SMTP server to send email from the user's foreign address. Since most servers were configured as "open relays", this was a common practice. As spam email became an annoying problem, these sorts of "legitimate" uses fell out of favor.
 +
 +**Malicious use of spoofing**  - Phishing and business email compromise scams generally involve an element of email spoofing. Email spoofing has been responsible for public incidents with serious business and financial consequences.
 +
 +**Example of spoof email:**
 +
 +MAIL FROM: **johndoe2<font inherit/inherit;;#2980b9;;inherit>@gmail.com</font>** \\
 +From: **john.doe<font inherit/inherit;;#d35400;;inherit>@cerge-ei.cz</font>** \\
 +To: **jane.dow<font inherit/inherit;;#d35400;;inherit>@cerge-ei.cz</font>**
 +
 +Such email is suspicious. Some user with an account at Gmail (johndoe2@gmail.com) set his profile to use institutional email address (john.doe@cerge-ei.cz). \\
 +Problem is that such email is not sent (hence authorised) by cerge-ei.cz email server but it is sent by some third party server(google server in this case).
  
 ===== SPF ===== ===== SPF =====
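Review bot: the new bullet at the "PDF macro" line describes JavaScript and launch actions, not macros; PDF has no macro language, so a user who looks for "macros" in a PDF reader will find nothing. Suggest renaming the bullet and its #pdf_macro anchor to something like "PDF active content (JavaScript, launch actions)" and giving it the same orange subject-tag label the other bullets carry, since as written it is the only agenda item with no tag a recipient can match against the subject line. In the "Possible Spoof" section, the sentence "It usually happens when a sender uses different email address in "From:" field from the envelope email address (MAIL FROM:)" equates a header/envelope mismatch with spoofing; the mismatch is only the signal the gateway keys on, and it is also produced by legitimate forwarding and mailing lists, while spoofing is the forged From: itself. State that distinction and point to the SPF section that follows for how the sending server is checked. In the worked example, "not sent (hence authorised) by cerge-ei.cz email server" reads as the opposite of what is meant and should be "not sent (and hence not authorised) by the cerge-ei.cz email server". Minor: "reputaton" in the unchanged Bad IP reputation bullet and "jane.dow" in the example look like typos.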
Line 128: Line 152:
  
 ===== Reputation databases - Blacklists ===== ===== Reputation databases - Blacklists =====
 +
 +==== IP reputation ====
 +
 +//Added subject tag: **[IP reputation] ** //
 +
 +//More problematic IPs are also taged with **[!]**  or **[!!]** //
 +
 +**Bad IP reputation**  - emails from IP addresses with bad reputation may be discarded or quarantined. It is usually dangerous to receive emails from such IPs.
 +
 +IP reputation may be checked here: [[https://www.ipqualityscore.com/ip-reputation-check/lookup/|https://www.ipqualityscore.com/ip-reputation-check/lookup/]]
 +
 +It is responsibility of the sender to have 'clean' IP address.
 +
 +In case there is involved dynamically assigned address from a service provider (like Vodafone, T-mobile, O2, UPC …) the sender's IP address may be somehow compromised just because it was mis-used by a previous user. This is up to IP address user to ask the respective service provider for removal from the bad reputation lists.
  
 ==== IP reputation database - DNSBL ==== ==== IP reputation database - DNSBL ====
  
-//Added subject tag: [IP reputation - DNSBL listed]//+//Added subject tag: **[IP reputation - DNSBL listed]** //
  
 see: [[https://www.dnsbl.info/|https://www.dnsbl.info/]] see: [[https://www.dnsbl.info/|https://www.dnsbl.info/]]
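Review bot: in the new "IP reputation" section the dynamic-address paragraph says the sender's IP "may be somehow compromised just because it was mis-used by a previous user"; the address itself is not compromised, its reputation is (it appears on a blocklist), so replace "compromised" with "listed" or "tainted". Provider dynamic ranges are also commonly listed by policy rather than for a specific abuse incident, so a delisting request to the provider may not be the right remedy; suggest adding that a user on such a connection should send through an authenticated submission server (the institutional mail server or the provider's own) rather than delivering directly from the dynamic address. The ipqualityscore link is one commercial lookup among several, and the DNSBL and SURBL subsections below each carry their own subject tag, so say which check the plain [IP reputation] tag corresponds to. Typo: "taged" should be "tagged".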
Line 141: Line 179:
 ==== IP reputation database - SURBL ==== ==== IP reputation database - SURBL ====
  
-//Added subject tag: [IP reputation - SURBL listed]//+//Added subject tag: **[IP reputation - SURBL listed]** //
  
 see: [[http://www.surbl.org/|http://www.surbl.org/]] see: [[http://www.surbl.org/|http://www.surbl.org/]]
  
 SURBLs are lists of web sites that have appeared in unsolicited messages. Unlike most lists, SURBLs are not lists of message senders SURBLs are lists of web sites that have appeared in unsolicited messages. Unlike most lists, SURBLs are not lists of message senders
 +
 +====   ====
  
 ===== Newsletter ===== ===== Newsletter =====
Line 177: Line 217:
 **<font inherit/inherit;;#27ae60;;inherit>Regular/direct link</font>**: If the newsletter from **newyorker.com**  contains links in the form [[https://link|https://link]].**newyorker.com/view/5dc1b3fc91f4/03075c2d**  , it may be tracked down to the target URL and **is considered safe**. **<font inherit/inherit;;#27ae60;;inherit>Regular/direct link</font>**: If the newsletter from **newyorker.com**  contains links in the form [[https://link|https://link]].**newyorker.com/view/5dc1b3fc91f4/03075c2d**  , it may be tracked down to the target URL and **is considered safe**.
  
-===== Suspicious =====+===== Macro in attachments =====
  
-==== Suspicious content (HTML links, docs) ====+==== PDF macro ====
  
-//Added subject tag: **[Suspicious]** //+PDF files include the ability to **execute code on your device**  — and that’s where the danger lies!
  
-HTML contents in email body and attachments may contain potentially hazardous tags and attributes (such as hyperlinks and scripts). MS Office and PDF attachments may contain potentially hazardous macros, active scripts, and other active contents.+Hence PDF files containing macro / executable code (like filling formsare preventivelly **placed to users's quarantine**  where may be carefully released by user in case content is harmlessUser may "whitelist" a trustful sender so quarantine might be skipped next time.
  
-FortiMail provides the capability to remove or neutralize the potentially hazardous contents and reconstruct the email messages and attachment files.+PDF can contain the following:
  
-**Suspicious links (phishing, spam, malware) are redirected to Click Protection.**  URL is rewritten to ''[[https://gw.cerge-ei.cz/xxxxxxxxx|https://gw.cerge-ei.cz/xxxxxxxxx]]..''  (where gw.cerge-ei.cz is the address of our email security gateway) and in case the user clicks on the URLthe link is evaluated by FortiGuard and appropriate action is taken according to risk level (link is blocked or allowed)+//Javascript//  – Javascripts are used in the website coding to control browser appearance and functionality. In pastit has been used to exploit multiple vulnerabilities in Adobe as well as many other PDF readers.
  
-===== IP reputation =====+//System Commands//  – Launch action in PDF can open Command window and execute commands to initiate malware. Most of the commands have now been disabled by Adobe but they might be open in other readers or earlier versions.
  
-//Added subject tag: **[IP reputation] ** //+//Hidden Objects//  – PDFs can have embedded and encrypted objects which prevents being analyzed by antivirus scanner. These objects are executed when file is opened by the user.
  
-//More problematic IPs are also taged with **[!]**  or **[!!]** //+//Multimedia Control//  – When we say PDF can have embedded objects, it could be a quicktime media or flash file. Attacker can exploit vulnerability in media players.
  
-**Bad IP reputation**  - emails from IP addresses with bad reputation may be discarded or quarantined. It is usually dangerous to receive emails from such IPs.+===== Suspicious =====
  
-IP reputation may be checked here: [[https://www.ipqualityscore.com/ip-reputation-check/lookup/|https://www.ipqualityscore.com/ip-reputation-check/lookup/]]+==== Suspicious content (HTML links, docs, macro) ====
  
-It is responsibility of the sender to have 'clean' IP address.+//Added subject tag: **[Suspicious]** //
  
-In case there is involved dynamically assigned address from a service provider (like VodafoneT-mobileO2UPC …the sender's IP address may be somehow compromised just because it was mis-used by a previous userThis is up to IP address user to ask the respective service provider for removal from the bad reputation lists.+HTML contents in email body and attachments may contain potentially hazardous tags and attributes (such as hyperlinks and scripts). MS Office and PDF attachments may contain potentially hazardous macrosactive scriptsand other active contents. 
 + 
 +FortiMail provides the capability to remove or neutralize the potentially hazardous contents and reconstruct the email messages and attachment files. 
 + 
 +**Suspicious links (phishingspam, malwareare redirected to Click Protection.**  URL is rewritten to ''[[https://gw.cerge-ei.cz/xxxxxxxxx|https://gw.cerge-ei.cz/xxxxxxxxx]]..''  (where gw.cerge-ei.cz is the address of our email security gateway) and in case the user clicks on the URL, the link is evaluated by FortiGuard and appropriate action is taken according to risk level (link is blocked or allowed) 
 + 
 +=====   =====
  
 ===== Image Spam ===== ===== Image Spam =====
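Review bot: the "PDF macro" heading and the sentence "PDF files include the ability to execute code on your device" overstate it; the mechanisms listed below (JavaScript, launch actions, embedded objects, multimedia) are PDF active content, and "macro" is Office terminology, so retitle the subsection (keeping the anchor consistent with the agenda list at the top of the page) and say that the quarantine rule triggers on PDFs containing JavaScript or launch actions. The sentence "PDF files containing macro / executable code (like filling formsare preventivelly placed to users's quarantine where may be carefully released by user in case content is harmlessUser may "whitelist" a trustful sender" is missing a closing parenthesis, several spaces and a sentence break; since fillable forms are common legitimate mail, state plainly that a fillable form will land in quarantine, that the user releases it from the quarantine interface, and that whitelisting the sender skips the quarantine next time. The Javascript bullet explains browser JavaScript ("used in the website coding to control browser appearance and functionality"), which is not what runs inside a PDF reader; describe it as script the reader executes when the document is opened. The empty headings "====   ====" after SURBL and "=====   =====" after Click Protection render as blank headings and should be removed. Typos: "preventivelly" and "users's".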
Line 215: Line 261:
 ===== Deepheader analysis ===== ===== Deepheader analysis =====
  
-//Added subject tag: [Suspicious] [Header analysis]//+//Added subject tag: [Suspicious - header analysis]// 
 + 
 +//Added warning text: "Deepheader analysis examines header for spam characteristics. Don't click any link unless you are certain it's legitimate.////"//
  
 <font inherit/inherit;;#c0392b;;inherit>Tool to examine message header (displays human-readable content):</font>[[https://mha.azurewebsites.net/|https://mha.azurewebsites.net/]] <font inherit/inherit;;#c0392b;;inherit>Tool to examine message header (displays human-readable content):</font>[[https://mha.azurewebsites.net/|https://mha.azurewebsites.net/]]
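Review bot: the added warning-text line closes its italics with '////"//', which DokuWiki renders as stray slashes; the markup should be a single pair, i.e. //Added warning text: "Deepheader analysis examines header for spam characteristics. Don't click any link unless you are certain it's legitimate."//. The new tag "[Suspicious - header analysis]" now matches the agenda bullet at the top of the page; make sure the old form "[Suspicious] [Header analysis]" does not survive anywhere else on the page so users see only one spelling of the tag.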
Line 221: Line 269:
 Deepheader analysis examines the entire message header for spam characteristics. Deepheader analysis examines the entire message header for spam characteristics.
  
-Basically an email has two parts. The body (information sent to recipient) and the header containing metadata (like "from", "to", content type, date of delivery, message forwarding path, signatures of mailservers, certificates, system-gegerated informations like spam level, processing info etc.).+More specifally - the deep header scan examines each message and **calculate a __confidence value__  based on the results of the decision-tree analysis**.The higher the calculated confidence valuethe more likely the message is really spam.
  
-Recipient can learn a lot about the email history and nature by examining message header. +There may be sometimes very subtle difference in the specific email, which triggers the confidence value. As a best practice it is always better to have an information that certain email may be problematicbecause attackers today are able to mimick messages that are almost indistinguishable from the original messages! **So check twice such messages before you click link in it or open an attachment**.
- +
-More specifally - the deep header scan examines each message and calculate a confidence value based on the results of the decision-tree analysis.The higher the calculated confidence value, the more likely the message is really spam.+
  
 Line //X-FEAS-DEEPHEADER://  is added to the message header that includes the message’s calculated confidence value. Line //X-FEAS-DEEPHEADER://  is added to the message header that includes the message’s calculated confidence value.
 +
 +Basically an email has two parts. The body (information sent to recipient) and the header containing metadata (like "from", "to", content type, date of delivery, message forwarding path, signatures of mailservers, certificates, system-gegerated informations like spam level, processing info etc.).
 +
 +Recipient can learn a lot about the email history and nature by examining message header.
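Review bot: in the reordered paragraph "the deep header scan examines each message and calculate a confidence value" should read "calculates"; "More specifally" should be "More specifically", "mimick" should be "mimic", and "system-gegerated informations" should be "system-generated information". The advice "check twice such messages before you click link in it or open an attachment" would be more actionable if it told the reader where to look: the X-FEAS-DEEPHEADER: line mentioned below carries the confidence value and the header tool linked above displays it, so reference that header from the advice or move the X-FEAS-DEEPHEADER sentence next to the tool link. The two general paragraphs on email structure (body and header, "Recipient can learn a lot") now follow the specific X-FEAS-DEEPHEADER detail; they read better as the opening of the section, where they stood before this revision.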
  
  