spamassassin-users mailing list archives

From John Hardin <jhar...@impsec.org>
Subject Re: Bitcoin ransom mail
Date Thu, 19 Dec 2019 17:47:32 GMT
On Thu, 19 Dec 2019, Philipp Ewald wrote:

> I have a solution with ClamAV for any image that is "not allowed". In my case
> I create an md5sum from images I don't want to receive and put them into a
> hashtable.
> This hashtable is placed into /var/lib/clamav/NAME.hsb
>
> /var/lib/clamav/NAME.hsb looks like:
> 129895eb534a7e568b4284b6860fa93c:1245184:BitcoinImage
> hash:size:"VIRUS name"
>
> so any new mail with this attachment gets treated as a virus

To a degree that's just whack-a-mole. It would not be excessively 
difficult to make minor alterations to the image sufficient to change the 
hash without noticeably changing it visually.

It might be prohibitive to do that per-message, but sending a batch of a 
hundred messages while you're modifying the image for the next batch would 
probably work.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
   does quite what I want. I wish Christopher Robin was here."
                                            -- Peter da Silva in a.s.r
-----------------------------------------------------------------------
  6 days until Christmas
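
Added example, not part of either poster's message and not ClamAV's code: a Python model of the `hash:size:name` lookup quoted above, showing that a copy of the same size differing by a single bit no longer matches the entry. The function names and sample bytes are constructed for illustration, and only the three-field layout shown in the thread is handled.

```python
import hashlib

HEX = set("0123456789abcdef")

def hsb_entry(data: bytes, name: str) -> str:
    """Build one line in the hash:size:name layout quoted in the thread."""
    if not name or ":" in name:
        raise ValueError("name must be non-empty and contain no ':'")
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"

def parse_hsb(text: str) -> dict:
    """Parse .hsb text into {(md5_hex, size): name}; reject malformed lines."""
    db = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected hash:size:name")
        digest, size, name = parts[0].lower(), parts[1], parts[2]
        if len(digest) != 32 or not set(digest) <= HEX:
            raise ValueError(f"line {lineno}: not an MD5 hex digest")
        if not size.isdigit() or not name:
            raise ValueError(f"line {lineno}: bad size or empty name")
        db[(digest, int(size))] = name
    return db

def lookup(data: bytes, db: dict):
    """Return the signature name for an exact (md5, size) match, else None."""
    return db.get((hashlib.md5(data).hexdigest(), len(data)))

# Constructed bytes standing in for an unwanted image attachment.
SAMPLE = b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 4
# Same length, last byte differs by one bit: a different file to the hash.
ALTERED = SAMPLE[:-1] + bytes([SAMPLE[-1] ^ 1])

def demo():
    db = parse_hsb(hsb_entry(SAMPLE, "BitcoinImage") + "\n")
    return lookup(SAMPLE, db), lookup(ALTERED, db)

if __name__ == "__main__":
    original, altered = demo()
    print("original:", original)
    print("altered: ", altered)
```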
