3CX DLL-Sideloading attack: What you need to know

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 3 replies
  • Answers 1 answer
  • Subscribers 3 subscribers
  • Views 1663 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Spam recognition really bad since SASI

wk

I have seen the other posts about the Spam engine since V9.706, but found no satisfying solution.

I have checked all recommended hints. So the first check for the hardware:

loginuser@fw:/home/login > grep flags -m1 /proc/cpuinfo

flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave rdrand lahf_lm abm 3dnowprefetch arat epb xsaveopt pln pts dtherm tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust erms invpcid rdseed smap

So the hardware seems to be OK.

Then I checked for all recommended RBLs:

Next I checked the recognition rate for the last months:

June 2021:

Mail Filtering:     System:  
Mails processed: 4 063   System Restarts: 1
Spam Mails blocked: 695   Uplink fail-overs: 0
Virus Mails blocked: 0   HA/Cluster fail-overs: 0

July 2021:

Mail Filtering:     System:  
Mails processed: 4 128   System Restarts: 3
Spam Mails blocked: 125   Uplink fail-overs: 0
Virus Mails blocked: 0   HA/Cluster fail-overs: 0

So the spam recognition rate sank from 695 to 125 with nearly the same amount of tested mails.

So I installed SpamAssassine on my mail server and got a lot of indicated spam. An example of today:

Return-Path: <unsubscribe@09.win.cinmass.com>
X-Original-To: xxx
Delivered-To: xxx
.
.
.
from <unsubscribe@09.win.cinmass.com>; Thu, 19 Aug 2021 22:06:04 +0200
X-SASI-Hits: BODYTEXTH_SIZE_10000_LESS 0.000000,
    BODYTEXTP_SIZE_3000_LESS 0.000000, BODY_SIZE_4000_4999 0.000000,
    BODY_SIZE_5000_LESS 0.000000, BODY_SIZE_7000_LESS 0.000000,
    DATE_TZ_NA 0.000000, HREF_LABEL_TEXT_NO_URI 0.000000,
    HREF_LABEL_TEXT_ONLY 0.000000, HTML_NO_HTTP 0.100000,
    NO_CTA_URI_FOUND 0.000000, NO_MESSAGE_ID 0.299999, NO_URI_HTTPS 0.000000,
    REPLYTO_FROM_DIFF_ADDY 0.100000, SENDER_NO_AUTH 0.000000,
    SUPERLONG_LINE 0.050000, UTF8_SUBJ_OBFU 0.100000, __ANY_URI 0.000000,
    __BODY_TEXT_X4 0.000000, __CT 0.000000, __CTYPE_HAS_BOUNDARY 0.000000,
    __CTYPE_MULTIPART 0.000000, __CTYPE_MULTIPART_ALT 0.000000,
    __DATING_PHRASE 0.000000, __FRAUD_BODY_WEBMAIL 0.000000,
    __FRAUD_CONTACT_ADDY 0.000000, __FRAUD_INTRO 0.000000,
    __FRAUD_MONEY 0.000000, __FRAUD_MONEY_BIG_COIN 0.000000,
    __FRAUD_MONEY_BIG_COIN_GER 0.000000, __FRAUD_MONEY_CURRENCY 0.000000,
    __FRAUD_MONEY_CURRENCY_DOLLAR 0.000000, __FRAUD_MONEY_VALUE 0.000000,
    __FRAUD_WEBMAIL 0.000000, __FROM_DOMAIN_NOT_IN_BODY 0.000000,
    __FROM_NAME_NOT_IN_ADDR 0.000000, __HAS_FROM 0.000000, __HAS_HTML 0.000000,
    __HAS_REPLYTO 0.000000, __HEADER_ORDER_FROM 0.000000,
    __HREF_LABEL_TEXT 0.000000, __HTML_AHREF_TAG 0.000000,
    __HTML_HREF_TAG_X2 0.000000, __MIME_HTML 0.000000, __MIME_TEXT_H 0.000000,
    __MIME_TEXT_H1 0.000000, __MIME_TEXT_H2 0.000000, __MIME_TEXT_P 0.000000,
    __MIME_TEXT_P1 0.000000, __MIME_TEXT_P2 0.000000, __MIME_VERSION 0.000000,
    __MSGID_DOMAIN_NOT_IN_HDRS 0.000000, __PHISH_SPEAR_ACCOUNT_1 0.000000,
    __PHISH_SPEAR_GREETING 0.000000, __RCPT_DOMAIN_NOT_TO 0.000000,
    __REPLYTO_SAMEAS_FROM_DOMAIN 0.000000, __RUS_HASHBUSTER_1251 0.000000,
    __SPAM_FLAG_YES 0.000000, __SUBJ_ALPHA_END 0.000000,
    __SUBJ_ALPHA_END2 0.000000, __SUBJ_HIGHBIT 0.000000,
    __TAG_EXISTS_HTML 0.000000, __TO_MALFORMED_2 0.000000, __TO_NO_NAME 0.000000,
    __URI_MAILTO 0.000000, __URI_NO_WWW 0.000000, __URI_NS 0.000000,
    __UTF8_SUBJ 0.000000
X-SASI-Probability: 10%
X-SASI-RCODE: 200
X-SASI-Version: Antispam-Engine: 4.1.4, AntispamData: 2021.8.19.193316
X-MailCleaner-SPF: pass
Content-Type: multipart/alternative; boundary="===============1088584699=="
MIME-Version: 1.0
Subject: [***** SPAM 7.3 *****] =?utf-8?q?Gl=C3=BCckw=C3=BCnsche_an_xxx_?=
To: xxx
From: "Donald Lewis" <unsubscribe@09.win.cinmass.com>
Date: Thu, 19 Aug 2021 13:06:03 -0700
Reply-To: subscribe@09.win.cinmass.com
X-Spam-Flag: YES

X-Spam-Status: Yes, score=7.3 required=5.0 tests=HTML_MESSAGE,LOTS_OF_MONEY,
    MISSING_MID,RCVD_IN_SBL,RCVD_IN_SBL_CSS,SPF_HELO_NONE,SPF_SOFTFAIL,
    UNPARSEABLE_RELAY autolearn=no autolearn_force=no version=3.4.4
X-Spam-Report:
    *  3.6 RCVD_IN_SBL_CSS RBL: Received via a relay in Spamhaus SBL-CSS
    *      [188.165.148.172 listed in zen.spamhaus.org]
    *  2.6 RCVD_IN_SBL RBL: Received via a relay in Spamhaus SBL
    *      [82.165.159.37 listed in zen.spamhaus.org]
    *  0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
    *  1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
    *  0.0 HTML_MESSAGE BODY: HTML included in message
    *  0.0 LOTS_OF_MONEY Huge... sums of money
    *  0.1 MISSING_MID Missing Message-Id: header
    *  0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay
    *      lines
X-Spam-Level: *******
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on uhs20

You will not see this in a MIME-aware mail reader.

So SpamAssassine scores the mail for beeing listed at zen.spamhouse.org and others with 7.3 but the Sophos UTM SASI shows 10% Probability and let the mail pass.

Another observation is that nearly all recognized spam came via SMTP. The POP-Accounts are now filtered very rare.

What else information can I give for a solution?



This thread was automatically locked due to age.
Unfiltered HTML