
Just a sample of the Echomail archive


 Message 1482 
 mark lewis to August Abolins 
 another one phishing for a bite 
 01 Apr 20 09:36:19 
 
TZUTC: -0400
MSGID: 56.fido-internet@1:3634/12 22e9cf0b
REPLY: 2:221/1.58@fidonet e2f1afe1
PID: Synchronet 3.17c-Linux  Mar 23 2020 GCC 7.5.0
TID: SBBSecho 3.10-Linux r3.152 Mar 23 2020 GCC 7.5.0
CHRS: ASCII 1
NOTE: FSEditor.js v1.103
  Re: another one phishing for a bite
  By: August Abolins to mark lewis on Tue Mar 31 2020 20:33:00


 ml>> not really because now others of us cannot look up that
 ml>> information and set blocks or filters in our IDS/IPS ;)

 AA> Oh..  I see.  Good point.  But couldn't http://march262020.* work in a
 AA> filter?


that depends on the language used... IDS/IPS do not use DOS style... neither
does clamav, dspam, or similar content scanners...


 AA> But, FYI, replace "####" with "club".   No point keeping it a
 AA> secret if the goal is to help protect others.


thanks...


 AA> BTW, although it is far easier to just drop the phishing
 AA> email/attachment with the delete key, we can parse the file,
 AA> extract the clear-text and share the http:// strings found
 AA> therein.


or our content scanner can detect the byte sequences and pass or fail the
item...


 AA> Obviously, the macro in the original .xls file relied on Excel
 AA> functions to run a macro to fetch a bot from a website and launch
 AA> the payload.


yep... this is why the setting to allow macros and/or executing startup macros
should be OFF these days...


)\/(ark
--- SBBSecho 3.10-Linux
 * Origin: SouthEast Star Mail HUB - SESTAR (1:3634/12)
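
Added example, not part of the original message: the point in the reply above about pattern languages, shown by feeding the DOS-style string `http://march262020.*` to a regex engine unchanged and then translating it into an explicit regex. Python's `re` stands in for a scanner's pattern language here; the function names and the sample text (hosts on the reserved `.example` TLD) are constructed for illustration.

```python
import re

# Pattern exactly as written in the message, in DOS/glob wildcard style.
DOS_PATTERN = "http://march262020.*"

# Constructed sample text (not from the original message).
SAMPLE = (
    'open "http://march262020.example/a.php" now\n'
    "see http://march262020xyz.example/ for details\n"
    "ok  http://intranet.example/march262020.html\n"
)

URL_CHARS = r"[^\s\"'<>]"  # characters allowed to continue a URL token


def naive_regex_hits(pattern, text):
    """Feed the DOS-style string to a regex engine unchanged.

    In regex syntax '.' is "any character" and '.*' is "anything up to the
    end of the line", so the match is both too loose and too long.
    """
    return [m.group(0) for m in re.finditer(pattern, text)]


def glob_to_scanner_regex(pattern):
    """Translate DOS wildcards into an explicit regex (hypothetical helper)."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(URL_CHARS + "*")   # any run of URL characters
        elif ch == "?":
            parts.append(URL_CHARS)         # exactly one URL character
        else:
            parts.append(re.escape(ch))     # literal, so '.' stays a dot
    return re.compile("".join(parts), re.IGNORECASE)


def scanner_hits(pattern, text):
    """Return the URL tokens matched by the translated pattern."""
    return [m.group(0) for m in glob_to_scanner_regex(pattern).finditer(text)]


if __name__ == "__main__":
    print("naive  :", naive_regex_hits(DOS_PATTERN, SAMPLE))
    print("scanner:", scanner_hits(DOS_PATTERN, SAMPLE))
```

The unchanged string also flags the `march262020xyz` host and drags trailing text into the match, while the translated pattern returns only the URL token with the literal dot.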



(c) 1994,  bbs@darkrealms.ca