annotate common/spamassassin-vba-macro-master/README.md @ 455:a32771c91043
Switch updates available/restart required to script
This lets the script manage whether it's on Ubuntu or CentOS
and whether it needs yum commands or apt.
author | IBBoard <dev@ibboard.co.uk> |
---|---|
date | Sun, 20 Aug 2023 13:28:10 +0100 |
parents | dae1088dd218 |
children |
Line source: every line below comes from rev 142 (dae1088dd218), "Add OLE detection to SpamAssassin without ClamAV", IBBoard <dev@ibboard.co.uk>.
# SpamAssassin Plugin for detecting VBA/OLE2 Macros in Word/Excel Documents

SpamAssassin plugin for detecting VBA macros in Microsoft Office documents, including those contained within ZIP archives.

## Motivation ##

This plugin was built in response to the increasing amount of phishing/malware found in Microsoft Word and Excel documents, which tends to get past the majority of virus scanners when a new wave first starts.

Most installations running SpamAssassin also run ClamAV, and while ClamAV has a configuration option to block OLE2 macros (OLE2BlockMacros), this doesn't work well in practice because, surprisingly, some people still send emails with legitimate VBA macros.

This plugin is designed to crudely (but, so far, effectively) identify VBA/OLE2 macros embedded in Microsoft Word and Excel documents by looking for a signature that is only present in the file when VBA macros are used. It lets you assign a configurable score to such documents, so that other factors can contribute to the overall score before the email is considered spam.

## Dependencies ##

This module requires the following Perl modules to be installed:
* IO::Uncompress::Unzip
* IO::Scalar

In order to detect VBA/macro-enabled formats (e.g. .docm) disguised as classic Microsoft Office formats by renaming the files, it is recommended that you also install:
* File::MimeInfo::Magic
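The detection approach the README describes (a byte-level signature check that ignores the file extension, with ZIP containers unpacked so that a renamed .docm or a .doc inside an archive is still caught) as an added stand-alone illustration in Python; it is not the plugin's Perl code. The two VBA markers are assumptions, since the README does not name the signature it looks for, and the sample documents are constructed in place rather than taken from real Office files.

```python
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-file header (legacy .doc/.xls)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm/.xlsm) and ordinary zips
MAX_MEMBER = 20_000_000                            # never inflate oversized zip members
MAX_DEPTH = 3                                      # zip-in-zip recursion limit

# Assumed markers (the README does not name its signature): "_VBA_PROJECT" is a stream
# name that sits UTF-16LE-encoded in the OLE2 directory of a VBA project, and a
# compressed VBA module begins with the literal run "\x00Attribut" (Attribute VB_Name).
VBA_MARKERS = ("_VBA_PROJECT".encode("utf-16-le"), b"\x00Attribut")

def ole2_has_vba(data: bytes) -> bool:
    """Signature check on a legacy OLE2 blob (or an extracted vbaProject.bin)."""
    return data.startswith(OLE2_MAGIC) and any(m in data for m in VBA_MARKERS)

def attachment_has_vba(data: bytes, depth: int = 0) -> bool:
    """Decide by content only; the file name and extension are sender-controlled."""
    if depth > MAX_DEPTH or not data.startswith((OLE2_MAGIC, ZIP_MAGIC)):
        return False                                   # PDF, text, ...: not this plugin's job
    if data.startswith(OLE2_MAGIC):
        return ole2_has_vba(data)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size > MAX_MEMBER:
                    continue
                # OOXML stores macros in vbaProject.bin, itself an OLE2 file, so one
                # recursive check covers a .docm renamed to .docx and a .doc inside a .zip.
                if attachment_has_vba(zf.read(info), depth + 1):
                    return True
    except (zipfile.BadZipFile, RuntimeError):         # corrupt or encrypted archive
        pass
    return False

def fake_ole2(with_vba: bool) -> bytes:
    """Constructed stand-in for an Office file; only the header and markers matter."""
    stream = "_VBA_PROJECT" if with_vba else "WordDocument"
    return OLE2_MAGIC + b"\x00" * 64 + stream.encode("utf-16-le") + b"\x00" * 64

def make_zip(members: dict) -> bytes:
    """Constructed zip (an OOXML package is just a zip with XML parts inside)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()
```

A real deployment would hook this into the mail pipeline and treat the result as one scored signal, as the plugin's configurable score does, rather than as an outright block.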

## Installation ##

Simply place the following in your SpamAssassin configuration file, for instance `/etc/spamassassin/conf.d/90_ole2macro.cf`, along with `ole2macro.pm` in a directory where SpamAssassin is able to find it (e.g. `/etc/spamassassin`).

```
loadplugin OLE2Macro ole2macro.pm

body MICROSOFT_OLE2MACRO eval:check_microsoft_ole2macro()
describe MICROSOFT_OLE2MACRO Has an attachment that contains an OLE2 Macro
score MICROSOFT_OLE2MACRO 4
```

In most cases you will want to adjust the score to suit your environment; however, with a cut-off score of 5.5, the score of 4.0 given above has worked well in a production environment with diverse users.