comparison common/spamassassin-vba-macro-master/README.md @ 142:dae1088dd218 puppet-3.6
Add OLE detection to SpamAssassin without ClamAV
Note: currently subject to https://github.com/JonathanThorpe/spamassassin-vba-macro/issues/15
author | IBBoard <dev@ibboard.co.uk> |
---|---|
date | Thu, 09 Feb 2017 20:54:30 +0000 |
parents | |
children |
141:ce6aafd0880b | 142:dae1088dd218 |
---|---|
1 # SpamAssassin Plugin for detecting VBA/OLE2 Macros in Word/Excel Documents | |
2 | |
3 SpamAssassin plugin for detecting VBA macros in Microsoft Office Documents, including those contained within ZIP archives. | |
4 | |
5 ## Motivation ## | |
6 | |
7 This plugin was built in response to increasing phishing/malware found in Microsoft Word and Excel Documents that seems to get past the majority of Virus Scanners when new waves first start. | |
8 | |
9 Most installations running SpamAssassin also run ClamAV and while ClamAV has a configuration option to block OLE2Macros (OLE2BlockMacros), this doesn't work well in practice because surprisingly, some people still send emails with legitimate VBA Macros. | |
10 | |
11 This plugin is designed to crudely (but so far, effectively) identify VBA/OLE2 Macros embedded in Microsoft Word and Excel Documents by looking at a signature in the file only present when VBA Macros are used and allows you to assign a configurable score to these documents such that other factors can contribute to an overall score before considering the email spam. | |
12 | |
13 ## Dependencies ## | |
14 | |
15 This module requires the following Perl modules to be installed: | |
16 * IO::Uncompress::Unzip | |
17 * IO::Scalar | |
18 | |
19 In order to detect VBA/Macro-enabled formats (i.e. .docm) disguised as classic Microsoft Office formats by renaming the files, it's recommended you also install: | |
20 * File::MimeInfo::Magic | |
21 | |
22 ## Installation ## | |
23 | |
24 Simply place the following in your SpamAssassin configuration file along with the ole2macro.pm in a directory where SpamAssassin is able to find it (i.e. /etc/spamassassin). For instance ```/etc/spamassassin/conf.d/90_ole2macro.cf``` | |
25 | |
26 ``` | |
27 loadplugin OLE2Macro ole2macro.pm | |
28 | |
29 body MICROSOFT_OLE2MACRO eval:check_microsoft_ole2macro() | |
30 describe MICROSOFT_OLE2MACRO Has an attachment that contains an OLE2 Macro | |
31 score MICROSOFT_OLE2MACRO 4 | |
32 ``` | |
33 | |
34 In most cases, you will want to adjust the score accordingly, however, with a cut-off score of 5.5, 4.0 as described above has worked well in a production environment with diverse users. |
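Review bot: the `loadplugin OLE2Macro ole2macro.pm` line in the Installation block (README line 27) uses a bare filename, while the sentence above it (line 24) puts the module in /etc/spamassassin and the example .cf in /etc/spamassassin/conf.d/, so whether the plugin loads depends on how that relative name gets resolved. Suggest giving the full path to ole2macro.pm in the example so the two locations do not have to match. Two smaller points in the same file: the commit message says this is currently subject to upstream issue 15, but nothing in the README tells an operator what that limitation is, so a one-line pointer near the Dependencies or Installation section would help; and the score of 4 is justified against a cut-off of 5.5 (line 34), so a site running a lower threshold should set its own score rather than take this value as shipped, since legitimate macro-bearing mail is the stated reason for scoring instead of blocking (line 9).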