diff common/spamassassin-vba-macro-master/README.md @ 142:dae1088dd218 puppet-3.6

Add OLE detection to SpamAssassin without ClamAV

Note: currently subject to https://github.com/JonathanThorpe/spamassassin-vba-macro/issues/15
author IBBoard <dev@ibboard.co.uk>
date Thu, 09 Feb 2017 20:54:30 +0000
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/common/spamassassin-vba-macro-master/README.md	Thu Feb 09 20:54:30 2017 +0000
@@ -0,0 +1,34 @@
+# SpamAssassin Plugin for detecting VBA/OLE2 Macros in Word/Excel Documents
+
+SpamAssassin plugin for detecting VBA macros in Microsoft Office Documents, including those contained within ZIP archives.
+
+## Motivation ##
+
+This plugin was built in response to increasing phishing/malware found in Microsoft Word and Excel Documents that seems to get past the majority of Virus Scanners when new waves first start.
+
+Most installations running SpamAssassin also run ClamAV and while ClamAV has a configuration option to block OLE2Macros (OLE2BlockMacros), this doesn't work well in practice because surprisingly, some people still send emails with legitimate VBA Macros.
+
+This plugin is designed to crudely (but so far, effectively) identify VBA/OLE2 Macros embedded in Microsoft Word and Excel Documents by looking at a signature in the file only present when VBA Macros are used and allows you to assign a configurable score to these documents such that other factors can contribute to an overall score before considering the email spam.
+
+## Dependencies ##
+
+This module requires the following Perl modules to be installed:
+* IO::Uncompress::Unzip
+* IO::Scalar
+
+In order to detect VBA/Macro-enabled formats (i.e. .docm) disguised as classic Microsoft Office formats by renaming the files, it's recommended you also install:
+* File::MimeInfo::Magic
+
+## Installation ##
+
+Simply place the following in your SpamAssassin configuration file along with the ole2macro.pm in a directory where SpamAssassin is able to find it (i.e. /etc/spamassassin). For instance ```/etc/spamassassin/conf.d/90_ole2macro.cf```
+
+```
+loadplugin OLE2Macro ole2macro.pm
+
+body MICROSOFT_OLE2MACRO eval:check_microsoft_ole2macro()
+describe MICROSOFT_OLE2MACRO Has an attachment that contains an OLE2 Macro
+score MICROSOFT_OLE2MACRO 4
+```
+
+In most cases, you will want to adjust the score accordingly, however, with a cut-off score of 5.5, 4.0 as described above has worked well in a production environment with diverse users.
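Review bot: The sample rule `score MICROSOFT_OLE2MACRO 4` in the Installation section is justified in the closing paragraph only for a cut-off of 5.5, so the value should be checked against the required_score this deployment actually uses before the rule goes live. SpamAssassin's stock required_score is 5.0, which leaves a macro-bearing attachment one point short of being tagged, and the README itself notes that some senders still mail legitimate VBA macros. Suggest setting the score in the site's own .cf with a comment recording the threshold it was tuned against. Separately, the commit message says the plugin is currently subject to upstream issue #15, but nothing in the added file records that; a short note beside the vendored copy would keep the caveat visible to whoever next touches this directory. The Dependencies section also lists IO::Uncompress::Unzip and IO::Scalar as required and File::MimeInfo::Magic as recommended for catching renamed .docm files, and nothing in this hunk shows them being installed, so confirm the manifest that deploys ole2macro.pm pulls them in.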