view common/spamassassin-vba-macro-master/README.md @ 284:9431aec4d998

Switch to using IPv6 prefix and IP per site This is because the proxy seems to break SNI, so we need an IP per SSL cert. We're not short of IPv6 addresses, though! Also corrected to "4to6" naming, because we're letting IPv4 access an IPv6 site
author IBBoard <dev@ibboard.co.uk>
date Sun, 16 Feb 2020 12:07:35 +0000
parents dae1088dd218
children
line wrap: on
line source

# SpamAssassin Plugin for detecting VBA/OLE2 Macros in Word/Excel Documents

SpamAssassin plugin for detecting VBA macros in Microsoft Office Documents, including those contained within ZIP archives.

## Motivation ##

This plugin was built in response to increasing phishing/malware found in Microsoft Word and Excel Documents that seems to get past the majority of Virus Scanners when new waves first start.

Most installations running SpamAssassin also run ClamAV and while ClamAV has a configuration option to block OLE2Macros (OLE2BlockMacros), this doesn't work well in practice because surprisingly, some people still send emails with legitimate VBA Macros.

This plugin is designed to crudely (but so far, effectively) identify VBA/OLE2 Macros embedded in Microsoft Word and Excel Documents by looking at a signature in the file only present when VBA Macros are used and allows you to assign a configurable score to these documents such that other factors can contribute to an overall score before considering the email spam.

## Dependencies ##

This module requires the following Perl modules to be installed:
* IO::Uncompress::Unzip
* IO::Scalar

In order to detect VBA/Macro-enabled formats (i.e. .docm) disguised as classic Microsoft Office formats by renaming the files, it's recommended you also install:
* File::MimeInfo::Magic

## Installation ##

Simply place the following in your SpamAssassin configuration file along with the ole2macro.pm in a directory where SpamAssassin is able to find it (i.e. /etc/spamassassin). For instance ```/etc/spamassassin/conf.d/90_ole2macro.cf```

```
loadplugin OLE2Macro ole2macro.pm

body MICROSOFT_OLE2MACRO eval:check_microsoft_ole2macro()
describe MICROSOFT_OLE2MACRO Has an attachment that contains an OLE2 Macro
score MICROSOFT_OLE2MACRO 4
```

In most cases, you will want to adjust the score accordingly, however, with a cut-off score of 5.5, 4.0 as described above has worked well in a production environment with diverse users.