NAME
Mail::SpamAssassin::Plugin::OLEVBMacro - search attached documents for evidence
of containing an OLE Macro
SYNOPSIS
loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro
ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro
body OLEMACRO eval:check_olemacro()
describe OLEMACRO Attachment has an Office Macro
body OLEMACRO_MALICE eval:check_olemacro_malice()
describe OLEMACRO_MALICE Potentially malicious Office Macro
body OLEMACRO_ENCRYPTED eval:check_olemacro_encrypted()
describe OLEMACRO_ENCRYPTED Has an Office doc that is encrypted
body OLEMACRO_RENAME eval:check_olemacro_renamed()
describe OLEMACRO_RENAME Has an Office doc that has been renamed
body OLEMACRO_ZIP_PW eval:check_olemacro_zip_password()
describe OLEMACRO_ZIP_PW Has an Office doc that is password protected in a zip
body OLEMACRO_CSV eval:check_olemacro_csv()
describe OLEMACRO_CSV Malicious csv file that tries to exec cmd.exe detected
endif
DESCRIPTION
This plugin detects OLE macros inside documents attached to emails. It can also
inspect documents inside zip files and detect encrypted documents.
REQUIREMENT
This plugin requires the Archive::Zip and IO::String Perl modules.
USER PREFERENCES
The following options can be used in both site-wide ("local.cf") and
user-specific ("user_prefs") configuration files to customize how the module
handles attached documents.
- olemacro_num_mime (default: 5)
  Configure the maximum number of matching MIME parts the plugin will scan.
- olemacro_num_zip (default: 8)
  Configure the maximum number of matching zip members the plugin will scan.
- olemacro_zip_depth (default: 2)
  Depth to recurse within zip files.
- olemacro_extended_scan ( 0 | 1 ) (default: 0)
  Scan more files for potential macros; the "olemacro_skip_exts" parameter will
  still be honored. This option is off by default and is needed only to run the
  "eval:check_olemacro_renamed" rule. If it is turned on, consider adjusting the
  values of "olemacro_num_mime" and "olemacro_num_zip", and expect more CPU
  overhead.
- olemacro_prefer_contentdisposition ( 0 | 1 ) (default: 1)
  Choose whether the Content-Disposition header filename is preferred when there
  is ambiguity about the filename.
- olemacro_max_file (default: 1024000)
  Configure the largest file that the plugin will decode from the MIME objects.
- olemacro_exts (default:
  (?:doc|docx|dot|pot|ppa|pps|ppt|rtf|sldm|xl|xla|xls|xlsx|xlt|xltx|xslb)$)
  Set the case-insensitive regexp used to configure the extensions the plugin
  targets for macro scanning.
- olemacro_macro_exts (default:
  (?:docm|dotm|ppam|potm|ppst|ppsm|pptm|sldm|xlm|xlam|xlsb|xlsm|xltm|xltx|xps)$)
  Set the case-insensitive regexp used to configure the extensions the plugin
  treats as containing a macro.
- olemacro_skip_exts (default: (?:dotx|potx|ppsx|pptx|sldx|xltx)$)
  Set the case-insensitive regexp used to configure extensions for the plugin to
  skip entirely; these should only be guaranteed macro-free files.
- olemacro_skip_ctypes (default: ^(?:text\/))
  Set the case-insensitive regexp used to configure content types for the plugin
  to skip entirely; these should only be guaranteed macro-free.
- olemacro_zips (default: (?:zip)$)
  Set the case-insensitive regexp used to configure extensions for the plugin to
  target as zip files; files listed in the configs above are also tested for zip.