Difficulty getting OLEVBMacro rules to work
Hi all,

I'm running SpamAssassin version 3.4.4 on Perl version 5.30.3.

I turned on loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro in the v343.pre file.

I have both Archive::Zip and IO::String installed.
If I check my rules with spamassassin --lint -D, the plugin is being loaded:

Oct 30 17:58:57.955 [23115] dbg: plugin: loading Mail::SpamAssassin::Plugin::OLEVBMacro from @INC

When I run make test, it passes:

t/nonspam.t ....................... ok
t/olevbmacro.t .................... ok
t/originating_ip_hdr.t ............ ok


But when I try to scan email that I know contains Excel attachments with harmful Office macros, none of the rules get triggered.

Even the sample test emails in the t/data/spam/olevbmacro/ directory don't trigger the macro rules:

spamassassin -t < malicemacro.eml
What am I missing?

Thanks.
Re: Difficulty getting OLEVBMacro rules to work
On Fri, 30 Oct 2020 22:17:07 +0000 (UTC)
Jason Wong wrote:


> I turned on loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro in the
> v343.pre file.
...
> Oct 30 17:58:57.955 [23115] dbg: plugin: loading
> Mail::SpamAssassin::Plugin::OLEVBMacro from @INC
>
> When I run make test, it passes:
...
> But when I try to scan email that I know contains excel attachments
> with harmful office macros, none of the rules get triggered.


You didn't mention creating the rules. The tests have their own
definitions.

See perldoc Mail::SpamAssassin::Plugin::OLEVBMacro.
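For readers following RW's pointer, here is the shape such a rules file takes. This is an added example, not part of the thread or of SpamAssassin's shipped configuration: the eval functions are the ones the plugin's perldoc documents, while the rule names, scores and the file path are my own choices.

```conf
# Site-local rules, e.g. /etc/mail/spamassassin/local.cf (path assumed).
# The plugin itself is enabled in v343.pre with:
#   loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro
# Rule names and scores below are illustrative, not shipped defaults.

ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro

  # Also inspect attachments whose extension is not in olemacro_exts,
  # so macro documents renamed to a harmless extension are still seen.
  olemacro_extended_scan 1

  # Office document that contains a VBA macro at all
  body     OLEMACRO eval:check_olemacro()
  describe OLEMACRO Attachment has an Office macro
  score    OLEMACRO 1.0

  # Macro code matching the plugin's suspicious-content patterns
  body     OLEMACRO_MALICE eval:check_olemacro_malice()
  describe OLEMACRO_MALICE Attachment has an Office macro with suspicious content
  score    OLEMACRO_MALICE 4.0

  # Office document whose file extension does not match its real type
  body     OLEMACRO_RENAME eval:check_olemacro_renamed()
  describe OLEMACRO_RENAME Attachment is a renamed Office document
  score    OLEMACRO_RENAME 2.0

  # Encrypted Office document; its macros cannot be inspected
  body     OLEMACRO_ENCRYPTED eval:check_olemacro_encrypted()
  describe OLEMACRO_ENCRYPTED Attachment is an encrypted Office document
  score    OLEMACRO_ENCRYPTED 1.0

  # Office document inside a password-protected zip archive
  body     OLEMACRO_ZIP_PW eval:check_olemacro_zip_password()
  describe OLEMACRO_ZIP_PW Attachment is an Office document in a password-protected zip
  score    OLEMACRO_ZIP_PW 1.0

endif
```

Run spamassassin --lint after adding the file, then rerun spamassassin -t < malicemacro.eml from t/data/spam/olevbmacro/ to confirm the rules now fire.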
Re: Difficulty getting OLEVBMacro rules to work
Thank you RW, that was it.

Although I don't understand why those rules aren't defined by default: the manpage suggests using ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro for the rules, and the plugin isn't loaded by default, so why not have those rules all the time with ifplugin?
Anyway, one other thing I noticed (unless I'm missing something again) is that some of the default macro extensions are incorrect:

olemacro_exts (default: (?:doc|docx|dot|pot|ppa|pps|ppt|rtf|sldm|xl|xla|xls|xlsx|xlt|xltx|xslb)$)
        Set the case-insensitive regexp used to configure the extensions the plugin targets for macro scanning

olemacro_macro_exts (default: (?:docm|dotm|ppam|potm|ppst|ppsm|pptm|sldm|xlm|xlam|xlsb|xlsm|xltm|xltx|xps)$)
        Set the case-insensitive regexp used to configure the extensions the plugin treats as containing a macro

olemacro_skip_exts (default: (?:dotx|potx|ppsx|pptx|sldx|xltx)$)
        Set the case-insensitive regexp used to configure extensions for the plugin to skip entirely; these should only be guaranteed macro-free files

The .docx, .xlsx, and .pptx files don't contain macros:  https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions

Of course, a spammer could rename a macro-containing Word file as .docx, but I guess that's what the olemacro_extended_scan option to look for renamed files is for.

Thanks again.



On Friday, October 30, 2020, 7:05:49 PM EDT, RW <rwmaillists@googlemail.com> wrote:


You didn't mention creating the rules. The tests have their own
definitions.

see perldoc Mail::SpamAssassin::Plugin::OLEVBMacro
Re: Difficulty getting OLEVBMacro rules to work
The ruleset KAM.cf at mcgrail.com has rules for this plugin too.

On Sat, Oct 31, 2020, 13:08 Jason Wong <wong.jason99@yahoo.com> wrote:

> Thank you RW, that was it.
>
> Although, I don't understand why those rules aren't defined by default -
> the manpage suggests using ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro
> for the rules, and the plugin isn't loaded by default, so why not have
> those rules all the time with ifplugin?
>
> Anyway, one other thing I noticed (unless I'm missing something again), is
> that some of the default macro extensions are incorrect:
>
> olemacro_exts (default:
> (?:doc|docx|dot|pot|ppa|pps|ppt|rtf|sldm|xl|xla|xls|xlsx|xlt|xltx|xslb)$)
> Set the case-insensitive regexp used to configure the extensions
> the plugin targets for macro scanning
>
> olemacro_macro_exts (default:
> (?:docm|dotm|ppam|potm|ppst|ppsm|pptm|sldm|xlm|xlam|xlsb|xlsm|xltm|xltx|xps)$)
> Set the case-insensitive regexp used to configure the extensions
> the plugin treats as containing a macro
>
> olemacro_skip_exts (default: (?:dotx|potx|ppsx|pptx|sldx|xltx)$)
> Set the case-insensitive regexp used to configure extensions for
> the plugin to skip entirely, these should only be guaranteed macro free
> files
>
> The .docx, .xlsx, and .pptx files don't contain macros:
> https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions
>
> Of course, a spammer could rename a macro-containing word file as .docx,
> but I guess that's what the olemacro_extended_scan option to look for
> renamed files is for.
>
> Thanks again.
>
>
>
> On Friday, October 30, 2020, 7:05:49 PM EDT, RW <
> rwmaillists@googlemail.com> wrote:
>
>
>
> You didn't mention creating the rules. The tests have their own
> definitions.
>
> see perldoc Mail::SpamAssassin::Plugin::OLEVBMacro
>
>