
Help with Custom SpamAssassin Module

Posted: 05 Apr 2016 21:16
by twoeyes
Hi,

I'm trying to install this module into spamassassin: https://github.com/JonathanThorpe/spama ... -vba-macro

We've been getting a scary amount of Word documents with macros getting through EFA. Sooner or later a user is going to run the macro... so I'd like to spam bin them.

I'm trying to install the above module, but I can't figure out where to put the files and settings.

I've put the pm file here: /etc/spamassasin
Tried to add the loadplugin line into init.pre
And the rest in local.cf

But it doesn't seem to work... and I don't even know where to start to debug it.


LC

Re: Help with Custom SpamAssassin Module

Posted: 06 Apr 2016 04:11
by pdwalker
The instructions at https://github.com/JonathanThorpe/spama ... -vba-macro seem pretty clear to me.

Can you tell me exactly what steps you did to install this spamassassin module?

Re: Help with Custom SpamAssassin Module

Posted: 06 Apr 2016 05:06
by pdwalker
I'm just having a peek at the perl modules available and comparing that to what this plugin needs.

According to the docs, the following modules are required:
  • IO::Uncompress::Unzip
  • IO::Scalar
  • File::MimeInfo::Magic
Doing a `yum list` command shows the following perl modules available for installation:
  • perl-File-MimeInfo.noarch
I cannot see anything related to IO::Uncompress::Unzip or IO::Scalar.

So, at a guess, unless you want to try installing the missing perl modules by hand (and *shudder* end up in perl module dependency hell), it looks like the necessary packages are not available for you to install to use this spamassassin module.

Re: Help with Custom SpamAssassin Module

Posted: 06 Apr 2016 19:40
by twoeyes
Thanks pdwalker.

As far as I can tell, the required modules are already installed in EFA.

When I run these:
perl -e 'use IO::Uncompress::Unzip'
perl -e 'use IO::Scalar'

I get back to bash without any error messages... which some webpage said was good. If I try something like: perl -e 'use IO::ScalarFakeModule' - I get an obvious error.

The MimeInfo is supposed to be optional. And when I read the .pm file, I think that's true - but I don't really know perl.

I believe I've followed the docs and sent appropriate test emails, but I see no evidence of it doing anything.

I put the .pm file in /etc/spamassassin
And added the code to /etc/mail/spamassassin/local.cf (I also tried init.pre)

I discovered the spamassassin --lint command, and it comes up clean - though, I'm not 100% sure this uses the same configuration files that MailScanner uses.

Do attachments get forwarded to SA in the EFA setup? I flipped the "Include Binary Attachments In SpamAssassin" to yes in the MailScanner.conf file. Not sure if that did anything or not.

How do I tell if the ole2macro.pm file is ever "used"? Is there an easy way to post to a log file from inside a pm?

I'm in way over my head now... as usual...

Re: Help with Custom SpamAssassin Module

Posted: 07 Apr 2016 06:11
by pdwalker
How about that, so you're right. Those modules exist. No reason for me not to try it out then.

So I installed the optional perl module

yum install perl-File-MimeInfo.noarch
I then edited /etc/mail/spamassassin/local.cf and added in the following lines:

loadplugin OLE2Macro ole2macro.pm
body MICROSOFT_OLE2MACRO eval:check_microsoft_ole2macro()
describe MICROSOFT_OLE2MACRO Has an attachment that contains an OLE2 Macro
score MICROSOFT_OLE2MACRO 4
I then downloaded and copied the ole2macro.pm file to /etc/mail/spamassassin/

cd /etc/mail/spamassassin/
wget https://raw.githubusercontent.com/JonathanThorpe/spamassassin-vba-macro/master/ole2macro.pm
I then accessed the spamassassin lint page <tools menu, SpamAssassin Lint (Test) or https://<efabox>/mailscanner/sa_lint.php> to see if the new settings were picked up, searched for "ole2" and found this:

Apr 7 13:58:42.899 [3259] dbg: config: fixed relative path: /etc/mail/spamassassin/ole2macro.pm	0.41006
Apr 7 13:58:42.899 [3259] dbg: plugin: loading OLE2Macro from /etc/mail/spamassassin/ole2macro.pm	0.00029
Looking good so far.

Now, I sent myself two word documents - one macro enabled document and one not:

with macro

SpamAssassin Score: 8.08
Spam Report:    
Score    Matching Rule        Description
 3.50    BAYES_99             Bayes spam probability is 99 to 100%
 0.10    DKIM_SIGNED          Message has a DKIM or DK signature, not necessarily valid
-0.10    DKIM_VALID           Message has at least one valid DKIM or DK signature
-0.10    DKIM_VALID_AU        Message has a valid DKIM or DK signature from author's domain
 0.00    FREEMAIL_FROM        Sender email is commonly abused enduser mail provider
 0.00    HTML_MESSAGE         HTML included in message
 4.00    MICROSOFT_OLE2MACRO  
-0.00    SPF_HELO_PASS        SPF: HELO matches SPF record
 0.67    SPF_SOFTFAIL         SPF: sender does not match SPF record (softfail)
 0.01    T_FREEMAIL_DOC_PDF

without macro

SpamAssassin Score: 4.08
Spam Report:    
Score    Matching Rule        Description
 3.50    BAYES_99             Bayes spam probability is 99 to 100%
 0.10    DKIM_SIGNED          Message has a DKIM or DK signature, not necessarily valid
-0.10    DKIM_VALID           Message has at least one valid DKIM or DK signature
-0.10    DKIM_VALID_AU        Message has a valid DKIM or DK signature from author's domain
 0.00    FREEMAIL_FROM        Sender email is commonly abused enduser mail provider
 0.00    HTML_MESSAGE         HTML included in message
-0.00    SPF_HELO_PASS        SPF: HELO matches SPF record
 0.67    SPF_SOFTFAIL         SPF: sender does not match SPF record (softfail)
 0.01    T_FREEMAIL_DOC_PDF
and Bob's yer Uncle; which is another way of saying it works like a charm.

Perhaps you didn't put the module in the correct location? Or perhaps you put the configuration settings in the wrong location?

This is a useful SpamAssassin addition. There is almost *no* justifiable reason for sending macro enabled MS Word documents that I can think of.

I'll be curious to see how many documents get flagged by this test going forward.

Re: Help with Custom SpamAssassin Module

Posted: 07 Apr 2016 17:08
by twoeyes
Thanks so much!

I think the problem was that I had the ole2macro.pm in the wrong folder.

Plus the yum line is helpful... that would have been my next challenge.

I'm hoping this proves useful too. These macro viruses in Word Doc files can be scary legit looking...

Re: Help with Custom SpamAssassin Module

Posted: 07 Apr 2016 23:54
by shawniverson

Re: Help with Custom SpamAssassin Module

Posted: 08 Apr 2016 03:37
by pdwalker
twoeyes, glad to help. Thanks for pointing out the module.

shawn, I seem to cause you a lot of extra future work. Thanks for your work in improving the software.

One small comment: the score of 4 might be a little high. While I personally dislike macros in word documents, there may be legitimate reasons for it. I'll keep an eye on my system and see if any such cases appear and report back.

Re: Help with Custom SpamAssassin Module

Posted: 10 Apr 2016 16:33
by Rob.M.P
Don't suppose anyone can help -

After completing all steps and running SpamAssassin Lint (Test) the ole2macro.pm is not picked up.

The Ole2macro.pm file is located in /etc/mail/spamassassin/
I have edited the local.cf file to include these lines -

loadplugin OLE2Macro ole2macro.pm
body MICROSOFT_OLE2MACRO eval:check_microsoft_ole2macro()
describe MICROSOFT_OLE2MACRO Has an attachment that contains an OLE2 Macro
score MICROSOFT_OLE2MACRO 4

Re: Help with Custom SpamAssassin Module

Posted: 10 Apr 2016 16:59
by pdwalker
Check the file permissions and ownership of the module. What are they?

What version of EFA?

Re: Help with Custom SpamAssassin Module

Posted: 10 Apr 2016 17:19
by Rob.M.P
Thanks for the quick response

3.0.0.9

Please see attached showing file permissions

Re: Help with Custom SpamAssassin Module

Posted: 11 Apr 2016 05:39
by pdwalker
Only because you caught me just before I was heading to bed.

How did you get the file permission properties? Your screenshot looks like a Windows dialog box, yet EFA is a Linux based system. How did you access the file to get the properties?

Re: Help with Custom SpamAssassin Module

Posted: 11 Apr 2016 05:56
by Rob.M.P
Using WinSCP to log in to the file structure

Re: Help with Custom SpamAssassin Module

Posted: 11 Apr 2016 06:53
by pdwalker
Thanks.

Well, the permissions, ownership and file size matches mine.

I don't think I restarted mailscanner after installing this module, and I don't think it's necessary, but could you restart the mailscanner service? (Do you know how to log into the machine using ssh and run the "sudo service MailScanner restart" command?)

If you can do that, please recheck the spamassassin lint results.

Next, can you tell me where in the /etc/mail/spamassassin/local.cf you added your configuration lines? Specifically, starting at which line number?

Re: Help with Custom SpamAssassin Module

Posted: 11 Apr 2016 07:36
by Rob.M.P
Hi pdwalker,

Thanks so much for your help.

I moved the configuration lines to the top of the local.cf file. I originally had it located just above the following line -

'endif # Mail::SpamAssasin::Plugin::Shortcircuit'

Thanks again.

Re: Help with Custom SpamAssassin Module

Posted: 11 Apr 2016 07:58
by pdwalker
It should be just below that line, outside of the if/endif blocks.

I've mine at the bottom of the file. That should fix your problem.

- Paul

Re: Help with Custom SpamAssassin Module

Posted: 11 Apr 2016 08:52
by pdwalker
*warning*

While this module is useful, it does not detect all the possible types of Microsoft files containing macro viruses. It only gets some.

See this issue, for example.
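A content check of the kind this thread is about, as an added example in Python (it is not the ole2macro.pm plugin's own code): it flags legacy OLE2 documents that carry a VBA project storage and OOXML documents that carry a vbaProject.bin part, and goes one step beyond what the thread covers by also looking one level inside an ordinary zip wrapper, which is one of the ways a top-level check can miss a macro document. The sample files are constructed inside the block and the function names are my own.

```python
import io
import zipfile
from typing import Optional

# Constructed samples are built below; nothing here is real malware.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML (.docm/.xlsm) and plain .zip
# OLE2 directory entry names are stored as UTF-16LE; a VBA project lives in a
# storage whose name contains "_VBA_PROJECT" (Word: Macros/VBA/_VBA_PROJECT).
OLE2_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")

def has_vba_macro(data: bytes, depth: int = 0) -> Optional[str]:
    """Return where a VBA project was found ('ole2-vba', 'ooxml-vba',
    'nested:...') or None if this heuristic sees nothing."""
    if data.startswith(OLE2_MAGIC):
        return "ole2-vba" if OLE2_VBA_MARKER in data else None
    if data.startswith(ZIP_MAGIC) and depth < 2:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                # OOXML keeps the macro project as word/xl/ppt/vbaProject.bin.
                if any(n.lower().endswith("vbaproject.bin") for n in names):
                    return "ooxml-vba"
                # A macro document wrapped in a plain .zip is invisible to a
                # top-level check, so look one level into each member.
                for n in names:
                    inner = has_vba_macro(zf.read(n), depth + 1)
                    if inner:
                        return "nested:" + inner
        except zipfile.BadZipFile:
            return None
    return None

def make_ole2_with_vba() -> bytes:
    # Constructed: OLE2 magic, padding, then a VBA storage name as it would
    # appear in the directory sector (not a full, valid compound file).
    return OLE2_MAGIC + b"\x00" * 504 + OLE2_VBA_MARKER + b"\x00" * 64

def make_ooxml(with_macro: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 16)
    return buf.getvalue()

def make_outer_zip(inner: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.docm", inner)
    return buf.getvalue()
```

The check is name based only: an encrypted or otherwise unreadable container, or a format whose macro storage is named differently, returns None, which is the same class of gap the warning above describes.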

Re: Help with Custom SpamAssassin Module

Posted: 12 Oct 2016 23:34
by dbrunt
I'm trying to make this work but SA is not adding the scoring when I send a macro enabled .XLS through.
Two installs of EFA: 3.0.0.8 and the other is 3.0.1.1
In the SpamAssassin Lint (Test) the ole2macro.pm is picked up.
Any ideas?

Re: Help with Custom SpamAssassin Module

Posted: 13 Oct 2016 08:55
by pdwalker
Email yourself a word document with an enabled macro and see if that is caught.

Re: Help with Custom SpamAssassin Module

Posted: 13 Oct 2016 08:56
by pdwalker
Better yet, email it to me if you can and let's see if my system catches it. I'll send you a pm with my email address.

Re: Help with Custom SpamAssassin Module

Posted: 14 Oct 2016 07:45
by pdwalker
pdwalker wrote:
*warning*

While this module is useful, it does not detect all the possible types of Microsoft files containing macro viruses. It only gets some.

See this issue, for example.

Update: there are quite a number of office documents with enabled macros that are not detected. Be warned that this plugin is only useful for some, not all documents, so rely on this with caution.

Re: Help with Custom SpamAssassin Module

Posted: 20 Jan 2017 16:11
by eltonb
I just installed and setup EFA 3.0.1.8 to route mail from Internet to my MS Exchange server.
Mailflow is working correctly.

I edited clamd.conf to:
OLE2BlockMacros yes
And saved the change.

However, I just sent myself a .doc Word 2007 attachment with a macro and it went through.
The test file I am using is from:
http://www3.safenet-inc.com/csrt/esafe- ... Macro.html
or
http://www3.safenet-inc.com/csrt/esafe- ... PMacro.doc

Do I need to restart clamd for my change to clamd.conf to take effect?
Is there something else I need to do?
Beyond installing EFA and configuring it to route mail to my Exchange server, I have not made any other changes.

Is there any difference in using clamd to block macros versus using the JonathanThorpe ole2macro.pm method?

Re: Help with Custom SpamAssassin Module

Posted: 20 Jan 2017 17:18
by eltonb
I restarted the entire system, and now it's catching and blocking the macro file, so I assume clamd does need to be restarted.

I finally found the command online for restarting clamd.
I used the command:
sudo service clamd restart

It stops OK, but on start, I get the following. Is this normal behavior?

Stopping Clam AntiVirus Daemon: [ OK ]
Starting Clam AntiVirus Daemon: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 497 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 512 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 528 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/antidebug_antivm.yar, error count 7
LibClamAV Error: yyerror(): /var/lib/clamav/winnow_malware.yara line 65 duplicate identifier "CryptoWall_Resume_phish"
LibClamAV Error: yyerror(): /var/lib/clamav/winnow_malware.yara line 83 duplicate identifier "docx_macro"
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/winnow_malware.yara, error count 2
[ OK ]
[root@EFA-Server admin]#

Re: Help with Custom SpamAssassin Module

Posted: 20 Jan 2017 18:14
by shawniverson
Yes. There are some yara rules present that don't apply to Linux.