Help with Custom SpamAssassin Module

twoeyes
Posts: 5
Joined: 06 Aug 2015 23:31

Help with Custom SpamAssassin Module

Post by twoeyes »

Hi,

I'm trying to install this module into spamassassin: https://github.com/JonathanThorpe/spama ... -vba-macro

We've been getting a scary amount of Word documents with macros getting through EFA. Sooner or later a user is going to run the macro... so I'd like to spam bin them.

I'm trying to install the above module, but I can't figure out where to put the files and settings.

I've put the pm file here: /etc/spamassasin
Tried to add the loadplugin line into init.pre
And the rest in local.cf

But it doesn't seem to work... and I don't even know where to start to debug it.


LC
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Help with Custom SpamAssassin Module

Post by pdwalker »

The instructions at https://github.com/JonathanThorpe/spama ... -vba-macro seem pretty clear to me.

Can you tell me exactly what steps you did to install this spamassassin module?
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Help with Custom SpamAssassin Module

Post by pdwalker »

I'm just having a peek at the perl modules available and comparing that to what this plugin needs.

According to the docs, the following modules are required:
  • IO::Uncompress::Unzip
  • IO::Scalar
  • File::MimeInfo::Magic
Doing a `yum list` command shows the following perl modules available for installation:
  • perl-File-MimeInfo.noarch
I cannot see anything related to IO::Uncompress::Unzip or IO::Scalar.

So, at a guess, unless you want to try installing the missing perl modules by hand (and *shudder* end up in perl module dependency hell), it looks like the necessary packages are not available for you to install to use this spamassassin module.
twoeyes
Posts: 5
Joined: 06 Aug 2015 23:31

Re: Help with Custom SpamAssassin Module

Post by twoeyes »

Thanks pdwalker.

As far as I can tell, the required modules are already installed in EFA.

When I run these:
perl -e 'use IO::Uncompress::Unzip'
perl -e 'use IO::Scalar'

I get back to bash without any error messages... which some webpage said was good. If I try something like: perl -e 'use IO::ScalarFakeModule' - I get an obvious error.

The MimeInfo is supposed to be optional. And when I read the .pm file, I think that's true - but I don't really know perl.

I believe I've followed the docs and sent appropriate test emails, but I see no evidence of it doing anything.

I put the .pm file in /etc/spamassassin
And added the code to /etc/mail/spamassassin/local.cf (I also tried init.pre)

I discovered the spamassassin --lint command, and it comes up clean - though, I'm not 100% sure this uses the same configuration files that MailScanner uses.

Do attachments get forwarded to SA in the EFA setup? I flipped the "Include Binary Attachments In SpamAssassin" to yes in the MailScanner.conf file. Not sure if that did anything or not.

How do I tell if the ole2macro.pm file is ever "used"? Is there an easy way to post to a log file from inside a pm?

I'm in way over my head now... as usual...
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Help with Custom SpamAssassin Module

Post by pdwalker »

How about that, so you're right. Those modules exist. No reason for me not to try it out then.

So I installed the optional perl module

yum install perl-File-MimeInfo.noarch
I then edited /etc/mail/spamassassin/local.cf and added in the following lines:

loadplugin OLE2Macro ole2macro.pm
body MICROSOFT_OLE2MACRO eval:check_microsoft_ole2macro()
describe MICROSOFT_OLE2MACRO Has an attachment that contains an OLE2 Macro
score MICROSOFT_OLE2MACRO 4
I then downloaded and copied the ole2macro.pm file to /etc/mail/spamassassin/

cd /etc/mail/spamassassin/
wget https://raw.githubusercontent.com/JonathanThorpe/spamassassin-vba-macro/master/ole2macro.pm
I then accessed the spamassassin lint page <tools menu, SpamAssassin Lint (Test) or https://<efabox>/mailscanner/sa_lint.php>, to see if the new settings were picked up and search for "ole2" and found this

Apr 7 13:58:42.899 [3259] dbg: config: fixed relative path: /etc/mail/spamassassin/ole2macro.pm	0.41006
Apr 7 13:58:42.899 [3259] dbg: plugin: loading OLE2Macro from /etc/mail/spamassassin/ole2macro.pm	0.00029
Looking good so far.

Now, I sent myself two word documents - one macro enabled document and one not:

with macro

SpamAssassin Score: 8.08
Spam Report:    
Score    Matching Rule        Description
 3.50    BAYES_99             Bayes spam probability is 99 to 100%
 0.10    DKIM_SIGNED          Message has a DKIM or DK signature, not necessarily valid
-0.10    DKIM_VALID           Message has at least one valid DKIM or DK signature
-0.10    DKIM_VALID_AU        Message has a valid DKIM or DK signature from author's domain
 0.00    FREEMAIL_FROM        Sender email is commonly abused enduser mail provider
 0.00    HTML_MESSAGE         HTML included in message
 4.00    MICROSOFT_OLE2MACRO  
-0.00    SPF_HELO_PASS        SPF: HELO matches SPF record
 0.67    SPF_SOFTFAIL         SPF: sender does not match SPF record (softfail)
 0.01    T_FREEMAIL_DOC_PDF

without macro

SpamAssassin Score: 4.08
Spam Report:    
Score    Matching Rule        Description
 3.50    BAYES_99             Bayes spam probability is 99 to 100%
 0.10    DKIM_SIGNED          Message has a DKIM or DK signature, not necessarily valid
-0.10    DKIM_VALID           Message has at least one valid DKIM or DK signature
-0.10    DKIM_VALID_AU        Message has a valid DKIM or DK signature from author's domain
 0.00    FREEMAIL_FROM        Sender email is commonly abused enduser mail provider
 0.00    HTML_MESSAGE         HTML included in message
-0.00    SPF_HELO_PASS        SPF: HELO matches SPF record
 0.67    SPF_SOFTFAIL         SPF: sender does not match SPF record (softfail)
 0.01    T_FREEMAIL_DOC_PDF
and Bob's yer Uncle; which is another way of saying it works like a charm.

Perhaps you didn't put the module in the correct location? Or perhaps you put the configuration settings in the wrong location?

This is a useful spam assassin addition. There is almost *no* justifiable reason for sending macro enabled MS Word documents that I can think of.

I'll be curious to see how many documents get flagged by this test going forward.
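As an added illustration of the kind of attachment check the rule above performs (this is not the ole2macro.pm plugin's own code): a small Python detector that flags OLE2 documents carrying a VBA project stream and OOXML packages carrying vbaProject.bin, run over constructed sample attachments. The signatures, helper names and the RULE_SCORE constant are assumptions; anything that is neither OLE2 nor a zip is left uninspected, which is one reason a check like this misses some macro carriers.

```python
import io
import zipfile

# Assumed markers: OLE2 compound files start with this 8-byte signature, and a
# VBA project inside one has a "_VBA_PROJECT" stream whose name is stored as UTF-16LE.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
VBA_STREAM_MARKER = "_VBA_PROJECT".encode("utf-16-le")
RULE_SCORE = 4.0  # the score the thread gives MICROSOFT_OLE2MACRO


def _ole2_has_macro(data: bytes) -> bool:
    # Cheap check: a directory entry named _VBA_PROJECT means a VBA project is present.
    return VBA_STREAM_MARKER in data


def _ooxml_has_macro(data: bytes) -> bool:
    # Macro-enabled OOXML (docm/xlsm/pptm) packages carry a vbaProject.bin part.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(data: bytes) -> str:
    """Return 'ole2-macro', 'ooxml-macro', 'clean' or 'unknown-format'."""
    if data.startswith(OLE2_MAGIC):
        return "ole2-macro" if _ole2_has_macro(data) else "clean"
    if data.startswith(ZIP_MAGIC):
        return "ooxml-macro" if _ooxml_has_macro(data) else "clean"
    return "unknown-format"  # e.g. RTF or MHT carriers: not inspected, so never flagged


def macro_rule_score(attachments) -> float:
    """Score a message like the MICROSOFT_OLE2MACRO rule: one flagged attachment is enough."""
    hit = any(classify_attachment(a).endswith("-macro") for a in attachments)
    return RULE_SCORE if hit else 0.0


def make_ooxml(with_macro: bool) -> bytes:
    """Constructed stand-in for a docx/docm package, reduced to the parts that matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x01\x16\x01\x00")
    return buf.getvalue()


# Constructed sample attachments: a fake OLE2 .doc with and without a VBA project.
SAMPLE_OLE2_MACRO = OLE2_MAGIC + b"\x00" * 64 + VBA_STREAM_MARKER
SAMPLE_OLE2_CLEAN = OLE2_MAGIC + b"\x00" * 64 + "WordDocument".encode("utf-16-le")
```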
twoeyes
Posts: 5
Joined: 06 Aug 2015 23:31

Re: Help with Custom SpamAssassin Module

Post by twoeyes »

Thanks so much!

I think the problem was that I had the ole2macro.pm in the wrong folder.

Plus the yum line is helpful... that would have been my next challenge.

I'm hoping this proves useful too. These macro viruses in Word Doc files can be scary legit looking...
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Help with Custom SpamAssassin Module

Post by pdwalker »

twoeyes, glad to help. thanks for pointing out the module.

shawn, I seem to cause you a lot of extra future work. Thanks for your work in improving the software.

One small comment: the score of 4 might be a little high. While I personally dislike macros in Word documents, there may be legitimate reasons for it. I'll keep an eye on my system and see if any such cases appear and report back.
Rob.M.P
Posts: 26
Joined: 28 Jan 2014 23:01

Re: Help with Custom SpamAssassin Module

Post by Rob.M.P »

Don't suppose anyone can help -

After completing all steps and running SpamAssassin Lint (Test) the ole2macro.pm is not picked up.

The Ole2macro.pm file is located in /etc/mail/spamassassin/
I have edited the local.cf file to include these lines -

loadplugin OLE2Macro ole2macro.pm
body MICROSOFT_OLE2MACRO eval:check_microsoft_ole2macro()
describe MICROSOFT_OLE2MACRO Has an attachment that contains an OLE2 Macro
score MICROSOFT_OLE2MACRO 4
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Help with Custom SpamAssassin Module

Post by pdwalker »

Check the file permissions and ownership of the module. What are they?

What version of EFA?
Rob.M.P
Posts: 26
Joined: 28 Jan 2014 23:01

Re: Help with Custom SpamAssassin Module

Post by Rob.M.P »

Thanks for the quick response

3.0.0.9

Please see attached showing file permissions
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Help with Custom SpamAssassin Module

Post by pdwalker »

Only because you caught me just before I was heading to bed.

How did you get the file permission properties? Your screenshot looks like a Windows dialog box, yet EFA is a Linux based system. How did you access the file to get the properties?
Rob.M.P
Posts: 26
Joined: 28 Jan 2014 23:01

Re: Help with Custom SpamAssassin Module

Post by Rob.M.P »

Using WinSCP to log in to the file structure.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Help with Custom SpamAssassin Module

Post by pdwalker »

Thanks.

Well, the permissions, ownership and file size match mine.

I don't think I restarted mailscanner after installing this module, and I don't think it's necessary, but could you restart the mailscanner service? (Do you know how to log into the machine using ssh and run the "sudo service MailScanner restart" command?)

If you can do that, please recheck the spamassassin lint results.

Next, can you tell me where in the /etc/mail/spamassassin/local.cf you added your configuration lines? Specifically, starting at which line number?
Rob.M.P
Posts: 26
Joined: 28 Jan 2014 23:01

Re: Help with Custom SpamAssassin Module

Post by Rob.M.P »

Hi pdwalker,

Thanks so much for your help.

I moved the configuration lines to the top of the local.cf file. I originally had it located just above the following line -

'endif # Mail::SpamAssasin::Plugin::Shortcircuit'

Thanks again.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Help with Custom SpamAssassin Module

Post by pdwalker »

It should be just below that line, outside of the if/endif blocks.

I have mine at the bottom of the file. That should fix your problem.

- Paul
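The placement problem described in this exchange, as an added Python check that is not part of the thread or of EFA: it walks a local.cf fragment, tracks if/ifplugin ... endif nesting, reports the OLE2Macro lines that ended up inside a conditional block, and moves them to the end of the file as recommended above. The sample local.cf text is constructed to mirror the thread; the function names are assumptions.

```python
# Constructed local.cf fragment reproducing the misplacement from the thread:
# the OLE2Macro lines sit inside an ifplugin ... endif block instead of after it.
SAMPLE_LOCAL_CF = """\
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
  shortcircuit USER_IN_WHITELIST on
  loadplugin OLE2Macro ole2macro.pm
  body MICROSOFT_OLE2MACRO eval:check_microsoft_ole2macro()
  describe MICROSOFT_OLE2MACRO Has an attachment that contains an OLE2 Macro
  score MICROSOFT_OLE2MACRO 4
endif # Mail::SpamAssassin::Plugin::Shortcircuit
"""

CONDITIONAL_OPEN = ("if", "ifplugin")  # SpamAssassin conditionals, closed by endif


def lines_inside_conditionals(cf_text: str, needle: str):
    """Return (line_no, text) for every line containing needle that is nested
    inside an if/ifplugin ... endif block; comments and blank lines are ignored."""
    depth = 0
    hits = []
    for no, raw in enumerate(cf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword = line.split()[0]
        if keyword in CONDITIONAL_OPEN:
            depth += 1
        elif keyword == "endif":
            depth = max(depth - 1, 0)
        elif needle in line and depth > 0:
            hits.append((no, line))
    return hits


def fix_placement(cf_text: str, needle: str) -> str:
    """Move every misplaced line to the end of the file, outside any if/endif block."""
    misplaced = {no for no, _ in lines_inside_conditionals(cf_text, needle)}
    kept, moved = [], []
    for no, raw in enumerate(cf_text.splitlines(), 1):
        if no in misplaced:
            moved.append(raw.strip())
        else:
            kept.append(raw)
    return "\n".join(kept + moved) + "\n"
```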
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Help with Custom SpamAssassin Module

Post by pdwalker »

*warning*

While this module is useful, it does not detect all the possible types of Microsoft files containing macro viruses. It only gets some.

See this issue, for example.
dbrunt
Posts: 64
Joined: 28 Nov 2015 00:09

Re: Help with Custom SpamAssassin Module

Post by dbrunt »

I'm trying to make this work but SA is not adding the scoring when I send a macro enabled .XLS through.
Two installs of EFA: 3.0.0.8 and the other is 3.0.1.1
In the SpamAssassin Lint (Test) the ole2macro.pm is picked up.
Any ideas?
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Help with Custom SpamAssassin Module

Post by pdwalker »

Email yourself a Word document with an enabled macro and see if that is caught.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Help with Custom SpamAssassin Module

Post by pdwalker »

Better yet, email it to me if you can and let's see if my system catches it. I'll send you a PM with my email address.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Help with Custom SpamAssassin Module

Post by pdwalker »

pdwalker wrote:*warning*

While this module is useful, it does not detect all the possible types of Microsoft files containing macro viruses. It only gets some.

See this issue, for example.
Update: there are quite a number of Office documents with enabled macros that are not detected. Be warned that this plugin is only useful for some, not all, documents, so rely on it with caution.
eltonb
Posts: 2
Joined: 20 Jan 2017 15:36

Re: Help with Custom SpamAssassin Module

Post by eltonb »

I just installed and setup EFA 3.0.1.8 to route mail from Internet to my MS Exchange server.
Mailflow is working correctly.

I edited clamd.conf to:
OLE2BlockMacros yes
And saved the change.

However, I just sent myself a .doc Word 2007 attachment with a macro and it went through.
The test file I am using is from:
http://www3.safenet-inc.com/csrt/esafe- ... Macro.html
or
http://www3.safenet-inc.com/csrt/esafe- ... PMacro.doc

Do I need to restart clamd for my change to clamd.conf to take effect?
Is there something else I need to do?
Beyond installing EFA and configuring it to route mail to my Exchange server, I have not made any other changes.

Is there any difference in using clamd to block macros versus using the JonathanThorpe ole2macro.pm method?
eltonb
Posts: 2
Joined: 20 Jan 2017 15:36

Re: Help with Custom SpamAssassin Module

Post by eltonb »

I restarted the entire system, and now it's catching and blocking the macro file, so I assume clamd does need to be restarted.

I finally found the command online for restarting clamd
I used the command:
sudo service clamd restart

It stops OK, but on start, I get the following. Is this normal behavior?

Stopping Clam AntiVirus Daemon: [ OK ]
Starting Clam AntiVirus Daemon: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 497 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 512 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 528 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/antidebug_antivm.yar, error count 7
LibClamAV Error: yyerror(): /var/lib/clamav/winnow_malware.yara line 65 duplicate identifier "CryptoWall_Resume_phish"
LibClamAV Error: yyerror(): /var/lib/clamav/winnow_malware.yara line 83 duplicate identifier "docx_macro"
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/winnow_malware.yara, error count 2
[ OK ]
[root@EFA-Server admin]#
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

Re: Help with Custom SpamAssassin Module

Post by shawniverson »

Yes. There are some yara rules present that don't apply to Linux.