Help with Custom SpamAssassin Module
Hi,
I'm trying to install this module into spamassasin: https://github.com/JonathanThorpe/spama ... -vba-macro
We've been getting a scary amount of Word documents with macros getting through EFA. Sooner or later a user is going to run the macro... so I'd like to spam bin them.
I'm trying to install the above module, but I can't figure out where to put the files and settings.
I've put the pm file here: /etc/spamassasin
Tried to add the loadplugin line into init.pre
And the rest in local.cf
But it doesn't seem to work... and I don't even know where to start to debug it.
LC
Re: Help with Custom SpamAssassin Module
The instructions at https://github.com/JonathanThorpe/spama ... -vba-macro seem pretty clear to me.
Can you tell me exactly what steps you did to install this spamassassin module?
Re: Help with Custom SpamAssassin Module
I'm just having a peek at the perl modules available and comparing that to what this plugin needs.
According to the docs, the following modules are required:
- IO::Uncompress::Unzip
- IO::Scalar
- File::MimeInfo::Magic
- perl-File-MimeInfo.noarch
So, at a guess, unless you want to try installing the missing perl modules by hand (and *shudder* end up in perl module dependency hell), it looks like the necessary packages are not available for you to install to use this spamassassin module.
Re: Help with Custom SpamAssassin Module
Thanks pdwalker.
As far as I can tell, the required modules are already installed in EFA.
When I run these:
perl -e 'use IO::Uncompress::Unzip'
perl -e 'use IO::Scalar'
I get back to bash without any error messages... which some webpage said was good. If I try something like: perl -e 'use IO::ScalarFakeModule' - I get an obvious error.
The MimeInfo is supposed to be optional. And when I read the .pm file, I think that's true - but I don't really know perl.
I believe I've followed the docs and sent appropriate test emails, but I see no evidence of it doing anything.
I put the .pm file in /etc/spamassassin
And added the code to /etc/mail/spamassassin/local.cf (I also tried init.pre)
I discovered the spamassassin --lint command, and it comes up clean - though, I'm not 100% sure this uses the same configuration files that MailScanner uses.
Do attachments get forwarded to SA in the EFA setup? I flipped the "Include Binary Attachments In SpamAssassin" to yes in the MailScanner.conf file. Not sure if that did anything or not.
How do I tell if the ole2macro.pm file is ever "used"? Is there an easy way to post to a log file from inside a pm?
I'm in way over my head now... as usual...
Re: Help with Custom SpamAssassin Module
How about that, so you're right. Those modules exist. No reason for me not to try it out then.
So I installed the optional perl module:
yum install perl-File-MimeInfo.noarch
I then edited /etc/mail/spamassassin/local.cf and added in the following lines:
loadplugin OLE2Macro ole2macro.pm
body MICROSOFT_OLE2MACRO eval:check_microsoft_ole2macro()
describe MICROSOFT_OLE2MACRO Has an attachment that contains an OLE2 Macro
score MICROSOFT_OLE2MACRO 4
I then downloaded and copied the ole2macro.pm file to /etc/mail/spamassassin/
cd /etc/mail/spamassassin/
wget https://raw.githubusercontent.com/JonathanThorpe/spamassassin-vba-macro/master/ole2macro.pm
I then accessed the spamassassin lint page (tools menu, SpamAssassin Lint (Test), or https://<efabox>/mailscanner/sa_lint.php) to see if the new settings were picked up, searched for "ole2" and found this:
Apr 7 13:58:42.899 [3259] dbg: config: fixed relative path: /etc/mail/spamassassin/ole2macro.pm 0.41006
Apr 7 13:58:42.899 [3259] dbg: plugin: loading OLE2Macro from /etc/mail/spamassassin/ole2macro.pm 0.00029
Looking good so far.
Now, I sent myself two word documents - one macro enabled document and one not:
with macro
SpamAssassin Score: 8.08
Spam Report:
Score Matching Rule Description
3.50 BAYES_99 Bayes spam probability is 99 to 100%
0.10 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
-0.10 DKIM_VALID Message has at least one valid DKIM or DK signature
-0.10 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
0.00 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
0.00 HTML_MESSAGE HTML included in message
4.00 MICROSOFT_OLE2MACRO
-0.00 SPF_HELO_PASS SPF: HELO matches SPF record
0.67 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
0.01 T_FREEMAIL_DOC_PDF
without macro
SpamAssassin Score: 4.08
Spam Report:
Score Matching Rule Description
3.50 BAYES_99 Bayes spam probability is 99 to 100%
0.10 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
-0.10 DKIM_VALID Message has at least one valid DKIM or DK signature
-0.10 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
0.00 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
0.00 HTML_MESSAGE HTML included in message
-0.00 SPF_HELO_PASS SPF: HELO matches SPF record
0.67 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
0.01 T_FREEMAIL_DOC_PDF
and Bob's yer Uncle; which is another way of saying it works like a charm.
Perhaps you didn't put the module in the correct location? Or perhaps you put the configuration settings in the wrong location?
This is a useful spam assassin addition. There is almost *no* justifiable reason for sending macro enabled MS Word documents that I can think of.
I'll be curious to see how many documents get flagged by this test going forward.
Re: Help with Custom SpamAssassin Module
Thanks so much!
I think the problem was that I had the ole2macro.pm in the wrong folder.
Plus the yum line is helpful... that would have been my next challenge.
I'm hoping this proves useful too. These macro viruses in Word Doc files can be scary legit looking...
- shawniverson
Re: Help with Custom SpamAssassin Module
twoeyes, glad to help. thanks for pointing out the module.
shawn, I seem to cause you a lot of extra future work. Thanks for your work in improving the software.
one small comment; the score of 4 might be a little high. while I personally dislike macros in word documents, there may be legitimate reasons for it. I'll keep an eye on my system and see if any such cases appear and report back.
Re: Help with Custom SpamAssassin Module
Don't suppose anyone can help -
After completing all steps and running SpamAssassin Lint (Test) the ole2macro.pm is not picked up.
The Ole2macro.pm file is located in /etc/mail/spamassassin/
I have edited the local.cf file to include these lines -
loadplugin OLE2Macro ole2macro.pm
body MICROSOFT_OLE2MACRO eval:check_microsoft_ole2macro()
describe MICROSOFT_OLE2MACRO Has an attachment that contains an OLE2 Macro
score MICROSOFT_OLE2MACRO 4
Re: Help with Custom SpamAssassin Module
Check the file permissions and ownership of the module. What are they?
What version of EFA?
Re: Help with Custom SpamAssassin Module
Thanks for the quick response
3.0.0.9
Please see attached showing file permissions
- Attachment: Capture-2.JPG (29.13 KiB)
Re: Help with Custom SpamAssassin Module
Only because you caught me just before I was heading to bed.
How did you get the file permission properties? Your screen shot looks like a windows dialog box, yet EFA is a linux based system. How did you access the file to get the properties?
Re: Help with Custom SpamAssassin Module
Using winscp to login to the file structure
Re: Help with Custom SpamAssassin Module
Thanks.
Well, the permissions, ownership and file size match mine.
I don't think I restarted mailscanner after installing this module, and I don't think it's necessary, but could you restart the mailscanner service? (Do you know how to log into the machine using ssh and run the "sudo service MailScanner restart" command?)
If you can do that, please recheck the spamassassin lint results.
Next, can you tell me where in the /etc/mail/spamassassin/local.cf you added your configuration lines? Specifically, starting at which line number?
Re: Help with Custom SpamAssassin Module
Hi pdwalker,
Thanks so much for your help.
I moved the configuration lines to the top of the local.cf file. I originally had it located just above the following line -
'endif # Mail::SpamAssasin::Plugin::Shortcircuit'
Thanks again.
Re: Help with Custom SpamAssassin Module
It should be just below that line, outside of the if/endif blocks.
I've mine at the bottom of the file. That should fix your problem.
- Paul
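Both failure modes in this thread (the first poster's ole2macro.pm sitting in /etc/spamassassin rather than beside local.cf, and the later poster's configuration lines landing above the Shortcircuit endif, i.e. inside the ifplugin block) can be checked before any test mail is sent. The script below is an added example written for this page; it is not code from EFA, MailScanner or the ole2macro plugin. The directory layout and local.cf fragment it builds are constructed to reproduce the two mistakes. It relies on two pieces of SpamAssassin behaviour visible in the thread: a relative path on a loadplugin line is resolved against the directory of the config file that contains it (the "fixed relative path" line in the lint output above), and lines inside an if/ifplugin ... endif block are skipped whenever that block's condition is false.

```shell
#!/bin/sh
# sa_plugin_check.sh: sanity-check a SpamAssassin local.cf for the two
# mistakes made in this thread. Added example for this page; not part of
# EFA, MailScanner or the ole2macro plugin.
#
#  1. A relative path in "loadplugin NAME file.pm" is resolved against the
#     directory of the config file, so the .pm must sit beside local.cf.
#  2. Lines inside an if/ifplugin ... endif block are skipped whenever the
#     block's condition is false (e.g. the Shortcircuit plugin not loaded).

# Print "LINE: text" for each line of FILE matching PATTERN (an awk ERE)
# that sits inside an if/ifplugin ... endif block. Exit 1 if any, else 0.
sa_lines_inside_blocks() {
    awk -v pat="$2" '
        /^[[:space:]]*(if|ifplugin)[[:space:]]/ { depth++ }
        /^[[:space:]]*endif([[:space:]]|$)/     { if (depth > 0) depth-- }
        $0 ~ pat && depth > 0                   { print NR ": " $0; found = 1 }
        END                                     { exit found ? 1 : 0 }
    ' "$1"
}

# For each "loadplugin NAME path" line of FILE with a relative path, print the
# resolved path when that file does not exist. Exit 1 if any are missing.
sa_missing_plugin_files() {
    cf=$1
    dir=$(dirname "$cf")
    missing=0
    for rel in $(awk '$1 == "loadplugin" && NF >= 3 && $3 !~ /^\// { print $3 }' "$cf"); do
        if [ ! -f "$dir/$rel" ]; then
            echo "$dir/$rel"
            missing=1
        fi
    done
    return $missing
}

# Build a constructed /etc layout under a temp dir, run both checks on it and
# print "<nested-line-count> <missing-file-count>".
#   demo_checks broken  -> the thread's mistakes: .pm in etc/spamassassin and
#                          rules placed above the Shortcircuit endif
#   demo_checks fixed   -> .pm beside local.cf, rules after the endif
demo_checks() {
    work=$(mktemp -d)
    mkdir -p "$work/etc/spamassassin" "$work/etc/mail/spamassassin"
    cf="$work/etc/mail/spamassassin/local.cf"
    if [ "$1" = "fixed" ]; then
        : > "$work/etc/mail/spamassassin/ole2macro.pm"
        cat > "$cf" <<'EOF'
# constructed fragment, not a real EFA local.cf
required_score 5
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
  shortcircuit USER_IN_WHITELIST on
endif # Mail::SpamAssassin::Plugin::Shortcircuit
loadplugin OLE2Macro ole2macro.pm
body MICROSOFT_OLE2MACRO eval:check_microsoft_ole2macro()
describe MICROSOFT_OLE2MACRO Has an attachment that contains an OLE2 Macro
score MICROSOFT_OLE2MACRO 4
EOF
    else
        : > "$work/etc/spamassassin/ole2macro.pm"
        cat > "$cf" <<'EOF'
# constructed fragment, not a real EFA local.cf
required_score 5
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
  shortcircuit USER_IN_WHITELIST on
  loadplugin OLE2Macro ole2macro.pm
  body MICROSOFT_OLE2MACRO eval:check_microsoft_ole2macro()
  describe MICROSOFT_OLE2MACRO Has an attachment that contains an OLE2 Macro
endif # Mail::SpamAssassin::Plugin::Shortcircuit
score MICROSOFT_OLE2MACRO 4
EOF
    fi
    nested=$(sa_lines_inside_blocks "$cf" 'OLE2MACRO|OLE2Macro' | awk 'END { print NR }')
    missing=$(sa_missing_plugin_files "$cf" | awk 'END { print NR }')
    rm -rf "$work"
    echo "$nested $missing"
}

# "3 1" for the broken layout, "0 0" once both mistakes are corrected
demo_checks broken
demo_checks fixed
```

On a live box the two helpers run directly against the real file: sa_lines_inside_blocks /etc/mail/spamassassin/local.cf 'OLE2MACRO|OLE2Macro' and sa_missing_plugin_files /etc/mail/spamassassin/local.cf both print nothing and return 0 when the config is sound. After that, spamassassin -D --lint 2>&1 | grep -i ole2 should show the same "loading OLE2Macro from ..." debug line that the EFA lint page shows in pdwalker's post; if it does not, the plugin is not being loaded regardless of what the rules say.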
Re: Help with Custom SpamAssassin Module
*warning*
While this module is useful, it does not detect all the possible types of Microsoft files containing macro viruses. It only gets some.
See this issue, for example.
Re: Help with Custom SpamAssassin Module
I'm trying to make this work but SA is not adding the scoring when I send a macro enabled .XLS through.
Two installs of EFA: 3.0.0.8 and the other is 3.0.1.1
In the SpamAssassin Lint (Test) the ole2macro.pm is picked up.
Any ideas?
Re: Help with Custom SpamAssassin Module
email yourself a word document with an enabled macro and see if that is caught.
Re: Help with Custom SpamAssassin Module
better yet, email it to me if you can and let's see if my system catches it. I'll send you a pm with my email address
Re: Help with Custom SpamAssassin Module
pdwalker wrote:
*warning*
While this module is useful, it does not detect all the possible types of Microsoft files containing macro viruses. It only gets some.
See this issue, for example.
Update: there are quite a number of office documents with enabled macros that are not detected. Be warned that this plugin is only useful for some, not all documents, so rely on this with caution.
Re: Help with Custom SpamAssassin Module
I just installed and setup EFA 3.0.1.8 to route mail from Internet to my MS Exchange server.
Mailflow is working correctly.
I edited clamd.conf to:
OLE2BlockMacros yes
And saved the change.
However, I just sent myself a .doc Word 2007 attachment with a macro and it went through.
The test file I am using is from:
http://www3.safenet-inc.com/csrt/esafe- ... Macro.html
or
http://www3.safenet-inc.com/csrt/esafe- ... PMacro.doc
Do I need to restart clamd for my change to clamd.conf to take effect?
Is there something else I need to do?
Beyond installing EFA and configuring it to route mail to my Exchange server, I have not made any other changes.
Is there any difference in using clamd to block macros versus using the JonathanThorpe ole2macro.pm method?
Re: Help with Custom SpamAssassin Module
I restarted the entire system, and now it's catching and blocking the macro file, so I assume clamd does need to be restarted.
I finally found the command online for restarting clamd
I used the command:
sudo service clamd restart
It stops OK, but on start, I get the following. Is this normal behavior?
Stopping Clam AntiVirus Daemon: [ OK ]
Starting Clam AntiVirus Daemon: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 497 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 512 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 528 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/antidebug_antivm.yar, error count 7
LibClamAV Error: yyerror(): /var/lib/clamav/winnow_malware.yara line 65 duplicate identifier "CryptoWall_Resume_phish"
LibClamAV Error: yyerror(): /var/lib/clamav/winnow_malware.yara line 83 duplicate identifier "docx_macro"
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/winnow_malware.yara, error count 2
[ OK ]
[root@EFA-Server admin]#
- shawniverson
Re: Help with Custom SpamAssassin Module
yes. There are some yara rules present that don't apply to Linux.