Thank you RW, that was it.

Although, I don't understand why those rules aren't defined by default - the 
manpage suggests using ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro for the 
rules, and the plugin isn't loaded by default, so why not have those rules all 
the time with ifplugin?

Anyway, one other thing I noticed (unless I'm missing something again), is that 
some of the default macro extensions are incorrect:

olemacro_exts (default: (?:doc|docx|dot|pot|ppa|pps|ppt|rtf|sldm|xl|xla|xls|xlsx|xlt|xltx|xslb)$)
        Set the case-insensitive regexp used to configure the extensions the plugin targets for macro scanning

olemacro_macro_exts (default: (?:docm|dotm|ppam|potm|ppst|ppsm|pptm|sldm|xlm|xlam|xlsb|xlsm|xltm|xltx|xps)$)
        Set the case-insensitive regexp used to configure the extensions the plugin treats as containing a macro

olemacro_skip_exts (default: (?:dotx|potx|ppsx|pptx|sldx|xltx)$)
        Set the case-insensitive regexp used to configure extensions for the plugin to skip entirely, these should only be guaranteed macro free files

The .docx, .xlsx, and .pptx files don't contain macros:  
https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions 

Of course, a spammer could rename a macro-containing Word file as .docx, but I 
guess that's what the olemacro_extended_scan option to look for renamed files 
is for.

Thanks again.



    On Friday, October 30, 2020, 7:05:49 PM EDT, RW <rwmailli...@googlemail.com> wrote:
 
 
You didn't mention creating the rules. The tests have their own
definitions.

see perldoc Mail::SpamAssassin::Plugin::OLEVBMacro
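
An added example, not part of the thread and not the plugin's own code: it sorts a file extension into the three default lists quoted above and flags an OOXML (ZIP) attachment that carries a vbaProject.bin part under a name outside olemacro_macro_exts, the renamed-file case raised in the message. The function names, the constructed sample files and the choice to match the regexps against the text after the last dot are assumptions; it does not reproduce how olemacro_extended_scan works internally.

```python
import io
import re
import zipfile

# Default regexps exactly as quoted from the manpage in the message above.
EXTS = re.compile(r"(?:doc|docx|dot|pot|ppa|pps|ppt|rtf|sldm|xl|xla|xls|xlsx|xlt|xltx|xslb)$", re.I)
MACRO_EXTS = re.compile(r"(?:docm|dotm|ppam|potm|ppst|ppsm|pptm|sldm|xlm|xlam|xlsb|xlsm|xltm|xltx|xps)$", re.I)
SKIP_EXTS = re.compile(r"(?:dotx|potx|ppsx|pptx|sldx|xltx)$", re.I)
LISTS = (("exts", EXTS), ("macro_exts", MACRO_EXTS), ("skip_exts", SKIP_EXTS))


def classify(filename):
    """Return the default lists whose regexp matches the file's extension."""
    ext = filename.rsplit(".", 1)[-1]  # assumption: match on text after last dot
    return [name for name, rx in LISTS if rx.match(ext)]


def has_vba_project(data):
    """True if data is a ZIP (OOXML) container holding a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # legacy OLE2 or non-Office data: not handled in this sketch


def renamed_macro_file(filename, data):
    """Flag a macro-carrying container whose extension is not in macro_exts."""
    return has_vba_project(data) and "macro_exts" not in classify(filename)


def make_ooxml(with_macro):
    """Build a constructed, minimal ZIP that mimics an OOXML part layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    samples = (("report.docx", False), ("invoice.docx", True), ("invoice.docm", True))
    for name, macro in samples:
        flagged = renamed_macro_file(name, make_ooxml(macro))
        print(f"{name}: lists={classify(name)} renamed_macro={flagged}")
    # Extensions that land in more than one default list:
    for name in ("deck.sldm", "sheet.xltx"):
        print(f"{name}: lists={classify(name)}")
```

Run against the quoted defaults, .sldm falls in both olemacro_exts and olemacro_macro_exts, and .xltx falls in all three lists.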
  
