On Wed, 6 Apr 2016, Alex wrote:

Hi,

On Wed, Apr 6, 2016 at 3:12 AM, <m...@junc.eu> wrote:
Alex wrote on 2016-04-06 02:40:

http://pastebin.com/FTzbQcHb

The Heuristics.OLE2.ContainsMacros rule is added by amavisd+clamav,
but it's apparently not something that spamassassin can manipulate

change clamd to block this mail, or score this with a higher score in
amavisd, but blocking only makes sense if you use amavisd-milter so it would
reject if it contains macros, here I just use clamav-milter not amavisd

it's not spam, it's really malware; handling it as such is suggested

This one may be spam/malware, but the vast majority of them are not.
Blocking all files with macros is an obvious solution, but not a good
one.

Is it even possible to use SA to create a rule based on whether it
contains an attachment that has macros? At least then we could create
more aggressive meta rules.

FWIW,

Your example hits on the Sanesecurity custom ClamAV defs (specifically Sanesecurity.Badmacro.Doc.objl.UNOFFICIAL).

I have two instances of ClamAV running:

One with just the stock defs from ClamAV which I use in a front-end milter to outright SMTP-reject any detected viruses.

The second has all the algorithmic, PUAs, etc bells-&-whistles activated plus
a full set of 3rd party "unofficial" defs (Sanesecurity, winnow, bofhland,
etc) that is just used through the SA Clamav.pm plugin.
That adds a custom 'X-Spam-Clamav' header to the message that contains the name
of the def that fired. I then have SA rules to score against based upon that.

So for example, "Sanesecurity.Badmacro" can be used to trigger a rule
to hit messages which need to be quarantined, etc.

You could create a custom ClamAV def that would look for any kind of macro
inside the various popular documents (.doc, .rtf, .pdf, etc) (ClamAV is good
at knowing how to unpack/scan attachments, so use it as a scanning engine).
You could then craft special handling based upon the detection of said macros
(delivery-time quarantining, etc.).


--
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
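An added illustration of the setup Dave describes and of the meta rules Alex asked about; this is not configuration from either poster, and it assumes that the ClamAV result reaches SpamAssassin as a header literally named `X-Spam-Clamav` (the name Dave uses) and that the FreeMail plugin is loaded so `FREEMAIL_FROM` exists. The rule names and scores are constructed for the example:

```conf
# local.cf fragment (added example, not from the list thread).
# Assumes an upstream stage writes the ClamAV signature name into an
# X-Spam-Clamav header before SpamAssassin evaluates rules.

# Sub-rules (leading __ means: no score of their own, only used by metas).
# Sanesecurity.Badmacro.* = third-party def for a known-bad document macro.
header   __CLAMAV_BADMACRO    X-Spam-Clamav =~ /\bSanesecurity\.Badmacro\b/i
# Heuristics.OLE2.ContainsMacros = ClamAV's own "a macro exists" heuristic;
# it fires on plenty of legitimate documents, so it must not score high alone.
header   __CLAMAV_MACRO_HEUR  X-Spam-Clamav =~ /\bHeuristics\.OLE2\.ContainsMacros\b/i

# Known-bad macro signature: enough to push the message over a quarantine threshold.
meta     CLAMAV_BADMACRO      __CLAMAV_BADMACRO
describe CLAMAV_BADMACRO      Third-party ClamAV def matched a known-bad document macro
score    CLAMAV_BADMACRO      6.0

# Any macro at all: a small nudge only (constructed score).
meta     CLAMAV_MACRO_ANY     __CLAMAV_MACRO_HEUR && !__CLAMAV_BADMACRO
describe CLAMAV_MACRO_ANY     Attachment contains a macro (heuristic only, mostly legitimate)
score    CLAMAV_MACRO_ANY     0.5

# The "more aggressive meta rule": a macro-bearing document combined with
# another weak indicator (here a free-webmail sender via the FreeMail plugin).
meta     MACRO_FROM_FREEMAIL  __CLAMAV_MACRO_HEUR && FREEMAIL_FROM
describe MACRO_FROM_FREEMAIL  Macro-bearing document sent from a free webmail address
score    MACRO_FROM_FREEMAIL  3.0
```

Two points worth checking before relying on this. First, `header` rules only see headers that are present on the message when SpamAssassin runs, so the stage that adds `X-Spam-Clamav` has to run before rule evaluation (a milter or an earlier scanner), not be a header SpamAssassin itself emits at the end of the same pass. Second, any header that rules trust should be stripped or overwritten by that upstream stage on inbound mail, otherwise a sender can include their own `X-Spam-Clamav` line and steer the scoring. The `Heuristics.OLE2.ContainsMacros` name seen in the pastebin is raised by ClamAV itself when `OLE2BlockMacros yes` is set in clamd.conf, which is the simplest way to get a "this document has a macro" signal without writing a custom def.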
