On Wed, 18 Feb 2015 09:56:56 -0700 Jesse Norell <je...@kci.net> wrote:
> Another option might be to add a virus scanner to your pop/imap
> server, so mail is re-scanned before being sent to the client?

I wrote some Perl to try to detect MS Office documents with macros in them. I'm not sure it's 100% successful, but it does seem to detect a large percentage of them. Unfortunately, I found out to my dismay that quite a few legitimate MS Office documents have macros, so you can only use this to add points, not to reject.

The code fragment is below (it's not a complete solution, but it gives you the gist). It's not a SpamAssassin plugin (because it's part of our MIMEDefang framework) but it shouldn't be too hard to adapt. The essential part is to look for the two strings $marker1 and $marker2 in the document.

Regards,

David.

==============================================================================
use strict;
use warnings;
use MIME::Words qw(decode_mimewords);

# These markers were documented at:
# http://blog.rootshell.be/2015/01/08/searching-for-microsoft-office-files-containing-macro/
# as of 2015-01-15

# $entity is a MIME::Entity that's the parsed message

# First four bytes of the OLE2 / Compound File Binary header (D0 CF 11 E0 A1 B1 1A E1)
my $marker1 = "\xd0\xcf\x11\xe0";
# "\0Attribut\0": the NUL-delimited "Attribut" string found in VBA module streams
my $marker2 = "\x00\x41\x74\x74\x72\x69\x62\x75\x74\x00";

sub contains_office_macros {
    my ($self, $entity) = @_;

    # Multipart entity: recurse into each part and report the first hit
    my @parts = $entity->parts();
    if (scalar(@parts) > 0) {
        foreach my $part (@parts) {
            if ($self->contains_office_macros($part)) {
                return 1;
            }
        }
        return 0;
    }

    # Leaf part: only look at attachments whose name claims an MS Office document
    my $is_msoffice_extension = 0;
    foreach my $attr_name (qw( Content-Disposition.filename Content-Type.name )) {
        my $possible = $entity->head->mime_attr($attr_name);
        next unless defined($possible);   # the attribute may be absent on this part
        $possible = decode_mimewords($possible);
        if ($possible =~ /\.(doc|docx)$/i) {
            $is_msoffice_extension = 1;
            last;
        }
    }
    return 0 unless $is_msoffice_extension;

    # MIMEDefang keeps decoded bodies on disk; bail out if there is no file
    return 0 unless defined($entity->bodyhandle) && defined($entity->bodyhandle->path);

    my $fp;
    if (!open($fp, '<:raw', $entity->bodyhandle->path)) {
        return 0;
    }

    # Slurp the whole decoded attachment as raw bytes
    my $contents;
    {
        local $/;
        $contents = <$fp>;
        close($fp);
    }

    # Both markers present: an OLE container that carries a VBA project
    if (index($contents, $marker1) > -1 && index($contents, $marker2) > -1) {
        return 1;
    }
    return 0;
}
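The same two-marker check, as an added stand-alone example (not David's MIMEDefang code): it sniffs the attachment bytes instead of the filename, and goes one step further than the post by also handling OOXML documents (.docm, .xlsm), which are ZIP containers whose VBA project lives in an embedded OLE file named vbaProject.bin. The sample attachment bodies are constructed here and are not real documents.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0"      # $marker1 in the post: start of the OLE2/CFB header
VBA_ATTRIB = b"\x00Attribut\x00"     # $marker2 in the post: "\0Attribut\0" from VBA module streams


def ole_has_vba_markers(data: bytes) -> bool:
    """The post's check: both markers appear somewhere in the bytes."""
    return OLE_MAGIC in data and VBA_ATTRIB in data


def scan_attachment(data: bytes) -> str:
    """Classify one decoded attachment body as 'ole-macro', 'ooxml-macro' or 'clean'.

    As the post notes, a hit should only add score points, not trigger a reject,
    because plenty of legitimate documents carry macros.
    """
    if data.startswith(b"PK\x03\x04"):          # ZIP local-file header: OOXML container
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    # word/vbaProject.bin, xl/vbaProject.bin, ...: an OLE file inside the ZIP
                    if name.lower().endswith("vbaproject.bin") and ole_has_vba_markers(zf.read(name)):
                        return "ooxml-macro"
        except zipfile.BadZipFile:
            return "clean"                      # truncated or corrupt container
        return "clean"
    if ole_has_vba_markers(data):
        return "ole-macro"
    return "clean"


# Constructed samples: a full OLE signature plus padding, then a VBA-like module stream
OLE_SIG = OLE_MAGIC + b"\xa1\xb1\x1a\xe1" + b"\x00" * 16
LEGACY_DOC_WITH_VBA = OLE_SIG + b"\x00Attribut\x00e VB_Name = \"Module1\""
LEGACY_DOC_NO_VBA = OLE_SIG + b"WordDocument"


def make_docm(with_vba: bool) -> bytes:
    """Build a minimal constructed OOXML-style ZIP, optionally with a vbaProject.bin member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", LEGACY_DOC_WITH_VBA)
    return buf.getvalue()
```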