Hi,

On Mon, Dec 21, 2015 at 6:14 PM, Kevin A. McGrail <kmcgr...@pccc.com> wrote:
> On 12/21/2015 5:46 PM, Alex wrote:
>>
>> For the past few days we've been hit with Word macro viruses/spam that
>> isn't being tagged by clamav or spamassassin, and I thought someone
>> might be able to take a look:
>>
>> http://pastebin.com/cAWcAbm2
>>
>> This one still isn't tagged by clamav/sanesecurity. I've submitted
>> this sample, so perhaps it is now, but I thought someone might have
>> some ideas for a meta or something else in the message that could more
>> generally tag these?
>>
>> Anyone else seeing these? I've also already added the IP to the client
>> blocklist.
>
> We've had pretty good luck combating these from a lot of angles. Diane wrote
> a nice piece about this at
> http://lists.roaringpenguin.com/pipermail/mimedefang/2015-February/037580.html
> &
> http://lists.roaringpenguin.com/pipermail/mimedefang/2015-February/037579.html

Is mimedefang the de facto method for blocking Word macro files? I haven't ever implemented it. Can it work with postfix/amavis?

The second thread involving stripping attachments with macros is probably not what we want. What is the generally accepted policy of other organizations?

Has there been any progress on using Archive::Zip to add points to Word macro docs? Are there any other approaches to consider for doing this?

Thanks,
Alex