On Tue, 6 Sep 2016 17:50:25 -0400
Alex <mysqlstud...@gmail.com> wrote:

[snip]
> >           Workbook_Open
> >           Document_Open
> >           Auto_Open
> >           AutoOpen

> Is there a simple way to identify whether the attachment/macro
> contains those listed functions, without the ability to use
> mimedefang?

Not that I know of, though you could write a SpamAssassin plugin, I suppose.

Our algorithm simply searches for those strings in an Office document if
macros were detected.  The newer docx, xlsx, etc. variants are simply
zip files in disguise, so we pipe those through "unzip -p".

While a document could contain macros, and contain one of those strings
just by coincidence, we judged the margin of error to be good enough for
our purposes.

All in all, it's fiddly, tedious, and requires a fair bit of Perl programming.
It's also quite resource-intensive, so make sure you have the CPU horsepower.

Regards,

Dianne.
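
The string search described above, for the zip-based formats only, as an added Python example (not part of the original message and not the poster's Perl code). It assumes that a vbaProject.bin member is what signals macros, matches case-insensitively, and uses a hypothetical size cap; build_sample only produces constructed test archives.

```python
import io
import re
import zipfile

# The four auto-run entry points quoted in the thread.
NAMES = ("Workbook_Open", "Document_Open", "Auto_Open", "AutoOpen")
CANON = {n.lower().encode(): n for n in NAMES}
PATTERN = re.compile(b"|".join(re.escape(n.encode()) for n in NAMES), re.I)
MAX_MEMBER_BYTES = 16 * 1024 * 1024  # assumed cap against zip bombs


def scan_ooxml(data: bytes) -> set[str]:
    """Return the auto-run names found in a macro-bearing OOXML file."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return set()
    hits: set[str] = set()
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # Assumption: a vbaProject.bin member means macros are present.
            if not any(n.lower().endswith("vbaproject.bin") for n in zf.namelist()):
                return set()
            for info in zf.infolist():
                with zf.open(info) as member:  # same effect as "unzip -p"
                    blob = member.read(MAX_MEMBER_BYTES)
                for m in PATTERN.finditer(blob):
                    hits.add(CANON[m.group(0).lower()])
    except (zipfile.BadZipFile, RuntimeError):
        pass  # corrupt or encrypted member: report what was found so far
    return hits


def build_sample(members: dict[str, bytes]) -> bytes:
    """Constructed test input: an in-memory zip, not a real Office file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()
```

As the message notes, a hit can be a coincidence, so the result is better used as a scoring signal than as proof of a malicious macro.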
