On 28/10/15 11:55, Gary Stainburn wrote:
We are receiving LOTS of emails that contain empty XLS or DOC documents with embedded virus macros. These are getting past SpamAssassin, ClamAV and Kaspersky.
I'm trying to write a filter for Exim to block these emails, but I need to know a good, quick command line to detect an empty doc with a macro.
Is there anything available that I can use??
I have managed to write a Perl script to detect empty xls, xlsx, doc and docx files, but I cannot detect whether they have any macros embedded.
Gary
If you've got a script to detect empty docs then it should be relatively easy to detect these. I assume empty attachments are not normal in your mail flows?
I would look to write some custom SpamAssassin rules, maybe incorporating your script, to detect these and filter them out.
Are you able to post some examples to pastebin?
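
One way to do the macro check asked about in the quoted message, as an added example that is not part of the original thread or either poster's code. It is a heuristic, not a full parser: the function names and the constructed sample attachment are assumptions for illustration.

```python
import io
import sys
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls container
# OLE2 directory entry names are UTF-16LE; a VBA project has a _VBA_PROJECT stream.
VBA_STREAM_NAME = "_VBA_PROJECT".encode("utf-16-le")


def has_vba_macros(data: bytes) -> bool:
    """Return True if the attachment bytes appear to carry a VBA project."""
    if data.startswith(OLE2_MAGIC):
        # Heuristic: scan for the stream name instead of walking the directory.
        return VBA_STREAM_NAME in data
    if data.startswith(b"PK"):
        # OOXML (.docx/.xlsx and renamed .docm/.xlsm): VBA lives in vbaProject.bin.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(name.lower().endswith("vbaproject.bin")
                           for name in zf.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def sample_ooxml(with_macro: bool) -> bytes:
    """Constructed sample: a minimal zip shaped like an OOXML attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: script.py ATTACHMENT ; exit status 1 means a VBA project was found.
    with open(sys.argv[1], "rb") as fh:
        sys.exit(1 if has_vba_macros(fh.read()) else 0)
```

The exit status can be combined with an existing empty-document check, so that only attachments that are both empty and macro-bearing are rejected.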