On 29/10/15 10:51, Gary Stainburn wrote:
> On Wednesday 28 October 2015 21:12:19 Ned Slider wrote:
>> On 28/10/15 11:55, Gary Stainburn wrote:
>>> We are receiving LOTS of emails that contain empty XLS or DOC documents
>>> with embedded virus macros. These are getting past SpamAssassin, ClamAV
>>> and Kaspersky.
>>>
>>> I'm trying to write a filter for Exim to block these emails but I need to
>>> know a good, quick command line to detect an empty doc with a macro.
>>>
>>> Is there anything available that I can use??
>>>
>>> I have managed to write a Perl script to detect empty xls, xlsx, doc and
>>> docx files but I cannot detect whether they have any macros embedded.
>>>
>>> Gary
>>
>> If you've got a script to detect empty docs then it should be relatively
>> easy to detect these. I assume empty attachments are not normal in your
>> mail flows?
>>
>
> I have come to the conclusion that I am just going to have to stick with
> detecting empty documents and forget the macro checks.
>
>> I would look to write some custom SpamAssassin rules, maybe
>> incorporating your script, to detect these and filter them out.
>
> I would love to be able to write custom SpamAssassin rules but do not know how
> to do this. All I have done in the past is add small pattern matching rules
> to local.cf
>

That's a great place to start. Combining multiple simple rules in a meta rule is also a great way to detect many spams. If you can find 3 or 4 factors specific to this spam (the more unique the better), combining them usually gives excellent results. For example, they all contain a doc, docx, xls or xlsx attachment, they all contain a specific phrase or something unique in the Subject, maybe they all contain a URL or email address in the body, etc. Individually the rules might not be particularly good indicators of spam, but when combined together they may become highly effective.

This might not be the best forum to discuss in detail; the SpamAssassin mailing list is a great place to get help with writing rules.

> Another rule I would like to add to SpamAssassin is to catch emails where the
> subject starts with the email local part in brackets as we get a LOT of those
> too.
>
>>
>> Are you able to post some examples to pastebin?
>
> http://www.stainburn.com/virus_files/I0000040777.doc
> http://www.stainburn.com/virus_files/FAX_20151028_1445421437_89.doc

Sorry, I meant examples of the emails (including the full headers, redacted where necessary), not the attachments. We might be able to point you in the right direction or offer a few thoughts on how to detect them in SpamAssassin.
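As an added illustration of the meta-rule approach described above (not part of the original thread, and not tuned against Gary's actual samples), the local.cf fragment below combines three weak indicators into one scoring rule. The attachment check uses the `mimeheader` rule type, which needs the MIMEHeader plugin (loaded by default in recent SpamAssassin versions via v320.pre). The "fax" subject phrase and the "please find attached" body phrase are assumptions chosen for the example; a real deployment would replace them with whatever is actually common to the sampled messages. Component rules are named with a leading double underscore, which SpamAssassin treats as zero-score sub-rules that exist only to feed the meta rule.

```conf
# --- component rules: each on its own is a weak, zero-score indicator ---

# Office document attached (needs Mail::SpamAssassin::Plugin::MIMEHeader,
# loaded by default from v320.pre). Matches the filename in any MIME part.
mimeheader  __LOCAL_OFFICE_ATTACH  Content-Type =~ /name=.*\.(?:docx?|xlsx?)\b/i
describe    __LOCAL_OFFICE_ATTACH  Word or Excel document attached

# Subject phrase. ASSUMED for this example; replace with the phrase that
# actually recurs in the sampled messages.
header      __LOCAL_SUBJ_FAX       Subject =~ /\bfax\b/i
describe    __LOCAL_SUBJ_FAX       Subject mentions a fax

# Body phrase. Also ASSUMED for this example.
body        __LOCAL_BODY_ATTACHED  /\bplease (?:find|see) (?:the )?attached\b/i
describe    __LOCAL_BODY_ATTACHED  "please find attached" wording in body

# --- meta rule: fires only when all three components match ---
meta        LOCAL_OFFICE_MACRO_SPAM  (__LOCAL_OFFICE_ATTACH && __LOCAL_SUBJ_FAX && __LOCAL_BODY_ATTACHED)
describe    LOCAL_OFFICE_MACRO_SPAM  Office attachment + fax subject + "find attached" body
score       LOCAL_OFFICE_MACRO_SPAM  5.0

# --- second request from the thread: subject opening with a bracketed token ---
# A plain regex cannot compare the token against the recipient's own local
# part, so this only checks the shape "[something]" at the start of Subject.
header      LOCAL_SUBJ_BRACKET_START  Subject =~ /^\s*\[[^\]\s@]+\]/
describe    LOCAL_SUBJ_BRACKET_START  Subject starts with a bracketed token
score       LOCAL_SUBJ_BRACKET_START  1.0
```

After editing local.cf, run `spamassassin --lint` to catch syntax errors, then feed a saved sample through `spamassassin -t < sample.eml` and confirm that the rule names appear in the report's score breakdown. Start with a low score on the meta rule and raise it only once it has been checked against legitimate mail that also carries Office attachments.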