[CentOS] Detecting empty office doc containing virus macro

Ned Slider ned at unixmail.co.uk
Thu Oct 29 20:37:03 UTC 2015



On 29/10/15 10:51, Gary Stainburn wrote:
> On Wednesday 28 October 2015 21:12:19 Ned Slider wrote:
>> On 28/10/15 11:55, Gary Stainburn wrote:
>>> We are receiving LOTS of emails that contain empty XLS or DOC documents
>>> with embedded virus macros.  These are getting past SPAMASSASSIN, Clamav
>>> and Kaspersky.
>>>
>>> I'm trying to write a filter for EXIM to block these emails but I need to
>>> know a good, quick, command-line to detect an empty doc with a macro.
>>>
>>> Is there anything available that I can use??
>>>
>>> I have managed to write a PERL script to detect empty xls xlsx, doc and
>>> docx files but I cannot detect whether they have any macros embedded
>>>
>>> Gary
>>
>> If you've got a script to detect empty docs then it should be relatively
>> easy to detect these. I assume empty attachments are not normal in your
>> mail flows?
>>
> 
> I have come to the conclusion that I am just going to have to stick with 
> detecting empty documents and forget the macro checks.
> 
>> I would look to write some custom SpamAssassin rules, maybe
>> incorporating your script, to detect these and filter them out.
> 
> I would love to be able to write custom Spamassassin rules but do not know how 
> to do this. All I have done in the past is add small pattern matching rules 
> to local.cf
> 

That's a great place to start. Combining multiple simple rules in a meta
rule is also a great way to detect many spams. If you can find 3 or 4
factors specific to these spams (the more unique the better), combining
them usually gives excellent results. For example, they all contain a
doc, docx, xls or xlsx attachment, they all contain a specific phrase or
something unique in the Subject, maybe they all contain a URL or email
address in the body etc. Individually the rules might not be
particularly good indicators of spam, but when combined together they
may become highly effective.

This might not be the best forum to discuss in detail; the SpamAssassin
mailing list is a great place to get help with writing rules.

> Another rule I would like to add to Spamassassin is to catch emails where the 
> subject starts with the email local part in brackets as we get a LOT of those 
> too.
> 
>>
>> Are you able to post some examples to pastebin?
> 
> http://www.stainburn.com/virus_files/I0000040777.doc
> http://www.stainburn.com/virus_files/FAX_20151028_1445421437_89.doc

Sorry, I meant examples of the emails (including the full headers,
redacted where necessary), not the attachments. We might be able to
point you in the right direction or offer a few thoughts on how to
detect them in SpamAssassin.
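A sketch of the meta-rule approach outlined above, written as an added example for local.cf rather than taken from the original thread. The rule names, the subject phrase, the scores and the "at least two of three" threshold are assumptions; the empty-document check from the Perl script is not included, since stock SpamAssassin has no rule type for it.

```conf
# Factor 1: an Office document attached (needs the MIMEHeader plugin,
# loaded by default via v320.pre in SpamAssassin 3.2+).
mimeheader  LOCAL_OFFICE_ATTACH   Content-Type =~ /name="?[^"\r\n]+\.(?:docx?|xlsx?)"?/i
describe    LOCAL_OFFICE_ATTACH   Attachment named *.doc/*.docx/*.xls/*.xlsx
score       LOCAL_OFFICE_ATTACH   0.1

# Factor 2: a phrase seen in the Subject of this campaign.
# "FAX" is an assumed placeholder; use whatever the real messages share.
header      LOCAL_SUBJ_PHRASE     Subject =~ /\bFAX\b/i
describe    LOCAL_SUBJ_PHRASE     Campaign-specific phrase in Subject
score       LOCAL_SUBJ_PHRASE     0.1

# Factor 3: any http(s) URL in the body (uri rules match extracted URLs).
uri         LOCAL_BODY_URL        /^https?:\/\//i
describe    LOCAL_BODY_URL        URL present in message body
score       LOCAL_BODY_URL        0.1

# Meta rule A: all three factors present -> strong signal.
meta        LOCAL_MACRO_DOC_SPAM  (LOCAL_OFFICE_ATTACH && LOCAL_SUBJ_PHRASE && LOCAL_BODY_URL)
describe    LOCAL_MACRO_DOC_SPAM  Office attachment + campaign subject + URL in body
score       LOCAL_MACRO_DOC_SPAM  5.0

# Meta rule B: at least two of the three factors -> softer score.
# In a meta expression each sub-rule counts as 1 when it hits, 0 otherwise.
meta        LOCAL_MACRO_DOC_SUSP  ((LOCAL_OFFICE_ATTACH + LOCAL_SUBJ_PHRASE + LOCAL_BODY_URL) >= 2)
describe    LOCAL_MACRO_DOC_SUSP  Two or more macro-document campaign indicators
score       LOCAL_MACRO_DOC_SUSP  2.0
```

Check the rules with `spamassassin --lint` before reloading, and test against a saved sample with `spamassassin -t < sample.eml` so the individual sub-rule hits are visible in the report.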
