Re: [Mimedefang] Word Macro warning in subject.

2016-02-12 Thread Steffen Kaiser


On Fri, 12 Feb 2016, System Operations wrote:

I made the changes to the sub contains_office_macros below, I hope that 
these changes are correct.
Does the sub contains_office_macros need to be called by sub filter_multipart 
only, or does it need to be called by the sub filter as well?


you want to test files only, hence no need in filter_multipart, but in 
filter only.


Also, see this snippet from the man page:

   The heart of mimedefang-filter is the filter procedure.  See the 
examples that came with MIMEDefang to learn to write a filter.  The filter 
is called with the following arguments:


   $entity
  The MIME::Entity object.  (See the MIME::tools Perl module 
documentation.)

   $fname The suggested attachment filename, or "" if none was supplied.

   $ext   The file extension (all characters from the rightmost period to 
the end of the filename.)

   $type  The MIME type (for example, "text/plain".)

you should use $ext and $type to probe these strings, if you check the 
content, because MIMEDefang takes great care to populate sane values 
there. They replace the foreach loop. Also note, if the MIME type suggests 
"MS Office style document", the filename need not end in .doc/.xls/... 
Many MUAs accept those parts as an MS Office doc, too.



# These markers were documented at:
# http://blog.rootshell.be/2015/01/08/searching-for-microsoft-office-files-containing-macro/
# as of 2015-01-15
# $entity is a MIME::Entity that's the parsed message

my $marker1 = "\xd0\xcf\x11\xe0";
my $marker2 = "\x00\x41\x74\x74\x72\x69\x62\x75\x74\x00";

sub contains_office_macros
{
   my ($entity) = @_;
   my @parts = $entity->parts();
   if (scalar(@parts) > 0) {
   return 0;
   }
   my $is_msoffice_extension = 0;
   foreach my $attr_name (qw( Content-Disposition.filename 
Content-Type.name) ) {

   my $possible = $entity->head->mime_attr($attr_name);
   $possible = decode_mimewords($possible);
   if ($possible =~ /\.(doc|docx)$/i) {
   $is_msoffice_extension = 1;
   last;
   }
   }
   return 0 unless $is_msoffice_extension;
   return 0 unless defined($entity->bodyhandle) && 
defined($entity->bodyhandle->path);

   my $fp;
   if (!open($fp, '<:raw', $entity->bodyhandle->path)) {
   return 0;
   }
   my $contents;
   {
   local $/;
   $contents = <$fp>;
   close($fp);
   }
   if (index($contents, $marker1) > -1 &&

according to your reference, marker1 must be at location == 0 (start of file)


   index($contents, $marker2) > -1) {
   return 1;
   }
   return 0;
}
___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang




-- 
Steffen Kaiser



Re: [Mimedefang] Word Macro warning in subject.

2016-02-11 Thread System Operations

Thanks Steffen,

I now call the subroutine using if (contains_office_macros($entity))...
I made the changes to the sub contains_office_macros below, I hope 
that these changes are correct.
Does the sub contains_office_macros need to be called by sub 
filter_multipart only, or does it need to be called by the sub filter as well?


sub filter_multipart {
    my($entity, $fname, $ext, $type) = @_;

    return if message_rejected(); # Avoid unnecessary work

    if (contains_office_macros($entity)) {
        action_notify_administrator("An attachment of type $type, sent by $Sender for $Recip named $fname contains macros.\n");

        my $subject = $entity->head->get('Subject',0);
        action_change_header('Subject', "[Warning Attachment $fname contains macros (possible virus):] $Subject");
    }

    # Block message/partial parts
    if (lc($type) eq "message/partial") {
        md_graphdefang_log('message/partial');
        action_bounce("MIME type message/partial not accepted here");
        return;
    }

    return action_accept();
}


# These markers were documented at:
# http://blog.rootshell.be/2015/01/08/searching-for-microsoft-office-files-containing-macro/
# as of 2015-01-15
# $entity is a MIME::Entity that's the parsed message

my $marker1 = "\xd0\xcf\x11\xe0";
my $marker2 = "\x00\x41\x74\x74\x72\x69\x62\x75\x74\x00";

sub contains_office_macros
{
    my ($entity) = @_;
    my @parts = $entity->parts();
    if (scalar(@parts) > 0) {
        return 0;
    }
    my $is_msoffice_extension = 0;
    foreach my $attr_name (qw( Content-Disposition.filename Content-Type.name )) {
        my $possible = $entity->head->mime_attr($attr_name);
        $possible = decode_mimewords($possible);
        if ($possible =~ /\.(doc|docx)$/i) {
            $is_msoffice_extension = 1;
            last;
        }
    }
    return 0 unless $is_msoffice_extension;
    return 0 unless defined($entity->bodyhandle) && defined($entity->bodyhandle->path);

    my $fp;
    if (!open($fp, '<:raw', $entity->bodyhandle->path)) {
        return 0;
    }
    my $contents;
    {
        local $/;
        $contents = <$fp>;
        close($fp);
    }
    if (index($contents, $marker1) > -1 &&
        index($contents, $marker2) > -1) {
        return 1;
    }
    return 0;
}


Re: [Mimedefang] Word Macro warning in subject.

2016-02-11 Thread Steffen Kaiser


On Tue, 9 Feb 2016, System Operations wrote:

Hmm, do you use SpamAssassin?
I thought one could add search strings to ClamAV as well, but cannot find 
any pointers on the internet.


Slave 1 stderr: Can't call method "parts" on an undefined value at 
/etc/mail/mimedefang-filter


There is no line number?


sub filter {
   my($entity, $fname, $ext, $type) = @_;

   return if message_rejected(); # Avoid unnecessary work


   if (contains_office_macros) {

  ^^ missing ($entity)
like many procedural languages you need to pass arguments in ()'s

        action_notify_administrator("An attachment of type $type, sent by $Sender for $Recip named $fname contains macros.\n");

        my $subject = $entity->head->get('Subject',0);
        action_change_header('Subject', "[Warning Attachment $fname contains macros (possible virus):] $Subject");

    }

    return action_accept();
}



sub filter_multipart {
    my($entity, $fname, $ext, $type) = @_;

    return if message_rejected(); # Avoid unnecessary work

    if (contains_office_macros) {
        action_notify_administrator("An attachment of type $type, sent by $Sender for $Recip named $fname contains macros.\n");

        my $subject = $entity->head->get('Subject',0);
        action_change_header('Subject', "[Warning Attachment $fname contains macros (possible virus):] $Subject");

    }

    return action_accept();
}


==
# These markers were documented at:
#http://blog.rootshell.be/2015/01/08/searching-for-microsoft-office-files-containing-macro/
# as of 2015-01-15
# $entity is a MIME::Entity that's the parsed message

my $marker1 = "\xd0\xcf\x11\xe0";
my $marker2 = "\x00\x41\x74\x74\x72\x69\x62\x75\x74\x00";

sub contains_office_macros
{
my ($self, $entity) = @_;

^^ remove $self,
there is just one argument, also remove any $self->
from the code below.


    my @parts = $entity->parts();
    if (scalar(@parts) > 0) {
        foreach my $part (@parts) {
            if ($self->contains_office_macros($part)) {
                return 1;
            }
        }
        return 0;
    }
    my $is_msoffice_extension = 0;
    foreach my $attr_name (qw( Content-Disposition.filename Content-Type.name )) {
        my $possible = $entity->head->mime_attr($attr_name);
        $possible = decode_mimewords($possible);
        if ($possible =~ /\.(doc|docx)$/i) {
            $is_msoffice_extension = 1;
            last;
        }
    }
    return 0 unless $is_msoffice_extension;
    return 0 unless defined($entity->bodyhandle) && defined($entity->bodyhandle->path);

    my $fp;
    if (!open($fp, '<:raw', $entity->bodyhandle->path)) {
        return 0;
    }
    my $contents;
    {
        local $/;
        $contents = <$fp>;
        close($fp);
    }


this code pulls the whole part into memory.


    if (index($contents, $marker1) > -1 &&
        index($contents, $marker2) > -1) {
        return 1;
    }
    return 0;
}


-- 
Steffen Kaiser

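The following is an added example, not code from this thread or from MIMEDefang itself. It puts together the points Steffen raises in his two replies: contains_office_macros() is called from filter() with the $entity, $fname, $ext and $type MIMEDefang already populates (so no re-parsing of Content-Disposition/Content-Type, and no $self), the OLE2 magic "\xd0\xcf\x11\xe0" is required at offset 0 rather than anywhere in the file, and the part is read in bounded chunks instead of being slurped into memory. The extension and MIME-type lists, the 64 KiB chunk size and the helper name file_has_ole_macro_marker() are assumptions made for this example. Note the caveat that the two markers only describe the legacy OLE2 (binary .doc/.xls/.ppt) container; an OOXML .docx/.docm is a zip and will not match the magic check, and "\0Attribut\0" is a heuristic from the cited blog post, not a VBA parser.

```perl
# Added example (not from the thread or MIMEDefang): contains_office_macros()
# as it would be called from filter(), reading the part in bounded chunks.
use strict;
use warnings;

# OLE2 compound-file magic; per the cited reference it must be the first
# four bytes of the file, so it is checked at offset 0 only.
my $OLE_MAGIC  = "\xd0\xcf\x11\xe0";
# "\0Attribut\0" shows up in the VBA stream of macro-carrying OLE documents
# (same bytes as $marker2 in the thread).
my $VBA_MARKER = "\x00Attribut\x00";

# Extensions ($ext includes the leading period) and MIME types that legacy
# Office parts arrive with.  Assumed lists for this example; extend as needed.
my %OFFICE_EXT  = map { ($_ => 1) } qw(.doc .dot .xls .xlt .ppt .pps);
my %OFFICE_TYPE = map { ($_ => 1) } qw(
    application/msword
    application/vnd.ms-excel
    application/vnd.ms-powerpoint
    application/vnd.ms-office
);

# Return 1 if the file at $path starts with the OLE2 magic and contains the
# VBA marker somewhere after it, 0 otherwise.  Reads 64 KiB at a time and
# keeps a (marker length - 1) byte overlap so a marker that straddles two
# chunks is still found.  Memory use is bounded regardless of part size.
sub file_has_ole_macro_marker {
    my ($path) = @_;
    open(my $fh, '<:raw', $path) or return 0;

    my $head = '';
    my $got = read($fh, $head, length $OLE_MAGIC);
    if (!defined $got || $got < length $OLE_MAGIC || $head ne $OLE_MAGIC) {
        close($fh);
        return 0;   # not an OLE2 container: magic is not at offset 0
    }

    my $overlap = length($VBA_MARKER) - 1;
    my $buf     = '';
    my $found   = 0;
    while (read($fh, my $chunk, 65536)) {
        $buf .= $chunk;
        if (index($buf, $VBA_MARKER) >= 0) {
            $found = 1;
            last;
        }
        # keep only the tail that could be the start of a split marker
        $buf = substr($buf, -$overlap) if length($buf) > $overlap;
    }
    close($fh);
    return $found;
}

# Decide on the $ext and $type MIMEDefang hands to filter(); they already
# reflect Content-Disposition/Content-Type, so no foreach over header
# attributes is needed.  A part with an Office MIME type is checked even if
# its filename does not end in .doc/.xls, as Steffen points out.
sub contains_office_macros {
    my ($entity, $fname, $ext, $type) = @_;

    my $looks_office = $OFFICE_EXT{lc($ext // '')} || $OFFICE_TYPE{lc($type // '')};
    return 0 unless $looks_office;

    my $body = $entity->bodyhandle;
    return 0 unless defined $body && defined $body->path;
    return file_has_ole_macro_marker($body->path);
}

# Wiring in mimedefang-filter.  filter_multipart() only ever sees the
# multipart container, which has no body of its own, so the check belongs
# in filter(), where each leaf part arrives with its filename/ext/type:
#
# sub filter {
#     my ($entity, $fname, $ext, $type) = @_;
#     return if message_rejected();
#     if (contains_office_macros($entity, $fname, $ext, $type)) {
#         action_notify_administrator("Attachment $fname ($type) from $Sender contains macros.\n");
#         action_change_header('Subject', "[Warning: attachment $fname contains macros] $Subject");
#     }
#     return action_accept();
# }
```

The two-stage check matters for false positives: requiring the magic at offset 0 means an arbitrary file that merely contains the four magic bytes somewhere is not flagged, and the bounded read means a multi-megabyte attachment does not cost a multi-megabyte Perl scalar per slave.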


[Mimedefang] Word Macro warning in subject.

2016-02-08 Thread System Operations

2 different AV scanners don't pick up the Word macro virus.

I am not a Perl coder and am trying to get the code below working.

Any help with this would be appreciated. Thanks


Slave 1 stderr: Can't call method "parts" on an undefined value at 
/etc/mail/mimedefang-filter



sub filter {
    my($entity, $fname, $ext, $type) = @_;

    return if message_rejected(); # Avoid unnecessary work

    if (contains_office_macros) {
        action_notify_administrator("An attachment of type $type, sent by $Sender for $Recip named $fname contains macros.\n");
        my $subject = $entity->head->get('Subject',0);
        action_change_header('Subject', "[Warning Attachment $fname contains macros (possible virus):] $Subject");
    }

    return action_accept();
}



sub filter_multipart {
    my($entity, $fname, $ext, $type) = @_;

    return if message_rejected(); # Avoid unnecessary work

    if (contains_office_macros) {
        action_notify_administrator("An attachment of type $type, sent by $Sender for $Recip named $fname contains macros.\n");
        my $subject = $entity->head->get('Subject',0);
        action_change_header('Subject', "[Warning Attachment $fname contains macros (possible virus):] $Subject");
    }

    return action_accept();
}


==
# These markers were documented at:
# http://blog.rootshell.be/2015/01/08/searching-for-microsoft-office-files-containing-macro/
# as of 2015-01-15
# $entity is a MIME::Entity that's the parsed message

my $marker1 = "\xd0\xcf\x11\xe0";
my $marker2 = "\x00\x41\x74\x74\x72\x69\x62\x75\x74\x00";

sub contains_office_macros
{
    my ($self, $entity) = @_;
    my @parts = $entity->parts();
    if (scalar(@parts) > 0) {
        foreach my $part (@parts) {
            if ($self->contains_office_macros($part)) {
                return 1;
            }
        }
        return 0;
    }
    my $is_msoffice_extension = 0;
    foreach my $attr_name (qw( Content-Disposition.filename Content-Type.name )) {
        my $possible = $entity->head->mime_attr($attr_name);
        $possible = decode_mimewords($possible);
        if ($possible =~ /\.(doc|docx)$/i) {
            $is_msoffice_extension = 1;
            last;
        }
    }
    return 0 unless $is_msoffice_extension;
    return 0 unless defined($entity->bodyhandle) && defined($entity->bodyhandle->path);
    my $fp;
    if (!open($fp, '<:raw', $entity->bodyhandle->path)) {
        return 0;
    }
    my $contents;
    {
        local $/;
        $contents = <$fp>;
        close($fp);
    }
    if (index($contents, $marker1) > -1 &&
        index($contents, $marker2) > -1) {
        return 1;
    }
    return 0;
}

