Re: [Mimedefang] Word Macro warning in subject.
On Fri, 12 Feb 2016, System Operations wrote:

> I made the changes to the sub contains_office_macros below, I hope that
> these changes are correct. Does the sub contains_office_macros need to be
> called by sub filter_multipart only or does it need to be called by the
> sub filter as well?

You want to test files only, hence no need in filter_multipart, but filter only.

Also, see this snippet from the man page:

    The heart of mimedefang-filter is the filter procedure. See the examples
    that came with MIMEDefang to learn to write a filter. The filter is
    called with the following arguments:

    $entity  The MIME::Entity object. (See the MIME::tools Perl module
             documentation.)
    $fname   The suggested attachment filename, or "" if none was supplied.
    $ext     The file extension (all characters from the rightmost period to
             the end of the filename.)
    $type    The MIME type (for example, "text/plain".)

You should use $ext and $type to probe these strings, if you check the
content, because MIMEDefang takes great care to populate sane values there.
They replace the foreach loop.

Also note, if the MIME type suggests "MS Office style document", the
filename need not end in .doc/.xls/ . Many MUAs accept those parts as
MSOffice doc, too.

> # These markers were documented at:
> # http://blog.rootshell.be/2015/01/08/searching-for-microsoft-office-files-containing-macro/
> # as of 2015-01-15
> # $entity is a MIME::Entity that's the parsed message
> my $marker1 = "\xd0\xcf\x11\xe0";
> my $marker2 = "\x00\x41\x74\x74\x72\x69\x62\x75\x74\x00";
>
> sub contains_office_macros {
>     my ($entity) = @_;
>     my @parts = $entity->parts();
>     if (scalar(@parts) > 0) {
>         return 0;
>     }
>     my $is_msoffice_extension = 0;
>     foreach my $attr_name (qw( Content-Disposition.filename Content-Type.name) ) {
>         my $possible = $entity->head->mime_attr($attr_name);
>         $possible = decode_mimewords($possible);
>         if ($possible =~ /\.(doc|docx)$/i) {
>             $is_msoffice_extension = 1;
>             last;
>         }
>     }
>     return 0 unless $is_msoffice_extension;
>     return 0 unless defined($entity->bodyhandle) && defined($entity->bodyhandle->path);
>     my $fp;
>     if (!open($fp, '<:raw', $entity->bodyhandle->path)) {
>         return 0;
>     }
>     my $contents;
>     {
>         local $/;
>         $contents = <$fp>;
>         close($fp);
>     }
>     if (index($contents, $marker1) > -1 &&

According to your reference, marker1 must be on location == 0 (start of file).

>         index($contents, $marker2) > -1) {
>         return 1;
>     }
>     return 0;
> }

-- 
Steffen Kaiser

___
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
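Putting Steffen's review points together (call it from filter only, use $ext and $type instead of the header-probing foreach loop, require marker1 at offset 0, and do not slurp the whole part into memory), here is an added standalone Perl example. It is not code from this thread and not MIMEDefang's own code. The function names, the default chunk size, the extension and MIME-type lists and the sample bytes are my own assumptions; only the two marker byte strings come from the thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);

# OLE2 compound-document signature. Per the blog post the thread references,
# it is the first marker and must sit at offset 0 of the file.
my $OLE_MAGIC  = "\xd0\xcf\x11\xe0";
# "\0Attribut\0", the VBA marker; it may appear anywhere after the header.
my $VBA_MARKER = "\x00\x41\x74\x74\x72\x69\x62\x75\x74\x00";

# Returns 1 if $path starts with the OLE signature and contains the VBA
# marker, 0 otherwise. The file is read $chunk bytes at a time, keeping the
# last length($VBA_MARKER)-1 bytes as overlap so a marker straddling two
# chunks is still found; nothing larger than one chunk is held in memory.
sub file_has_office_macros {
    my ($path, $chunk) = @_;
    $chunk ||= 65536;                     # assumed default, not a MIMEDefang setting
    open(my $fh, '<:raw', $path) or return 0;

    my $head = '';
    my $got  = read($fh, $head, length $OLE_MAGIC);
    if (!defined $got || $got < length $OLE_MAGIC || $head ne $OLE_MAGIC) {
        close($fh);
        return 0;                         # not an OLE2 container (or too short)
    }

    my $overlap = length($VBA_MARKER) - 1;
    my $tail    = '';
    my $buf;
    while (read($fh, $buf, $chunk)) {
        my $window = $tail . $buf;        # previous overlap + this chunk
        if (index($window, $VBA_MARKER) > -1) {
            close($fh);
            return 1;
        }
        $tail = length($window) > $overlap ? substr($window, -$overlap) : $window;
    }
    close($fh);
    return 0;
}

# Pre-filter on the $ext and $type arguments that filter() receives, in place
# of the header-probing foreach loop. Which extensions and MIME types are
# worth opening is my assumption here.
sub is_office_candidate {
    my ($ext, $type) = @_;
    return 1 if defined $ext  && $ext  =~ /^\.(doc|dot|xls|xlt|ppt|pps)$/i;
    return 1 if defined $type && $type =~ m{^application/(msword|vnd\.ms-(excel|powerpoint))$}i;
    return 0;
}

# Write constructed bytes to a temp file (removed on exit) and return its path.
sub write_sample {
    my ($bytes) = @_;
    my ($fh, $path) = tempfile(UNLINK => 1);
    binmode($fh);
    print $fh $bytes;
    close($fh);
    return $path;
}

unless (caller) {
    # Constructed samples, not real documents.
    my %sample = (
        'ole, marker far in'      => $OLE_MAGIC . ("\x00" x 100_000) . $VBA_MARKER,
        'ole, no marker'          => $OLE_MAGIC . ("\x00" x 100_000),
        'marker but no ole magic' => ("\x00" x 16) . $OLE_MAGIC . $VBA_MARKER,
    );
    for my $name (sort keys %sample) {
        my $path = write_sample($sample{$name});
        # A 7-byte chunk is smaller than the marker, which exercises the overlap.
        printf "%-25s default chunk: %d  7-byte chunk: %d\n", $name,
            file_has_office_macros($path), file_has_office_macros($path, 7);
    }
    printf "candidate(%s, %s) = %d\n", $_->[0], $_->[1], is_office_candidate(@$_)
        for ['.doc', 'application/octet-stream'], ['.bin', 'application/msword'],
            ['.txt', 'text/plain'];
}
```

Run as a script it writes the three constructed files and prints the verdicts. Inside a real mimedefang-filter, filter() would call is_office_candidate($ext, $type) first and only then file_has_office_macros($entity->bodyhandle->path). One caveat outside the thread: .docx and the other OOXML formats are ZIP containers, not OLE2 files, so the OLE header check can never match them; matching "docx" on the extension alone, as the posted regex does, therefore never reaches the marker test.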
Re: [Mimedefang] Word Macro warning in subject.
Thanks Steffen,

I now call the subroutine using if (contains_office_macros($entity))...

I made the changes to the sub contains_office_macros below, I hope that these changes are correct. Does the sub contains_office_macros need to be called by sub filter_multipart only or does it need to be called by the sub filter as well?

sub filter_multipart {
    my($entity, $fname, $ext, $type) = @_;
    return if message_rejected(); # Avoid unnecessary work
    if (contains_office_macros($entity)) {
        action_notify_administrator("An attachment of type $type, sent by $Sender for $Recip named $fname contains macros.\n");
        my $subject = $entity->head->get('Subject',0);
        # interpolate the lexical $subject declared above (was "$Subject", an unset global)
        action_change_header('Subject', "[Warning Attachment $fname contains macros (possible virus):] $subject");
    }
    # Block message/partial parts
    if (lc($type) eq "message/partial") {
        md_graphdefang_log('message/partial');
        action_bounce("MIME type message/partial not accepted here");
        return;
    }
    return action_accept();
}

# These markers were documented at:
# http://blog.rootshell.be/2015/01/08/searching-for-microsoft-office-files-containing-macro/
# as of 2015-01-15
# $entity is a MIME::Entity that's the parsed message
my $marker1 = "\xd0\xcf\x11\xe0";
my $marker2 = "\x00\x41\x74\x74\x72\x69\x62\x75\x74\x00";

sub contains_office_macros {
    my ($entity) = @_;
    my @parts = $entity->parts();
    if (scalar(@parts) > 0) {
        return 0;
    }
    my $is_msoffice_extension = 0;
    foreach my $attr_name (qw( Content-Disposition.filename Content-Type.name) ) {
        my $possible = $entity->head->mime_attr($attr_name);
        $possible = decode_mimewords($possible);
        if ($possible =~ /\.(doc|docx)$/i) {
            $is_msoffice_extension = 1;
            last;
        }
    }
    return 0 unless $is_msoffice_extension;
    return 0 unless defined($entity->bodyhandle) && defined($entity->bodyhandle->path);
    my $fp;
    if (!open($fp, '<:raw', $entity->bodyhandle->path)) {
        return 0;
    }
    my $contents;
    {
        local $/;
        $contents = <$fp>;
        close($fp);
    }
    if (index($contents, $marker1) > -1 && index($contents, $marker2) > -1) {
        return 1;
    }
    return 0;
}
Re: [Mimedefang] Word Macro warning in subject.
On Tue, 9 Feb 2016, System Operations wrote:

Hmm, do you use SpamAssassin? I thought one could add search strings to ClamAV as well, but cannot find any pointers on the internet.

> Slave 1 stderr: Can't call method "parts" on an undefined value at /etc/mail/mimedefang-filter

There is no line number?

> sub filter {
>     my($entity, $fname, $ext, $type) = @_;
>     return if message_rejected(); # Avoid unnecessary work
>     if (contains_office_macros) {
                              ^^ missing ($entity)

Like many procedural languages you need to pass arguments in ()'s.

>         action_notify_administrator("An attachment of type $type, sent by $Sender for $Recip named $fname contains macros.\n");
>         my $subject = $entity->head->get('Subject',0);
>         action_change_header('Subject', "[Warning Attachment $fname contains macros (possible virus):] $Subject");
>     }
>     return action_accept();
> }
>
> sub filter_multipart {
>     my($entity, $fname, $ext, $type) = @_;
>     return if message_rejected(); # Avoid unnecessary work
>     if (contains_office_macros) {
>         action_notify_administrator("An attachment of type $type, sent by $Sender for $Recip named $fname contains macros.\n");
>         my $subject = $entity->head->get('Subject',0);
>         action_change_header('Subject', "[Warning Attachment $fname contains macros (possible virus):] $Subject");
>     }
>     return action_accept();
> }
>
> ==
>
> # These markers were documented at:
> # http://blog.rootshell.be/2015/01/08/searching-for-microsoft-office-files-containing-macro/
> # as of 2015-01-15
> # $entity is a MIME::Entity that's the parsed message
> my $marker1 = "\xd0\xcf\x11\xe0";
> my $marker2 = "\x00\x41\x74\x74\x72\x69\x62\x75\x74\x00";
>
> sub contains_office_macros {
>     my ($self, $entity) = @_;
          ^^ remove $self, there is just one argument, also remove any $self-> from the code below.

>     my @parts = $entity->parts();
>     if (scalar(@parts) > 0) {
>         foreach my $part (@parts) {
>             if ($self->contains_office_macros($part)) {
>                 return 1;
>             }
>         }
>         return 0;
>     }
>     my $is_msoffice_extension = 0;
>     foreach my $attr_name (qw( Content-Disposition.filename Content-Type.name) ) {
>         my $possible = $entity->head->mime_attr($attr_name);
>         $possible = decode_mimewords($possible);
>         if ($possible =~ /\.(doc|docx)$/i) {
>             $is_msoffice_extension = 1;
>             last;
>         }
>     }
>     return 0 unless $is_msoffice_extension;
>     return 0 unless defined($entity->bodyhandle) && defined($entity->bodyhandle->path);
>     my $fp;
>     if (!open($fp, '<:raw', $entity->bodyhandle->path)) {
>         return 0;
>     }
>     my $contents;
>     {
>         local $/;
>         $contents = <$fp>;
>         close($fp);
>     }

This code pulls the whole part into memory.

>     if (index($contents, $marker1) > -1 && index($contents, $marker2) > -1) {
>         return 1;
>     }
>     return 0;
> }

-- 
Steffen Kaiser
[Mimedefang] Word Macro warning in subject.
2 different AV scanners don't pick up the Word macro virus. I am not a Perl coder and am trying to get the code below working. Any help with this would be appreciated.

Thanks

Slave 1 stderr: Can't call method "parts" on an undefined value at /etc/mail/mimedefang-filter

sub filter {
    my($entity, $fname, $ext, $type) = @_;
    return if message_rejected(); # Avoid unnecessary work
    if (contains_office_macros) {
        action_notify_administrator("An attachment of type $type, sent by $Sender for $Recip named $fname contains macros.\n");
        my $subject = $entity->head->get('Subject',0);
        action_change_header('Subject', "[Warning Attachment $fname contains macros (possible virus):] $Subject");
    }
    return action_accept();
}

sub filter_multipart {
    my($entity, $fname, $ext, $type) = @_;
    return if message_rejected(); # Avoid unnecessary work
    if (contains_office_macros) {
        action_notify_administrator("An attachment of type $type, sent by $Sender for $Recip named $fname contains macros.\n");
        my $subject = $entity->head->get('Subject',0);
        action_change_header('Subject', "[Warning Attachment $fname contains macros (possible virus):] $Subject");
    }
    return action_accept();
}

==

# These markers were documented at:
# http://blog.rootshell.be/2015/01/08/searching-for-microsoft-office-files-containing-macro/
# as of 2015-01-15
# $entity is a MIME::Entity that's the parsed message
my $marker1 = "\xd0\xcf\x11\xe0";
my $marker2 = "\x00\x41\x74\x74\x72\x69\x62\x75\x74\x00";

sub contains_office_macros {
    my ($self, $entity) = @_;
    my @parts = $entity->parts();
    if (scalar(@parts) > 0) {
        foreach my $part (@parts) {
            if ($self->contains_office_macros($part)) {
                return 1;
            }
        }
        return 0;
    }
    my $is_msoffice_extension = 0;
    foreach my $attr_name (qw( Content-Disposition.filename Content-Type.name) ) {
        my $possible = $entity->head->mime_attr($attr_name);
        $possible = decode_mimewords($possible);
        if ($possible =~ /\.(doc|docx)$/i) {
            $is_msoffice_extension = 1;
            last;
        }
    }
    return 0 unless $is_msoffice_extension;
    return 0 unless defined($entity->bodyhandle) && defined($entity->bodyhandle->path);
    my $fp;
    if (!open($fp, '<:raw', $entity->bodyhandle->path)) {
        return 0;
    }
    my $contents;
    {
        local $/;
        $contents = <$fp>;
        close($fp);
    }
    if (index($contents, $marker1) > -1 && index($contents, $marker2) > -1) {
        return 1;
    }
    return 0;
}