On 03/10/16 21:30, John Hardin wrote:
> ClamAV is probably the correct approach to macro-based malware, unless we want to do an MS Office document plugin with something like an eval for has_macros().
ClamAV does allow macro detection, but whether you can use this feature depends on the MTA glue used. With feedback from Alex I've put together a plugin which detects the presence of an MS Office macro, with a few other bits. Testing shows it to be speedy and reliable enough, though seemingly lots of legit emails have macro attachments; this should help build metas/help detection.

https://github.com/fmbla/spamassassin-olemacro

- Detects macros - both old and new style
- Basic 'malicious' macro detection
- Protected (encrypted) document detection

Paul

-- 
Paul Stead
Systems Engineer
Zen Internet
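For readers who want to see what "old style" versus "new style" macro detection and "protected document" detection actually look like at the byte level, the following is an added example, not code from the post and not the spamassassin-olemacro plugin itself (which is written in Perl for SpamAssassin). It is a stand-alone Python sketch: a minimal reader for the OLE2 compound-file directory (used by legacy .doc/.xls/.ppt, and by every password-protected Office file regardless of type), a ZIP-based check for OOXML (.docm/.xlsm/.pptm), and constructed sample files to run it on. Assumptions: the stream/storage names checked (`_VBA_PROJECT`, `VBA`, `Macros`, `EncryptionInfo`, `EncryptedPackage`, `vbaProject.bin`) are the standard Office container names; only the 109 DIFAT entries held in the OLE2 header are followed, so very large files are out of scope; the sample documents are synthetic and contain no real macro code. The post's "basic 'malicious' macro" heuristics are not reproduced here because the post does not describe them.

```python
"""Detect VBA macros and encryption in MS Office attachments.

Added example (not the spamassassin-olemacro plugin's Perl code): presence of a
VBA project in OLE2 ("old style") and OOXML ("new style") containers, plus
password/encryption protection. Sample documents are constructed inline.
"""
import io
import struct
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN, FATSECT, FREESECT = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF
# Directory-entry names that indicate a VBA project or an encrypted package
# (an Office file with a "password to open" is an OLE2 container whose payload
# sits in EncryptedPackage, whatever the original format was).
MACRO_NAMES = {"_VBA_PROJECT", "VBA", "Macros", "_VBA_PROJECT_CUR"}
ENCRYPTED_NAMES = {"EncryptedPackage", "EncryptionInfo"}


def ole_directory_names(data: bytes) -> list:
    """Return the names of all in-use directory entries of an OLE2 file.

    Follows the FAT chain of directory sectors starting at the header's first
    directory sector; the red-black sibling/child tree is not needed because
    every in-use entry lives in some directory sector.
    """
    if not data.startswith(OLE_MAGIC):
        raise ValueError("not an OLE2 compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    n_fat_sectors = struct.unpack_from("<I", data, 0x2C)[0]
    first_dir = struct.unpack_from("<I", data, 0x30)[0]
    difat = struct.unpack_from("<109I", data, 0x4C)  # header-resident DIFAT only
    fat = []
    for sect in difat[:n_fat_sectors]:
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, (sect + 1) * sector_size))
    names, seen, sect = [], set(), first_dir
    while sect != ENDOFCHAIN and sect < len(fat) and sect not in seen:
        seen.add(sect)  # guard against a looping FAT chain in a hostile file
        base = (sect + 1) * sector_size
        for i in range(sector_size // 128):
            entry = data[base + i * 128 : base + (i + 1) * 128]
            if len(entry) < 128:
                break  # truncated file
            name_len = struct.unpack_from("<H", entry, 0x40)[0]  # bytes incl. NUL
            if entry[0x42] == 0 or name_len < 2:
                continue  # object type 0 = unused entry
            names.append(entry[: name_len - 2].decode("utf-16-le"))
        sect = fat[sect]
    return names


def inspect_office(data: bytes) -> dict:
    """Classify a blob as ole2/ooxml/other and report macros and encryption."""
    if data.startswith(OLE_MAGIC):
        names = set(ole_directory_names(data))
        return {"format": "ole2", "has_macros": bool(names & MACRO_NAMES),
                "encrypted": bool(names & ENCRYPTED_NAMES)}
    if data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            infos = z.infolist()
        has_macros = any(i.filename.lower().endswith("vbaproject.bin") for i in infos)
        # Bit 0 of the ZIP general-purpose flags marks a password-protected entry.
        return {"format": "ooxml", "has_macros": has_macros,
                "encrypted": any(i.flag_bits & 0x1 for i in infos)}
    return {"format": "other", "has_macros": False, "encrypted": False}


def build_ole2(stream_names: list) -> bytes:
    """Constructed sample: minimal valid OLE2 file, FAT in sector 0, directory in sector 1."""
    assert len(stream_names) <= 3, "one 512-byte directory sector holds Root Entry + 3"
    header = bytearray(512)
    header[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", header, 0x18, 0x3E, 3, 0xFFFE, 9, 6)  # versions, byte order, shifts
    struct.pack_into("<II", header, 0x2C, 1, 1)  # 1 FAT sector; first directory sector = 1
    struct.pack_into("<IIII", header, 0x38, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN)
    struct.pack_into("<109I", header, 0x4C, 0, *([FREESECT] * 108))  # DIFAT: FAT at sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    directory = bytearray(512)
    for i, name in enumerate(["Root Entry"] + list(stream_names)):
        entry = memoryview(directory)[i * 128 : (i + 1) * 128]
        encoded = name.encode("utf-16-le") + b"\x00\x00"
        entry[: len(encoded)] = encoded
        struct.pack_into("<HB", entry, 0x40, len(encoded), 5 if i == 0 else 2)  # type: root/stream
        struct.pack_into("<III", entry, 0x44, FREESECT, FREESECT, FREESECT)  # no siblings/child
    return bytes(header) + fat + bytes(directory)


def build_ooxml(with_macros: bool) -> bytes:
    """Constructed sample: skeletal .docx/.docm ZIP (vbaProject.bin content is a placeholder)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "legacy .doc with VBA": build_ole2(["WordDocument", "Macros", "_VBA_PROJECT"]),
        "legacy .doc, no macros": build_ole2(["WordDocument"]),
        "password-protected Office": build_ole2(["EncryptionInfo", "EncryptedPackage"]),
        ".docm": build_ooxml(True),
        ".docx": build_ooxml(False),
    }
    for label, blob in samples.items():
        print(f"{label:26s} {inspect_office(blob)}")
```

In a real filter the same two checks run on each decoded MIME part; note that a real `vbaProject.bin` is itself an OLE2 container, so `ole_directory_names` can be applied to that ZIP entry as well if you want to confirm a `VBA` storage is actually present rather than trusting the file name.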