Block macro documents in Proxmox Mail Gateway

sanojs
Member
Sep 13, 2019
Hello,

Can you provide the steps to block macro documents in the Proxmox Mail Gateway?

Regards,
sanoj
 
Hi,

You can edit /etc/clamav/clamd.conf and add: OLE2BlockMacros true

Keep in mind, I think your goal is to block malicious Word macros, but this will mark a document as malicious if it detects a macro.

This is already enabled in PMG by default (ScanOLE2 option).

Have you tested it?

You can configure a heuristic score and configure the rules to do an action of your choosing (like block).
 
Hi Team,

Can we recover the macro-blocked emails if we enable this option? Also, please provide the steps to recover the macro emails.


Thanks,
 
I have set the OLE2BlockMacros true option and restarted the ClamAV services, but the mails are not being blocked in Proxmox, although the log shows it detects macros. Kindly help us to block the macros in the Proxmox Mail Gateway.


++++++++++++++++++
Sep 14 10:57:12 mailgateway postfix/smtpd[9770]: connect from unknown[192.168.3.201]
Sep 14 10:57:13 mailgateway postfix/smtpd[9770]: 75B5FC1246: client=unknown[192.168.3.201]
Sep 14 10:57:13 mailgateway postfix/cleanup[12301]: 75B5FC1246: message-id=<4d6e01d68a64$43910af0$cab320d0$@abcd.com>
Sep 14 10:57:14 mailgateway postfix/smtpd[9770]: disconnect from unknown[192.168.3.201] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Sep 14 10:57:14 mailgateway postfix/qmgr[708]: 75B5FC1246: from=<dhinil@abcd.com>, size=71000, nrcpt=1 (queue active)
Sep 14 10:57:50 mailgateway pmg-smtp-filter[12671]: C121F5F5F146E3BB30: new mail message-id=<4d6e01d68a64$43910af0$cab320d0$@abcd.com>
Sep 14 10:57:50 mailgateway pmg-smtp-filter[12671]: C121F5F5F146E3BB30: virus detected: Heuristics.OLE2.ContainsMacros (clamav)
Sep 14 10:57:58 mailgateway pmg-smtp-filter[12671]: C121F5F5F146E3BB30: SA score=1/5 time=7.523 bayes=0 autolearn=ham autolearn_force=no hits=ClamAVHeuristics(3),AWL(0.210),BAYES_00(-1.9),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),HTML_IMAGE_ONLY_32(0.001),HTML_MESSAGE(0.001),RCVD_IN_DNSWL_NONE(-0.0001),RCVD_IN_MSPIKE_H2(-0.001),SPF_HELO_NONE(0.001),URIBL_BLOCKED(0.001)
Sep 14 10:57:58 mailgateway postfix/smtpd[12079]: connect from localhost.localdomain[127.0.0.1]
Sep 14 10:57:58 mailgateway postfix/smtpd[12079]: 5BC8CC125C: client=localhost.localdomain[127.0.0.1], orig_client=unknown[192.168.3.201]
Sep 14 10:57:58 mailgateway postfix/cleanup[12650]: 5BC8CC125C: message-id=<4d6e01d68a64$43910af0$cab320d0$@abcd.com>
Sep 14 10:57:58 mailgateway postfix/qmgr[708]: 5BC8CC125C: from=<dhinil@abcd.com>, size=72381, nrcpt=1 (queue active)
Sep 14 10:57:58 mailgateway postfix/smtpd[12079]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Sep 14 10:57:58 mailgateway pmg-smtp-filter[12671]: C121F5F5F146E3BB30: accept mail to <dhanesh.k@xyx.com> (5BC8CC125C)
Sep 14 10:57:58 mailgateway pmg-smtp-filter[12671]: C121F5F5F146E3BB30: processing time: 8.24 seconds (7.523, 0.243, 0)
Sep 14 10:57:58 mailgateway postfix/lmtp[11592]: 75B5FC1246: to=<dhanesh.k@xyx.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=45, delays=0.9/36/0.05/8.3, dsn=2.5.0, status=sent (250 2.5.0 OK (C121F5F5F146E3BB30))
Sep 14 10:57:58 mailgateway postfix/qmgr[708]: 75B5FC1246: removed
Sep 14 10:57:58 mailgateway postfix/smtp[11378]: 5BC8CC125C: to=<dhanesh.k@xyx.com>, relay=192.168.3.201[192.168.3.201]:25, delay=0.29, delays=0.12/0/0.04/0.13, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0DA6B1096015E)
Sep 14 10:57:58 mailgateway postfix/qmgr[708]: 5BC8CC125C: removed


++++++++++++++++++
 
Documents with OLE macros are detected by ClamAV as heuristics, and these heuristic matches are treated as spam hits in PMG. You can configure how many points they receive in GUI->Configuration->SpamDetector->Heuristic Score.

Turn the score to something higher and adapt your rule system to block or quarantine such mail.

Else:
hits=ClamAVHeuristics(3),AWL(0.210),BAYES_00(-1.9)...,URIBL_BLOCKED(0.001)

This mail got -1.9 points from your activated Bayes filter. If it was indeed a spam mail, I would suggest disabling Bayes filtering, since it changes the result in the wrong direction.

URIBL_BLOCKED indicates that the DNS server configured on your PMG is over quota. Consider setting up a resolving nameserver on PMG:
https://pmg.proxmox.com/wiki/index.php/DNS_server_on_Proxmox_Mail_Gateway
https://pmg.proxmox.com/wiki/index.php/Getting_started_with_Proxmox_Mail_Gateway

I hope this helps!
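The following Python script is an added example, not part of the original thread and not Proxmox code. It parses the per-message lines that pmg-smtp-filter writes (the kind quoted in the log above), pairs each ClamAV heuristic hit with the SpamAssassin score and the final action, lists the messages where a macro was detected but the mail was still accepted, and recomputes the SpamAssassin total with a higher Heuristic Score to show when the same mail would cross the threshold. The sample log is constructed: the first message is trimmed from the log posted above, the second message is invented as a control without a heuristic hit, and the action verbs other than "accept" are an assumption about how other rule actions would be logged.

```python
"""Added example: find PMG macro detections that the rule system accepted.

Not PMG code. Parses the per-message lines pmg-smtp-filter writes, pairs the
ClamAV heuristic hit with the SpamAssassin score and the final action, and
recomputes the score with a higher Heuristic Score.
"""
import re

# Constructed sample log. Message C121F5F5F146E3BB30 is trimmed from the log
# posted in the thread; message D000000000000000001 is invented as a control
# message without a heuristic hit. The postfix line shows unrelated lines are skipped.
SAMPLE_LOG = """\
Sep 14 10:57:14 mailgateway postfix/qmgr[708]: 75B5FC1246: from=<dhinil@abcd.com>, size=71000, nrcpt=1 (queue active)
Sep 14 10:57:50 mailgateway pmg-smtp-filter[12671]: C121F5F5F146E3BB30: new mail message-id=<4d6e01d68a64$43910af0$cab320d0$@abcd.com>
Sep 14 10:57:50 mailgateway pmg-smtp-filter[12671]: C121F5F5F146E3BB30: virus detected: Heuristics.OLE2.ContainsMacros (clamav)
Sep 14 10:57:58 mailgateway pmg-smtp-filter[12671]: C121F5F5F146E3BB30: SA score=1/5 time=7.523 bayes=0 autolearn=ham autolearn_force=no hits=ClamAVHeuristics(3),AWL(0.210),BAYES_00(-1.9),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),HTML_IMAGE_ONLY_32(0.001),HTML_MESSAGE(0.001),RCVD_IN_DNSWL_NONE(-0.0001),RCVD_IN_MSPIKE_H2(-0.001),SPF_HELO_NONE(0.001),URIBL_BLOCKED(0.001)
Sep 14 10:57:58 mailgateway pmg-smtp-filter[12671]: C121F5F5F146E3BB30: accept mail to <dhanesh.k@xyx.com> (5BC8CC125C)
Sep 14 11:02:01 mailgateway pmg-smtp-filter[12671]: D000000000000000001: new mail message-id=<constructed-1@example.invalid>
Sep 14 11:02:03 mailgateway pmg-smtp-filter[12671]: D000000000000000001: SA score=0/5 time=1.2 bayes=0 autolearn=ham autolearn_force=no hits=HTML_MESSAGE(0.001),DKIM_SIGNED(0.1),SPF_PASS(-0.001)
Sep 14 11:02:03 mailgateway pmg-smtp-filter[12671]: D000000000000000001: accept mail to <someone@example.invalid> (5BC8CC125D)
"""

LINE_RE = re.compile(r"pmg-smtp-filter\[\d+\]: (?P<id>[0-9A-F]+): (?P<rest>.*)$")
HEUR_RE = re.compile(r"virus detected: (?P<sig>Heuristics\.\S+) \(clamav\)")
SA_RE = re.compile(r"SA score=(?P<score>-?\d+)/(?P<req>\d+) .*?hits=(?P<hits>\S*)")
HIT_RE = re.compile(r"([A-Za-z0-9_]+)\((-?[0-9.]+)\)")
# Only "accept mail" is confirmed by the log in this thread; the other verbs are
# an assumption about how other rule actions would be logged.
ACTION_RE = re.compile(r"^(?P<action>accept|block|quarantine|reject) mail\b")


def parse_filter_log(text):
    """Group pmg-smtp-filter lines by filter ID and extract what we care about."""
    messages = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # postfix and other daemons' lines are not relevant here
        rec = messages.setdefault(
            m["id"], {"heuristics": [], "score": None, "required": None, "hits": {}, "action": None}
        )
        rest = m["rest"]
        h = HEUR_RE.search(rest)
        if h:
            rec["heuristics"].append(h["sig"])
            continue
        s = SA_RE.search(rest)
        if s:
            rec["score"] = int(s["score"])
            rec["required"] = int(s["req"])
            # Per-rule points, e.g. {"ClamAVHeuristics": 3.0, "BAYES_00": -1.9, ...}
            rec["hits"] = {name: float(pts) for name, pts in HIT_RE.findall(s["hits"])}
            continue
        a = ACTION_RE.match(rest)
        if a:
            rec["action"] = a["action"]
    return messages


def rescore(hits, heuristic_points, rule="ClamAVHeuristics"):
    """Recompute the SA total as if the Heuristic Score were heuristic_points.

    If the message never hit the heuristic rule, raising the score has no
    effect, which is why the control message keeps its original total.
    """
    adjusted = dict(hits)
    if rule in adjusted:
        adjusted[rule] = float(heuristic_points)
    return round(sum(adjusted.values()), 4)


def unblocked_macro_mail(messages):
    """IDs where ClamAV flagged a heuristic but the final action was accept."""
    return sorted(mid for mid, rec in messages.items() if rec["heuristics"] and rec["action"] == "accept")


if __name__ == "__main__":
    parsed = parse_filter_log(SAMPLE_LOG)
    for mid in unblocked_macro_mail(parsed):
        rec = parsed[mid]
        print(f"{mid}: {', '.join(rec['heuristics'])} accepted with SA score "
              f"{rec['score']}/{rec['required']}; with Heuristic Score 10 it "
              f"would total {rescore(rec['hits'], 10)}")
```

Feed it the gateway's mail log instead of the embedded sample; any ID it lists is a macro detection that the rule system let through. For the message from the thread the hits sum to about 1.11, which the log reports as 1/5, and setting the Heuristic Score to 10 lifts the same message to about 8.11, so the heuristic alone would carry it past the 5-point mark even with the -1.9 Bayes deduction still in place. Whether that then results in a block or a quarantine still depends on the spam level the rule system is configured to act on.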
 
