[SOLVED] How to add SpamAssassin score for encrypted xls files

Dec 23, 2021
Hi!
I am using a clustered Mail Gateway 7.1-1. We have several users in different domains and can not block all encrypted Office documents by default, but currently lots of spam get through the gateway without getting a spam tag. They have an xls attachment with a password.

What steps would be required to get encrypted office files tagged so that I could at least mark them as spam? I believe a score line "KAM_OLEMACRO_ENCRYPTED Has an Office doc that is encrypted" in /usr/share/spamassassin-extra/KAM.cf should already have the required functionality, however even after I installed a missing libio-string-perl and added a line
Code:
loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro
in /etc/mail/spamassassin/custom.cf
the incoming encrypted xls did not seem to trigger SpamAssassin scores for encrypted Office documents. There was neither KAM_OLEMACRO_ENCRYPTED nor OLEMACRO_ENCRYPTED in a received message and it got a SA score 0.

Spamassassin lint shows the following lines so I assume the module is loaded OK:
Code:
dbg: plugin: loading Mail::SpamAssassin::Plugin::OLEVBMacro from @INC
dbg: config: using "/usr/share/spamassassin-extra/KAM.cf" for included file
 
In theory these files should get discovered by clamav as Heuristic - usually it works to set a high Heuristic score in GUI->Configuration->Spam Detector->Options, and activate 'Block encrypted archives and documents' in GUI->Configuration->Virus Detector->Options.

(Of course you also need a rule in the rule system to put mails with a high score in quarantine.)

If this does not work, please provide the logs of such a mail.

I hope this helps!
 
Thank you!
Based on the name of the setting 'Block encrypted archives and documents' I assumed it would block them, but now I know it only increases the spam score with the amount of 'Heuristic score setting' in another menu and I can tune it to get them in quarantine. I am now testing this combination.

Perhaps renaming the setting would make its function a bit more clear.
 
Perhaps renaming the setting would make its function a bit more clear.
We did consider renaming it at some point - the upside of the current names is that it reflects rather directly what is happening to the individual components - the one setting simply enables `AlertEncrypted` in the clamd config and the other one simply adds a SpamAssassin hit on any mail which triggers a Heuristic hit by clamav.

I hope this explains it.
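The thread turns on one question: what does "an encrypted Office document" look like to a scanner such as clamav's AlertEncrypted heuristic or SpamAssassin's OLEVBMacro plugin, given that the password is unknown and the content cannot be read? The added example below (not code from the forum, from Proxmox, from ClamAV or from SpamAssassin) shows the two structural signals a detector can use without the password: a password-saved .xlsx is an OLE2/CFB container carrying `EncryptionInfo` and `EncryptedPackage` streams, and a password-saved legacy .xls carries a FILEPASS record (id 0x002F) in its Workbook stream. The sample byte strings are constructed for the demonstration and are not valid files; the stream-name scan is a simplified heuristic, and the helper names are my own.

```python
"""Structural detection of password-protected Excel attachments (added example)."""
import struct
from typing import Iterator, Optional, Tuple

# Magic bytes of an OLE2 / Compound File Binary container (.xls, .doc, encrypted .xlsx).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# CFB directory entries store stream names as UTF-16LE; an encrypted OOXML file
# wraps its ciphertext in these two streams.
OOXML_ENCRYPTION_STREAMS = ("EncryptionInfo", "EncryptedPackage")
# BIFF8 record ids relevant to the legacy .xls check.
BIFF_BOF = 0x0809
BIFF_FILEPASS = 0x002F
BIFF_EOF = 0x000A


def is_ole_container(data: bytes) -> bool:
    """True when the attachment starts with the OLE2 magic."""
    return data[:8] == OLE_MAGIC


def has_ooxml_encryption_streams(data: bytes) -> bool:
    """Heuristic: OLE magic plus the UTF-16LE names of both encryption streams.
    A real CFB parser (e.g. olefile) would walk the directory instead of
    scanning raw bytes; this is an assumption-free approximation of that."""
    if not is_ole_container(data):
        return False
    return all(name.encode("utf-16-le") in data for name in OOXML_ENCRYPTION_STREAMS)


def iter_biff_records(stream: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (record_id, payload) from a BIFF stream; stop cleanly on truncation."""
    pos = 0
    while pos + 4 <= len(stream):
        rec_id, length = struct.unpack_from("<HH", stream, pos)
        pos += 4
        if pos + length > len(stream):
            break  # truncated record: do not read past the buffer
        yield rec_id, stream[pos:pos + length]
        pos += length


def workbook_has_filepass(workbook_stream: bytes) -> bool:
    """True when the Workbook stream contains a FILEPASS record before EOF.
    In a password-protected .xls the FILEPASS record directly follows BOF."""
    for rec_id, _payload in iter_biff_records(workbook_stream):
        if rec_id == BIFF_FILEPASS:
            return True
        if rec_id == BIFF_EOF:
            break
    return False


def classify(attachment: bytes, workbook_stream: Optional[bytes] = None) -> str:
    """Label an attachment; workbook_stream is the extracted 'Workbook' stream,
    if the caller has a CFB parser available (assumed, e.g. olefile)."""
    if not is_ole_container(attachment):
        return "not-ole"
    if has_ooxml_encryption_streams(attachment):
        return "encrypted-ooxml"
    if workbook_stream is not None and workbook_has_filepass(workbook_stream):
        return "encrypted-biff"
    return "plain-office"


def _biff(rec_id: int, payload: bytes) -> bytes:
    """Build one BIFF record: little-endian id, length, payload."""
    return struct.pack("<HH", rec_id, len(payload)) + payload


# Constructed samples (not real files): a BOF/FILEPASS/EOF Workbook stream for an
# encrypted .xls, a BOF/EOF stream for a plain one, and an OLE header followed by
# the encryption stream names as they would appear in a CFB directory.
SAMPLE_ENCRYPTED_XLS_WORKBOOK = (
    _biff(BIFF_BOF, b"\x00\x06\x05\x00" + b"\x00" * 12)   # BIFF8 workbook-globals BOF
    + _biff(BIFF_FILEPASS, b"\x01\x00" + b"\x00" * 52)    # wEncryptionType=1 (RC4), zeroed header
    + _biff(BIFF_EOF, b"")
)
SAMPLE_PLAIN_XLS_WORKBOOK = _biff(BIFF_BOF, b"\x00\x06\x05\x00" + b"\x00" * 12) + _biff(BIFF_EOF, b"")
SAMPLE_ENCRYPTED_XLSX_CONTAINER = (
    OLE_MAGIC + b"\x00" * 504
    + "EncryptionInfo".encode("utf-16-le") + b"\x00" * 36
    + "EncryptedPackage".encode("utf-16-le") + b"\x00" * 32
)
SAMPLE_ZIP_XLSX = b"PK\x03\x04" + b"\x00" * 26  # an ordinary (unencrypted) .xlsx is a zip


if __name__ == "__main__":
    print(classify(SAMPLE_ENCRYPTED_XLSX_CONTAINER))                          # encrypted-ooxml
    print(classify(OLE_MAGIC + b"\x00" * 504, SAMPLE_ENCRYPTED_XLS_WORKBOOK))  # encrypted-biff
    print(classify(OLE_MAGIC + b"\x00" * 504, SAMPLE_PLAIN_XLS_WORKBOOK))      # plain-office
    print(classify(SAMPLE_ZIP_XLSX))                                           # not-ole
```

For a real .xls the Workbook stream has to be pulled out of the CFB container first; with the olefile library that is `olefile.OleFileIO(data).openstream("Workbook").read()`, which is why `classify` takes the stream as a separate argument. Either signal is enough to justify a score bump rather than a block, which matches the two-setting design described above: the detector only reports "encrypted", and the quarantine decision stays in the rule system.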