[SOLVED] How to add SpamAssassin score for encrypted xls files

Dec 23, 2021
Hi!
I am using a clustered Mail Gateway 7.1-1. We have several users in different domains and cannot block all encrypted Office documents by default, but currently lots of spam gets through the gateway without getting a spam tag. They have an xls attachment with a password.

What steps would be required to get encrypted office files tagged so that I could at least mark them as spam? I believe a score line "KAM_OLEMACRO_ENCRYPTED Has an Office doc that is encrypted" in /usr/share/spamassassin-extra/KAM.cf should already have the required functionality; however, even after I installed a missing libio-string-perl and added a line
Code:
loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro
in /etc/mail/spamassassin/custom.cf
the incoming encrypted xls did not seem to trigger SpamAssassin scores for encrypted Office documents. There was neither KAM_OLEMACRO_ENCRYPTED nor OLEMACRO_ENCRYPTED in a received message, and it got an SA score of 0.

SpamAssassin lint shows the following lines, so I assume the module is loaded OK:
Code:
dbg: plugin: loading Mail::SpamAssassin::Plugin::OLEVBMacro from @INC
dbg: config: using "/usr/share/spamassassin-extra/KAM.cf" for included file
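Both detection paths discussed in this thread (the KAM_OLEMACRO_ENCRYPTED rule and clamav's encrypted-document heuristic) rest on the same file-format facts: a password-protected legacy .xls carries a FILEPASS record in its BIFF "Workbook" stream, and a password-protected .xlsx is not a ZIP at all but an OLE2 compound file holding "EncryptionInfo" and "EncryptedPackage" streams. The script below is an added illustration of that check, not code from this thread, from Proxmox or from SpamAssassin; it includes a minimal OLE2 reader so it runs with the standard library alone. The build_cfb fixture writer and the SAMPLE_* inputs are constructed for the demonstration and are not real Excel output, and the reader assumes files small enough that the FAT sector list fits in the 109 DIFAT slots of the header.

```python
"""Added example: detect password-protected Office files with the standard library only.
A legacy .xls keeps a FILEPASS record in its BIFF "Workbook" stream; a password-protected
.xlsx/.docx/.pptx is an OLE2 container with "EncryptionInfo" and "EncryptedPackage" streams."""
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN, FREESECT, FATSECT = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD
STREAM, ROOT = 2, 5                          # directory entry object types
BIFF_BOF, BIFF_FILEPASS, BIFF_EOF = 0x0809, 0x002F, 0x000A

def _chain(fat, first, read, length=None):
    # Concatenate the sectors of a FAT (or mini FAT) chain starting at `first`.
    out, s, seen = bytearray(), first, set()
    while s != ENDOFCHAIN and s < len(fat) and s not in seen:
        seen.add(s)                          # never loop on a corrupt cyclic chain
        out += read(s)
        s = fat[s]
    return bytes(out if length is None else out[:length])

def cfb_streams(data):
    """Return {name: bytes} for every stream in an OLE2 compound file."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE2 compound file")
    sec, mini = (1 << v for v in struct.unpack_from("<HH", data, 30))
    n_fat, first_dir = struct.unpack_from("<II", data, 44)
    cutoff, first_minifat, n_minifat = struct.unpack_from("<III", data, 56)
    read = lambda s: data[(s + 1) * sec:(s + 2) * sec]       # the header is not a sector
    fat = []                      # FAT sectors listed in the header DIFAT (109 slots, so this
    for s in struct.unpack_from("<109I", data, 76)[:n_fat]:  # example assumes files < ~7 MB)
        fat += struct.unpack("<%dI" % (sec // 4), read(s))
    entries, directory = [], _chain(fat, first_dir, read)
    for off in range(0, len(directory), 128):
        e = directory[off:off + 128]
        name_len, kind = struct.unpack_from("<HB", e, 64)
        start, size = struct.unpack_from("<II", e, 116)      # v3 files: 32-bit sizes
        entries.append((e[:max(name_len - 2, 0)].decode("utf-16-le"), kind, start, size))
    # Streams below the cutoff live in the mini stream (the Root Entry's chain), via the mini FAT.
    root = next(e for e in entries if e[1] == ROOT)
    ministream = _chain(fat, root[2], read, root[3])
    minifat_raw = _chain(fat, first_minifat, read) if n_minifat else b""
    minifat = struct.unpack("<%dI" % (len(minifat_raw) // 4), minifat_raw)
    mini_read = lambda s: ministream[s * mini:(s + 1) * mini]
    return {name: (_chain(minifat, start, mini_read, size) if size < cutoff
                   else _chain(fat, start, read, size))
            for name, kind, start, size in entries if kind == STREAM}

def biff_has_filepass(workbook):
    """Walk the BIFF records of the globals substream; a FILEPASS record means encrypted."""
    off = 0
    while off + 4 <= len(workbook):
        rec_id, rec_len = struct.unpack_from("<HH", workbook, off)
        if rec_id == BIFF_FILEPASS:
            return True
        if rec_id == BIFF_EOF:               # end of globals; FILEPASS would have come first
            return False
        off += 4 + rec_len
    return False

def office_encryption(data):
    """None if not an OLE2 file or not encrypted, else 'ooxml' or 'biff'."""
    if data[:8] != CFB_MAGIC:
        return None                          # e.g. an ordinary ZIP-based .xlsx
    streams = cfb_streams(data)
    if all(n in streams for n in ("EncryptionInfo", "EncryptedPackage")):
        return "ooxml"
    if any(biff_has_filepass(streams.get(n, b"")) for n in ("Workbook", "Book")):
        return "biff"                        # BIFF8 / BIFF5 stream names
    return None

def _dirent(name, kind, start, size):        # 128-byte directory entry (fixture writer)
    raw, e = name.encode("utf-16-le") + b"\0\0", bytearray(128)
    e[:len(raw)] = raw
    struct.pack_into("<HBxIII", e, 64, len(raw), kind, FREESECT, FREESECT, FREESECT)
    struct.pack_into("<II", e, 116, start, size)
    return bytes(e)

def build_cfb(streams, sec=512):
    """Constructed fixture writer (not real Excel output): v3 file with sector 0 = FAT,
    1 = directory, then each stream padded to >= 4096 bytes so it lives in the FAT."""
    fat, body = [FATSECT, ENDOFCHAIN], b""
    dirents = [_dirent("Root Entry", ROOT, ENDOFCHAIN, 0)]   # empty mini stream
    for name, blob in streams.items():
        blob = blob.ljust(max(4096, -(-len(blob) // sec) * sec), b"\0")
        start, n = 2 + len(body) // sec, len(blob) // sec
        fat += list(range(start + 1, start + n)) + [ENDOFCHAIN]
        dirents.append(_dirent(name, STREAM, start, len(blob)))
        body += blob
    fat += [FREESECT] * (sec // 4 - len(fat))                # fits one FAT sector
    dirents += [b"\0" * 128] * (sec // 128 - len(dirents))   # fits one directory sector
    header = (CFB_MAGIC + b"\0" * 16 + struct.pack("<5H6x", 0x3E, 3, 0xFFFE, 9, 6)
              + struct.pack("<9I", 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
              + struct.pack("<109I", 0, *[FREESECT] * 108))
    return header + struct.pack("<%dI" % (sec // 4), *fat) + b"".join(dirents) + body

def _rec(rec_id, payload):                   # one BIFF record: id, length, payload
    return struct.pack("<HH", rec_id, len(payload)) + payload

SAMPLE_XLS_ENCRYPTED = build_cfb({"Workbook": _rec(BIFF_BOF, b"\0" * 16)
                                  + _rec(BIFF_FILEPASS, b"\1\0" + b"\0" * 52) + _rec(BIFF_EOF, b"")})
SAMPLE_XLS_PLAIN = build_cfb({"Workbook": _rec(BIFF_BOF, b"\0" * 16) + _rec(BIFF_EOF, b"")})
SAMPLE_XLSX_ENCRYPTED = build_cfb({"EncryptionInfo": b"\4\0\4\0", "EncryptedPackage": b"\0" * 8})
SAMPLE_ZIP_XLSX = b"PK\x03\x04" + b"\0" * 26  # ordinary unencrypted .xlsx: a ZIP, not OLE2
```

office_encryption() returns "biff" for the constructed encrypted .xls, "ooxml" for the constructed encrypted .xlsx, and None for the plain workbook and for the ZIP header. On a gateway the same classification is what a rule such as KAM_OLEMACRO_ENCRYPTED or clamav's AlertEncrypted heuristic adds to the score; the mapping from "detected" to "quarantined" is still done by the score threshold and rule system, as the replies below explain.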
 
In theory these files should get discovered by clamav as Heuristic. Usually it works to set a high Heuristic score in GUI -> Configuration -> Spam Detector -> Options, and activate 'Block encrypted archives and documents' in GUI -> Configuration -> Virus Detector -> Options.

(Of course you also need a rule in the rule system to put mails with a high score in quarantine.)

If this does not work, please provide the logs of such a mail.

I hope this helps!
 
Thank you!
Based on the name of the setting 'Block encrypted archives and documents' I assumed it would block them, but now I know it only increases the spam score by the amount of the 'Heuristic score' setting in another menu, and I can tune it to get them into quarantine. I am now testing this combination.

Perhaps renaming the setting would make its function a bit more clear.
 
Perhaps renaming the setting would make its function a bit more clear.
We did consider renaming it at some point - the upside of the current names is that they reflect rather directly what is happening to the individual components: the one setting simply enables `AlertEncrypted` in the clamd config, and the other one simply adds a SpamAssassin hit on any mail which triggers a Heuristic hit by clamav.

I hope this explains it.
 