Gary Stainburn
2015-Oct-29 10:51 UTC
[CentOS] Detecting empty office doc containing virus macro
On Wednesday 28 October 2015 21:12:19 Ned Slider wrote:
> On 28/10/15 11:55, Gary Stainburn wrote:
> > We are receiving LOTS of emails that contain empty XLS or DOC documents
> > with embedded virus macros. These are getting past SPAMASSASSIN, Clamav
> > and Kaspersky.
> >
> > I'm trying to write a filter for EXIM to block these emails but I need to
> > know a good, quick, command-line to detect an empty doc with a macro.
> >
> > Is there anything available that I can use??
> >
> > I have managed to write a PERL script to detect empty xls xlsx, doc and
> > docx files but I cannot detect whether they have any macros embedded
> >
> > Gary
>
> If you've got a script to detect empty docs then it should be relatively
> easy to detect these. I assume empty attachments are not normal in your
> mail flows?
>

I have come to the conclusion that I am just going to have to stick with detecting empty documents and forget the macro checks.

> I would look to write some custom SpamAssassin rules, maybe
> incorporating your script, to detect these and filter them out.

I would love to be able to write custom Spamassassin rules but do not know how to do this. All I have done in the past is add small pattern matching rules to local.cf

Another rule I would like to add to Spamassassin is to catch emails where the subject starts with the email local part in brackets as we get a LOT of those too.

>
> Are you able to post some examples to pastebin?

http://www.stainburn.com/virus_files/I0000040777.doc
http://www.stainburn.com/virus_files/FAX_20151028_1445421437_89.doc
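The macro check Gary gave up on is doable without a full document parser, because a VBA project announces itself in the container's directory. The following is an added example (Python rather than Gary's Perl, and not code from the thread): it lists the entry names of an OLE2 compound file by walking the FAT chain of the directory stream, looks for the "VBA" / "_VBA_PROJECT" names that Word and Excel use, and for the zip-based docx/xlsx formats looks for a vbaProject.bin entry. The two sample documents are constructed in memory for the example; they are not the files linked above. The helper names, the 109-entry DIFAT limit and the 4.0 MB-ish size cap that follows from it are this example's own choices.

```python
"""Added example (not Gary's Perl script, not from the thread): flag Office
attachments that carry a VBA project, by listing container entry names.

Word/Excel 97-2003 files are OLE2 Compound File Binary (CFB) containers; a VBA
project is a storage named "VBA" (under "Macros" in Word, "_VBA_PROJECT_CUR"
in Excel) holding a stream named "_VBA_PROJECT".  docx/xlsx/docm/xlsm are ZIP
containers; a VBA project is an entry named vbaProject.bin.
"""
import io
import struct
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN, FATSECT, FREESECT = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF
VBA_NAMES = {"vba", "_vba_project", "_vba_project_cur"}


def cfb_entry_names(data):
    """Names of every used directory entry in a CFB file, in directory order.
    Only the 109 DIFAT slots in the header are read (files up to about 6.8 MB
    with 512-byte sectors); larger files raise rather than being half-parsed."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE2/CFB file")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    num_fat_sectors = struct.unpack_from("<I", data, 44)[0]
    first_dir_sector = struct.unpack_from("<I", data, 48)[0]
    if num_fat_sectors > 109:
        raise ValueError("extended DIFAT not handled by this example")
    fat = []
    for fat_sector in struct.unpack_from("<109I", data, 76)[:num_fat_sectors]:
        offset = (fat_sector + 1) * sector_size          # sector 0 follows the 512-byte header
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, offset))

    names, seen, sector = [], set(), first_dir_sector
    while sector < 0xFFFFFFFA and sector not in seen:    # any marker >= 0xFFFFFFFA ends the chain
        seen.add(sector)
        base = (sector + 1) * sector_size
        for i in range(sector_size // 128):              # 128-byte directory entries
            entry = data[base + i * 128: base + (i + 1) * 128]
            if len(entry) < 128:
                break
            name_len = struct.unpack_from("<H", entry, 64)[0]   # bytes, incl. UTF-16 terminator
            entry_type = entry[66]                              # 0 unused, 1 storage, 2 stream, 5 root
            if entry_type == 0 or name_len < 2:
                continue
            names.append(entry[:name_len - 2].decode("utf-16-le"))
        sector = fat[sector] if sector < len(fat) else ENDOFCHAIN
    return names


def has_vba_project(data):
    """True if the document (binary OLE2 or OOXML zip) carries a VBA project."""
    if data[:8] == OLE_MAGIC:
        return any(n.lower() in VBA_NAMES for n in cfb_entry_names(data))
    if data[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    return False


def build_sample_cfb(entries):
    """Constructed test input: 512-byte header, one FAT sector, then chained
    directory sectors holding `entries` as (name, type) pairs. Not a real writer."""
    sector_size = 512
    n_dir = max(1, -(-len(entries) // 4))                # 4 entries per 512-byte sector
    header = bytearray(sector_size)
    header[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)  # minor, major, byte order, shifts
    struct.pack_into("<I", header, 44, 1)                          # one FAT sector
    struct.pack_into("<I", header, 48, 1)                          # directory chain starts at sector 1
    struct.pack_into("<I", header, 56, 0x1000)                     # mini-stream cutoff
    struct.pack_into("<II", header, 60, ENDOFCHAIN, 0)             # no mini FAT
    struct.pack_into("<II", header, 68, ENDOFCHAIN, 0)             # no extended DIFAT
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))  # FAT lives in sector 0
    fat = [FATSECT] + list(range(2, n_dir + 1)) + [ENDOFCHAIN]     # sector 1 -> 2 -> ... -> end
    fat += [FREESECT] * (sector_size // 4 - len(fat))
    directory = bytearray(n_dir * sector_size)
    for i, (name, entry_type) in enumerate(entries):
        raw = name.encode("utf-16-le") + b"\x00\x00"
        entry = bytearray(128)
        entry[:len(raw)] = raw
        struct.pack_into("<HB", entry, 64, len(raw), entry_type)
        struct.pack_into("<III", entry, 68, FREESECT, FREESECT, FREESECT)  # no sibling/child links
        directory[i * 128:(i + 1) * 128] = entry
    return bytes(header) + struct.pack("<%dI" % len(fat), *fat) + bytes(directory)


def build_sample_ooxml(with_macro):
    """Constructed test input: minimal docx/docm-shaped zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", OLE_MAGIC)
    return buf.getvalue()


CLEAN_DOC = build_sample_cfb([("Root Entry", 5), ("WordDocument", 2), ("1Table", 2)])
MACRO_DOC = build_sample_cfb([("Root Entry", 5), ("WordDocument", 2), ("Macros", 1),
                              ("VBA", 1), ("_VBA_PROJECT", 2), ("ThisDocument", 2)])

if __name__ == "__main__":
    for label, blob in [("clean .doc", CLEAN_DOC), ("macro .doc", MACRO_DOC),
                        ("clean .docx", build_sample_ooxml(False)), ("macro .docm", build_sample_ooxml(True))]:
        print("%-11s vba=%s" % (label, has_vba_project(blob)))
```

Two caveats. A VBA project being present says nothing about intent, so the useful signal is exactly the one Gary describes, an empty document that nevertheless has a project: combine this check with his emptiness test rather than blocking on macros alone. For anything deeper (pulling the module source out, flagging AutoOpen and Shell calls), olevba from the oletools package does the real work. Exim can wrap a script like this through `av_scanner = cmdline:` with a trigger regex on the script's output, and `malware = *` in the DATA ACL then invokes it, which is the hook Gary mentions later in the thread.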
Ned Slider
2015-Oct-29 20:37 UTC
[CentOS] Detecting empty office doc containing virus macro
On 29/10/15 10:51, Gary Stainburn wrote:
> On Wednesday 28 October 2015 21:12:19 Ned Slider wrote:
>> On 28/10/15 11:55, Gary Stainburn wrote:
>>> We are receiving LOTS of emails that contain empty XLS or DOC documents
>>> with embedded virus macros. These are getting past SPAMASSASSIN, Clamav
>>> and Kaspersky.
>>>
>>> I'm trying to write a filter for EXIM to block these emails but I need to
>>> know a good, quick, command-line to detect an empty doc with a macro.
>>>
>>> Is there anything available that I can use??
>>>
>>> I have managed to write a PERL script to detect empty xls xlsx, doc and
>>> docx files but I cannot detect whether they have any macros embedded
>>>
>>> Gary
>>
>> If you've got a script to detect empty docs then it should be relatively
>> easy to detect these. I assume empty attachments are not normal in your
>> mail flows?
>>
>
> I have come to the conclusion that I am just going to have to stick with
> detecting empty documents and forget the macro checks.
>
>> I would look to write some custom SpamAssassin rules, maybe
>> incorporating your script, to detect these and filter them out.
>
> I would love to be able to write custom Spamassassin rules but do not know how
> to do this. All I have done in the past is add small pattern matching rules
> to local.cf
>

That's a great place to start. Combining multiple simple rules in a meta rule is also a great way to detect many spams. If you can find 3 or 4 factors specific to these spam (the more unique the better), combining them usually gives excellent results. For example, they all contain a doc,docx,xls,xlsx attachment, they all contain a specific phrase or something unique in the Subject, maybe they all contain a URL or email address in the body etc. Individually the rules might not be particularly good indicators of spam, but when combined together they may become highly effective.

This might not be the best forum to discuss in detail; the SpamAssassin mailing list is a great place to get help with writing rules.

> Another rule I would like to add to Spamassassin is to catch emails where the
> subject starts with the email local part in brackets as we get a LOT of those
> too.
>
>>
>> Are you able to post some examples to pastebin?
>
> http://www.stainburn.com/virus_files/I0000040777.doc
> http://www.stainburn.com/virus_files/FAX_20151028_1445421437_89.doc

Sorry, I meant examples of the emails (including the full headers, redacted where necessary), not the attachments. We might be able to point you in the right direction or offer a few thoughts on how to detect them in SpamAssassin.
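A concrete shape for the local.cf meta rule Ned describes, added here as an example and not taken from his reply or from Gary's setup. The rule names, the 4.0 score and the attachment-name patterns (modelled on the two sample filenames Gary linked, I0000040777.doc and FAX_20151028_1445421437_89.doc) are assumptions to be tuned against real traffic, and the bracketed-subject sub-rule only matches the shape of the subject; comparing the bracketed text with the recipient's local part needs a plugin or an external script, not a plain header regex.

```conf
# local.cf (added example). Sub-rules prefixed "__" score nothing on their own;
# only the meta rule that combines them carries a score.

# 1. An Office attachment, matched on the MIME part headers.
#    "mimeheader" comes from the MIMEHeader plugin (loaded by v320.pre in stock installs).
mimeheader  __LOCAL_OFFICE_ATT_CT  Content-Type =~ /\bname=.{0,80}\.(?:docx?|xlsx?)\b/i
mimeheader  __LOCAL_OFFICE_ATT_CD  Content-Disposition =~ /\bfilename=.{0,80}\.(?:docx?|xlsx?)\b/i
meta        __LOCAL_OFFICE_ATT     (__LOCAL_OFFICE_ATT_CT || __LOCAL_OFFICE_ATT_CD)

# 2. Attachment names shaped like the two samples in this thread.
mimeheader  __LOCAL_ATT_RUNNAME    Content-Disposition =~ /filename="?(?:FAX_\d{8}_\d{10}_\d+|I\d{10})\.doc"?/i

# 3. Subject that opens with something in square brackets.
header      __LOCAL_SUBJ_BRACKET   Subject =~ /^\s*\[[^\]\s@]+\]/

# Combine: none of the three is damning alone; together they are.
meta        LOCAL_EMPTY_OFFICE_RUN  (__LOCAL_OFFICE_ATT && (__LOCAL_ATT_RUNNAME || __LOCAL_SUBJ_BRACKET))
describe    LOCAL_EMPTY_OFFICE_RUN  Office attachment with naming seen in the empty-document macro run
score       LOCAL_EMPTY_OFFICE_RUN  4.0
```

Check the syntax with `spamassassin --lint` before restarting spamd, and run a saved sample through `spamassassin -D -t < message.eml` to see which sub-rules fire; that is also the fastest way to discover whether the attachment arrives with a Content-Disposition header at all, since some mailers only set the name on Content-Type.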
Always Learning
2015-Oct-30 03:59 UTC
[CentOS] Detecting empty office doc containing virus macro
On Thu, 2015-10-29 at 20:37 +0000, Ned Slider wrote:
> Combining multiple simple rules in a meta
> rule is also a great way to detect many spams. If you can find 3 or 4
> factors specific to these spam (the more unique the better), combining
> them usually gives excellent results.

Yep.

In Exim I score 1 for sending IP address having no reverse DNS (IP > Name > the same IP address)
I score 1 for HELO/EHLO not resolving to the sending IP address
I score 1 for a non-existent email address

3 = IP blocked for several months ***before*** downloading the email's body.
2 = Gets connection rejected ***before*** downloading the email's body.

+++

Never accept email from home user's domain names like (here is just a few)

*airtelbroadband.in
*adsl.alicedsl.de
*dynamic.se.alltele.net
*alshamil.net.ae
*adsl.anteldata.net.uy
*aphie.info
*pools.arcor-ip.net
*static.arcor-ip.net
*as9105.com
*as13285.net
*as43234.net

Don't be an idle victim of mail abuse. Fight back hard.

--
Regards,

Paul.
England, EU. England's place is in the European Union.
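What Paul's three-point scoring looks like as an Exim ACL, added here as an example and not his configuration. The scoring happens in the RCPT ACL, so a rejection is issued before DATA and the body is never transferred, which is the point he stresses. The list name, the threshold of two, the callout timeout and the `relay_from_hosts` / `local_domains` lists are assumptions (the last two are the named lists in the stock Exim configuration); the reverse-DNS patterns are taken from his list. The "blocked for several months" outcome needs a persistent store of offending IPs fed from the log, which this fragment does not include.

```conf
# exim.conf (added example): score each connection in the RCPT ACL, so a
# rejection happens before the body is ever transferred.

domainlist home_user_rdns = *airtelbroadband.in : *adsl.alicedsl.de : \
                            *dynamic.se.alltele.net : *alshamil.net.ae : \
                            *adsl.anteldata.net.uy : *pools.arcor-ip.net : \
                            *static.arcor-ip.net : *as9105.com : *as13285.net

acl_check_rcpt:

  # Our own relaying clients are not scored.
  accept  hosts = +relay_from_hosts

  warn    set acl_m_score = 0

  # +1: the sending IP has no reverse DNS, or the name does not resolve back to it.
  warn    !verify = reverse_host_lookup
          set acl_m_score = ${eval:$acl_m_score + 1}
          log_message = no or forged rDNS for $sender_host_address (score $acl_m_score)

  # +1: the HELO/EHLO name does not resolve to the sending IP.
  warn    !verify = helo
          set acl_m_score = ${eval:$acl_m_score + 1}
          log_message = HELO $sender_helo_name does not resolve to $sender_host_address

  # +1: the envelope sender does not exist (callout; a deferred answer is not penalised).
  warn    !verify = sender/callout=10s,defer_ok
          set acl_m_score = ${eval:$acl_m_score + 1}
          log_message = sender $sender_address does not verify

  # Two strikes: refuse the recipient; the body is never downloaded.
  deny    condition = ${if >={$acl_m_score}{2}}
          message = Rejected: $acl_m_score policy failures from $sender_host_address

  # Never accept mail from consumer-broadband reverse names.
  deny    condition = ${if match_domain{$sender_host_name}{+home_user_rdns}}
          message = Dynamic or home-user host $sender_host_name not accepted

  accept  domains = +local_domains
          verify  = recipient

  deny    message = relay not permitted
```

Test a change with `exim -bh 203.0.113.5` (a documentation address, substitute the IP you want to simulate), which runs the SMTP dialogue with the ACLs but delivers nothing, and watch the `log_message` lines land in mainlog; the `$sender_host_name` test only fires when the reverse lookup succeeded, so hosts with no rDNS are caught by the score, not by the list.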
Gary Stainburn
2015-Oct-30 10:58 UTC
[CentOS] Detecting empty office doc containing virus macro
On Thursday 29 October 2015 20:37:03 Ned Slider wrote:
> On 29/10/15 10:51, Gary Stainburn wrote:
> > On Wednesday 28 October 2015 21:12:19 Ned Slider wrote:
> >> On 28/10/15 11:55, Gary Stainburn wrote:
> >>> We are receiving LOTS of emails that contain empty XLS or DOC documents
> >>> with embedded virus macros. These are getting past SPAMASSASSIN,
> >>> Clamav and Kaspersky.
> >>>
> >>> I'm trying to write a filter for EXIM to block these emails but I need
> >>> to know a good, quick, command-line to detect an empty doc with a
> >>> macro.
> >>>
> >>> Is there anything available that I can use??
> >>>
> >>> I have managed to write a PERL script to detect empty xls xlsx, doc and
> >>> docx files but I cannot detect whether they have any macros embedded
> >>>
> >>> Gary
> >>
> >> If you've got a script to detect empty docs then it should be relatively
> >> easy to detect these. I assume empty attachments are not normal in your
> >> mail flows?
> >
> > I have come to the conclusion that I am just going to have to stick with
> > detecting empty documents and forget the macro checks.
> >
> >> I would look to write some custom SpamAssassin rules, maybe
> >> incorporating your script, to detect these and filter them out.
> >
> > I would love to be able to write custom Spamassassin rules but do not
> > know how to do this. All I have done in the past is add small pattern
> > matching rules to local.cf
>
> That's a great place to start. Combining multiple simple rules in a meta
> rule is also a great way to detect many spams. If you can find 3 or 4
> factors specific to these spam (the more unique the better), combining
> them usually gives excellent results. For example, they all contain a
> doc,docx,xls,xlsx attachment, they all contain a specific phrase or
> something unique in the Subject, maybe they all contain a URL or email
> address in the body etc. Individually the rules might not be
> particularly good indicators of spam, but when combined together they
> may become highly effective.

The big problem is that the emails are vastly different in content, and are sent by distributed computers. That's why I went down the document content checking in the first place. The empty office document is the only obvious common factor.

> This might not be the best forum to discuss in detail; the SpamAssassin
> mailing list is a great place to get help with writing rules.
>

As I've had to implement a malware = * to call my new script it has given me the chance to implement checks that I have never been able to manage in Spamassassin. No doubt they are possible, but I've not managed them. I now have access to the whole email in PERL and MIME::Parser so can do lots of other checking.

> > Another rule I would like to add to Spamassassin is to catch emails where
> > the subject starts with the email local part in brackets as we get a LOT
> > of those too.

This is one of the checks I can now do in my perl script.

> >
> >> Are you able to post some examples to pastebin?
> >
> > http://www.stainburn.com/virus_files/I0000040777.doc
> > http://www.stainburn.com/virus_files/FAX_20151028_1445421437_89.doc
>
> Sorry, I meant examples of the emails (including the full headers,
> redacted where necessary), not the attachments. We might be able to
> point you in the right direction or offer a few thoughts on how to
> detect them in SpamAssassin.

Unfortunately, I've only got this one as an example. I didn't keep any of the previous ones, and hopefully any new ones will never get through.

http://www.stainburn.com/virus_files/Purchase.mbox

>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

--
Gary Stainburn
Group I.T. Manager
Ringways Garages
http://www.ringways.co.uk