Scan MS Office files for bad macros

filippocarletti commented 4 years ago

Using oletools (http://www.decalage.info/python/oletools) we could scan MS Office files looking for suspicious macros and block malicious emails.

We need:

oletools with olefy
rspamd config (see https://rspamd.com/doc/modules/external_services.html#oletools-specific-details)
rspamd score to refuse emails
a configuration db option (enabled by default)
(optional) web UI options

DavidePrincipi commented 4 years ago

We have the olefy package sources here: https://github.com/NethServer/olefy
I asked to mention the RPM availability here: https://github.com/HeinleinSupport/olefy/pull/8
Just for fun (and for aarch64 builds) I configured a Copr build here: https://copr.fedorainfracloud.org/coprs/davidep/olefy/

nethbot commented 4 years ago

in 7.7.1908/testing:

olefy-0.0.0-1.15.g196755c.ns7.x86_64.rpm x86_64

nethbot commented 4 years ago

in 7.7.1908/testing:

nethserver-mail-common-2.8.3-1.7.g09c2d7a.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-disclaimer-2.8.3-1.7.g09c2d7a.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-filter-2.8.3-1.7.g09c2d7a.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-getmail-2.8.3-1.7.g09c2d7a.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-ipaccess-2.8.3-1.7.g09c2d7a.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-p3scan-2.8.3-1.7.g09c2d7a.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-quarantine-2.8.3-1.7.g09c2d7a.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-server-2.8.3-1.7.g09c2d7a.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-smarthost-2.8.3-1.7.g09c2d7a.ns7.noarch.rpm x86_64 armhfp aarch64

stephdl commented 4 years ago

QA

Install from testing the mail filter and olefy
test if the email with/without attachment are still workable
test if with suspicious macro the email is rejected with a specific smtp message

filippocarletti commented 4 years ago

Sender SMTP refusal message: 554 5.7.1 Rejected suspicious office document macro

Destination system maillog:

Oct 30 11:32:20 mail rspamd[14718]: <c01275>; lua; common.lua:102: oletools: result - office macrofound: "AutoExec + Suspicious (autoopen,Open,system,ShowWindow,CreateObject) - score: 1"
Oct 30 11:32:20 mail rspamd[14718]: <c01275>; proxy; rspamd_add_passthrough_result: <20191002151742.309027F05E@mhssub101.bizmail.nifty.com>: set pre-result to 'reject' (no score): 'Rejected suspicious office document macro' from oletools(1)

rspamd symbol: OLETOOLS

nethbot commented 4 years ago

in 7.7.1908/testing:

olefy-0.0.0-1.16.g42a51d2.ns7.x86_64.rpm x86_64

nethbot commented 4 years ago

in 7.7.1908/testing:

nethserver-mail-common-2.8.3-1.8.ga059437.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-disclaimer-2.8.3-1.8.ga059437.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-filter-2.8.3-1.8.ga059437.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-getmail-2.8.3-1.8.ga059437.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-ipaccess-2.8.3-1.8.ga059437.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-p3scan-2.8.3-1.8.ga059437.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-quarantine-2.8.3-1.8.ga059437.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-server-2.8.3-1.8.ga059437.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-smarthost-2.8.3-1.8.ga059437.ns7.noarch.rpm x86_64 armhfp aarch64

nethbot commented 4 years ago

in 7.7.1908/testing:

nethserver-mail-common-2.8.3-1.9.g4bd53d0.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-disclaimer-2.8.3-1.9.g4bd53d0.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-filter-2.8.3-1.9.g4bd53d0.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-getmail-2.8.3-1.9.g4bd53d0.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-ipaccess-2.8.3-1.9.g4bd53d0.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-p3scan-2.8.3-1.9.g4bd53d0.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-quarantine-2.8.3-1.9.g4bd53d0.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-server-2.8.3-1.9.g4bd53d0.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-smarthost-2.8.3-1.9.g4bd53d0.ns7.noarch.rpm x86_64 armhfp aarch64

nethbot commented 4 years ago

in 7.7.1908/testing:

nethserver-mail-common-2.8.3-1.10.gfdebf8c.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-disclaimer-2.8.3-1.10.gfdebf8c.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-filter-2.8.3-1.10.gfdebf8c.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-getmail-2.8.3-1.10.gfdebf8c.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-ipaccess-2.8.3-1.10.gfdebf8c.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-p3scan-2.8.3-1.10.gfdebf8c.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-quarantine-2.8.3-1.10.gfdebf8c.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-server-2.8.3-1.10.gfdebf8c.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-smarthost-2.8.3-1.10.gfdebf8c.ns7.noarch.rpm x86_64 armhfp aarch64

nethbot commented 4 years ago

in 7.7.1908/testing:

nethserver-mail-common-2.9.0-1.12.g19c8dda.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-disclaimer-2.9.0-1.12.g19c8dda.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-filter-2.9.0-1.12.g19c8dda.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-getmail-2.9.0-1.12.g19c8dda.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-ipaccess-2.9.0-1.12.g19c8dda.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-p3scan-2.9.0-1.12.g19c8dda.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-quarantine-2.9.0-1.12.g19c8dda.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-server-2.9.0-1.12.g19c8dda.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-smarthost-2.9.0-1.12.g19c8dda.ns7.noarch.rpm x86_64 armhfp aarch64

nethbot commented 4 years ago

in 7.7.1908/updates:

olefy-1.0.0-1.ns7.x86_64.rpm x86_64

nethbot commented 4 years ago

in 7.7.1908/updates:

nethserver-mail-common-2.9.0-1.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-disclaimer-2.9.0-1.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-filter-2.9.0-1.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-getmail-2.9.0-1.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-ipaccess-2.9.0-1.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-p3scan-2.9.0-1.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-quarantine-2.9.0-1.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-server-2.9.0-1.ns7.noarch.rpm x86_64 armhfp aarch64
nethserver-mail-smarthost-2.9.0-1.ns7.noarch.rpm x86_64 armhfp aarch64

NethServer / dev

Scan MS Office files for bad macros #5891