Official Olefy 0.56 does not block macro virus

[DavidePrincipi]

Some kind of Office files with bad macros are not blocked by Olefy 0.56

Steps to reproduce

I cannot attach original messages, but the spam folder might contain some good examples. As alternative, run the procedure at https://www.heise.de/security/dienste/emailcheck/attachments/test_doc_macro/ to receive one.

Expected behavior

• The message is blocked

Actual behavior

• The message is delivered

Components

nethserver-mail-filter-2.18.0-1.ns7.noarch

[nethbot]

in 7.8.2003/testing:

• olefy-1.2.1-1.1.g4883486.ns7.x86_64.rpm x86_64

[nethbot]

in 7.8.2003/testing:

• nethserver-mail-common-2.18.0-1.1.g39b1ff5.ns7.noarch.rpm x86_64 armhfp aarch64
• nethserver-mail-disclaimer-2.18.0-1.1.g39b1ff5.ns7.noarch.rpm x86_64 armhfp aarch64
• nethserver-mail-filter-2.18.0-1.1.g39b1ff5.ns7.noarch.rpm x86_64 armhfp aarch64
• nethserver-mail-getmail-2.18.0-1.1.g39b1ff5.ns7.noarch.rpm x86_64 armhfp aarch64
• nethserver-mail-imapsync-2.18.0-1.1.g39b1ff5.ns7.noarch.rpm x86_64 armhfp aarch64
• nethserver-mail-ipaccess-2.18.0-1.1.g39b1ff5.ns7.noarch.rpm x86_64 armhfp aarch64
• nethserver-mail-p3scan-2.18.0-1.1.g39b1ff5.ns7.noarch.rpm x86_64 armhfp aarch64
• nethserver-mail-quarantine-2.18.0-1.1.g39b1ff5.ns7.noarch.rpm x86_64 armhfp aarch64
• nethserver-mail-server-2.18.0-1.1.g39b1ff5.ns7.noarch.rpm x86_64 armhfp aarch64
• nethserver-mail-smarthost-2.18.0-1.1.g39b1ff5.ns7.noarch.rpm x86_64 armhfp aarch64

[nethbot]

in 7.8.2003/testing:

• nethserver-mail-common-2.18.0-1.2.g9016db8.ns7.noarch.rpm x86_64 armhfp aarch64
• nethserver-mail-disclaimer-2.18.0-1.2.g9016db8.ns7.noarch.rpm x86_64 armhfp aarch64
• nethserver-mail-filter-2.18.0-1.2.g9016db8.ns7.noarch.rpm x86_64 armhfp aarch64
• nethserver-mail-getmail-2.18.0-1.2.g9016db8.ns7.noarch.rpm x86_64 armhfp aarch64
• nethserver-mail-imapsync-2.18.0-1.2.g9016db8.ns7.noarch.rpm x86_64 armhfp aarch64
• nethserver-mail-ipaccess-2.18.0-1.2.g9016db8.ns7.noarch.rpm x86_64 armhfp aarch64
• nethserver-mail-p3scan-2.18.0-1.2.g9016db8.ns7.noarch.rpm x86_64 armhfp aarch64
• nethserver-mail-quarantine-2.18.0-1.2.g9016db8.ns7.noarch.rpm x86_64 armhfp aarch64
• nethserver-mail-server-2.18.0-1.2.g9016db8.ns7.noarch.rpm x86_64 armhfp aarch64
• nethserver-mail-smarthost-2.18.0-1.2.g9016db8.ns7.noarch.rpm x86_64 armhfp aarch64

[DavidePrincipi]

VERIFIED

Public SMTP service rejects:

Nov  4 12:21:42 host rspamd[7237]: <4c5806>; lua; common.lua:107: oletools: result - office macrofound: "MA------ - score: 1"
Nov  4 12:21:42 host rspamd[7237]: <4c5806>; lua; common.lua:107: oletools: result - office macrofound: "AutoOpen - score: 1"
Nov  4 12:21:42 host rspamd[7237]: <4c5806>; proxy; rspamd_add_passthrough_result: <86181b64d152a9bffe719f375e5e0e72@host.it>: set pre-result to 'reject' (no score): 'Rejected suspicious office document
 macro' from oletools(1)

Authenticated SMTP session accepts the same message instead.

---

Just for the record, to flush the oletools verdicts cache run the following command

redis-cli -s /var/run/redis-rspamd/rspamd --raw KEYS rs_oletools_* | xargs -- redis-cli -s /var/run/redis-rspamd/rspamd DEL

To check how much seconds before a cache entry is being expunged from the cache (first match only)

 redis-cli -s /var/run/redis-rspamd/rspamd --raw KEYS rs_oletools_* | xargs -L 1 -- redis-cli -s /var/run/redis-rspamd/rspamd TTL

[nethbot]

in 7.8.2003/updates:

• olefy-1.2.3-1.ns7.x86_64.rpm x86_64

[nethbot]

in 7.8.2003/updates:

• nethserver-mail-common-2.18.1-1.ns7.noarch.rpm x86_64 armhfp aarch64
• nethserver-mail-disclaimer-2.18.1-1.ns7.noarch.rpm x86_64 armhfp aarch64
• nethserver-mail-filter-2.18.1-1.ns7.noarch.rpm x86_64 armhfp aarch64
• nethserver-mail-getmail-2.18.1-1.ns7.noarch.rpm x86_64 armhfp aarch64
• nethserver-mail-imapsync-2.18.1-1.ns7.noarch.rpm x86_64 armhfp aarch64
• nethserver-mail-ipaccess-2.18.1-1.ns7.noarch.rpm x86_64 armhfp aarch64
• nethserver-mail-p3scan-2.18.1-1.ns7.noarch.rpm x86_64 armhfp aarch64
• nethserver-mail-quarantine-2.18.1-1.ns7.noarch.rpm x86_64 armhfp aarch64
• nethserver-mail-server-2.18.1-1.ns7.noarch.rpm x86_64 armhfp aarch64
• nethserver-mail-smarthost-2.18.1-1.ns7.noarch.rpm x86_64 armhfp aarch64