[Mimedefang] Word Macro warning in subject.

System Operations sysop at citytoyota.net.au
Thu Feb 11 22:35:44 EST 2016


Thanks Steffen,

I now call the subroutine using if (contains_office_macros($entity))...
I made the changes to the sub contains_office_macros below, I hope
that these changes are correct.
Does the sub contains_office_macros need to be called by sub
filter_multipart only, or
does it need to be called by the sub filter as well?


sub filter_multipart {
    my ($entity, $fname, $ext, $type) = @_;

    return if message_rejected(); # Avoid unnecessary work

    if (contains_office_macros($entity)) {
        # $Sender, $Recip and $Subject are the MIMEDefang globals for the
        # envelope sender, recipient list and the message's Subject: header
        action_notify_administrator("An attachment of type $type, sent by $Sender for $Recip named $fname contains macros.\n");
        action_change_header('Subject', "[Warning Attachment $fname contains macros (possible virus):] $Subject");
    }

    # Block message/partial parts
    if (lc($type) eq "message/partial") {
        md_graphdefang_log('message/partial');
        action_bounce("MIME type message/partial not accepted here");
        return;
    }

    return action_accept();
}


use MIME::Words qw(decode_mimewords);

# These markers were documented at:
# http://blog.rootshell.be/2015/01/08/searching-for-microsoft-office-files-containing-macro/
# as of 2015-01-15
# $entity is a MIME::Entity that's the parsed message

# Leading bytes of an OLE2 (compound document) file header
my $marker1 = "\xd0\xcf\x11\xe0";
# "\0Attribut\0", a string found in VBA macro streams
my $marker2 = "\x00\x41\x74\x74\x72\x69\x62\x75\x74\x00";

sub contains_office_macros
{
    my ($entity) = @_;

    # Only leaf parts have a body to scan; containers are skipped
    my @parts = $entity->parts();
    if (scalar(@parts) > 0) {
        return 0;
    }

    # Look at the declared filename (disposition first, then content-type)
    my $is_msoffice_extension = 0;
    foreach my $attr_name (qw( Content-Disposition.filename Content-Type.name )) {
        my $possible = $entity->head->mime_attr($attr_name);
        next unless defined($possible);
        $possible = decode_mimewords($possible);
        if ($possible =~ /\.(doc|docx)$/i) {
            $is_msoffice_extension = 1;
            last;
        }
    }
    return 0 unless $is_msoffice_extension;
    return 0 unless defined($entity->bodyhandle) && defined($entity->bodyhandle->path);

    # Slurp the decoded part body as raw bytes
    my $fp;
    if (!open($fp, '<:raw', $entity->bodyhandle->path)) {
        return 0;
    }
    my $contents;
    {
        local $/;
        $contents = <$fp>;
        close($fp);
    }

    # Both markers must be present: an OLE2 container that carries a VBA stream
    if (index($contents, $marker1) > -1 &&
        index($contents, $marker2) > -1) {
        return 1;
    }
    return 0;
}
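On the question of which hook should call the check: MIMEDefang invokes filter() for each non-multipart part and filter_multipart() for multipart containers, and contains_office_macros() returns 0 for any entity that itself has sub-parts, so a leaf-part hook is where the scan actually sees a body. The block below is an added example, not code from the original post or from MIMEDefang; the $MacroSubjectTagged flag and the filter_begin reset are assumptions.

```perl
# Added example: leaf-part hook that applies contains_office_macros()
# from the post above. Assumes that subroutine and the MIMEDefang globals
# $Sender, $Recip and $Subject are available in the same mimedefang-filter.

our $MacroSubjectTagged;   # hypothetical per-message flag

sub filter_begin {
    my ($entity) = @_;
    # A slave process handles many messages; reset the flag for each one
    $MacroSubjectTagged = 0;
}

sub filter {
    my ($entity, $fname, $ext, $type) = @_;

    return if message_rejected();   # Avoid unnecessary work

    if (contains_office_macros($entity)) {
        # Leave a trace in the log for later searching
        md_graphdefang_log('office_macros', $fname, $type);
        action_notify_administrator(
            "An attachment of type $type, sent by $Sender for $Recip " .
            "named $fname contains macros.\n");
        # Tag the subject once, even when several parts carry macros
        unless ($MacroSubjectTagged) {
            action_change_header('Subject',
                "[Warning Attachment $fname contains macros (possible virus):] $Subject");
            $MacroSubjectTagged = 1;
        }
    }

    return action_accept();
}
```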


