Provided by: spamassassin_3.4.6-1ubuntu0.22.04.1_all

NAME

       Mail::SpamAssassin::Plugin::OLEVBMacro - search attached documents for evidence of an OLE macro

SYNOPSIS

         loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro

         ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro
           body     OLEMACRO eval:check_olemacro()
           describe OLEMACRO Attachment has an Office Macro

           body     OLEMACRO_MALICE eval:check_olemacro_malice()
           describe OLEMACRO_MALICE Potentially malicious Office Macro

           body     OLEMACRO_ENCRYPTED eval:check_olemacro_encrypted()
           describe OLEMACRO_ENCRYPTED Has an Office doc that is encrypted

           body     OLEMACRO_RENAME eval:check_olemacro_renamed()
           describe OLEMACRO_RENAME Has an Office doc that has been renamed

           body     OLEMACRO_ZIP_PW eval:check_olemacro_zip_password()
           describe OLEMACRO_ZIP_PW Has an Office doc that is password protected in a zip

           body     OLEMACRO_CSV eval:check_olemacro_csv()
           describe OLEMACRO_CSV Malicious csv file that tries to exec cmd.exe detected

           body     OLEMACRO_DOWNLOAD_EXE eval:check_olemacro_download_exe()
           describe OLEMACRO_DOWNLOAD_EXE Malicious code inside the Office doc that tries to download a .exe file detected
         endif

DESCRIPTION

       This plugin detects OLE macros inside documents attached to emails.  It can detect documents inside
       zip files as well as encrypted documents.

REQUIREMENT

       This plugin requires the Archive::Zip and IO::String Perl modules.

USER PREFERENCES

       The following options can be used in both site-wide ("local.cf") and user-specific ("user_prefs")
       configuration files to customize how the module handles attached documents:

       olemacro_num_mime (default: 5)
           Configure the maximum number of matching MIME parts the plugin will scan

       olemacro_num_zip (default: 8)
           Configure the maximum number of matching zip members the plugin will scan

       olemacro_zip_depth (default: 2)
           Depth to recurse within Zip files

       olemacro_extended_scan ( 0 | 1 ) (default: 0)
           Scan more files for potential macros.  The "olemacro_skip_exts" parameter is still honored.  This
           option is off by default and is needed only to run the "eval:check_olemacro_renamed" rule.  If it
           is turned on, consider adjusting the values of "olemacro_num_mime" and "olemacro_num_zip", and
           prepare for more CPU overhead.

       olemacro_prefer_contentdisposition ( 0 | 1 ) (default: 1)
           Choose whether the Content-Disposition header filename should be preferred if ambiguity is
           encountered while trying to determine the filename

       olemacro_max_file (default: 1024000)
           Configure the largest file that the plugin will decode from the MIME objects

       olemacro_exts (default: (?:doc|docx|dot|pot|ppa|pps|ppt|rtf|sldm|xl|xla|xls|xlsx|xlt|xltx|xslb)$)
           Set the case-insensitive regexp used to configure the extensions the plugin targets for macro
           scanning

       olemacro_macro_exts (default: (?:docm|dotm|ppam|potm|ppst|ppsm|pptm|sldm|xlm|xlam|xlsb|xlsm|xltm|xltx|xps)$)
           Set the case-insensitive regexp used to configure the extensions the plugin treats as containing a
           macro

       olemacro_skip_exts (default: (?:dotx|potx|ppsx|pptx|sldx|xltx)$)
           Set the case-insensitive regexp used to configure extensions for the plugin to skip entirely.
           These should only be files that are guaranteed to be macro free.

       olemacro_skip_ctypes (default: ^(?:text\/))
           Set the case-insensitive regexp used to configure content types for the plugin to skip entirely.
           These should only be content types that are guaranteed to be macro free.

       olemacro_zips (default: (?:zip)$)
           Set the case-insensitive regexp used to configure extensions for the plugin to target as zip
           files.  Files listed in the configs above are also tested for zip.
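
       The following is an added example, not part of the plugin or its documentation: a pre-deployment check
       that reports which extensions listed in "olemacro_macro_exts" a given "olemacro_skip_exts" regexp would
       also match, run against the defaults above and a constructed override.  It assumes the regexps are
       applied case-insensitively to the attachment filename, uses Python's re module as a stand-in for Perl's
       regexp engine, and does not model the order in which the plugin consults the options; all function
       names are hypothetical.

```python
import re

# Default regexps copied verbatim from the option list above.
DEFAULTS = {
    "olemacro_exts": r"(?:doc|docx|dot|pot|ppa|pps|ppt|rtf|sldm|xl|xla|xls|xlsx|xlt|xltx|xslb)$",
    "olemacro_macro_exts": r"(?:docm|dotm|ppam|potm|ppst|ppsm|pptm|sldm|xlm|xlam|xlsb|xlsm|xltm|xltx|xps)$",
    "olemacro_skip_exts": r"(?:dotx|potx|ppsx|pptx|sldx|xltx)$",
}


def compile_options(overrides=None):
    """Merge site overrides into the defaults and compile case-insensitively."""
    merged = {**DEFAULTS, **(overrides or {})}
    return {name: re.compile(rx, re.IGNORECASE) for name, rx in merged.items()}


def matching_options(filename, options):
    """Return the names of every option whose regexp matches the filename."""
    return sorted(name for name, rx in options.items() if rx.search(filename))


def listed_extensions(pattern):
    """Split a plain (?:a|b|c)$ alternation into its literal extensions."""
    m = re.fullmatch(r"\(\?:([A-Za-z0-9|]+)\)\$", pattern)
    if m is None:
        raise ValueError("not a plain alternation: " + pattern)
    return m.group(1).lower().split("|")


def skipped_macro_extensions(options):
    """Extensions listed in olemacro_macro_exts that olemacro_skip_exts also matches."""
    macro_pattern = options["olemacro_macro_exts"].pattern
    skip = options["olemacro_skip_exts"]
    return [e for e in listed_extensions(macro_pattern) if skip.search("sample." + e)]


if __name__ == "__main__":
    # Constructed override: wildcards written to cover every four-letter variant.
    loose = compile_options({"olemacro_skip_exts": r"(?:dot.|pot.|pps.|ppt.|sld.|xlt.)$"})
    for label, opts in (("defaults", compile_options()), ("loose override", loose)):
        print(label, "->", skipped_macro_extensions(opts))
    for name in ("report.docm", "slides.pptx", "Invoice.XLTX"):  # constructed names
        print(name, "->", matching_options(name, compile_options()))
```

       An empty list from skipped_macro_extensions() means the skip regexp matches none of the extensions
       listed as macro-bearing; any entry it returns is worth reviewing before the configuration is deployed.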

perl v5.34.0                                       2023-03-23             Mail::SpamAssas...gin::OLEVBMacro(3pm)