Changelog 3.6.1:
- Fix for tmp filehandle error
- Add new config option for dumping the mail body for forensics
Changelog 3.6:
- fixing multiple issues and bugs (#41 , #38, #37, #35, #31, #30)
- Add MIME header for the different stages.
- The hash db is updated to SHA256 instead of MD5. Old MD5 hashes still supported.
I need some code review and help to make this milter better! If you find some bugs or the code is "creepy" -> feel free to contribute :) To contribute, please fork this repository and make pull requests to the master or testing branch.
This python based milter for the Sendmail and Postfix e-mail servers (mail-filter) checks an incoming mail for MS 20xx Office attachments. If a MS Office file is attached to the mail it will be scanned for suspicious VBA macro code. Documents with malicious macros are removed and replaced by harmless text files or will be rejected to the sender (see config.ini).
- Word 97-2003 (.doc, .dot), Word 2007+ (.docm, .dotm)
- Excel 97-2003 (.xls), Excel 2007+ (.xlsm, .xlsb)
- PowerPoint 97-2003 (.ppt), PowerPoint 2007+ (.pptm, .ppsm)
- Word 2003 XML (.xml)
- Word/Excel Single File Web Page / MHTML (.mht)
- Publisher (.pub)
Paper (german only) -> download link
Video / Talk (german only) -> HdM-events
Chemnitzer Linux Tage 2018 - Talk -> CLT2018
The repo is optimized for Visual Studio
- Parsing VBA macros for suspicious code and function calls
- Uses the milter interface at postfix and sendmail
- Easy to implement
- Not based on virus heuristics (high detection rate)
- Whitelisting
- Creates a hashtable for already scanned files (prevents rescans)
- Runs at the pre-queue at postfix
This milter use the functionality from the oletools (https://bitbucket.org/decalage/oletools) and pymilter (https://pythonhosted.org/milter/) projects.
Download the "install_ubuntu.sh" script from the repo - install_ubuntu.sh. It creates and downloads all required files and packages. Please use for Ubunut 14.10 and higher the "old" systemd script part! For 14.0x and older please use the upstart part!
dnf install macromilter
systemctl enable --now macromilter.service
postconf -e smtpd_milters=inet:127.0.0.1:3690 milter_default_action=accept
systemctl reload postfix.service
yum install epel-release # Only if EPEL is not already enabled
yum install macromilter
systemctl enable --now macromilter.service
postconf -e smtpd_milters=inet:127.0.0.1:3690 milter_default_action=accept
systemctl reload postfix.service
To allow a user or whole domain to send false-positive VAB-Macro-Mails, enter only the user mail address (xyz@domain.com) or the domain (@domain.com). See config.ini for more details.
To allow only a special and wellknown macro code, add the SHA256 hash to the Macrohash part in the configuration file.
You will find the raw macro hash in the macromilter log file INFO [ID] The macro hash is: <the sha256 value>
. Please use only this one! Keep in mind, that the file hash has also to be deleted form the "hashdatabse".
- Config-File error handling
- HTML-Dashboard
- Setup-package for pip
Stephan Traub - Sbidy -> https://github.com/sbidy
Robert Scheck - robert-scheck -> https://www.robert-scheck.de/
Philippe Lagadec https://github.com/decalage2 - oletools
Stuart D. Gathman https://github.com/sdgathman - pymilter
The MIT License (MIT)