dimitri said "block it"

So let's block any macro with AUTOEXEC
2 years ago · 709023ab5a
parent 3bdc57adbc
commit 709023ab5a
2 changed files with 2 additions and 1 deletions
--- a/core/rspamd/conf/composites.conf
+++ b/core/rspamd/conf/composites.conf
@ -5,7 +5,7 @@ OLETOOLS_MACRO_MRAPTOR {
    score = 20.0;
 }
 OLETOOLS_MACRO_SUSPICIOUS {
-    expression = "OLETOOLS_SUSPICIOUS | OLETOOLS_VBASTOMP";
+    expression = "OLETOOLS_SUSPICIOUS | OLETOOLS_VBASTOMP | OLETOOLS_AUTOEXEC";
    message = "Rejected (malicious macro)";
    policy = "leave";
    score = 20.0;
--- a/tests/compose/filters/03_email_macro.sh
+++ b/tests/compose/filters/03_email_macro.sh
@ -4,6 +4,7 @@ python3 tests/email_test.py message-macro-stomp "tests/compose/filters/2003x32_w
 if [ $? -ne 25 ]; then
 	exit 1
 fi
+# This does Auto_Open + Alert()
 python3 tests/email_test.py message-autoexec-macro "tests/compose/filters/excel4_sample_macro.slk"
 if [ $? -ne 25 ]; then
 	exit 1