You need to train your junk filter. http://kb.mozillazine.org/Junk_Mail_Controls

Junk filter controls do not have any options for "attachments with macros" as far as I can see.

How do you know an attachment contains a macro?

You know the attachment contains a macro because if you open the attachment, the word processor tells you something like "Contains macros, macros inhibited. Do you want to enable macros?" If the work processor knows there are macros in the attachment, surely Thunderbird can also check?

One problem is that formats like DOC are binary and require an external reader to parse through, possibly with license fees due to Microsoft. The DOCX format is a ZIP file, so that might be more "open" to examination by an unlicensed tool. Either way, it seems unlikely that Mozilla will try to build it. Someone probably could create an add-on for that.

But more importantly, do not open any attachments from unknown senders or known senders that do not normally send you that kind of attachment. Many security vulnerabilities discovered in Office applications and Adobe Reader/Acrobat over the years were triggered merely by opening the document, even without allowing macros or scripts to run.

IMHO, checking for possibly hostile content is a job for your AV and anti-malware programs, not the email client. Word and other Office components already do a fair job of warning about downloaded files and automation (e.g. macros) within them

Don't shoot the messenger.

Only a very few of the span attachments I am receiving have docx attachments they are all doc or xls.

You might say that it is my job to check that the attachments have hostile content. My answer is that Thunderbird has a spam checker which is not catching enough spam - therefore it is failing. If it could check that attachments had macros, it would do a better job. It is catching less than 10% of the spam am I am receiving. I am suggesting a way of making it better. And no one seems to agree with me?

Hi wrectangle, it's not a bad idea to consider document content in binary attachments when filtering messages, it's just very unlikely for Mozilla or volunteer contributors to take it on in Thunderbird.

It is catching less than 10% of the spam am I am receiving.

To begin with, you could follow the suggestion already given. https://support.mozilla.org/en-US/questions/1112742#answer-851295

To begin with, you could follow the suggestion already given. https://support.mozilla.org/en-US/questions/1112742#answer-851295"

Did you not read my response to that point?

Lest me explain this is simple terms as I am getting absolutely nowhere on this and getting a very negative response.

Like many people i buy things on the Internet. I often get emails with invoices or other attachments. The spammers are designing their messages to look exactly like one I would get from a legitimate source. If I train the spam filter to filter out these messages, I get a mixture of genuine ands spam messages in the spam buffer. The only differentiator I can see is that the spam has macros in the attachments.

jscher2000 tells me that it is unlikely that Mozilla or volunteers would take this task on. I have used Thunderbird for a decade and have been very loyal to it.

Regretfully, it is now time for me to look for an alternative as in my view the spam filter is not worth its name and does not do its job.

Yes, please do look for an email client with this feature and let us know what you find.

My search turned up some interesting offerings but they look expensive:

• Sophos - block attachments containing VBA: https://nakedsecurity.sophos.com/2015/09/28/why-word-macro-malware-is-back-and-what-you-can-do-about-it/
• OPSWAT - strip VBA from documents: https://www.opswat.com/blog/how-stop-macro-based-malware-its-tracks
• Websense ThreatSeeker - block potentially malicious macros: http://www.websense.com/content/support/library/email/hosted/admin_guide/av_per_user.aspx
• Cisco IronPort - create inspection rules to delete messages that have office document attachments with macros: https://supportforums.cisco.com/discussion/12925121/block-office-documents-containing-macros

And surprisingly some major vendors do not have it yet:

• Barracuda, according to this thread: https://community.barracudanetworks.com/forum/index.php?/topic/26755-blocking-docdocx-with-macros/

• Microsoft Exchange Online, according to this thread: https://community.office365.com/en-us/f/158/t/413882

It's a fascinating area for research.

Thanks jscher2000, an excellent response.

I have not found any freeware yet that includes a block on attachments with macros but will certainly let you know if I do.

I would really like to carry on using Thunderbird and am trying to encourage Mozilla to update their product by this thread.

Yes your getting a negative response. That would be for a number of reasons which you apparently are not prepared to accept.

1. Thunderbird has no idea what is in the content of a Microsoft

Office document. As a mail client there is absolutely no need to understand proprietary attachments formats. That is something handled by the helper application (word or excel in your case. In my case I do not have those products.

1. The existence or not of a macro is not of value in determining if a message is spam. In fact almost all the Microsoft Office documents I ever email contain a macro. Perhaps because that is why I am emailing them, I have been retained to wrote a macro and the email is the deliverable. I would be royally upset to find my email in the junk, just because I was doing what I was asked to do.

Your welcome to use another mail client, I wish you luck in locating one that uses a criterion I have never heard mentioned before to determine spaminess. What you will find is mail clients with a spam filter are rare. Ones that meet your fine grained definition of spam will be I think Zero.

wrectangle said

You know the attachment contains a macro because if you open the attachment, the word processor tells you something like "Contains macros, macros inhibited. Do you want to enable macros?" If the work processor knows there are macros in the attachment, surely Thunderbird can also check?

Most certainly not. See my comments earlier. To put this in terms that are simple and concise. We are not dealing with a single file format here. There are lots of office file formats used over the years that Microsoft Office can open by default. Not to mentions file formats used by other programs. Each of those formats are covered by intellectual property issues like patents. For someone to write a program to do what you want for just DOC files would probably cost something in the order of $100,000 or more. They would have to read and understand the 500 plus page definition of the word DOC file format. Check for licensing issues and them write a program that reads the file format, determines if it is password protected, asks for the password if appropriate, decrypts the file then looks for macro structures and to see if they are enabled. ANti virus programs tend to have this ability as folk have been sending malicious emails with macros for decades. But for a spam filter. It is overkill.

Here have a look at the word document format

http://download.microsoft.com/download/2/4/8/24862317-78F0-4C4B-B355-C7B2C1D997DB/[MS-DOC].pdf 

Perhaps with that understanding of the complexity of what you ask you might also understand why your simply being told... unlikely. For that sort of investment I think users would want an improved editor or an improved address book. Not a tick box that allows them to make legitimate emails spam because their attachment contains a macro.

If this is for your own domain, you might want to consider a cloud-based email security service. Mail will be pre-cleaned before it even reaches Thunderbird and you'll have a web-based quarantine you can check. These services often require much less training than you would expect because they have been learning on the mail of other customers for years.

Examples: https://community.spiceworks.com/cloud/anti-spam/reviews

As for which ones also read the internals of attachments, that would take some time to figure out.

To jscher2000, interesting. But most of my spam problem is with attachments which the cloud does not (I think) deal with.

With regard to Matt's response..... If all of your documents have a macro in them, you inhabit different world to me. My home computer does not have macros in documents enabled, I have never enabled it and have no intention of enabling it. And yet the spam I receive have macros in them. I said right at the start that I request this as an option which you can disable or enable according to user preference. Your view that because you use macros no one else does is totally false and incorrect.

Thank you for the link to the MS word format. I don't know if you bothered to look at it? Here is a quote from it... 2.1.9 Macros Storage The Macros storage is an optional storage that contains the macros for the file. If present, it MUST be a Project Root Storage as defined in [MS-OVBA] section 2.2.1.

So the section of the word document that contains macros is a completely separate part of the document. You seem to make the assumption that the entire document must be parsed to detect whether there are macros or not. This is not so (according to this document) - it is an appendage to the file which presumably contains a totally standard VBA header. It sounds to me like this would be rather simple to detect and that the VBA format definition can be found on-line.

So far all I am hearing is "too difficult - don't want to know". I will continue hoping that someone has the sense to do something about this. And from jscher2000's earlier response, there are plenty of other people out there as worried as I am about this.

wrectangle said

To jscher2000, interesting. But most of my spam problem is with attachments which the cloud does not (I think) deal with.

With cloud email security, you change the MX records for your domain so that mail senders deliver it directly to the filtering service and then the filtering service pushes the clean mail through to your "real" mail server after quarantining or rejecting the spam. With spam running over 90% of mail, it's a total sanity saver.

wrectangle said

So the section of the word document that contains macros is a completely separate part of the document. You seem to make the assumption that the entire document must be parsed to detect whether there are macros or not. This is not so (according to this document) - it is an appendage to the file which presumably contains a totally standard VBA header. It sounds to me like this would be rather simple to detect and that the VBA format definition can be found on-line.

Have you ever viewed a DOC or XLS file in a text or hex editor? It is a binary file encoded in a proprietary format with text broken up by control codes. Difficult reading.

I did find a command-line tool that allows you to check for macros in a document. This article describes how security researchers use it: https://isc.sans.edu/diary/OfficeMalScanner+helps+identify+the+source+of+a+compromise/18291

I couldn't figure out how to install it, so wasn't able to test it myself.

Anyway, a Windows command-line executable probably won't integrate into Thunderbird. I don't know whether its author would want to recompile it into a library that could be used by other applications, or whether it would work on all the platforms on which Thunderbird runs.

Maybe you can find something more readily usable (I'm done searching).

Thanks again jscher. I looked online and found this document http://www.decalage.info/vba_tools

Here is a quote from it.... VBA macros are normally contained in a VBA project structure, located in different places depending on the document type:

   Word 97-2003: in a storage called "Macros", at the root of the OLE file.
   Excel 97-2003: in a storage called "_VBA_PROJECT_CUR", at the root of the OLE file.
   PowerPoint 97-2003: VBA macros are stored within the binary structure of the presentation, not in an OLE storage.

END QUOTE

The same document states that ... An OLE file can be seen as a mini file system or a Zip archive: It contains streams of data that look like files embedded within the OLE file. Each stream has a name. For example, the main stream of a MS Word document containing its text is named "WordDocument". END QUOTE

Does that mean that if the attachment contains the text Macros or VBA_PROJECT_CUR that you can identify whether the attachment has macros of not? This implies that a simple string search would sort it? I have tried a search on some files that do not contain macros and they do not contain those strings. But I don't have any files with macros to test the reverse.

If this is correct, is there a way to set up Thunderbird to search for these strings and put the offending emails into junk?

I'm having trouble understanding why you even open these documents. Why would a legitimate trader send an invoice as a Word document? That's crazy.

An invoice needs to be a read-only document, something that is hard to edit and falsify. Pdf is the de facto standard for this kind of communication.

If I were to receive a Word document from anyone but a colleague or a trusted supplier or client, it would go straight into Junk. Even if I trusted the sender, I'd open it and refuse to enable any active content until I'd reassured myself of its authenticity.

Macros in spreadsheets are commonplace and usually essential. But in a Word document? Really??

Hi wrectangle, you can create a test document using the macro recorder.

First, you might need to add the Developer section to the ribbon if you don't already display it. Right-click a blank area of the ribbon and choose Customize the Ribbon, then in the list box on the right, check the box for Developer and click OK to save the change.

Create a new document (Ctrl+n).

On the Developer part of the ribbon, click Record Macro. Change the drop-down for "Store macro in" to the new document and click OK. Type some like hello and then click Stop Recording.

Save the document using the old DOC format. Then you can close the document and try reading it in a text editor. You would expect to find Project.NewMacros.Macro1 because we used the default behavior of the macro recorder. The question is whether there is an consistent way to identify macros when someone is intentionally trying to obscure them. Since you get documents containing macros regularly, you could save the attachments out with a .txt extension and use those for research.