[Rspamd-Users] Rspamd and oletools/olefy

Thomas Plant thomas at plant.systems
Fri Jun 28 13:31:57 UTC 2019 

Hello all,

I'm trying to configure rspamd with oletools, but do not get any symbol
in the results of rspamd.
The debug output of 'external_services' says that it found a macro:

2019-06-28 15:16:42 #27243(rspamd_proxy) <6f555b>; oletools;
common.lua:286: oletools: extension matched: doc
2019-06-28 15:16:42 #27243(rspamd_proxy) <6f555b>; oletools;
oletools.lua:151: oletools: filename: /tmp/1561727802.010034.43738
2019-06-28 15:16:42 #27243(rspamd_proxy) <6f555b>; oletools;
oletools.lua:153: oletools: type: OLE
2019-06-28 15:16:42 #27243(rspamd_proxy) <6f555b>; oletools;
oletools.lua:157: oletools: macros found - code: , ole_stream:
Macros/VBA/ThisDocument, vba_filename: ThisDocument.cls
2019-06-28 15:16:42 #27243(rspamd_proxy) <6f555b>; oletools;
oletools.lua:157: oletools: macros found - code: , ole_stream:
Macros/VBA/NewMacros, vba_filename: NewMacros.bas
2019-06-28 15:16:42 #27243(rspamd_proxy) <6f555b>; oletools;
oletools.lua:164: oletools: threat found - type: AutoExec, keyword:
AutoOpen, description: Runs when the Word document is opened
2019-06-28 15:16:42 #27243(rspamd_proxy) <6f555b>; oletools;
common.lua:38: oletools: Scanned Macro is OK
2019-06-28 15:16:42 #27243(rspamd_proxy) <6f555b>; oletools;
common.lua:186: oletools: saved cached result for
rs_oletools_923ec07f9eb20f45ba2be24ce78f3d29c549d2a823de5fdee21417745b7f14518910f37b71f41964e2401250e72a8eeb5d0383722f1cf331949f62123fa0b546:
OK - score 1

But there is no OLETOOLS symbol set in the mailheaders.

local.d/external_services.conf looks the following (is the default
example in the docs):

oletools {
  # default olefy settings
  servers = "127.0.0.1:10050"

  # needs to be set explicitly for Rspamd < 1.9.5
  scan_mime_parts = true;

  # mime-part regex matching in content-type or filename
  mime_parts_filter_regex {
    #UNKNOWN = "application\/octet-stream";
    DOC2 = "application\/msword";
    DOC3 = "application\/vnd\.ms-word.*";
    XLS = "application\/vnd\.ms-excel.*";
    PPT = "application\/vnd\.ms-powerpoint.*";
    GENERIC = "application\/vnd\.openxmlformats-officedocument.*";
  }
  # mime-part filename extension matching (no regex)
  mime_parts_filter_ext {
    doc = "doc";
    dot = "dot";
    docx = "docx";
    dotx = "dotx";
    docm = "docm";
    dotm = "dotm";
    xls = "xls";
    xlt = "xlt";
    xla = "xla";
    xlsx = "xlsx";
    xltx = "xltx";
    xlsm = "xlsm";
    xltm = "xltm";
    xlam = "xlam";
    xlsb = "xlsb";
    ppt = "ppt";
    pot = "pot";
    pps = "pps";
    ppa = "ppa";
    pptx = "pptx";
    potx = "potx";
    ppsx = "ppsx";
    ppam = "ppam";
    pptm = "pptm";
    potm = "potm";
    ppsm = "ppsm";
  }
}

local.d/external_services_group.conf:

symbols {
        "OLETOOLS" {
        weight = 1.0;
        description = "OLETOOLS found a Macro";
        one_shot = false;
        }
}

But still no symbol seen in the headers or rspamd.log.

Regards,
Thomas

More information about the Users mailing list