[Rspamd-Users] Regarding Malicious File blocking using hashes in rspamd
Vsevolod Stakhov
vsevolod at rspamd.com
Tue Jul 14 11:51:32 UTC 2020
On 14/07/2020 12:29, Riccardo Alfieri wrote:
> On 14/07/20 12:52, Venkata Ganesh Raju Malyala wrote:
>
>> Hello everyone,
>>
>> Can someone advise blocking malicious files/attachments in rspamd if we
>> have a set of malicious file hashes.
>>
> Hi,
>
> you can take inspiration from the function called "check_file_callback"
> here:
> https://github.com/spamhaus/rspamd-dqs/blob/master/2.x/rspamd.local.lua#L97
>
> Depending on the type of the hash you have you'll probably need to
> adjust the "local filehash" line #103
>
As I have said, this is a wrong approach as it is alien to Rspamd
architecture and requires lots of extra work (e.g. multiple sha256
calculations). Here is the correct one:

    spamhaus_dqs_hbl {
      symbol = "HBL_FILE_UNKNOWN";
      rbl = "_file.{= SPAMHAUS_DQS_KEY =}.hbl.dq.spamhaus.net.";
      selector = "attachments('rbase32', 'sha256')";
      ignore_whitelist = true;
      ignore_defaults = true;
      returncodes {
        HBL_FILE_MALICIOUS = "127.0.3.10";
        HBL_FILE_SUSPICIOUS = "127.0.3.15";
      }
    }

Then you can specify SPAMHAUS_DQS_KEY via environment when you start
Rspamd to avoid key leak via configuration.
This works with 2.6 only, however.
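
Added example, not part of the original message and not Rspamd or Spamhaus code: a sketch of how the query name for one attachment follows from the rule above, and how the answers map to its symbols, useful when checking a lookup by hand. It assumes 'rbase32' means RFC 4648 base32 with the padding stripped; the function names, the sample bytes and the key placeholder are constructed for illustration.

```python
import base64
import hashlib

# Zone layout and return codes copied from the rule in the post.
ZONE = "_file.{key}.hbl.dq.spamhaus.net."
RETURNCODES = {
    "127.0.3.10": "HBL_FILE_MALICIOUS",
    "127.0.3.15": "HBL_FILE_SUSPICIOUS",
}


def attachment_label(content: bytes) -> str:
    """SHA-256 of the attachment, base32-encoded, as one DNS label.

    Assumption: 'rbase32' is RFC 4648 base32 with the '=' padding removed.
    """
    digest = hashlib.sha256(content).digest()
    label = base64.b32encode(digest).decode("ascii").rstrip("=")
    # 32 bytes encode to 52 characters, inside the 63-octet DNS label limit.
    if len(label) > 63:
        raise ValueError("label too long for DNS")
    return label


def query_name(content: bytes, key: str) -> str:
    """Name looked up for one attachment under the rule's rbl zone."""
    return f"{attachment_label(content)}.{ZONE.format(key=key)}"


def symbols_for(answers):
    """Map A-record answers to the symbols listed in returncodes.

    An empty answer list (NXDOMAIN) or an unlisted code yields nothing here.
    """
    return [RETURNCODES[a] for a in answers if a in RETURNCODES]


if __name__ == "__main__":
    sample = b"constructed sample attachment bytes\n"  # constructed input
    key = "DQS-KEY-PLACEHOLDER"  # placeholder, not a real key
    print(query_name(sample, key))
    print(symbols_for(["127.0.3.10"]))
```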