[Rspamd-Users] Regarding Malicious File blocking using hashes in rspamd

Vsevolod Stakhov vsevolod at rspamd.com
Tue Jul 14 11:51:32 UTC 2020

On 14/07/2020 12:29, Riccardo Alfieri wrote:
> On 14/07/20 12:52, Venkata Ganesh Raju Malyala wrote:
>> Hello everyone,
>> Can someone advise blocking malicious files/ attachments in rspamd if we
>> have a set of malicious file hashes.
> Hi,
> you can take inspiration from the function called "check_file_callback"
> here:
> https://github.com/spamhaus/rspamd-dqs/blob/master/2.x/rspamd.local.lua#L97
> Depending on the type of the hash you have you'll probably need to
> adjust the "local filehash" line #103

As I have said, this is a wrong approach as it is alien to Rspamd
architecture and requires lot's of extra work (e.g. multiple sha256
calculations). Here is the correct one:

spamhaus_dqs_hbl {
  symbol = "HBL_FILE_UNKNOWN";
  rbl = "_file.{= SPAMHAUS_DQS_KEY =}.hbl.dq.spamhaus.net.";
  selector = "attachments('rbase32', 'sha256')";
  ignore_whitelist = true;
  ignore_defaults = true;
  returncodes {

Then you can specify SPAMHAUS_DQS_KEY via environment when you start
Rspamd to avoid key leak via configuration.

This works with 2.6 only, however.

More information about the Users mailing list