[Rspamd-Users] Multimap filter "extension" does recognize .laf as .exe

Thomas Plant thomas at plant.systems
Wed May 6 14:11:27 UTC 2020


For a test I renamed the file to .txt, but it still reveals an .exe in
the file.

Debugging the multimap module shows that it did find a 'detected.exe' in
the file....

2020-05-06 15:58:53 #27427(rspamd_proxy) <b9ef05>; multimap;
multimap.lua:619: apply filter extension for rule FILENAME_BLACKLISTED:
AG200413-20200430 Frontansicht PWC V2 - Kopie.txt -> txt
2020-05-06 15:58:53 #27427(rspamd_proxy) <b9ef05>; multimap;
multimap.lua:437: check value txt for multimap FILENAME_BLACKLISTED
2020-05-06 15:58:53 #27427(rspamd_proxy) <b9ef05>; multimap;
multimap.lua:897: detected filename detected.exe
2020-05-06 15:58:53 #27427(rspamd_proxy) <b9ef05>; multimap;
multimap.lua:619: apply filter extension for rule FILENAME_BLACKLISTED:
detected.exe -> exe
2020-05-06 15:58:53 #27427(rspamd_proxy) <b9ef05>; multimap;
multimap.lua:437: check value exe for multimap FILENAME_BLACKLISTED
2020-05-06 15:58:53 #27427(rspamd_proxy) <b9ef05>; multimap;
multimap.lua:437: check value thomas.plant at web.de for multimap
FILENAME_BLACKLISTED_FROM_WL
2020-05-06 15:58:53 #27427(rspamd_proxy) <b9ef05>; multimap;
multimap.lua:437: check value web.de for multimap
FILENAME_BLACKLISTED_FROM_WL
2020-05-06 15:58:53 #27427(rspamd_proxy) <b9ef05>; multimap;
multimap.lua:437: check value thomas.plant for multimap
FILENAME_BLACKLISTED_FROM_WL
2020-05-06 15:58:53 #27427(rspamd_proxy) <b9ef05>; multimap;
multimap.lua:437: check value thomas at plant.systems for multimap
FILENAME_BLACKLISTED_WL
2020-05-06 15:58:53 #27427(rspamd_proxy) <b9ef05>; multimap;
multimap.lua:437: check value plant.systems for multimap
FILENAME_BLACKLISTED_WL
2020-05-06 15:58:53 #27427(rspamd_proxy) <b9ef05>; multimap;
multimap.lua:437: check value thomas for multimap FILENAME_BLACKLISTED_WL
2020-05-06 15:58:53 #27427(rspamd_proxy) <b9ef05>; multimap;
multimap.lua:619: apply filter extension for rule MSOFFICE_EXTENSION:
AG200413-20200430 Frontansicht PWC V2 - Kopie.txt -> txt
2020-05-06 15:58:53 #27427(rspamd_proxy) <b9ef05>; multimap;
multimap.lua:437: check value txt for multimap MSOFFICE_EXTENSION
2020-05-06 15:58:53 #27427(rspamd_proxy) <b9ef05>; multimap;
multimap.lua:897: detected filename detected.exe
2020-05-06 15:58:53 #27427(rspamd_proxy) <b9ef05>; multimap;
multimap.lua:619: apply filter extension for rule MSOFFICE_EXTENSION:
detected.exe -> exe

Our customer swears that there is no exe contained in the file; it
merely contains "translations of labeling of a switch cabinet".
Seems he is wrong, or could this be a false positive on Rspamd's side?

Thomas



On 06.05.20 10:26, Thomas Plant via Users wrote:
> Hello, need help on this.
>
> I have a multimap to detect certain file extensions and block them:
>
> file_name_blacklisted {
>     type = "filename";
>     filter = "extension";
>     symbol = "FILE_NAME_BLACKLISTED";
>     map = "${LOCAL_CONFDIR}/maps/filename.map";
>     description = "List of forbidden filename extensions.";
> }
>
> Which I later combine in a force_action.conf to whitelist some
> recipients who want to receive every bit of junk that comes in.
> But this is not the problem, I think.
>
> When I send the file with the following name:
> AG200413-20200430 Frontansicht PWC V2.LAF
>
> I get the symbol configured above "FILE_NAME_BLACKLISTED" and thus the
> mail is rejected by the force_action rule.
> FILE_NAME_BLACKLISTED(0.00){exe;}
>
> The maps/filename.map does not contain this extension. Here is its content:
> bat
> cmd
> com
> cpl
> exe
> jar
> js
> jse
> lnk
> lnk
> msi
> msp
> pif
> ps1
> ps1xml
> ps2
> ps2xml
> psc1
> psc2
> reg
> scf
> scr
> vb
> vbe
> vbs
> ws
> wsc
> wsf
> wsh
> iso
>
>
> The MIME type of the attachment seems correct to me:
>
> --------------B0C7E10E0252B01A3CCFAC2F
> Content-Type: application/octet-stream;
>  name="AG200413-20200430 Frontansicht PWC V2.LAF"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment;
>  filename="AG200413-20200430 Frontansicht PWC V2.LAF"
>
> MjAwMyBMYWZlciBTLnIubCBGYXN0T25lIC0gZmlsZSBWZXJzaW9uID02MCAgICAgICAgICAg
> ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
>
>
>
> If anybody could help me shed some light on this.
> Thanks,
> Thomas
>
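The debug log above shows why renaming the attachment to .txt changed nothing: besides the declared name (`... Kopie.txt -> txt`), multimap also runs the `extension` filter over a second, content-derived name (`detected filename detected.exe`), and that one matches the `exe` entry in the map. Content-based detection is exactly what stops a sender bypassing an extension blacklist by renaming an executable, so the question is whether the bytes really carry an executable signature. The script below is an added example, not part of this thread and not rspamd's own detection code: it decodes the two base64 lines quoted in the original post (copied verbatim into `POSTED_B64`; only that truncated prefix is available) and checks for the one thing every Windows PE executable has regardless of its file name, the `MZ` DOS header with `e_lfanew` pointing at a `PE\0\0` signature. A minimal PE header is constructed inline as the positive case; it is not taken from the customer's file.

```python
import base64
import struct

# The two base64 lines of the attachment exactly as quoted in the post above.
# Only this prefix was posted, so every check below has to work on a truncated file.
POSTED_B64 = (
    "MjAwMyBMYWZlciBTLnIubCBGYXN0T25lIC0gZmlsZSBWZXJzaW9uID02MCAgICAgICAgICAg"
    "ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg"
)

# Bytes accepted as "plain text": printable ASCII plus tab, LF and CR.
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def decode_attachment(b64_text: str) -> bytes:
    """Decode a (possibly truncated) base64 MIME body.

    Line breaks are dropped and missing '=' padding is added so that a
    fragment cut off mid-file, like the one quoted in the post, still decodes.
    """
    compact = "".join(b64_text.split())
    compact += "=" * (-len(compact) % 4)
    return base64.b64decode(compact)


def looks_like_pe(data: bytes) -> bool:
    """True if data carries a PE (Windows executable) header.

    A PE file starts with the DOS stub magic 'MZ'; the 32-bit little-endian
    field at offset 0x3C (e_lfanew) gives the offset of the 'PE\\0\\0'
    signature. Renaming the file changes none of this, which is why a
    content check can say 'exe' for a '.txt' or '.LAF' attachment.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def is_plain_text(data: bytes) -> bool:
    """True if every byte is printable ASCII or ordinary whitespace."""
    return bool(data) and all(b in TEXT_BYTES for b in data)


def classify(data: bytes) -> str:
    """Coarse verdict on raw attachment bytes: 'pe', 'text' or 'unknown'."""
    if looks_like_pe(data):
        return "pe"
    if is_plain_text(data):
        return "text"
    return "unknown"


def build_fake_pe_prefix() -> bytes:
    """Constructed positive sample (not from the post): a 64-byte DOS header
    whose e_lfanew points straight at a 'PE\\0\\0' signature."""
    dos_header = bytearray(0x40)
    dos_header[:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x40)
    # 20 zero bytes stand in for the COFF file header that would follow.
    return bytes(dos_header) + b"PE\0\0" + bytes(20)


if __name__ == "__main__":
    blob = decode_attachment(POSTED_B64)
    print(f"decoded {len(blob)} bytes from the posted fragment, verdict: {classify(blob)}")
    print("first bytes:", blob[:43].decode("ascii", errors="replace"))
    print("constructed PE sample verdict:", classify(build_fake_pe_prefix()))
```

The posted prefix decodes to the ASCII string `2003 Lafer S.r.l FastOne - file Version =60` followed by space padding, with no `MZ` header, so on the bytes shown here the PE check does not fire. That only covers the first 108 bytes, though: to settle the question for the real file, run the same check over the complete decoded attachment rather than the fragment in the mail.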


