[Rspamd-Users] Multimap filter "extension" does recognize .laf as .exe

Thomas Plant thomas at plant.systems
Tue May 12 13:38:20 UTC 2020


On 07.05.2020 at 09:52, Alexander Moisseev via Users wrote:
> 07.05.2020 10:19, Thomas Plant via Users wrote:
>>
>> Out of curiosity, how does rspamd detect if there is an executable
>> file in a file?
>>
> Rspamd detects attachment file type by magic number. If it is an
> archive and the archive type is supported by Rspamd then Rspamd gets a
> list of file names from the archive and checks file extensions.
>
I contacted the software company whose program creates these files.
According to them, this is not an archive and does not contain an
executable file. They wrote that the first 128 bytes of the file are as
follows:

32 30 30 33 20 4C 61 66 65 72 20 53 2E 72 2E 6C 20 46 61 73 74 4F 6E 65
20 2D 20 66 69 6C 65 20 56 65 72 73 69 6F 6E 20 3D 36 30 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20

Which corresponds to this string: "2003 Lafer S.r.l FastOne - file
Version =60 "
It's just their company name and version.

Can we somehow analyze this? I could post an example file if someone
would be willing to examine it.
Or is this file simply badly structured?
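
An added example, not part of the original message and not Rspamd's own code: it decodes the 128 header bytes quoted above and compares them with a few well-known executable and archive magic numbers. The signature table and function names are assumptions chosen for illustration, and only the first 128 bytes are known, so the result says nothing about the rest of the file.

```python
# Header bytes exactly as quoted in the message (128 bytes).
HEADER_HEX = """
32 30 30 33 20 4C 61 66 65 72 20 53 2E 72 2E 6C 20 46 61 73 74 4F 6E 65
20 2D 20 66 69 6C 65 20 56 65 72 73 69 6F 6E 20 3D 36 30 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20
"""

# Small illustrative subset of well-known signatures (not Rspamd's list).
MAGICS = [
    (b"MZ", "DOS/PE executable"),
    (b"\x7fELF", "ELF executable"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"Rar!\x1a\x07", "RAR archive"),
    (b"7z\xbc\xaf\x27\x1c", "7-Zip archive"),
    (b"\x1f\x8b", "gzip stream"),
]

def parse_hex_dump(text):
    """Turn a whitespace-separated hex dump into bytes."""
    return bytes(int(tok, 16) for tok in text.split())

def match_magic(data):
    """Descriptions of signatures found at offset 0."""
    return [desc for sig, desc in MAGICS if data.startswith(sig)]

def find_embedded(data):
    """(offset, description) for signatures found after offset 0."""
    hits = []
    for sig, desc in MAGICS:
        pos = data.find(sig, 1)
        while pos != -1:
            hits.append((pos, desc))
            pos = data.find(sig, pos + 1)
    return sorted(hits)

def is_printable_ascii(data):
    return all(0x20 <= b <= 0x7E for b in data)

if __name__ == "__main__":
    header = parse_hex_dump(HEADER_HEX)
    print("length:", len(header))
    print("text:", repr(header.decode("ascii").rstrip()))
    print("magic at offset 0:", match_magic(header) or "none")
    print("embedded signatures:", find_embedded(header) or "none")
```

Short signatures such as `MZ` can occur by chance inside arbitrary binary data, so an embedded hit on a complete file is a lead to examine, not proof of an executable.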

