[Rspamd-Users] Regarding Malicious File blocking using hashes in rspamd
Christos Chatzaras
chris at cretaforce.gr
Wed Oct 21 17:12:02 UTC 2020
> I use the following for the malware hashes from abuse.ch in my multimap.conf:
>
> ABUSE_FEODO_MD5_full {
> # match md5sum hashes
> type = "selector";
> selector = "attachments(hex,md5)";
> map = "${LOCAL_CONFDIR}/maps/abuse_bazaar_full.txt";
> symbol = "ABUSE_MALWAREBAZAR_MD5_FULL";
> score = 7.0;
> }
>
> Did not catch a file since I activated this, but I have a very low-traffic server...
I just added it to my rspamd setup.
This was blocked immediately by clamav:
2020-10-21 19:49:44 #856(normal) <c80ce3>; task; rspamd_task_write_log: id: <undef>, qid: <A30E865A4AD>, ip: 210.245.92.234, from: <hau.nguyen at adrem.com.vn>, (default: T (reject): [10.00/15.00] [ABUSE_MALWAREBAZAR_MD5_FULL(7.00){8715ec33d3b4bbbba583bfd7d7abd26e;},MISSING_MID(2.50){},SUBJECT_ENDS_SPACES(0.50){},MIME_HTML_ONLY(0.20){},R_SPF_ALLOW(-0.20){+mx;},MIME_GOOD(-0.10){multipart/mixed;},RCVD_NO_TLS_LAST(0.10){},ASN(0.00){asn:18403, ipnet:210.245.92.0/24, country:VN;},CLAM_VIRUS(0.00){Doc.Dropper.EmotetiBlueUpdate1020-9780531-0;},FROM_EQ_ENVFROM(0.00){},FROM_NO_DN(0.00){},HAS_ATTACHMENT(0.00){},HAS_X_AS(0.00){},MIME_TRACE(0.00){0:+;1:~;2:~;},PREVIOUSLY_DELIVERED(0.00){info at example.com;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_TWO(0.00){2;},RWL_MAILSPIKE_GOOD(0.00){210.245.92.234:from;},R_DKIM_NA(0.00){},SENDER_REP_SPAM(0.00){asn: 18403(0.40), country: VN(0.01), ip: 210.245.92.234(0.00);},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 266347, time: 471.924ms, dns req: 22, digest: <615f1c22b52768ff9a748ae861b61cf9>, rcpts: <info at example.com>, mime_rcpts: <info at example.com>, forced: reject "clamav: virus found: "Doc.Dropper.EmotetiBlueUpdate1020-9780531-0""; score=nan (set by clamav)
This one already had a high score, so it would have been rejected even without MalwareBazaar:
2020-10-21 19:57:47 #856(normal) <f61e55>; task; rspamd_task_write_log: id: <20201021095743.A6F1DE4EED2E21E9 at yahoo.com.sg>, qid: <3726965A4A9>, ip: 204.16.247.82, from: <feiyue_lighting at yahoo.com.sg>, (default: T (reject): [47.20/15.00] [ABUSE_MALWAREBAZAR_MD5_FULL(14.00){4f5e7938c34a9d2b2b06a9042fd0e731;},FUZZY_DENIED(10.51){1:25fa53b56e:1.00:bin;},ONCE_RECEIVED_STRICT(4.00){},RBL_NIXSPAM(4.00){204.16.247.82:from;},HFILTER_HOSTNAME_UNKNOWN(2.50){},DMARC_POLICY_REJECT(2.00){yahoo.com.sg : No valid SPF, No valid DKIM;reject;},RBL_MAILSPIKE_WORST(2.00){204.16.247.82:from;},RBL_SENDERSCORE(2.00){204.16.247.82:from;},RBL_VIRUSFREE_BOTNET(2.00){204.16.247.82:from;},BAYES_SPAM(1.49){85.77%;},RDNS_NONE(1.00){},R_NO_SPACE_IN_FROM(1.00){},SUBJECT_ENDS_SPACES(0.50){},MIME_HTML_ONLY(0.20){},MIME_GOOD(-0.10){multipart/mixed;},ONCE_RECEIVED(0.10){},ARC_NA(0.00){},ASN(0.00){asn:20326, ipnet:204.16.247.0/24, country:US;},FREEMAIL_ENVFROM(0.00){yahoo.com.sg;},FREEMAIL_FROM(0.00){yahoo.com.sg;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},HAS_ATTACHMENT(0.00){},IP_SCORE_FREEMAIL(0.00){},MID_RHS_MATCH_FROM(0.00){},MIME_TRACE(0.00){0:+;1:~;2:~;3:~;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ZERO(0.00){0;},R_DKIM_NA(0.00){},R_SPF_NEUTRAL(0.00){?all;},SENDER_REP_SPAM(0.00){asn: 20326(0.40), country: US(-0.00), ip: 204.16.247.82(0.99);},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 122535, time: 502.797ms, dns req: 25, digest: <67f37e96aa4834430bea63eef451f62a>, rcpts: <info at example.com>, mime_rcpts: <info at example.com>
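To see what the multimap rule above is doing, and to check that a hash list and the digests computed for attachments actually line up, here is an added Python example. It is not code from this thread or from the rspamd project: it builds a constructed two-attachment message, hashes each decoded attachment with MD5 (this example assumes that is what `attachments(hex,md5)` computes), and looks the digests up in a constructed stand-in for `abuse_bazaar_full.txt`. The map format (one hex digest per line, blank lines and `#` comments ignored) is an assumption; rspamd's own map parser is what counts in production.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Constructed attachment bytes (harmless text); its MD5 is the well-known
# 9e107d9d372bb6826bd81d3542a419d6, which is placed in the sample map below.
SAMPLE_ATTACHMENT = b"The quick brown fox jumps over the lazy dog"

# Constructed stand-in for abuse_bazaar_full.txt: one hex MD5 per line.
# Skipping blank lines and '#' comments is an assumption about the map
# format; check rspamd's map documentation for what it really accepts.
SAMPLE_MAP = """\
# constructed sample map, not a real MalwareBazaar export
9e107d9d372bb6826bd81d3542a419d6   # md5 of the constructed invoice.doc attachment
900150983CD24FB0D6963F7D28E17F72   # upper-case entry, normalised on load

"""


def load_hash_map(text: str) -> set[str]:
    """Parse a multimap-style hash list into a set of lower-case hex digests."""
    hashes = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comment and whitespace
        if line:
            hashes.add(line.lower())
    return hashes


def attachment_md5s(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (filename, md5hex) for every attachment, hashing the *decoded*
    content (base64 / quoted-printable undone), which is what this example
    assumes the attachments(hex,md5) selector does."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    result = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        result.append((part.get_filename() or "", hashlib.md5(payload).hexdigest()))
    return result


def match_attachments(raw_message: bytes, hash_map: set[str]) -> list[tuple[str, str]]:
    """Attachments whose MD5 appears in the map. A non-empty result is the
    condition under which ABUSE_MALWAREBAZAR_MD5_FULL would be added."""
    return [(name, digest) for name, digest in attachment_md5s(raw_message)
            if digest in hash_map]


def build_sample_message() -> bytes:
    """Constructed message with two attachments: one listed in the map, one not."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "info@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(SAMPLE_ATTACHMENT, maintype="application",
                       subtype="octet-stream", filename="invoice.doc")
    msg.add_attachment(b"nothing to see here", maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    return msg.as_bytes()


SAMPLE_MESSAGE = build_sample_message()

if __name__ == "__main__":
    for name, digest in match_attachments(SAMPLE_MESSAGE, load_hash_map(SAMPLE_MAP)):
        print(f"ABUSE_MALWAREBAZAR_MD5_FULL would fire: {name} {digest}")
```

Running it prints one hit for `invoice.doc` and nothing for `notes.txt`. The useful check for a real deployment is the hashing step: if the list you feed the map contains digests of the decoded file content, as this example computes, the selector and the map agree; if it contained digests of the base64 text or of a whole archive rather than the file inside it, the rule would never fire, which is worth ruling out before concluding from a quiet low-traffic server that the feed is simply not matching anything.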