[Rspamd-Users] Regarding Malicious File blocking using hashes in rspamd

Venkata Ganesh Raju Malyala ganesh.malyala at gmail.com
Fri Oct 23 16:31:38 UTC 2020


Thank you for the reply Thomas and Christos. Do you have any reference site
with steps to integrate rspamd to work with malware bazaar?

I was actually looking for a particular directory under which I can keep a
manually regularly updated file so that rspamd will automatically check
hashes of incoming mails and their attachments and block those malicious
hashes that are in the file.

Thank you
Ganesh

On Wed, Oct 21, 2020 at 10:42 PM Christos Chatzaras <chris at cretaforce.gr>
wrote:

>
> > I use the following for the malware hashes from abuse.ch in my
> multimap.conf:
> >
> > ABUSE_FEODO_MD5_full {
> >   # match md5sum hashes
> >   type = "selector";
> >   selector = "attachments(hex,md5)";
> >   map = "${LOCAL_CONFDIR}/maps/abuse_bazaar_full.txt";
> >   symbol = "ABUSE_MALWAREBAZAR_MD5_FULL";
> >   score = 7.0;
> > }
> >
> > did not catch a file since I activated this, but I have a very low
> traffic server.....
>
>
> I just added it to my rspamd setup.
>
> This blocked immediately from clamav:
>
> 2020-10-21 19:49:44 #856(normal) <c80ce3>; task; rspamd_task_write_log:
> id: <undef>, qid: <A30E865A4AD>, ip: 210.245.92.234, from: <
> hau.nguyen at adrem.com.vn>, (default: T (reject): [10.00/15.00]
> [ABUSE_MALWAREBAZAR_MD5_FULL(7.00){8715ec33d3b4bbbba583bfd7d7abd26e;},MISSING_MID(2.50){},SUBJECT_ENDS_SPACES(0.50){},MIME_HTML_ONLY(0.20){},R_SPF_ALLOW(-0.20){+mx;},MIME_GOOD(-0.10){multipart/mixed;},RCVD_NO_TLS_LAST(0.10){},ASN(0.00){asn:18403,
> ipnet:210.245.92.0/24,
> country:VN;},CLAM_VIRUS(0.00){Doc.Dropper.EmotetiBlueUpdate1020-9780531-0;},FROM_EQ_ENVFROM(0.00){},FROM_NO_DN(0.00){},HAS_ATTACHMENT(0.00){},HAS_X_AS(0.00){},MIME_TRACE(0.00){0:+;1:~;2:~;},PREVIOUSLY_DELIVERED(0.00){
> info at example.com
> ;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_TWO(0.00){2;},RWL_MAILSPIKE_GOOD(0.00){210.245.92.234:from;},R_DKIM_NA(0.00){},SENDER_REP_SPAM(0.00){asn:
> 18403(0.40), country: VN(0.01), ip:
> 210.245.92.234(0.00);},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]),
> len: 266347, time: 471.924ms, dns req: 22, digest:
> <615f1c22b52768ff9a748ae861b61cf9>, rcpts: <info at example.com>,
> mime_rcpts: <info at example.com>, forced: reject "clamav: virus found:
> "Doc.Dropper.EmotetiBlueUpdate1020-9780531-0""; score=nan (set by clamav)
>
> This had already high score so it would be rejected even without
> malwarebazar:
>
> 2020-10-21 19:57:47 #856(normal) <f61e55>; task; rspamd_task_write_log:
> id: <20201021095743.A6F1DE4EED2E21E9 at yahoo.com.sg>, qid: <3726965A4A9>,
> ip: 204.16.247.82, from: <feiyue_lighting at yahoo.com.sg>, (default: T
> (reject): [47.20/15.00]
> [ABUSE_MALWAREBAZAR_MD5_FULL(14.00){4f5e7938c34a9d2b2b06a9042fd0e731;},FUZZY_DENIED(10.51){1:25fa53b56e:1.00:bin;},ONCE_RECEIVED_STRICT(4.00){},RBL_NIXSPAM(4.00){204.16.247.82:
> from;},HFILTER_HOSTNAME_UNKNOWN(2.50){},DMARC_POLICY_REJECT(2.00){
> yahoo.com.sg : No valid SPF, No valid
> DKIM;reject;},RBL_MAILSPIKE_WORST(2.00){204.16.247.82:
> from;},RBL_SENDERSCORE(2.00){204.16.247.82:
> from;},RBL_VIRUSFREE_BOTNET(2.00){204.16.247.82:from;},BAYES_SPAM(1.49){85.77%;},RDNS_NONE(1.00){},R_NO_SPACE_IN_FROM(1.00){},SUBJECT_ENDS_SPACES(0.50){},MIME_HTML_ONLY(0.20){},MIME_GOOD(-0.10){multipart/mixed;},ONCE_RECEIVED(0.10){},ARC_NA(0.00){},ASN(0.00){asn:20326,
> ipnet:204.16.247.0/24, country:US;},FREEMAIL_ENVFROM(0.00){yahoo.com.sg
> ;},FREEMAIL_FROM(0.00){yahoo.com.sg;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},HAS_ATTACHMENT(0.00){},IP_SCORE_FREEMAIL(0.00){},MID_RHS_MATCH_FROM(0.00){},MIME_TRACE(0.00){0:+;1:~;2:~;3:~;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ZERO(0.00){0;},R_DKIM_NA(0.00){},R_SPF_NEUTRAL(0.00){?all;},SENDER_REP_SPAM(0.00){asn:
> 20326(0.40), country: US(-0.00), ip:
> 204.16.247.82(0.99);},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]),
> len: 122535, time: 502.797ms, dns req: 25, digest:
> <67f37e96aa4834430bea63eef451f62a>, rcpts: <info at example.com>,
> mime_rcpts: <info at example.com>
> --
> Users mailing list
> Users at lists.rspamd.com
> https://lists.rspamd.com/mailman/listinfo/users
>
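To show what the quoted multimap rule does with a hash list like the one Ganesh wants to maintain by hand, here is an added Python script (not rspamd's code and not from anyone in the thread) that hashes the decoded bytes of every attachment in a message and looks the digest up in a one-hash-per-line map. The map text and the sample message are constructed; the `#`-comment handling and the selectable hash algorithm are assumptions that go slightly beyond the md5-only rule shown above.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Constructed sample map in the same shape as the abuse_bazaar_full.txt
# file in the quoted rule: one hex digest per line. Comment and case
# handling are assumptions, not rspamd's documented behaviour.
HASH_MAP_TEXT = """\
# constructed sample map, not a real feed
5D41402ABC4B2A76B9719D911017C592   # md5("hello"), uppercase on purpose
d41d8cd98f00b204e9800998ecf8427e
"""

def load_hash_map(text: str) -> set:
    """Parse a map file into a set of lowercase digests (assumed format)."""
    hashes = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            hashes.add(line.lower())
    return hashes

def attachment_digests(msg: EmailMessage, algo: str = "md5") -> dict:
    """Map attachment filename -> hex digest of its decoded payload,
    mirroring what the selector attachments(hex,md5) computes."""
    digests = {}
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):  # text/* attachments decode to str
            data = data.encode(part.get_content_charset() or "utf-8")
        digests[part.get_filename() or "<unnamed>"] = hashlib.new(algo, data).hexdigest()
    return digests

def matching_attachments(raw: bytes, hash_map: set, algo: str = "md5") -> list:
    """Parse a raw RFC 5322 message and return the attachments whose digest is in the map."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [name for name, d in attachment_digests(msg, algo).items() if d in hash_map]

def build_sample_message() -> bytes:
    """Constructed test message: one attachment listed in the map, one not."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "sender@example.com"
    msg["To"] = "info@example.com"
    msg["Subject"] = "invoice"
    msg.set_content("see attachment")
    msg.add_attachment(b"hello", maintype="application", subtype="octet-stream", filename="hello.bin")
    msg.add_attachment(b"benign contents", maintype="application", subtype="octet-stream", filename="ok.bin")
    return msg.as_bytes()

if __name__ == "__main__":
    print(matching_attachments(build_sample_message(), load_hash_map(HASH_MAP_TEXT)))
```

In production the lookup stays inside rspamd via the multimap rule; this script is only a way to check, for a saved .eml, which digest the rule would have matched.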