[Rspamd-Users] Finetune MIME_BAD_EXTENSION reject

Sandy Drobic rspamd at drobic.de
Wed Feb 24 10:06:55 UTC 2021


I have a bit of trouble fine-tuning the rejects of doc or docx documents.
These are not in my configured list of extensions to reject, but get rejected
anyway due to being labeled with MIME_BAD_EXTENSION.


*MIME_BAD_EXTENSION* (0.2) [docx]
*MIME_GOOD* (-0.1) [multipart/mixed,multipart/related,multipart/alternative,text/plain]
*RCVD_IN_DNSWL_LOW* (-0.1) [x.x.x.x:from]
*FROM_EQ_ENVFROM* (0)
*REPLYTO_DOM_EQ_FROM_DOM* (0)
*RWL_MAILSPIKE_VERYGOOD* (0) [208.84.65.78:from]
*FROM_HAS_DN* (0)
*HAS_REPLYTO* (0) [example.com]
*R_DKIM_NA* (0)
*FORCE_ACTION_REJECT_MIME_BAD* (0) [reject]
*MIME_TRACE* (0) [0:+,1:+,2:+,3:+,4:~,5:-,5:~]


So I have mails with decent check results that will get rejected because of this.

local.d/force_actions.conf:
rules {
  REJECT_MIME_BAD {
    action = "reject"
    expression = MIME_BAD_EXTENSION;
    message = "Attachment rejected"
  }
}

# This will reject the mail with a proper explanation.

mimetypes.conf:
bad_extensions = {
  lnk = 20,
  exe = 20,
  jar = 20,
  com = 20,
  bat = 20,
  ace = 20,
  arj = 20,
  cab = 20,
  vbs = 20
}

# There should be no .doc or .docx here to trigger MIME_BAD_EXTENSION.
Do I need a rule to whitelist office documents?
At the moment I can probably only disable the rule in force_actions.conf, but
then the reject will go back to the default and call it a spam mail.

Greetings
Sandy



