[Rspamd-Users] Finetune MIME_BAD_EXTENSION reject

Carsten Rosenberg cr at ncxs.de
Wed Feb 24 11:39:04 UTC 2021


On 24.02.21 11:06, Sandy Drobic wrote:
> I have a bit of trouble fine-tuning the rejects of doc or docx documents.
> These are not in my configured list of extensions to reject, but get rejected
> anyway due to being labeled with MIME_BAD_EXTENSION.
> 
> 
> *MIME_BAD_EXTENSION* (0.2) [docx]
> *MIME_GOOD* (-0.1)
> [multipart/mixed,multipart/related,multipart/alternative,text/plain]
> *RCVD_IN_DNSWL_LOW* (-0.1) [x.x.x.x:from]
> *FROM_EQ_ENVFROM* (0)
> *REPLYTO_DOM_EQ_FROM_DOM* (0)
> *RWL_MAILSPIKE_VERYGOOD* (0) [208.84.65.78:from]
> *FROM_HAS_DN* (0)
> *HAS_REPLYTO* (0) [example.com]
> *R_DKIM_NA* (0)
> *FORCE_ACTION_REJECT_MIME_BAD* (0) [reject]
> *MIME_TRACE* (0) [0:+,1:+,2:+,3:+,4:~,5:-,5:~]
> 
> 
> So I have mails with decent check-results but will get rejected because of this.
> 
> local.d/force_actions.conf:
> rules {
>   REJECT_MIME_BAD {
>     action = "reject"
>     expression =  MIME_BAD_EXTENSION;
>     message = "Attachment rejected"
>   }
> }
> 
> # This will reject the mail with a proper explanation.
> 
> mimetypes.conf:
> bad_extensions = {
>   lnk = 20,
>   exe = 20,
>   jar = 20,
>   com = 20,
>   bat = 20,
>   ace = 20,
>   arj = 20,
>   cab = 20,
>   vbs = 20
> }
> 
> # There should be  no .doc or .docx here to trigger MIME_BAD_EXTENSION.
> Do I need a rule to whitelist office documents?
> At the moment I can probably only disable the rule in force_actions.conf, but
> then the reject will go back to the default and call it a spam mail.
> 
> Greetings
> Sandy

Hey,

Best option is not to use the mime_types plugin to reject bad
extensions. Setting high scores here will end up in learning mails from
good senders with bad attachments.

Use multimap to match extensions and use the mime_types plugin with
default settings. The multimap extension filter also matches on file
extensions and mime_types.

--
Carsten
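
Added example, not part of the messages above and not configuration from the Rspamd project: one way to set up the multimap approach Carsten describes, so that only explicitly listed extensions lead to a reject while mime_types keeps its default scores. The symbol name BLOCKED_ATTACHMENT_EXT and the map path are assumptions; the extensions are the ones from Sandy's list.

```ucl
# local.d/multimap.conf
# Symbol name and map path below are hypothetical, chosen for this example.
BLOCKED_ATTACHMENT_EXT {
  type = "filename";        # look at attachment file names
  filter = "extension";     # compare only the extension against the map
  map = "/etc/rspamd/local.d/maps.d/blocked_extensions.map";
  action = "reject";        # pre-filter action: reject when an entry matches
  message = "Attachment rejected";
  description = "Attachment extension is on the local block list";
}

# /etc/rspamd/local.d/maps.d/blocked_extensions.map
# One extension per line, without the leading dot:
#   lnk
#   exe
#   jar
#   com
#   bat
#   ace
#   arj
#   cab
#   vbs

# To go with it:
#  - remove the custom bad_extensions block (scores of 20) so that
#    mime_types runs with its default settings;
#  - remove the REJECT_MIME_BAD rule from local.d/force_actions.conf,
#    since it rejects on MIME_BAD_EXTENSION regardless of which
#    extension produced the symbol (docx at 0.2 in the report above).
```

Running `rspamadm configtest` after the change checks the syntax before Rspamd is reloaded.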

