[Rspamd-Users] Need some help with FILENAME_BLACKLISTED

G.W. Haywood rspamd at jubileegroup.co.uk
Mon Sep 5 09:47:08 UTC 2022


Hi there,

On Mon, 5 Sep 2022, Andreas Wass - Glas Gasperlmair wrote:

> wanna reject emails which include filenames with double extensions like 
> "Testfile.xlsx.txt" and so on.
>
> In my multimap.conf I added the following definition
>
> FILENAME_BLACKLISTED {
>   type = "filename";
>   filter = "extension";
>   map = "${LOCAL_CONFDIR}/local.d/gasp_filename_blacklist.map";
>   action = "reject";
>   message = "A restricted file type was found";
> }
>
> in my gasp_filename_blacklist.map I added this string:
>
> xlsx.txt
>
> But this does not work.
> It seems to work with simple extensions like "Filename.test"
>
> Can somebody help me?

I suspect that the concept of a filename "extension" may be different
depending upon which chair you happen to be sitting.  In the Windows
world the extension is something which can have important effects on
how the operating system behaves, and, for a very long time, naming
files with deliberately incorrect extensions has been a trick used by
criminals to compromise victim computers.  In the Unix world, things
are a bit different: extensions in filenames don't in themselves mean
anything in particular, although file (and directory) names can be and
very often are used in curious ways.  Filenames which begin with a dot
for example are treated as "hidden" by Unix-like systems.  Windows has
its own ways of hiding files, which are different.  It doesn't matter
to a Unix box if a text file is called "something.exe"; it will never
try to execute it just because the name of the file ends with the four
characters '.', 'e', 'x' and 'e' in precisely that order.

What follows below is largely guesswork.  It might help until someone
who knows more about this comes along.

Looking at the documentation at

https://rspamd.com/doc/modules/multimap.html#map-filters

I do not see the concept explicitly defined but I surmise that it's
something along the lines of "everything after the last dot in the
string which contains the filename".  In the case of your example I
would take that to mean "txt" and not "xlsx.txt".  So you could in
that case block files which were called "abc.img" or "xyz.rar" but not
files called "something.rar.img" or "anything.pdf.exe" - both of which
are the sort of thing which we see quite a lot here, but we do not use
rspamd to detect them so I have no experience with its configuration.

In the rspamd configuration documentation I see that you can give a
regex instead of a string.  I wonder if you might have more luck with
that option.  I'd try something like

regexp:/xlsx.txt/

but note that in theory this will also match for example "xlsxAtxt"
because in a regex a dot usually matches more or less any character.

regexp:/xlsx\.txt/

would match a literal dot in the name but I don't know how that might
affect the thing which decides exactly what the "extension" is.

Again because I haven't used this at all I don't know if the regex
would need to match the entire filename string, so you might still
need to experiment for example with things like

regexp:/.*xlsx.txt/
regexp:/.*xlsx\.txt/

and so on.  I'd be interested to know if any of my guesswork is close
to being correct.

HTH

-- 

73,
Ged.
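The following is an added illustration, not code from the thread or from rspamd. It models the two behaviours Ged guesses at: an "extension" filter that keeps only the text after the last dot (an assumption about rspamd's semantics, not something the documentation confirms), and a regex applied to the whole filename as a substring search (also an assumption, since the reply is unsure whether the match must cover the entire string). The attachment names and the list of "inner" extensions in the generalised double-extension pattern are constructed for the example; the pattern is one possible policy, not rspamd's.

```python
import re

# ASSUMPTION: the multimap "extension" filter is modelled as "everything after
# the last dot", lower-cased. If rspamd does something else, this model is wrong.
def extension_filter(filename: str) -> str:
    """Return the text after the last dot, or '' when there is no dot."""
    _head, sep, tail = filename.rpartition(".")
    return tail.lower() if sep else ""

# Constructed sample attachment names (not taken from real mail).
SAMPLE_FILENAMES = [
    "Testfile.xlsx.txt",   # the double extension from the question
    "Filename.test",       # the simple extension that did work
    "report.pdf.exe",      # the kind of name mentioned in the reply
    "archive.rar.img",
    "photo.jpg",
    "xlsxAtxt",            # no dot at all: shows the unescaped-dot problem
    "weird.xlsxAtxt",
    "notes.txt",
]

# What the question's map contained, plus the simple extension that worked.
BLACKLISTED_EXTENSIONS = {"xlsx.txt", "test"}

def extension_map_hits(filenames):
    """Names a plain string map would catch under the modelled 'extension' filter."""
    return [f for f in filenames if extension_filter(f) in BLACKLISTED_EXTENSIONS]

# The two candidate regexes from the reply, applied to the whole filename.
# ASSUMPTION: substring search, i.e. the regex need not cover the entire name.
UNESCAPED = re.compile(r"xlsx.txt")    # '.' matches any character
ESCAPED = re.compile(r"xlsx\.txt")     # '\.' matches only a literal dot

# Generalised double-extension rule (a hypothetical policy for illustration):
# a document/archive-looking component followed by one final extension,
# e.g. "report.pdf.exe" or "archive.rar.img". The inner list is constructed.
INNER_EXTS = ("doc", "docx", "xls", "xlsx", "pdf", "jpg", "png", "rar", "zip", "txt")
DOUBLE_EXT = re.compile(
    r"\.(?:%s)\.[a-z0-9]{1,5}$" % "|".join(INNER_EXTS), re.IGNORECASE
)

def regex_hits(pattern, filenames):
    """Names the given compiled regex would match (substring search)."""
    return [f for f in filenames if pattern.search(f)]

if __name__ == "__main__":
    print("extension filter sees:", {f: extension_filter(f) for f in SAMPLE_FILENAMES})
    print("string map hits:      ", extension_map_hits(SAMPLE_FILENAMES))
    print("unescaped regex hits: ", regex_hits(UNESCAPED, SAMPLE_FILENAMES))
    print("escaped regex hits:   ", regex_hits(ESCAPED, SAMPLE_FILENAMES))
    print("double-ext rule hits: ", regex_hits(DOUBLE_EXT, SAMPLE_FILENAMES))
```

Under the modelled semantics the string map only ever sees "txt" for "Testfile.xlsx.txt", which is why "xlsx.txt" never matches while "test" does; the escaped regex catches the double extension without the false positive on "xlsxAtxt", and the trailing `$` in the generalised rule keeps the match tied to the end of the name. Whether rspamd really applies the regex as a substring search, and to the whole filename rather than to the filtered extension, is exactly what the reply says still needs to be tried.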

