[Rspamd-Users] Need some help with FILENAME_BLACKLISTED

Andreas Wass - Glas Gasperlmair a.wass at glas-gasperlmair.at
Mon Sep 5 11:22:22 UTC 2022


Hi,

thank you for your input, now it works fine:

multimap.conf

FILENAME_BLACKLISTED {
   type = "filename";
   filter = "regexp:/.*/";
   map = "${LOCAL_CONFDIR}/local.d/gasp_filename_blacklist.map";
   action = "reject";
   message = "A restricted file type was found";
   regexp = true;
}

gasp_filename_blacklist.map:

\.xlsx\.txt

On 05.09.2022 at 11:47, G.W. Haywood via Users wrote:
> Hi there,
>
> On Mon, 5 Sep 2022, Andreas Wass - Glas Gasperlmair wrote:
>
>> wanna reject emails which include filenames with double extensions
>> like "Testfile.xlsx.txt" and so on.
>>
>> In my multimap.conf I added the following definition
>>
>> FILENAME_BLACKLISTED {
>>   type = "filename";
>>   filter = "extension";
>>   map = "${LOCAL_CONFDIR}/local.d/gasp_filename_blacklist.map";
>>   action = "reject";
>>   message = "A restricted file type was found";
>> }
>>
>> In my gasp_filename_blacklist.map I added this string:
>>
>> xlsx.txt
>>
>> But this does not work.
>> It seems to work with simple extensions like "Filename.test"
>>
>> Can somebody help me?
>
> I suspect that the concept of a filename "extension" may be different
> depending upon which chair you happen to be sitting.  In the Windows
> world the extension is something which can have important effects on
> how the operating system behaves, and, for a very long time, naming
> files with deliberately incorrect extensions has been a trick used by
> criminals to compromise victim computers.  In the Unix world, things
> are a bit different: extensions in filenames don't in themselves mean
> anything in particular, although file (and directory) names can be and
> very often are used in curious ways.  Filenames which begin with a dot
> for example are treated as "hidden" by Unix-like systems.  Windows has
> its own ways of hiding files, which are different.  It doesn't matter
> to a Unix box if a text file is called "something.exe"; it will never
> try to execute it just because the name of the file ends with the four
> characters '.', 'e', 'x' and 'e' in precisely that order.
>
> What follows below is largely guesswork.  It might help until someone
> who knows more about this comes along.
>
> Looking at the documentation at
>
> https://rspamd.com/doc/modules/multimap.html#map-filters
>
> I do not see the concept explicitly defined but I surmise that it's
> something along the lines of "everything after the last dot in the
> string which contains the filename".  In the case of your example I
> would take that to mean "txt" and not "xlsx.txt".  So you could in
> that case block files which were called "abc.img" or "xyz.rar" but not
> files called "something.rar.img" or "anything.pdf.exe" - both of which
> are the sort of thing which we see quite a lot here, but we do not use
> rspamd to detect them so I have no experience with its configuration.
>
> In the rspamd configuration documentation I see that you can give a
> regex instead of a string.  I wonder if you might have more luck with
> that option.  I'd try something like
>
> regexp:/xlsx.txt/
>
> but note that in theory this will also match for example "xlsxAtxt"
> because in a regex a dot usually matches more or less any character.
>
> regexp:/xlsx\.txt/
>
> would match a literal dot in the name but I don't know how that might
> affect the thing which decides exactly what the "extension" is.
>
> Again because I haven't used this at all I don't know if the regex
> would need to match the entire filename string, so you might still
> need to experiment for example with things like
>
> regexp:/.*xlsx.txt/
> regexp:/.*xlsx\.txt/
>
> and so on.  I'd be interested to know if any of my guesswork is close
> to being correct.
>
> HTH
>
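
Added example, not part of the original thread or of Rspamd's own code: a small Python harness for trying map entries against sample attachment names before setting action = "reject". It assumes the "extension" filter takes the text after the last dot (the reply's surmise), that regexp map entries are searched unanchored, and that Python's re behaves like Rspamd's regex engine for these simple patterns; the sample filenames and the end-anchored pattern are constructed.

```python
import re

# Constructed sample attachment names; "xlsxAtxt" is the false match the reply warns about.
SAMPLES = ["Testfile.xlsx.txt", "report.xlsx", "notes.txt",
           "TestfilexlsxAtxt", "budget.xlsx.txt.bak"]

def last_dot_extension(filename):
    """Assumed model of filter = "extension": the text after the last dot."""
    _, dot, ext = filename.rpartition(".")
    return ext if dot else None

def load_map(text):
    """One regex per line; blank lines and # comments are skipped."""
    lines = (line.strip() for line in text.splitlines())
    return [re.compile(ln) for ln in lines if ln and not ln.startswith("#")]

def extension_hit(filename, entries):
    """Plain string lookup of the extracted extension in the map entries."""
    return last_dot_extension(filename) in entries

def regexp_hit(filename, map_text):
    """Unanchored regex search over the full filename (assumed map semantics)."""
    return any(p.search(filename) for p in load_map(map_text))

def evaluate(samples=SAMPLES):
    """Return {filename: (first attempt, unescaped regex, working map, end-anchored)}."""
    return {
        name: (
            extension_hit(name, {"xlsx.txt"}),   # original attempt from the thread
            regexp_hit(name, "xlsx.txt"),        # unescaped dot matches any character
            regexp_hit(name, r"\.xlsx\.txt"),    # entry from the working map
            regexp_hit(name, r"\.xlsx\.txt$"),   # hypothetical end-anchored variant
        )
        for name in samples
    }

if __name__ == "__main__":
    for name, row in evaluate().items():
        print(f"{name:22} {row}")
```

Under these assumptions the working entry also hits budget.xlsx.txt.bak, because nothing ties the match to the end of the name; the end-anchored variant does not.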


