you can test it here:
https://www.heise.de/security/dienste/Mails-mit-Anhaengen-777837.html
Mails with attachments like DOC or DOC with macros are still delivered by Rspamd.
Could you add the maillog transaction of the email you received please
Oct 21 16:48:31 ns-srv01 postfix/smtpd[29356]: connect from web.heise.de[193.99.144.71]
Oct 21 16:48:31 ns-srv01 rspamd[5520]: <e610b8>; proxy; proxy_accept_socket: accepted milter connection from /var/run/rspamd/worker-proxy port 0
Oct 21 16:48:31 ns-srv01 postfix/smtpd[29356]: 284A881056F3: client=web.heise.de[193.99.144.71]
Oct 21 16:48:31 ns-srv01 rspamd[5520]: <e610b8>; milter; rspamd_milter_process_command: got connection from 193.99.144.71:54030
Oct 21 16:48:31 ns-srv01 postfix/cleanup[29363]: 284A881056F3: message-id=<E1kVFPj-0004mf-0z.octo14@web.heise.de>
Oct 21 16:48:31 ns-srv01 rspamd[5520]: <e610b8>; proxy; rspamd_message_parse: loaded message; id: <E1kVFPj-0004mf-0z.octo14@web.heise.de>; queue-id: <284A881056F3>; size: 1368; checksum: <28c10ed71f696b1fe902dadd863fec44>
Oct 21 16:48:31 ns-srv01 rspamd[5520]: <e610b8>; proxy; rspamd_mime_text_part_utf8_convert: converted from ISO-8859-1 to UTF-8 inlen: 824, outlen: 831 (824 UTF16 chars)
Oct 21 16:48:31 ns-srv01 rspamd[5520]: <e610b8>; proxy; rspamd_mime_part_detect_language: detected part language: de
Oct 21 16:48:32 ns-srv01 rspamd[5520]: <e610b8>; proxy; spf_plugin_callback: stored record for ct.de (0x1603212fd0f244d6) in LRU cache for 600 seconds, 17/2000 elements in the cache
Oct 21 16:48:33 ns-srv01 rspamd[5520]: <e610b8>; proxy; rspamd_redis_connected: skip obtaining bayes tokens for BAYES_SPAM of classifier bayes: not enough learns 94; 200 required
Oct 21 16:48:33 ns-srv01 rspamd[5520]: <e610b8>; proxy; rspamd_redis_connected: skip obtaining bayes tokens for BAYES_HAM of classifier bayes: not enough learns 85; 200 required
Oct 21 16:48:33 ns-srv01 rspamd[5520]: <e610b8>; proxy; rspamd_stat_classifiers_process: skip statistics as SPAM class is missing
Oct 21 16:48:33 ns-srv01 rspamd[5520]: <e610b8>; lua; greylist.lua:298: Score too low - skip greylisting
Oct 21 16:48:33 ns-srv01 rspamd[5520]: <e610b8>; proxy; rspamd_task_write_log: id: <E1kVFPj-0004mf-0z.octo14@web.heise.de>, qid: <284A881056F3>, ip: 193.99.144.71, from: <emailcheck-robot@ct.de>, (default: F (no action): [-0.81/20.00] [RCVD_IN_DNSWL_HI(-0.50){193.99.144.71:from;},R_SPF_ALLOW(-0.20){+ip4:193.99.144.0/24;},MIME_GOOD(-0.10){text/plain;},MX_GOOD(-0.01){cached: secondarymx.heise.de;},ASN(0.00){asn:12306, ipnet:193.99.144.0/24, country:DE;},DMARC_NA(0.00){ct.de;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},GENERIC_REPUTATION(0.00){-0.5535323555615;},IP_REPUTATION_HAM(0.00){asn: 12306(-0.22), country: DE(0.01), ip: 193.99.144.71(-0.55);},MIME_TRACE(0.00){0:+;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_TWO(0.00){2;},RCVD_TLS_LAST(0.00){},RWL_MAILSPIKE_GOOD(0.00){193.99.144.71:from;},R_DKIM_NA(0.00){},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 1368, time: 1883.040ms, dns req: 21, digest: <28c10ed71f696b1fe902dadd863fec44>, rcpts: <marko.dargel@myancestry.de>, mime_rcpts: <marko.dargel@myancestry.de>
Oct 21 16:48:33 ns-srv01 rspamd[5520]: <e610b8>; proxy; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 4 regexps matched, 184 regexps total, 94 regexps cached, 0B scanned using pcre, 3.40KiB scanned total
Oct 21 16:48:33 ns-srv01 postfix/qmgr[5249]: 284A881056F3: from=<emailcheck-robot@ct.de>, size=1605, nrcpt=1 (queue active)
Oct 21 16:48:33 ns-srv01 postfix/smtpd[29356]: disconnect from web.heise.de[193.99.144.71]
Oct 21 16:48:33 ns-srv01 rspamd[5520]: <4bc476>; proxy; proxy_milter_finish_handler: finished milter connection
Oct 21 16:48:33 ns-srv01 dovecot: lmtp(30167): Connect from local
Oct 21 16:48:33 ns-srv01 dovecot: lmtp(myancestry_marko_dargel@dargels.de): save: box=INBOX, uid=424, msgid=<E1kVFPj-0004mf-0z.octo14@web.heise.de>, from=Heise Emailcheck <emailcheck-robot@ct.de>, subject==?iso-8859-1?Q?URL_f=FCr_Heise_Emailcheck?=, flags=()
Oct 21 16:48:33 ns-srv01 dovecot: lmtp(myancestry_marko_dargel@dargels.de): +N5HBEFKkF/XdQAAr2bkHA: sieve: msgid=<E1kVFPj-0004mf-0z.octo14@web.heise.de>: stored mail into mailbox 'INBOX'
Oct 21 16:48:33 ns-srv01 postfix/lmtp[30166]: 284A881056F3: to=<myancestry_marko_dargel@dargels.de>, orig_to=<marko.dargel@myancestry.de>, relay=ns-srv01.dargels.de[/var/run/dovecot/lmtp], delay=1.9, delays=1.9/0.01/0.01/0.01, dsn=2.0.0, status=sent (250 2.0.0 <myancestry_marko_dargel@dargels.de> +N5HBEFKkF/XdQAAr2bkHA Saved)
Oct 21 16:48:33 ns-srv01 postfix/qmgr[5249]: 284A881056F3: removed
Oct 21 16:48:33 ns-srv01 dovecot: lmtp(30167): Disconnect from local: Successful quit
Oct 21 16:48:47 ns-srv01 postfix/smtpd[29356]: connect from web.heise.de[193.99.144.71]
Oct 21 16:48:47 ns-srv01 rspamd[5520]: <b6e8cd>; proxy; proxy_accept_socket: accepted milter connection from /var/run/rspamd/worker-proxy port 0
Oct 21 16:48:47 ns-srv01 postfix/smtpd[29356]: A9AAD81056F3: client=web.heise.de[193.99.144.71]
Oct 21 16:48:47 ns-srv01 rspamd[5520]: <b6e8cd>; milter; rspamd_milter_process_command: got connection from 193.99.144.71:41840
Oct 21 16:48:47 ns-srv01 postfix/cleanup[29363]: A9AAD81056F3: message-id=<E1kVFPz-0007fo-K3.octo12@web.heise.de>
Oct 21 16:48:47 ns-srv01 rspamd[5520]: <b6e8cd>; proxy; rspamd_message_parse: loaded message; id: <E1kVFPz-0007fo-K3.octo12@web.heise.de>; queue-id: <A9AAD81056F3>; size: 42636; checksum: <ec335e498842f1cb30158ec5df97e408>
Oct 21 16:48:47 ns-srv01 rspamd[5520]: <b6e8cd>; proxy; rspamd_mime_text_part_utf8_convert: converted from ISO-8859-1 to UTF-8 inlen: 329, outlen: 330 (329 UTF16 chars)
Oct 21 16:48:47 ns-srv01 rspamd[5520]: <b6e8cd>; proxy; rspamd_mime_part_detect_language: detected part language: de
Oct 21 16:48:47 ns-srv01 rspamd[5520]: <b6e8cd>; proxy; spf_check_list: use cached record for ct.de (0x1603212fd0f244d6) in LRU cache for 584 seconds, 17/2000 elements in the cache
Oct 21 16:48:49 ns-srv01 rspamd[5520]: <b6e8cd>; proxy; rspamd_redis_connected: skip obtaining bayes tokens for BAYES_SPAM of classifier bayes: not enough learns 94; 200 required
Oct 21 16:48:49 ns-srv01 rspamd[5520]: <b6e8cd>; proxy; rspamd_redis_connected: skip obtaining bayes tokens for BAYES_HAM of classifier bayes: not enough learns 85; 200 required
Oct 21 16:48:49 ns-srv01 rspamd[5520]: <b6e8cd>; proxy; rspamd_stat_classifiers_process: skip statistics as SPAM class is missing
Oct 21 16:48:50 ns-srv01 rspamd[5520]: <b6e8cd>; lua; greylist.lua:298: Score too low - skip greylisting
Oct 21 16:48:50 ns-srv01 rspamd[5520]: <b6e8cd>; proxy; rspamd_task_write_log: id: <E1kVFPz-0007fo-K3.octo12@web.heise.de>, qid: <A9AAD81056F3>, ip: 193.99.144.71, from: <emailcheck-robot@ct.de>, (default: F (no action): [-0.80/20.00] [RCVD_IN_DNSWL_HI(-0.50){193.99.144.71:from;},R_SPF_ALLOW(-0.20){+ip4:193.99.144.0/24:c;},MIME_GOOD(-0.10){multipart/mixed;text/plain;},MX_GOOD(-0.01){cached: secondarymx.heise.de;},XM_UA_NO_VERSION(0.01){},ASN(0.00){asn:12306, ipnet:193.99.144.0/24, country:DE;},DMARC_NA(0.00){ct.de;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},GENERIC_REPUTATION(0.00){-0.55353253305781;},HAS_ATTACHMENT(0.00){},IP_REPUTATION_HAM(0.00){asn: 12306(-0.22), country: DE(0.01), ip: 193.99.144.71(-0.55);},MIME_TRACE(0.00){0:+;1:+;2:~;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_TWO(0.00){2;},RCVD_TLS_LAST(0.00){},RWL_MAILSPIKE_GOOD(0.00){193.99.144.71:from;},R_DKIM_NA(0.00){},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 42636, time: 2335.916ms, dns req: 16, digest: <ec335e498842f1cb30158ec5df97e408>, rcpts: <marko.dargel@myancestry.de>, mime_rcpts: <marko.dargel@myancestry.de>
Oct 21 16:48:50 ns-srv01 rspamd[5520]: <b6e8cd>; proxy; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 3 regexps matched, 184 regexps total, 93 regexps cached, 0B scanned using pcre, 1.79KiB scanned total
Oct 21 16:48:50 ns-srv01 postfix/qmgr[5249]: A9AAD81056F3: from=<emailcheck-robot@ct.de>, size=42871, nrcpt=1 (queue active)
Oct 21 16:48:50 ns-srv01 dovecot: lmtp(30167): Connect from local
Oct 21 16:48:50 ns-srv01 dovecot: lmtp(myancestry_marko_dargel@dargels.de): save: box=INBOX, uid=425, msgid=<E1kVFPz-0007fo-K3.octo12@web.heise.de>, from=Heise Emailcheck <emailcheck-robot@ct.de>, subject=Heise Emailcheck: DOC-Datei txmgtvg, flags=()
Oct 21 16:48:50 ns-srv01 dovecot: lmtp(myancestry_marko_dargel@dargels.de): mO7QAlJKkF/XdQAAr2bkHA: sieve: msgid=<E1kVFPz-0007fo-K3.octo12@web.heise.de>: stored mail into mailbox 'INBOX'
Oct 21 16:48:50 ns-srv01 dovecot: lmtp(30167): Disconnect from local: Successful quit
Oct 21 16:48:50 ns-srv01 postfix/lmtp[30166]: A9AAD81056F3: to=<myancestry_marko_dargel@dargels.de>, orig_to=<marko.dargel@myancestry.de>, relay=ns-srv01.dargels.de[/var/run/dovecot/lmtp], delay=2.4, delays=2.4/0/0/0.01, dsn=2.0.0, status=sent (250 2.0.0 <myancestry_marko_dargel@dargels.de> mO7QAlJKkF/XdQAAr2bkHA Saved)
Oct 21 16:48:50 ns-srv01 postfix/qmgr[5249]: A9AAD81056F3: removed
Oct 21 16:48:50 ns-srv01 postfix/smtpd[29356]: disconnect from web.heise.de[193.99.144.71]
Oct 21 16:48:50 ns-srv01 rspamd[5520]: <cfaa22>; proxy; proxy_milter_finish_handler: finished milter connection
Oct 21 16:49:44 ns-srv01 rspamd[5521]: <wqiapi>; lua; bayes_expiry.lua:437: finished expiry step 54: 968 items checked, 142 significant (0 made persistent), 2 insignificant (0 ttls set), 1 common (0 discriminated), 823 infrequent (25 ttls set), 2 mean, 4 std
Oct 21 16:56:05 ns-srv01 postfix/smtpd[1796]: connect from web.heise.de[193.99.144.71]
Oct 21 16:56:05 ns-srv01 rspamd[5520]: <85f860>; proxy; proxy_accept_socket: accepted milter connection from /var/run/rspamd/worker-proxy port 0
Oct 21 16:56:05 ns-srv01 postfix/smtpd[1796]: D52D48102F33: client=web.heise.de[193.99.144.71]
Oct 21 16:56:05 ns-srv01 rspamd[5520]: <85f860>; milter; rspamd_milter_process_command: got connection from 193.99.144.71:44036
Oct 21 16:56:05 ns-srv01 postfix/cleanup[1800]: D52D48102F33: message-id=<E1kVFX3-0003gP-Pn.octo05@web.heise.de>
Oct 21 16:56:05 ns-srv01 rspamd[5520]: <85f860>; proxy; rspamd_message_parse: loaded message; id: <E1kVFX3-0003gP-Pn.octo05@web.heise.de>; queue-id: <D52D48102F33>; size: 53193; checksum: <c4fa55bf15474a82973eb974dfcffd70>
Oct 21 16:56:05 ns-srv01 rspamd[5520]: <85f860>; proxy; rspamd_mime_text_part_utf8_convert: converted from ISO-8859-1 to UTF-8 inlen: 343, outlen: 344 (343 UTF16 chars)
Oct 21 16:56:05 ns-srv01 rspamd[5520]: <85f860>; proxy; rspamd_mime_part_detect_language: detected part language: de
Oct 21 16:56:05 ns-srv01 rspamd[5520]: <85f860>; proxy; spf_check_list: use cached record for ct.de (0x1603212fd0f244d6) in LRU cache for 146 seconds, 17/2000 elements in the cache
Oct 21 16:56:06 ns-srv01 rspamd[5520]: <85f860>; proxy; rspamd_redis_connected: skip obtaining bayes tokens for BAYES_HAM of classifier bayes: not enough learns 85; 200 required
Oct 21 16:56:06 ns-srv01 rspamd[5520]: <85f860>; proxy; rspamd_redis_connected: skip obtaining bayes tokens for BAYES_SPAM of classifier bayes: not enough learns 94; 200 required
Oct 21 16:56:06 ns-srv01 rspamd[5520]: <85f860>; proxy; rspamd_stat_classifiers_process: skip statistics as SPAM class is missing
Oct 21 16:56:06 ns-srv01 rspamd[5520]: <85f860>; lua; greylist.lua:298: Score too low - skip greylisting
Oct 21 16:56:06 ns-srv01 rspamd[5520]: <85f860>; proxy; rspamd_task_write_log: id: <E1kVFX3-0003gP-Pn.octo05@web.heise.de>, qid: <D52D48102F33>, ip: 193.99.144.71, from: <emailcheck-robot@ct.de>, (default: F (no action): [0.80/20.00] [MIME_BAD_ATTACHMENT(1.60){doc;},RCVD_IN_DNSWL_HI(-0.50){193.99.144.71:from;},R_SPF_ALLOW(-0.20){+ip4:193.99.144.0/24:c;},MIME_GOOD(-0.10){multipart/mixed;text/plain;},MX_GOOD(-0.01){cached: secondarymx.heise.de;},XM_UA_NO_VERSION(0.01){},ASN(0.00){asn:12306, ipnet:193.99.144.0/24, country:DE;},DMARC_NA(0.00){ct.de;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},GENERIC_REPUTATION(0.00){-0.55353253185648;},HAS_ATTACHMENT(0.00){},IP_REPUTATION_HAM(0.00){asn: 12306(-0.22), country: DE(0.01), ip: 193.99.144.71(-0.55);},MIME_TRACE(0.00){0:+;1:+;2:~;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_TWO(0.00){2;},RCVD_TLS_LAST(0.00){},RWL_MAILSPIKE_GOOD(0.00){193.99.144.71:from;},R_DKIM_NA(0.00){},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 53193, time: 228.473ms, dns req: 16, digest: <c4fa55bf15474a82973eb974dfcffd70>, rcpts: <marko.dargel@myancestry.de>, mime_rcpts: <marko.dargel@myancestry.de>
Oct 21 16:56:06 ns-srv01 rspamd[5520]: <85f860>; proxy; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 3 regexps matched, 184 regexps total, 93 regexps cached, 0B scanned using pcre, 1.86KiB scanned total
Oct 21 16:56:06 ns-srv01 postfix/qmgr[5249]: D52D48102F33: from=<emailcheck-robot@ct.de>, size=53428, nrcpt=1 (queue active)
Oct 21 16:56:06 ns-srv01 dovecot: lmtp(1809): Connect from local
Oct 21 16:56:06 ns-srv01 dovecot: lmtp(myancestry_marko_dargel@dargels.de): save: box=INBOX, uid=427, msgid=<E1kVFX3-0003gP-Pn.octo05@web.heise.de>, from=Heise Emailcheck <emailcheck-robot@ct.de>, subject=Heise Emailcheck: DOC-Datei mit Makro rixicsv, flags=()
Oct 21 16:56:06 ns-srv01 dovecot: lmtp(myancestry_marko_dargel@dargels.de): +K1SBwZMkF8RBwAAr2bkHA: sieve: msgid=<E1kVFX3-0003gP-Pn.octo05@web.heise.de>: stored mail into mailbox 'INBOX'
Oct 21 16:56:06 ns-srv01 postfix/lmtp[1808]: D52D48102F33: to=<myancestry_marko_dargel@dargels.de>, orig_to=<marko.dargel@myancestry.de>, relay=ns-srv01.dargels.de[/var/run/dovecot/lmtp], delay=0.26, delays=0.26/0/0/0, dsn=2.0.0, status=sent (250 2.0.0 <myancestry_marko_dargel@dargels.de> +K1SBwZMkF8RBwAAr2bkHA Saved)
Oct 21 16:56:06 ns-srv01 dovecot: lmtp(1809): Disconnect from local: Successful quit
Oct 21 16:56:06 ns-srv01 postfix/qmgr[5249]: D52D48102F33: removed
Oct 21 16:56:06 ns-srv01 postfix/smtpd[1796]: disconnect from web.heise.de[193.99.144.71]
Oct 21 16:56:06 ns-srv01 rspamd[5520]: <e2cf47>; proxy; proxy_milter_finish_handler: finished milter connection
Oct 21 17:00:07 ns-srv01 postfix/smtpd[3270]: connect from web.heise.de[193.99.144.71]
Oct 21 17:00:07 ns-srv01 rspamd[5520]: <af7180>; proxy; proxy_accept_socket: accepted milter connection from /var/run/rspamd/worker-proxy port 0
Oct 21 17:00:07 ns-srv01 postfix/smtpd[3270]: 6B4A98102F33: client=web.heise.de[193.99.144.71]
Oct 21 17:00:07 ns-srv01 rspamd[5520]: <af7180>; milter; rspamd_milter_process_command: got connection from 193.99.144.71:51810
Oct 21 17:00:07 ns-srv01 postfix/cleanup[3272]: 6B4A98102F33: message-id=<E1kVFax-0006uR-B7.octo10@web.heise.de>
Oct 21 17:00:07 ns-srv01 rspamd[5520]: <af7180>; proxy; rspamd_message_parse: loaded message; id: <E1kVFax-0006uR-B7.octo10@web.heise.de>; queue-id: <6B4A98102F33>; size: 40042; checksum: <d4522baac7b45b7dc34980a56db8638f>
Oct 21 17:00:07 ns-srv01 rspamd[5520]: <af7180>; proxy; rspamd_mime_text_part_utf8_convert: converted from ISO-8859-1 to UTF-8 inlen: 321, outlen: 322 (321 UTF16 chars)
Oct 21 17:00:07 ns-srv01 rspamd[5520]: <af7180>; proxy; rspamd_mime_part_detect_language: detected part language: de
Oct 21 17:00:07 ns-srv01 rspamd[5520]: <af7180>; proxy; spf_check_list: use cached record for ct.de (0x1603212fd0f244d6) in LRU cache for 550 seconds, 17/2000 elements in the cache
Oct 21 17:00:08 ns-srv01 rspamd[5520]: <af7180>; proxy; rspamd_redis_connected: skip obtaining bayes tokens for BAYES_SPAM of classifier bayes: not enough learns 95; 200 required
Oct 21 17:00:08 ns-srv01 rspamd[5520]: <af7180>; proxy; rspamd_redis_connected: skip obtaining bayes tokens for BAYES_HAM of classifier bayes: not enough learns 85; 200 required
Oct 21 17:00:08 ns-srv01 rspamd[5520]: <af7180>; proxy; rspamd_stat_classifiers_process: skip statistics as SPAM class is missing
Oct 21 17:00:08 ns-srv01 rspamd[5520]: <af7180>; lua; greylist.lua:298: Score too low - skip greylisting
Oct 21 17:00:08 ns-srv01 rspamd[5520]: <af7180>; proxy; rspamd_task_write_log: id: <E1kVFax-0006uR-B7.octo10@web.heise.de>, qid: <6B4A98102F33>, ip: 193.99.144.71, from: <emailcheck-robot@ct.de>, (default: F (no action): [-0.80/20.00] [RCVD_IN_DNSWL_HI(-0.50){193.99.144.71:from;},R_SPF_ALLOW(-0.20){+ip4:193.99.144.0/24:c;},MIME_GOOD(-0.10){multipart/mixed;text/plain;},MX_GOOD(-0.01){cached: secondarymx.heise.de;},XM_UA_NO_VERSION(0.01){},ASN(0.00){asn:12306, ipnet:193.99.144.0/24, country:DE;},DMARC_NA(0.00){ct.de;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},GENERIC_REPUTATION(0.00){-0.55353083695504;},HAS_ATTACHMENT(0.00){},IP_REPUTATION_HAM(0.00){asn: 12306(-0.22), country: DE(0.01), ip: 193.99.144.71(-0.55);},MIME_TRACE(0.00){0:+;1:+;2:~;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_TWO(0.00){2;},RCVD_TLS_LAST(0.00){},RWL_MAILSPIKE_GOOD(0.00){193.99.144.71:from;},R_DKIM_NA(0.00){},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 40042, time: 1041.068ms, dns req: 22, digest: <d4522baac7b45b7dc34980a56db8638f>, rcpts: <marko.dargel@myancestry.de>, mime_rcpts: <marko.dargel@myancestry.de>
Oct 21 17:00:08 ns-srv01 rspamd[5520]: <af7180>; proxy; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 3 regexps matched, 184 regexps total, 93 regexps cached, 0B scanned using pcre, 1.84KiB scanned total
Oct 21 17:00:08 ns-srv01 postfix/qmgr[5249]: 6B4A98102F33: from=<emailcheck-robot@ct.de>, size=40277, nrcpt=1 (queue active)
Oct 21 17:00:08 ns-srv01 dovecot: lmtp(3277): Connect from local
Oct 21 17:00:08 ns-srv01 postfix/smtpd[3270]: disconnect from web.heise.de[193.99.144.71]
Oct 21 17:00:08 ns-srv01 rspamd[5520]: <c5ae6e>; proxy; proxy_milter_finish_handler: finished milter connection
Oct 21 17:00:08 ns-srv01 dovecot: lmtp(myancestry_marko_dargel@dargels.de): save: box=INBOX, uid=429, msgid=<E1kVFax-0006uR-B7.octo10@web.heise.de>, from=Heise Emailcheck <emailcheck-robot@ct.de>, subject=Heise Emailcheck: ZIP-Archiv mit DOC-Dateien zvniobz, flags=()
Oct 21 17:00:08 ns-srv01 dovecot: lmtp(myancestry_marko_dargel@dargels.de): KHbQHfhMkF/NDAAAr2bkHA: sieve: msgid=<E1kVFax-0006uR-B7.octo10@web.heise.de>: stored mail into mailbox 'INBOX'
Oct 21 17:00:08 ns-srv01 dovecot: lmtp(3277): Disconnect from local: Successful quit
Oct 21 17:00:08 ns-srv01 postfix/lmtp[3276]: 6B4A98102F33: to=<myancestry_marko_dargel@dargels.de>, orig_to=<marko.dargel@myancestry.de>, relay=ns-srv01.dargels.de[/var/run/dovecot/lmtp], delay=1.1, delays=1.1/0/0/0.01, dsn=2.0.0, status=sent (250 2.0.0 <myancestry_marko_dargel@dargels.de> KHbQHfhMkF/NDAAAr2bkHA Saved)
Oct 21 17:00:08 ns-srv01 postfix/qmgr[5249]: 6B4A98102F33: removed
hope it helps.
Sincerely, Marko
Hi,
Case: ZIP-File with DOC
Here it works.
FORBIDDEN_FILE_EXTENSION (0) [doc]
ASN (0) [asn:12306, ipnet:193.99.144.0/24, country:DE]
Regards
Uwe
Please check the settings of rspamd via Cockpit. Take a picture of it and post it here.
I am interested in the settings under the button "Advanced".
I'm happy now
Thank you.
Life can be so simple…
Suddenly it is very easy if you know how to do it.
But actually I thought that oletools can not only block attachments with selected extensions completely, but also analyze the content, whether it contains malicious code or not.
So you don't have to do without document exchange completely, which is usually not possible.
That was the core of my question a few days ago. Now Heise does not send any documents seriously contaminated with Malware, so the test does not say anything about this.
https://www.heinlein-support.de/blog/news/emotet-mit-rspamd-und-oletools-bekaempfen/
Emotet plugin for Rspamd
To let oletools analyze the Office files already attached to an e-mail while the mail is being accepted, we have developed a plugin for the anti-spam framework Rspamd that talks to a small daemon which has oletools analyze the Office file.
There are 2 modes of detection:
1. Automatic categorisation
Here Rspamd evaluates the oletools report automatically. For a macro virus to infect a computer successfully, two conditions must be met: the macro must be started (AutoExec), and a function is needed that brings the malicious code into the system. Functions that could make this possible are listed in the category "Suspicious". If both categories occur together in a macro, the probability that it is a virus is quite high. The oletools plugin in Rspamd therefore reports a detected macro virus.
Rspamd symbol, e.g.: OLETOOLS(20.00){AutoExec + Suspicious (autoopen,ShowWindow,CreateObject,Windows);}
2. Extended categorisation
In its report, oletools knows further categories such as IOC, VBA strings and hex strings, which can also point to unwanted behaviour. The oletools report also delivers the names of the functions from the AutoExec and Suspicious categories. In extended mode the administrator can now link categories and individual functions using Rspamd's built-in facilities and process them further, so that fine-grained filtering is possible. It is important to note that, by Rspamd's logic, the categories and every reported function each count as a separate virus. In the example cited, that makes 4 viruses accordingly, and the admin must handle that in extended mode.
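As an added example (not code from the thread, NethServer, Heinlein or Rspamd itself), here is a small Python parser for the rspamd_task_write_log lines posted above. It pulls out the queue id, action, score/threshold and every symbol with its score and options, then classifies each message by what the attachment checks reported: nothing, HAS_ATTACHMENT only, an extension hit (MIME_BAD_ATTACHMENT / FORBIDDEN_FILE_EXTENSION), or an OLETOOLS verdict in the format quoted from the Heinlein blog. The first two sample lines are trimmed copies of lines from the posted maillog (fewer symbols, same structure); the third, with a 20-point OLETOOLS symbol and a reject, is constructed to show the extended-mode symbol and does not come from the thread. The verdict labels and field names are my own.

```python
import re
import sys
from typing import Dict, List, Optional, Tuple

# Sample rspamd_task_write_log lines. Lines 1 and 2 are trimmed from the maillog
# posted in the thread; line 3 is CONSTRUCTED to show an OLETOOLS verdict.
SAMPLE_LOG = r"""
Oct 21 16:48:33 ns-srv01 rspamd[5520]: <e610b8>; proxy; rspamd_task_write_log: id: <E1kVFPj-0004mf-0z.octo14@web.heise.de>, qid: <284A881056F3>, ip: 193.99.144.71, from: <emailcheck-robot@ct.de>, (default: F (no action): [-0.81/20.00] [RCVD_IN_DNSWL_HI(-0.50){193.99.144.71:from;},R_SPF_ALLOW(-0.20){+ip4:193.99.144.0/24;},MIME_GOOD(-0.10){text/plain;},IP_REPUTATION_HAM(0.00){asn: 12306(-0.22), country: DE(0.01), ip: 193.99.144.71(-0.55);},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 1368, time: 1883.040ms, dns req: 21, digest: <28c10ed71f696b1fe902dadd863fec44>, rcpts: <marko.dargel@myancestry.de>, mime_rcpts: <marko.dargel@myancestry.de>
Oct 21 16:56:06 ns-srv01 rspamd[5520]: <85f860>; proxy; rspamd_task_write_log: id: <E1kVFX3-0003gP-Pn.octo05@web.heise.de>, qid: <D52D48102F33>, ip: 193.99.144.71, from: <emailcheck-robot@ct.de>, (default: F (no action): [0.80/20.00] [MIME_BAD_ATTACHMENT(1.60){doc;},RCVD_IN_DNSWL_HI(-0.50){193.99.144.71:from;},HAS_ATTACHMENT(0.00){},MIME_TRACE(0.00){0:+;1:+;2:~;},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 53193, time: 228.473ms, dns req: 16, digest: <c4fa55bf15474a82973eb974dfcffd70>, rcpts: <marko.dargel@myancestry.de>, mime_rcpts: <marko.dargel@myancestry.de>
Oct 21 17:10:00 ns-srv01 rspamd[5520]: <abc123>; proxy; rspamd_task_write_log: id: <constructed@example.invalid>, qid: <0000000000AA>, ip: 192.0.2.10, from: <sender@example.invalid>, (default: T (reject): [21.50/20.00] [OLETOOLS(20.00){AutoExec + Suspicious (autoopen,ShowWindow,CreateObject,Windows);},MIME_BAD_ATTACHMENT(1.60){doc;},HAS_ATTACHMENT(0.00){},MIME_TRACE(0.00){0:+;1:+;2:~;}]), len: 51200, time: 310.000ms, dns req: 5, digest: <00000000000000000000000000000000>, rcpts: <user@example.invalid>, mime_rcpts: <user@example.invalid>
""".strip().splitlines()

# Header part of a task log line: ids, sender, action, score/threshold and the raw symbol list.
TASK_RE = re.compile(
    r"rspamd_task_write_log: id: <(?P<msgid>[^>]*)>, qid: <(?P<qid>[^>]*)>, "
    r"ip: (?P<ip>[^,]+), from: <(?P<sender>[^>]*)>, "
    r"\(default: (?P<is_spam>[TF]) \((?P<action>[^)]*)\): "
    r"\[(?P<score>-?[\d.]+)/(?P<required>-?[\d.]+)\] \[(?P<symbols>.*)\]\), len: (?P<length>\d+)"
)
# One symbol: NAME(score){opt;opt;...}. Options never contain '}', but may contain
# commas and parentheses (e.g. the OLETOOLS function list), so match up to the brace.
SYMBOL_RE = re.compile(r"(?P<name>[A-Z][A-Z0-9_]*)\((?P<score>-?[\d.]+)\)\{(?P<opts>[^}]*)\}")

Symbols = Dict[str, Tuple[float, List[str]]]


def parse_task_log(line: str) -> Optional[dict]:
    """Return the parsed record for an rspamd_task_write_log line, or None for other lines."""
    m = TASK_RE.search(line)
    if not m:
        return None
    symbols: Symbols = {
        s.group("name"): (float(s.group("score")), [o for o in s.group("opts").split(";") if o])
        for s in SYMBOL_RE.finditer(m.group("symbols"))
    }
    return {
        "msgid": m.group("msgid"),
        "qid": m.group("qid"),
        "ip": m.group("ip"),
        "sender": m.group("sender"),
        "action": m.group("action"),
        "score": float(m.group("score")),
        "required": float(m.group("required")),
        "symbols": symbols,
    }


def attachment_verdict(rec: dict) -> str:
    """Classify what the attachment-related symbols said about this message (labels are mine)."""
    syms = rec["symbols"]
    if "OLETOOLS" in syms:
        return "macro-flagged"
    if "MIME_BAD_ATTACHMENT" in syms or "FORBIDDEN_FILE_EXTENSION" in syms:
        return "extension-flagged"
    if "HAS_ATTACHMENT" in syms:
        return "attachment-unflagged"
    return "no-attachment"


def triage(lines: List[str]) -> List[dict]:
    """Summarise every task log line: queue id, verdict, action and the OLETOOLS options if any."""
    rows = []
    for line in lines:
        rec = parse_task_log(line)
        if rec is None:
            continue
        rows.append({
            "qid": rec["qid"],
            "verdict": attachment_verdict(rec),
            "action": rec["action"],
            "score": rec["score"],
            "required": rec["required"],
            "oletools": rec["symbols"].get("OLETOOLS", (0.0, []))[1],
        })
    return rows


if __name__ == "__main__":
    # Reads a maillog from stdin when piped, otherwise uses the embedded samples.
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG
    for row in triage(lines):
        print(f"{row['qid']}  {row['score']:.2f}/{row['required']:.2f}  "
              f"action={row['action']!r}  {row['verdict']}  {row['oletools']}")
```

Run with `grep rspamd_task_write_log /var/log/maillog | python3 rspamd_triage.py` (file name is arbitrary). On the posted log the "DOC-Datei mit Makro" message comes out as extension-flagged with action "no action": MIME_BAD_ATTACHMENT contributed only 1.60 against a 20.00 threshold and no OLETOOLS symbol fired at all, which is the symptom the thread is chasing. A message that the oletools plugin did scan shows the AutoExec/Suspicious function list in the last column.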
Just for your information, we are testing a fork of oletools;
see for reference https://github.com/HeinleinSupport/olefy#oletools
You have to add in the rspamd configuration file /etc/rspamd/local.d/external_services.conf:
extended = true;
then restart rspamd
@stephdl
you are great!
This time I am just the tester, big hug to @davidep
Hi!
I updated my NS.
I read this post
https://github.com/NethServer/dev/issues/6321
But the message is not blocked.
my rspamd conf
/etc/rspamd/local.d/external_services.conf
extended = true;
I test from
https://www.heise.de/security/dienste/emailcheck/attachments/test_doc_macro/
The message is delivered.
How can I check my config?
Maybe something is wrong?
Sorry for my English…
Configuration files shouldn't be modified by hand.
That shouldn't happen, unless Rspamd has a stale verdict in its cache for Heise's test attachment.
To flush the oletools verdicts cache run the following command
redis-cli -s /var/run/redis-rspamd/rspamd --raw KEYS rs_oletools_* | xargs -- redis-cli -s /var/run/redis-rspamd/rspamd DEL
To check how many seconds remain before a cache entry is expunged from the cache (first match only):
redis-cli -s /var/run/redis-rspamd/rspamd --raw KEYS rs_oletools_* | xargs -L 1 -- redis-cli -s /var/run/redis-rspamd/rspamd TTL