I am not sure what olefy is. It seems it has something to do with rspamd?
what is olefy
olefy makes it possible to use oletools with rspamd. oletools are mainly used to analyze Microsoft Office files.
Hello accolon, thanks for your reply and quick description. Does that apply to office files being attachments coming in or sent out? Would that also apply to “office” files generated with OpenOffice or LibreOffice?
At this point I do not see the need for my setup (personally). Please correct me if I am wrong. Always happy to learn something new (even for an old dog like me).
Since oletools specifically targets the MS OLE2 file format, I suppose it’s for macros in MS Office only.
In mailcow, it’s , see also the .
However, mailcow only seems to use oletools to detect the presence of macros in office documents, not using the separate flags returned.
As you can see here, only inbound and unauthenticated (i.e. externally sent) mails are scored:
I’m not sure if I ever received an email with an MS Office document containing macros either, but it’s probably not worth the time messing around with this feature since it’s already there and working fine.
It's not only for macros but also - and that is important! - for embedded files in office documents. OLE means “object linking and embedding”. So a malicious picture, URL or PDF embedded in an office document. That means mails in .eml format as well.
I don't get why people choose mailcow and then want to switch off things they think they don't use or need. There are leaner mail server stacks if you want to achieve that.
Deactivating olefy might break mailcow, maybe not immediately, but sure enough during an upgrade.
esackbauer It's not only for macros but also - and that is important! - for embedded files in office documents. OLE means “object linking and embedding”. So a malicious picture, URL or PDF embedded in an office document.
You’re right, I didn’t differentiate clearly enough between the possibilities of oletools and the way rspamd uses it, as described here:
For the default mode, it says:
“Oletools is an excellent Python module for scanning and analyzing office documents containing macros. Macro-viruses typically use an auto-exec function to load when the document is opened, as well as functions for executing code in a shell or saving files to the system. Oletools classifies harmful functions as either AutoExec or Suspicious. In the default mode, the Oletools module sets the result when at least one AutoExec and one Suspicious function are used.”
And for extended mode (used by mailcow):
“In extended mode, the oletools module does not trigger on specific categories but always sets a threat string with all the found flags whenever a macro is detected.”
The flags all seem to be macro-related.
So if I see this correctly, rspamd (and therefore mailcow) uses oletools via olefy only to look for macros.
Hello accolon, thanks for your posts. That is good information, helping me understand this topic better.
What about whitelisted email-addresses / domains? Are they scanned also by olefy?
stefan21 Anybody?
Anybody looking at the olefy container logs?
I can see that every mail that has an office attachment gets scanned - be it inbound or outbound. Despite being whitelisted.
Just test it yourself.
Fair enough - it’s always helpful checking the logs. As we don’t receive much office data, it was more a question out of theoretical interest.
Anyway - assuming I’d like to block any office or pdf file containing a macro, how/where could this be done?
Sorry, I have to push this one up (again). Mailcow is running up-to-date with Version 2024-04.
I did a self-test by sending myself an email with an MS Office document (*.docm) including a macro attached.
The sender is a SOGo contact. As IMVHO a sysadmin is not able to control the contacts of all users, I therefore changed rspamd -> rspamd -> Symbols -> SOGO_CONTACT -> Score to '0.000'.
Checking this specific email in the rspamd-gui brings up:
SOGO_CONTACT (-99)
OLEFY_MACRO (20)
And from the cli while checking the logs:
olefy-mailcow-1 | olefy INFO eof_received <ef5664> 18679 bytes (stream size)
olefy-mailcow-1 | olefy INFO oletools <ef5664> application/x-decompression-error-gzip- (libmagic output)
olefy-mailcow-1 | olefy INFO eof_received <ef5664> ('172.22.1.5', 45028) response send: b'[ { "script_name": "olevba", "version": "0.60.2dev1", "python_version": [ 3, 11, 6 ], "url": "", "type": "MetaInformation" }, { "container": null, "file": "/tmp/1712402330.4334922.45028.ef5664", "json_conversion_successful": true, "analysis": [], "code_deobfuscated": null, "do_deobfuscate": false, "show_pcode": false, "type": "OpenXML", "macros": [ { "vba_filename": "ThisDocument.cls", "subfilename": "word/vbaProject.bin", "ole_stream": "VBA/ThisDocument", "code": null } ] }]\t\n\n\t'
rspamd-mailcow-1 | 2024-04-06 13:18:51 #76(normal) <ef5664>; task; rspamd_task_write_log: id: bb690c183e994a9a93dbf64cc3543b51@zxy.de, qid: <32DAC141513>, ip: 145.253.228.164, from: xx.yy@zxy.de, (default: F (no action): [-81.52/9.00] [SOGO_CONTACT(-99.00){},OLEFY_MACRO(20.00){},DWL_DNSWL_LOW(-1.00){zxy.de:dkim;},DMARC_POLICY_ALLOW(-0.50){zxy.de;none;},IP_REPUTATION_HAM(-0.41){asn: 3209(-0.40), country: DE(-0.01), ip: 145.253.228.164(0.00);},R_DKIM_ALLOW(-0.20){zxy.de:s=vfde-mb-mr2-23sep;},R_SPF_ALLOW(-0.20){+ip4:145.253.228.160/29:c;},MIME_GOOD(-0.10){multipart/mixed;text/plain;},RCVD_IN_DNSWL_LOW(-0.10){145.253.228.164:from;},MX_GOOD(-0.01){},BAYES_HAM(-0.00){40.73%;},ARC_NA(0.00){},ARC_SIGNED(0.00){efg.de:s=dkim:i=1;},ASN(0.00){asn:3209, ipnet:145.253.0.0/16, countryE;},BCC(0.00){},DKIM_TRACE(0.00){zxy.de:+;},FROM_EQ_ENVFROM(0.00){},FROM_NO_DN(0.00){},HAS_ATTACHMENT(0.00){},HAS_X_PRIO_THREE(0.00){3;},MID_RHS_MATCH_FROM(0.00){},MIME_TRACE(0.00){0:+;1:+;2:~;},MISSING_XM_UA(0.00){},OLETOOLS(0.00){—–M–;},PREVIOUSLY_DELIVERED(0.00){aa.bb@efg.de;},RCPT_COUNT_ONE(0.00){1;},RCPT_MAILCOW_DOMAIN(0.00){efg.de;},RCVD_COUNT_THREE(0.00){3;},RCVD_TLS_LAST(0.00){},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 27703, time: 4695.957ms, dns req: 38, digest: <3b32c09c13a85617ae08f01bf74a96f1>, rcpts: aa.bb@efg.de, mime_rcpts: aa.bb@efg.de
rspamd-mailcow-1 | 2024-04-06 13:18:51 #76(normal) <ef5664>; task; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 2 regexps matched, 3463 regexps total, 3193 regexps cached, 0B scanned using pcre, 2.04KiB scanned total
Obviously the macro is detected and scored with “20”. That's perfectly o.k. Not o.k. is the “-99” score for the sender being treated as a so-called trusted SOGo contact while I changed this scoring to “0”.
Perfect would be to detach the attachment (any attachment with macros) from the email with a hint for the receiver. How can this be configured?
What’s wrong in here?
Anyone?
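As an added illustration (not code from the thread or from mailcow), a small Python parser for the rspamd_task_write_log line quoted above: it splits the symbol list into (symbol, score) pairs, checks that they add up to the logged total of -81.52, and recomputes the total with SOGO_CONTACT at -1.0, which is what rescoring that one symbol changes. The sample line is a constructed, abridged copy of the one above (zero-scored symbols mostly dropped).

```python
import re
from decimal import Decimal

# Constructed sample: the rspamd_task_write_log line from the thread, abridged to the
# fields this parser needs. Every symbol with a non-zero score is kept, so the logged
# total of -81.52 can be re-checked; most zero-scored symbols were dropped.
SAMPLE_LOG = (
    "rspamd-mailcow-1 | 2024-04-06 13:18:51 #76(normal) <ef5664>; task; rspamd_task_write_log: "
    "id: bb690c183e994a9a93dbf64cc3543b51@zxy.de, qid: <32DAC141513>, (default: F (no action): "
    "[-81.52/9.00] [SOGO_CONTACT(-99.00){},OLEFY_MACRO(20.00){},DWL_DNSWL_LOW(-1.00){zxy.de:dkim;},"
    "DMARC_POLICY_ALLOW(-0.50){zxy.de;none;},IP_REPUTATION_HAM(-0.41){asn: 3209(-0.40), "
    "country: DE(-0.01), ip: 145.253.228.164(0.00);},R_DKIM_ALLOW(-0.20){zxy.de:s=vfde-mb-mr2-23sep;},"
    "R_SPF_ALLOW(-0.20){+ip4:145.253.228.160/29:c;},MIME_GOOD(-0.10){multipart/mixed;text/plain;},"
    "RCVD_IN_DNSWL_LOW(-0.10){145.253.228.164:from;},MX_GOOD(-0.01){},BAYES_HAM(-0.00){40.73%;},"
    "HAS_ATTACHMENT(0.00){},OLETOOLS(0.00){}]), len: 27703, time: 4695.957ms"
)

# Matches "(default: F (no action): [score/required] [SYM(score){opts},...])".
RESULT_RE = re.compile(
    r"\(default: (?P<flag>\S) \((?P<action>[^)]*)\): "
    r"\[(?P<score>-?\d+\.\d+)/(?P<required>-?\d+\.\d+)\] \[(?P<symbols>.*?)\]\)"
)
# One symbol entry; the option braces may themselves contain parentheses (IP_REPUTATION_HAM).
SYMBOL_RE = re.compile(r"(?P<name>[A-Z][A-Z0-9_]*)\((?P<score>-?\d+\.\d+)\)\{[^}]*\}")


def parse_task_log(line):
    """Return action, logged total, required score and {symbol: score} for one log line."""
    m = RESULT_RE.search(line)
    if m is None:
        raise ValueError("not an rspamd_task_write_log line")
    symbols = {s.group("name"): Decimal(s.group("score"))
               for s in SYMBOL_RE.finditer(m.group("symbols"))}
    return {"action": m.group("action"), "score": Decimal(m.group("score")),
            "required": Decimal(m.group("required")), "symbols": symbols}


def total_score(symbols, overrides=None):
    """Sum the symbol scores; 'overrides' swaps in other scores for named symbols, which
    is the effect of a settings rule such as symbols { "SOGO_CONTACT" { weight = -1.0; } }
    (assumption: the symbol fires at full weight, as it did in the logged example)."""
    overrides = overrides or {}
    return sum((overrides.get(name, score) for name, score in symbols.items()), Decimal(0))


if __name__ == "__main__":
    parsed = parse_task_log(SAMPLE_LOG)
    print("logged:", parsed["score"], "recomputed:", total_score(parsed["symbols"]))
    print("with SOGO_CONTACT at -1.0:", total_score(parsed["symbols"], {"SOGO_CONTACT": Decimal("-1.0")}))
```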
stefan21 Obviously the macro is detected and scored with “20”. That's perfectly o.k. Not o.k. is the “-99” score for the sender being treated as a so-called trusted SOGo contact while I changed this scoring to “0”.
Seems your setting gets overruled. But does that really matter? From the headers you can filter for the OLEFY_MACRO.
stefan21 Perfect would be to detach the attachment (any attachment with macros) from the email with a hint for the receiver. How can this be configured?
I guess this can be done with some Sieve scripting.
esackbauer Seems your setting gets overruled.
Uhmm, the way I understand symbols in rspamd, while altering the scoring, this should work in any way. So I think this could be a bug? Don’t you think so?
And yes, of course it’s possible to filter the headers.
I'll have a closer look at sieve filtering and let you know about it.
To the first part of my question:
As I already stated, I'm paranoid when it comes to trusted email (in a domain) from user contacts. Therefore I want to downscale the symbol scoring of sogo_contacts. Just entering a new score in the GUI of rspamd didn't work for me.
What works is changing a setting in data/conf/rspamd/local.d/groups.conf, and in data/conf/rspamd/dynmaps/settings.php. In my case I changed the score from -99 to -0.1
After restarting rspamd and sending again my test email, I found out it didn’t work. In the history of rspamd still a SOGO_CONTACT (-99). Not what I had expected.
I checked the system -> settings -> active rspamd settings map. The scoring was changed to -0.1. No clue why the email still was scored with -99. So I decided to create and add a custom rule under the active settings map using the GUI. Named it SOGO CONTACTS DOWNSCALING. The content is:
settings {
  whitelist_sogo_"userdomain-from-the-rspamd-rules" {
    apply "default" {
      SOGO_CONTACT = -1.0;
    }
    symbols [
      "SOGO_CONTACT"
    ]
  }
}
Restarted the rspamd container, and guess what: this one worked. Now the email was rejected because of the scoring of OLEFY_MACRO (20) and SOGO_CONTACT (-1).
Not quite sure if altering the two files (besides creating a custom rule) is really necessary; it would be nice if someone who knows more about it could look into this.
Even more interesting: what would be a custom rule to generally downscale the SOGo contacts? I don't want to set up custom rules for every single user.
Anybody?
I am not happy with the o.a. approach:
settings {
  whitelist_sogo_"userdomain-from-the-rspamd-rules" {
    apply "default" {
      SOGO_CONTACT = -1.0;
    }
    symbols [
      "SOGO_CONTACT"
    ]
  }
}
To the experts: how/where can the default SOGO contact whitelisting (or symbol scoring) be disabled or changed?
Trusting emails with a -99 score just because these are messages from a user/SOGO contact in an organization is quite naive. In fact it's dangerous. So I strongly recommend at least controlling (disable/enable/edit symbol score) this feature.
Any hints are greatly welcome and appreciated.
I think I had a misconfiguration/misunderstanding while adding a custom rule. This one seems to work globally:
“DOWNSCALE SOGO CONTACTS” as name f.e.
symbols {
  "SOGO_CONTACT" {
    weight = -1.0;
  }
}
The test email with the attached Word doc including a macro was rejected. The receiver with the SOGo contact won't get the email. If there's a catchall account configured for the domain, this account will receive the mail. The sender will get a rejection message telling that the email did not match the requirements.
At this point I’ll let it go. Maybe it helps someone.