Dear devs & contributors,
Why did you choose to banish the .doc files, and not the .docx? My users complained about not receiving mails with some attachments and I quickly discovered that this rule has been recently adjusted on December 20, 2019, https://github.com/mailcow/mailcow-dockerized/commit/5a0df09361690ec4b9cb1cbad8a4a34c0f40bc59#diff-9980851224bcd2f7afaed16965d33376. I see this extension rejected in RSPAMD rules, and when reviewing code there is also a sieve filter https://github.com/mailcow/mailcow-dockerized/blob/d468ecfa65b01f1482eeb3601f458087476ced43/data/web/inc/presets/sieve/sieve_1.yml.
Thanks a lot for your lights. This is a big change for our userbase so I'd like to know how to argue it ;-)
Thanks for your great work!
Looking at my spam folder, most of the nefarious stuff seems to be coming as .doc, while most good attachments nowadays are .docx files.
.doc files can contain macros, while .docx files cannot. .docm is the macro-enabled version of the new format. It's a bit inconsistent though: if we block doc, we should also block xls and ppt. We should also put the same score on pptm, xlsm and docm.
Yes, doc are dangerous and have been used quite a lot in the past for malicious mail.
I agree we should add ppt and xls.
Same issue here. Blocking .doc gives too many false positives.
doc are dangerous and have been used quite a lot in the past for malicious mail.
Also wsf (Windows Script File) and hta (HTML Application) should be added. This config seems to handle more filetypes in general.
But I can see that the rule regarding office documents will be a no-go for people who are sending office documents on a regular base.
Is there an _easy_ way to change or override this?
Create a PR with a score higher than 2, please.
Don't blindly copy all extensions. Try to explain what you did.
Ok?
I don't think penalizing doc attachments was a good idea. There are still many people sending doc via mail for their job. Regular and rightful documents. I don't think we must limit users to send only some types of documents, nor must we educate them in information technology. We only must receive and deliver mail as well as possible. And possibly professionally. And a sieve response like "Why would you do that? I am a sad cow." is not. It can be a nice joke for someone, but can hurt many others, especially if they had an urgent need to send a document and it comes back rejected.
We must simplify users' lives, not complicate them. Also because then the users call us, system administrators: "I can't send mail! It was very important!", and I don't have time to explain to them mime-types, macros, etc. Imho, of course.
Next, maybe it would be better to only check attachments for viruses, and test if they contain macros (even if some doc with macros can be absolutely legal)? Maybe rspamd oletools can do that. It would be a more elegant solution than simply rejecting files with the doc mime-type.
Well, sending files directly by mail isn't a good idea at all (imho) and, even more important, .doc-files are widely used to send harmful stuff. Yes, the error message could possibly be enhanced, but to block such possibly malicious files is a good approach. Maybe there's a chance to implement a switch within the Mailcow UI to explicitly allow sending and receiving possibly harmful files, but for the masses, it's a good idea to prevent this.
Your thinking is dangerous, tkorves. Since many pirate programs are carried with torrents, we must close all torrents. It's not the right way (always imho).
Rather, if we can, we could only block docs that contain macros.
The sad cow is a template. A template.
Go participate, create PRs, don't just take. Give something back. Enhance mailcow, change language strings you don't like. We don't work for anyone's profit.
No, it's not dangerous at all - it's just an easy way to secure people with less IT-specific knowledge a little bit - and those people are mostly hit by macros carried along with e.g. .doc files - those people mostly don't know of the pure existence of torrent files nor do they know what to do with it. Your comparison lacks knowledge - harmful vs illegal ...
You can simply remove the .doc from blocked extensions, if you don't like it. If you don't want to maintain mailcow on your own, buy support. It is as easy as that.
doc is dangerous. It has been used a lot for malicious code. Scammers are not stupid, they test their macros against ClamAV signatures and oletools. It is dangerous. I stand by blocking .doc. If you don't like it, remove it. It is a single line.
Are macros inside .doc documents run automatically without any warning on recent systems? (Windows 10 + Office 365/2016/2019)
Additionally, it's not only Clamd scanning files but also Windows 10 antivirus checking for viruses. I can't tell if .doc are a real threat. What I have seen are multiple false positives, so that check is removed on my systems.
I can confirm that most .doc files sent are more a threat than a false positive. One of our clients recently was hit by malware which was residing in a Word macro - the e-mail told the employee that Word would ask to run macros within this sent file - and the employee did what the sender told.
So to recap: Yes, Word (and other office applications) are warning about macros - but there's this "social engineering factor", which shouldn't be underestimated at all. And just a small sidenote: Windows defender was updated to the latest version but was not warning about anything ... ;-)
So to recap, even if clamd + local Windows antivirus don't spot it, macros are already disabled. And a warning pops up. Then I guess you need some privileged access (administrator) to manually allow those to run.
Of course, there's "social engineering" but that's beyond my scope as a postmaster. I can't prevent my users from following the _Albanian Virus_ instructions.
Having seen multiple false positives I will keep that check disabled on my servers.
Maybe giving a small malus score is a better choice, plain blocking could be too risky. But that's just my 2 cents
Last question. What's the general consensus among the largest email providers? Do Gmail, Hotmail, Yahoo accept or plainly block .doc attachments?
Why should mailcow follow any consensus made up by anyone outside the mailcow dev-team?! Mailcow is an independent product with independent devs - and that's why it's blocked by default. No further explanation is needed. Mailcow does not follow anything else than RFCs and the devs' own ideas and thoughts.
I don't want to force anyone to use that template. It is perfectly fine and will not break anything if you decide to remove it. :)
I have seen it quite often lately. Let's keep it blocked by default, please.
Join the Telegram channel for this kind of argument, please. :)
Then I guess you need some privileged access (administrator) to manually allow those to run.
No, it's actually just one or two clicks.
Therefore, as long as we can't distinguish files with macros from files without macros, the safest thing to do is to block doc, docm, xls, xlsm, ppt, pptm.
Feel free to unlock, @mkuron, if you think, it should be discussed.
We could try this and unconditionally block all macros: https://rspamd.com/doc/modules/external_services.html#oletools-extended-mode.
Then we can allow doc files again without worrying.
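As an added illustration of the "only block files that actually contain macros" idea raised earlier in the thread and of the "as long as we can't distinguish files with macros from files without macros" remark, here is a small Python helper that is not part of mailcow or of rspamd/oletools: it applies the extension list discussed here and, for docx/xlsx/pptx, opens the zip container to check whether a vbaProject.bin part is present. The names BLOCKED_EXTENSIONS, classify_attachment and make_ooxml are my own, and the sample OOXML zips are constructed in memory for demonstration.

```python
import io
import zipfile
from typing import Optional

# Constructed block list modelled on the extensions named in this thread:
# legacy Office containers, macro-enabled OOXML, and Windows script files.
BLOCKED_EXTENSIONS = {"doc", "xls", "ppt", "docm", "xlsm", "pptm", "wsf", "hta"}
# OOXML variants that are not supposed to carry a VBA project at all.
MACRO_FREE_OOXML = {"docx", "xlsx", "pptx"}
# Magic bytes of an OLE2 compound file (the legacy .doc/.xls/.ppt container).
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def ooxml_has_vba(data: bytes) -> Optional[bool]:
    """True if the zip holds a vbaProject.bin part, False if it is a zip
    without one, None if the bytes are not a readable zip at all."""
    if not data.startswith(b"PK\x03\x04"):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return None
    return any(n.endswith("vbaproject.bin") for n in names)


def classify_attachment(filename: str, data: bytes) -> str:
    """Hypothetical policy: 'block' listed extensions and OOXML carrying VBA,
    'suspicious' when content does not match the extension, else 'allow'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in BLOCKED_EXTENSIONS:
        return "block"
    if ext in MACRO_FREE_OOXML:
        has_vba = ooxml_has_vba(data)
        if has_vba is None:          # extension says OOXML, content is not a zip
            return "suspicious"
        return "block" if has_vba else "allow"
    if data.startswith(OLE_MAGIC):   # OLE container hiding behind another name
        return "suspicious"
    return "allow"


def make_ooxml(with_vba: bool) -> bytes:
    """Build a minimal constructed OOXML-style zip for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00constructed")
    return buf.getvalue()
```

In a real deployment this decision belongs in the rspamd pipeline (the oletools integration linked above does a far more thorough VBA analysis); the helper only shows how the extension check and a content check differ in what they catch.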
That's a good idea.