Sandbox (YARA Analysis)¶
The Sandbox analyses attachments and URLs in inbound mails for malware and phishing indicators.
Processing Flow¶
- Inbound mail arrives on port 25 (queue ID 1)
- rspamd milter scan with no hard reject
- Mail is forwarded to the sandbox enqueue service (port 10025)
- nmg-sandbox extracts attachments and URLs and analyses them
- Result is written to the database, rspamd score adjusted
- Mail is reinjected (port 10026, queue ID 2) and either delivered normally or moved to quarantine
Job Table¶
The sandbox page shows all past jobs with status and result:
| Column | Description |
|---|---|
| Time | Job start timestamp |
| Queue ID | Postfix queue ID of the analysed mail |
| Sender / Subject | Mail metadata |
| State | pending / running / done / failed / cancelled |
| Verdict | clean / suspicious / virus / error |
| Threat Score | 0–100 (0 = clean, 100 = highly malicious) |
| Duration | Analysis runtime (green <2 s, orange <10 s, red ≥10 s) |
| Node | Cluster node |
The Report button opens the full analysis result (only visible for completed jobs).
Sandbox Report in Detail¶
The sandbox report is the most comprehensive single analysis view in nmg. It shows all results from the analysis pipeline:
Threat Score & Verdict¶
- Threat Score: 0–100 — aggregated risk score from all analyser stages
- Verdict: clean, suspicious, virus
- Confidence: How certain the verdict is
- Verdict Reasons: List of the key detection reasons as tags
Email Metadata¶
Sender (envelope-from and header-from), recipient, subject, message ID, timestamps.
Authentication¶
SPF, DKIM, and DMARC results are shown as colour-coded tags:
- pass = green
- fail / none = red
- softfail / neutral = yellow
Sender Reputation¶
| Field | Description |
|---|---|
| Sender IP | IP address of the delivering server |
| Country | Origin country of the IP |
| ASN | Autonomous System Number |
| rDNS | Reverse DNS hostname |
| Reputation Score | Historical reputation score of the sender |
MIME Structure¶
| Field | Description |
|---|---|
| MIME Parts | Number of MIME parts (text parts + attachments) |
| MIME Depth | Maximum nesting depth |
| Received Hops | Number of relay hops in the Received headers |
| Received Chain | Expandable: full hop list with from/by/with/timestamp |
Detection Indicators¶
| Indicator | Description |
|---|---|
| Encoding Anomalies | Unusual character encodings (base64-obfuscated scripts, etc.) |
| Homoglyph Attack | Use of visually similar characters for deception |
| Urgency Score | Language-based score for threats/time pressure |
| Impersonation Score | Hints of identity spoofing |
| Brand Spoofing | Detected brands being impersonated (e.g. Microsoft, DHL) |
| Social Engineering Indicators | Language patterns typical of social engineering attacks |
YARA Hits¶
- Files Scanned: Number of files checked against YARA rules
- Total Hits: Sum of all rule matches
- Top Rules: The most frequently triggering rules as tags
MITRE ATT&CK Mapping¶
When YARA rules or other analysers include MITRE tags, tactic and technique are shown as tiles (e.g. Initial Access → Spearphishing Attachment T1566.001).
IOC Summary¶
Extracted Indicators of Compromise:
| IOC Type | Example |
|---|---|
| IPs | External IPs from URLs and headers |
| Domains | Domains from URLs |
| URLs | Full URLs with redirect chain |
| Hashes | SHA256 hashes of attachments |
Attachments¶
Per attachment:
| Field | Description |
|---|---|
| Filename | Original filename |
| MIME Type | Detected MIME type |
| Size | File size |
| SHA256 | Hash of the attachment content |
| YARA Hits | Number of YARA rule matches for this attachment |
| VirusTotal | VT detection rate (if API key configured) |
URLs¶
Per URL:
| Field | Description |
|---|---|
| URL | Original URL from the mail body |
| Redirect Chain | Resolved redirect chain |
| End URL | Final destination URL |
| Phishing Feed Hit | Which feed lists the URL |
HTML Attachment Detection¶
HTML attachments (.html, .htm) are treated as a standalone phishing indicator (symbol NMG_HTML_ATTACHMENT). They are frequently used for phishing forms that work in a browser without server infrastructure.
Sandbox Allow-List¶
Senders to be exempted from sandbox analysis are managed under Sandbox → Sandbox Allow-List. Wildcards and domain entries are supported.
YARA Rules¶
How YARA works in nmg¶
The sandbox scans the raw MIME blob of the mail: the complete RFC 5322 (formerly RFC 2822) message exactly as received by Postfix, including all headers. Binary attachments inside the blob are still base64-encoded; nothing is decoded before the YARA scan. This affects which patterns can be reliably detected:
| Content | In the MIME blob | YARA-matchable |
|---|---|---|
| Email headers (Content-Disposition, filename, etc.) | Plain text | ✓ always |
| HTML body, text body | Plain text | ✓ always |
| Binary file magic at offset 0 (e.g. OLE2 D0CF11E0 = 0M8R4KGxGuE) | base64, deterministically encoded because the magic starts at offset 0 | ✓ |
| Binary content inside attachments (Office streams, etc.) | base64-encoded and usually also compressed | ✗ |
Base64 output depends on the byte offset of a pattern modulo 3, so a fixed literal such as 0M8R4KGxGuE only matches content at a known alignment (file magic at offset 0). For plaintext that may sit at any offset inside an attachment (e.g. a zip entry name), use YARA's base64 string modifier, which generates all three alignments; this does not help for content that is compressed before encoding (OOXML zip streams, compressed VBA). Text parts sent with Content-Transfer-Encoding base64 (common for UTF-8 HTML) are subject to the same constraints as attachments, and base64 bodies are wrapped at 76 characters, so a pattern can also be split across a line break.
A YARA hit sets the threat score to at least 50 and the verdict to at least suspicious.
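To make the table concrete, the following is an added example (not nmg code and not real YARA syntax): it builds a constructed inbound mail with a stub OLE2 attachment and a throw-away macro-style zip, serialises it the way it would arrive on the wire, and then checks which plaintext patterns survive into the raw MIME blob, either as-is or in one of the three base64 alignments that YARA's base64 modifier would generate. The rule names reuse those from the tables below for orientation only; the patterns and the dict-based "rules" are assumptions for the demonstration.

```python
"""Added example (not nmg code): which attachment bytes survive base64
encoding in a predictable form when YARA runs on the raw MIME blob.

Everything here is constructed: the "OLE2" file is a 512-byte header stub,
the ".docm" is a throw-away zip, and RULES is a plain dict, not YARA syntax.
"""
import base64
import io
import zipfile
from email import policy
from email.message import EmailMessage

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # CFB / OLE2 signature


def base64_variants(pattern: bytes) -> list[bytes]:
    """Return the three base64 forms of `pattern`, one per alignment
    (pattern starts at byte offset 0, 1 or 2 modulo 3). Characters that
    mix pattern bits with neighbouring bytes are dropped, which is what
    YARA's `base64` string modifier does when it expands a rule string."""
    variants = []
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + pattern).rstrip(b"=")
        head = (0, 2, 3)[shift]                       # chars tainted by the prefix
        tail = 0 if (shift + len(pattern)) % 3 == 0 else 1   # char tainted by what follows
        variants.append(enc[head:len(enc) - tail])
    return variants


def scan_blob(blob: bytes, rules: dict[str, bytes]) -> dict[str, str]:
    """Look for each rule's plaintext pattern in the raw MIME blob: first
    as-is (headers, text parts), then in all three base64 alignments
    (attachment bytes). Returns rule name -> how it matched."""
    hits = {}
    for name, pattern in rules.items():
        if pattern in blob:
            hits[name] = "plain"
            continue
        for shift, variant in enumerate(base64_variants(pattern)):
            if variant in blob:
                hits[name] = f"base64 (offset mod 3 = {shift})"
                break
    return hits


def build_test_mail() -> bytes:
    """Constructed inbound mail with two attachments, serialised with CRLF
    line endings and 76-character base64 lines as Postfix would hand it on."""
    # Stub OLE2 header: magic, all-zero CLSID (required by MS-CFB), zero padding.
    fake_doc = OLE2_MAGIC + b"\x00" * 504
    # Throw-away OOXML-style zip: the VBA stream is deflated, but the entry
    # *name* is stored uncompressed in the local file header (offset 30).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/vbaProject.bin",
                    b"Sub AutoOpen()\r\n  Shell \"cmd.exe\"\r\nEnd Sub\r\n" * 20)
    fake_docm = buf.getvalue()
    msg = EmailMessage(policy=policy.SMTP)
    msg["From"] = "billing@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(fake_doc, maintype="application", subtype="msword",
                       filename="invoice.doc")
    msg.add_attachment(fake_docm, maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="invoice.docm")
    return msg.as_bytes()


RULES = {
    # Filename in the Content-Disposition header: plain text in the blob.
    "MAIL_Office_Legacy_Filename": b'filename="invoice.doc"',
    # File magic at offset 0 of the attachment: always base64 alignment 0.
    "MAIL_OLE2_Attachment_Base64": OLE2_MAGIC,
    # Zip entry name at an arbitrary offset: needs all three base64 forms.
    "MAIL_Office_With_Macros": b"vbaProject.bin",
    # Inside the deflated stream: not recoverable from the blob at all.
    "VBA_AutoOpen_plaintext": b"AutoOpen",
}

if __name__ == "__main__":
    print(base64_variants(OLE2_MAGIC))   # alignment 0 is b"0M8R4KGxGu"
    for rule, how in scan_blob(build_test_mail(), RULES).items():
        print(f"{rule:32s} {how}")
```

The deterministic part of the OLE2 magic is the first ten characters; the eleventh character E in the page's 0M8R4KGxGuE literal is fixed only because MS-CFB requires the 16-byte CLSID that follows the signature to be all zeros. The AutoOpen pattern never matches, in plain or base64 form, because it is deflated inside the zip before the mail is encoded; that is the ✗ row of the table.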
Managed rules (nmg-managed)¶
nmg ships three rule files that are automatically kept up to date on every package update. Files under /var/lib/nmg/yara-rules/nmg-*.yar are nmg-managed and will be overwritten on upgrade.
nmg-default.yar — Baseline rules¶
| Rule | Detection | Score |
|---|---|---|
| EICAR_AV_TEST_FILE | EICAR test virus | 10 |
| MAIL_PE_Executable | PE executable (EXE/DLL) in attachment | 5 |
| MAIL_Office_With_Macros | OOXML ZIP + vbaProject.bin | 3 |
| MAIL_PDF_With_JS | PDF with embedded JavaScript | 3 |
| MAIL_DoubleExtension_Trick | Double file extension (e.g. invoice.pdf.exe) | 4 |
| MAIL_Powershell_EncodedCommand | PowerShell -EncodedCommand / IEX cradle | 6 |
| MAIL_HTML_Smuggling | HTML smuggling — atob() + new Blob() | 6 |
nmg-office-macros.yar — Office macro detection¶
| Rule | Detection | Score |
|---|---|---|
| MAIL_OOXML_MacroEnabled_Filename | Attachment filename .xlsm / .docm / .pptm / .xlsb etc. | 7 |
| MAIL_Office_Legacy_Filename | Attachment filename .doc / .xls / .ppt (OLE2 format) | 3 |
| MAIL_OLE2_Attachment_Base64 | OLE2 magic D0CF11E0 as base64 (0M8R4KGxGuE) in MIME | 3 |
| MAIL_OLE2_With_Macro_Filename | OLE2 base64 + suspicious filename combined | 8 |
| MAIL_VBA_AutoExec_ShellAPI | VBA auto-execute trigger + shell/download API in plaintext | 9 |
| MAIL_VBA_Chr_Obfuscation | VBA Chr() chains for string obfuscation | 6 |
nmg-js-droppers.yar — Script dropper detection¶
| Rule | Detection | Score |
|---|---|---|
| MAIL_Script_Dangerous_Extension | Attachment .js / .vbs / .hta / .wsf / .ps1 / .jse etc. | 8 |
| MAIL_JS_WSH_DownloadExecute | ActiveXObject + XMLHTTP/download + .Run/.Exec | 9 |
| MAIL_JS_PowerShell_Spawn | WScript.Shell + powershell + -ExecutionPolicy Bypass etc. | 9 |
| MAIL_VBS_ShellDropper | VBScript CreateObject + .Run + download/cmd | 9 |
| MAIL_JS_Eval_Obfuscation | eval(unescape(...)) / String.fromCharCode combined | 6 |
| MAIL_HTA_Dropper | HTA:APPLICATION + ActiveXObject + .Run | 8 |
| MAIL_BAT_EnvVar_Obfuscation | Batch %var:~x,y% substring obfuscation | 6 |
Score field in YARA meta
The score field in YARA rule metadata is for documentation only. The sandbox does not evaluate it — every hit, regardless of the score value, sets the threat score to at least 50.
External rule updates (freshyara)¶
The nmg-freshyara timer pulls rules daily from configured sources (e.g. signature-base) and recompiles all .yar files in /var/lib/nmg/yara-rules/ into a single compiled.yar. The update interval is configurable in Mail Configuration → YARA.
Adding custom rules¶
Custom rules are placed as .yar files under /var/lib/nmg/yara-rules/. Files that do not start with nmg- are not touched by updates.
```bash
# Create a custom rule
sudo -u nmg nano /var/lib/nmg/yara-rules/my-custom.yar
# Recompile without waiting for the nightly timer
sudo -u nmg /usr/share/nmg/yara-base/compile.sh
```
Syntax check
compile.sh aborts on syntax errors. The previously compiled compiled.yar remains unchanged — running scans are not affected.
VirusTotal Integration¶
With an API key configured in Mail Configuration, SHA256 hashes of attachments are looked up against VirusTotal. The result appears in the sandbox report for each attachment.