Add R_SUSPICIOUS_URL rule that detects obfusicated URL's

author Vsevolod Stakhov <vsevolod@highsecure.ru>

Fri, 20 Nov 2015 13:52:20 +0000 (13:52 +0000)

committer Vsevolod Stakhov <vsevolod@highsecure.ru>

Fri, 20 Nov 2015 13:52:20 +0000 (13:52 +0000)
author Vsevolod Stakhov <vsevolod@highsecure.ru>
Fri, 20 Nov 2015 13:52:20 +0000 (13:52 +0000)
committer Vsevolod Stakhov <vsevolod@highsecure.ru>
Fri, 20 Nov 2015 13:52:20 +0000 (13:52 +0000)
diff --git a/rules/misc.lua b/rules/misc.lua

index cbcdff0fce590d2790e6fd0eed91831488399a58..f423d014e970ec91593d7077f3d0c003f6d72990 100644 (file)
--- a/rules/misc.lua
+++ b/rules/misc.lua
@@ -90,3 +90,22 @@ rspamd_config.DATE_IN_PAST = function(task)
  
         return false
  end
+
+rspamd_config.R_SUSPICIOUS_URL = {
+  callback = function(task)
+    local urls = task:get_urls()
+
+    if urls then
+      for i,u in ipairs(urls) do
+        if u:is_obscured() then
+          return true
+        end
+      end
+    end
+    return false
+  end,
+  score = 6.0,
+  group = 'url',
+  one_shot = true,
+  description = 'Obfusicated or suspicious URL has been found in a message'
+}
author	Vsevolod Stakhov <vsevolod@highsecure.ru>
	Fri, 20 Nov 2015 13:52:20 +0000 (13:52 +0000)
committer	Vsevolod Stakhov <vsevolod@highsecure.ru>
	Fri, 20 Nov 2015 13:52:20 +0000 (13:52 +0000)