Improve URI_HIDDEN_PATH based on corpus testing
authorSteve Freegard <steve@stevefreegard.com>
Mon, 19 Mar 2018 11:58:45 +0000 (11:58 +0000)
committerSteve Freegard <steve@stevefreegard.com>
Mon, 19 Mar 2018 11:58:45 +0000 (11:58 +0000)
rules/regexp/compromised_hosts.lua

index f6427a7cd9a415d5a7831d9e6bd40dedfd90cf8b..37fef0dd787ab409ace1436376ab34dbe54127f2 100644 (file)
@@ -138,12 +138,24 @@ reconf['HIDDEN_SOURCE_OBJ'] = {
   group = "compromised_hosts"
 }
 
-reconf['URI_HIDDEN_PATH'] = {
-  re = "/\\/\\..+/U",
-  description = "URL contains a UNIX hidden file/directory",
+rspamd_config.URI_HIDDEN_PATH = {
+  callback = function (task)
+    local urls = task:get_urls(false)
+    if (urls) then
+        for _, url in ipairs(urls) do
+            if (not (url:is_subject() and url:is_html_displayed())) then
+                local path = url:get_path()
+                if (hidden_uri_re:match(path)) then
+                    -- TODO: need url:is_schemeless() to improve this
+                    return true, 1.0, url:get_text()
+                end
+            end
+        end
+    end
+  end,
+  description = 'Message contains URI with a hidden path',
   score = 1.0,
-  one_shot = true,
-  group = "compromised_hosts"
+  group = 'compromised_hosts',
 }
 
 reconf['MID_RHS_WWW'] = {
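Review bot: The guard `not (url:is_subject() and url:is_html_displayed())` in the callback skips a URL only when both flags are set at once, so a URL taken from the Subject alone, or one that is only the displayed text of an HTML link, is still tested for a hidden path. If the intent was to ignore either kind, which seems likely since the two flags describe different sources, the condition would be `if not (url:is_subject() or url:is_html_displayed()) then`; as written the rule may fire on URLs that are not real link targets and add false positives to the compromised_hosts group. `url:get_path()` is also handed to `hidden_uri_re:match()` unchecked, so `if path and hidden_uri_re:match(path) then` would make the no-path case explicit. `hidden_uri_re` is defined outside this hunk, so the pattern itself cannot be reviewed here.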