[Minor] Add HAS_FILE_URL rule for messages containing a file:// URL 4846/head
authortwesterhever <40121680+twesterhever@users.noreply.github.com>
Thu, 29 Feb 2024 14:34:21 +0000 (14:34 +0000)
committertwesterhever <40121680+twesterhever@users.noreply.github.com>
Thu, 29 Feb 2024 14:34:21 +0000 (14:34 +0000)
These are frequently abused for distributing malware via non-HTTP
protocols, such as public Samba servers. file:// URLs may also be abused
for including files from the victim's machine in a message. Either way,
a legitimate use case is unlikely.

Signed-off-by: twesterhever <40121680+twesterhever@users.noreply.github.com>
rules/regexp/headers.lua

index 0624997aae4c060e04e74cafe4ab68579cdae0c7..5f6a49437ed12f1ca65b1f1d4231656984d3c10e 100644 (file)
@@ -938,6 +938,13 @@ reconf['HAS_GOOGLE_FIREBASE_URL'] = {
   group = 'url'
 }
 
+reconf['HAS_FILE_URL'] = {
+  re = '/^file:\\/\\//{url}i',
+  description = 'Contains file:// URL',
+  score = 2.0,
+  group = 'url'
+}
+
 reconf['XM_UA_NO_VERSION'] = {
   re = string.format('(!%s && !%s) && (%s || %s)',
       'X-Mailer=/https?:/H',
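Review bot: The new `HAS_FILE_URL` entry carries a score of 2.0, but its `description` only says "Contains file:// URL", so the rationale from the commit message is lost to anyone reading the rules file or the symbol in a scan result. I would add a comment above the rule, e.g. `-- file:// links can reference remote SMB shares or local paths; legitimate mail has no real use for them`. The pattern is anchored to the exact `file://` spelling, so it presumably depends on the URL extractor to normalise other separator forms before `{url}` matching. A functional test with a sample message would confirm both that coverage and that the rule does not fire on ordinary mail.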