New rules 1586/head
authorSteve Freegard <steve@stevefreegard.com>
Tue, 11 Apr 2017 15:13:05 +0000 (16:13 +0100)
committerSteve Freegard <steve@stevefreegard.com>
Wed, 12 Apr 2017 14:50:45 +0000 (15:50 +0100)
rules/headers_checks.lua
rules/html.lua
rules/regexp/headers.lua

index 1ff27ce2f900d0ada3f87121080fea60864b1d1e..02b177c376d59c49ce5cee944c6ab3d2fe0593e9 100644 (file)
@@ -901,3 +901,20 @@ rspamd_config.CTYPE_MISSING_DISPOSITION = {
   score = 4.0,
   group = 'header'
 }
+
+rspamd_config.CTYPE_MIXED_BOGUS = {
+  callback = function(task)
+    local ct = task:get_header('Content-Type')
+    if (not ct) then return false end
+    local parts = task:get_parts()
+    if (not parts) then return false end
+    if (ct:lower():match('^multipart/mixed') ~= nil and #parts < 3)
+    then
+      return true, tostring(#parts)
+    end
+    return false
+  end,
+  description = 'multipart/mixed with less than 3 total parts',
+  score = 2.0,
+  group = 'headers'
+}
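Review bot: `group = 'headers'` on the new CTYPE_MIXED_BOGUS rule does not match the `group = 'header'` used by CTYPE_MISSING_DISPOSITION directly above it in this file, so two neighbouring Content-Type rules land in different groups and any per-group setting would cover only one of them. Pick one spelling; if `'header'` is this file's convention, use `group = 'header'` here. It would also help to add a comment above the `#parts < 3` test stating whether `task:get_parts()` counts the multipart container itself, because both the threshold and the description ('less than 3 total parts') depend on that.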
index 142cb293c6e22c44be769cb1623edee12e420bae..2c28e85d8bd023c7e3c379604134ceed42a59cd3 100644 (file)
@@ -263,4 +263,72 @@ rspamd_config.EXT_CSS = {
   score = 1.0,
   group = 'html',
   description = 'Message contains external CSS reference'
-}
\ No newline at end of file
+}
+
+rspamd_config.HTTP_TO_HTTPS = {
+  callback = function(task)
+    local tp = task:get_text_parts()
+    if (not tp) then return false end
+    for _,p in ipairs(tp) do
+      if p:is_html() then
+        local hc = p:get_html()
+        local found = false
+        hc:foreach_tag('a', function (tag, length)
+          -- Skip this loop if we already have a match
+          if (found) then return true end
+          local c = tag:get_content()
+          if (c) then
+            c = tostring(c):lower()
+            if (not c:match('^http')) then return false end
+            local u = tag:get_extra()
+            if (not u) then return false end
+            u = tostring(u):lower()
+            if (not u:match('^http')) then return false end
+            if ((c:match('^http:') and u:match('^https:')) or
+                (c:match('^https:') and u:match('^http:')))
+            then
+              found = true
+              return true
+            end
+          end
+          return false
+        end)
+        if (found) then return true end
+        return false
+      end
+    end
+    return false
+  end,
+  description = 'Anchor text contains different scheme to target URL',
+  score = 2.0,
+  group = 'html'
+}
+
+rspamd_config.HTTP_TO_IP = {
+  callback = function(task)
+    local tp = task:get_text_parts()
+    if (not tp) then return false end
+    for _,p in ipairs(tp) do
+      if p:is_html() then
+        local hc = p:get_html()
+        local found = false
+        hc:foreach_tag('a', function (tag, length)
+          if (found) then return true end
+          local u = tag:get_extra()
+          if (u) then
+            u = tostring(u):lower()
+            if (u:match('^https?://%d+%.%d+%.%d+%.%d+')) then
+              found = true
+            end
+          end
+          return false
+        end)
+        if found then return true end
+        return false
+      end
+    end
+  end,
+  description = 'Anchor points to an IP address',
+  score = 1.0,
+  group = 'html'
+}
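Review bot: Both callbacks stop at the first HTML part, because the `return false` that follows the `found` check (in HTTP_TO_HTTPS and again in HTTP_TO_IP) sits inside the `for _,p in ipairs(tp)` loop, so anchors in a second or later HTML part are never inspected and the rule silently misses them. Dropping that `return false` leaves `if found then return true end` as the only exit inside the loop and lets it continue to the next part. HTTP_TO_IP also falls off the end without returning a value; add `return false` after the loop to match HTTP_TO_HTTPS. Separately, `'^https?://%d+%.%d+%.%d+%.%d+'` has no terminator after the fourth octet, so a hostname such as `1.2.3.4.example.com` matches too; checking that the next character is `/`, `:` or the end of the string would remove that false positive.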
index af63d7131ad6231e0fed6cfddb596f4bf1f5b489..68e540aee8914499850cfa01195989aa2aa1545e 100644 (file)
@@ -905,3 +905,14 @@ reconf['HAS_XOIP'] = {
   score = 0.0,
   group = 'headers'
 }
+
+reconf['MIME_BASE64_TEXT'] = {
+  re = string.format('(%s && %s) || (%s && %s)',
+                     'Content-Type=/^text/Hi',
+                     'Content-Transfer-Encoding=/^base64/Hi',
+                     'Content-Type=/^text/Bi',
+                     'Content-Transfer-Encoding=/^base64/Bi'),
+  description = 'Message text disguised using base64 encoding',
+  score = 0.0,
+  group = 'headers'
+}
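Review bot: The two halves of each `&&` are not tied to the same MIME part. As far as I can tell from how header regexps are evaluated, `Content-Type=/^text/Bi` and `Content-Transfer-Encoding=/^base64/Bi` are each tested against the message's MIME headers independently, so a 7bit text part sitting next to a base64-encoded attachment would satisfy the second pair. If the intent is "a text part that is itself base64-encoded", that needs a per-part check (a Lua callback that compares each part's own type and transfer encoding) rather than a combined regexp. The word 'disguised' is also stronger than the rule supports, since base64 is a normal encoding for non-ASCII text; something like `description = 'Has text part encoded in base64'` fits a 0.0-score informational symbol better. A short comment explaining why the expression is repeated with the `H` and `B` flags would help the next reader.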