From: Steve Freegard Date: Tue, 11 Apr 2017 15:13:05 +0000 (+0100) Subject: New rules X-Git-Tag: 1.5.6~26^2 X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=9aa169e092def662ec521adb6a07c04e46375fa0;p=rspamd.git New rules --- diff --git a/rules/headers_checks.lua b/rules/headers_checks.lua index 1ff27ce2f..02b177c37 100644 --- a/rules/headers_checks.lua +++ b/rules/headers_checks.lua @@ -901,3 +901,20 @@ rspamd_config.CTYPE_MISSING_DISPOSITION = { score = 4.0, group = 'header' } + +rspamd_config.CTYPE_MIXED_BOGUS = { + callback = function(task) + local ct = task:get_header('Content-Type') + if (not ct) then return false end + local parts = task:get_parts() + if (not parts) then return false end + if (ct:lower():match('^multipart/mixed') ~= nil and #parts < 3) + then + return true, tostring(#parts) + end + return false + end, + description = 'multipart/mixed with less than 3 total parts', + score = 2.0, + group = 'headers' +} diff --git a/rules/html.lua b/rules/html.lua index 142cb293c..2c28e85d8 100644 --- a/rules/html.lua +++ b/rules/html.lua @@ -263,4 +263,72 @@ rspamd_config.EXT_CSS = { score = 1.0, group = 'html', description = 'Message contains external CSS reference' -} \ No newline at end of file +} + +rspamd_config.HTTP_TO_HTTPS = { + callback = function(task) + local tp = task:get_text_parts() + if (not tp) then return false end + for _,p in ipairs(tp) do + if p:is_html() then + local hc = p:get_html() + local found = false + hc:foreach_tag('a', function (tag, length) + -- Skip this loop if we already have a match + if (found) then return true end + local c = tag:get_content() + if (c) then + c = tostring(c):lower() + if (not c:match('^http')) then return false end + local u = tag:get_extra() + if (not u) then return false end + u = tostring(u):lower() + if (not u:match('^http')) then return false end + if ((c:match('^http:') and u:match('^https:')) or + (c:match('^https:') and u:match('^http:'))) + then + found = true + return true + end + end + return false + end) + if (found) then return true end + return false + end + end + return false + end, + description = 'Anchor text contains different scheme to target URL', + score = 2.0, + group = 'html' +} + +rspamd_config.HTTP_TO_IP = { + callback = function(task) + local tp = task:get_text_parts() + if (not tp) then return false end + for _,p in ipairs(tp) do + if p:is_html() then + local hc = p:get_html() + local found = false + hc:foreach_tag('a', function (tag, length) + if (found) then return true end + local u = tag:get_extra() + if (u) then + u = tostring(u):lower() + if (u:match('^https?://%d+%.%d+%.%d+%.%d+')) then + found = true + end + end + return false + end) + if found then return true end + return false + end + end + end, + description = 'Anchor points to an IP address', + score = 1.0, + group = 'html' +} diff --git a/rules/regexp/headers.lua b/rules/regexp/headers.lua index af63d7131..68e540aee 100644 --- a/rules/regexp/headers.lua +++ b/rules/regexp/headers.lua @@ -905,3 +905,14 @@ reconf['HAS_XOIP'] = { score = 0.0, group = 'headers' } + +reconf['MIME_BASE64_TEXT'] = { + re = string.format('(%s && %s) || (%s && %s)', + 'Content-Type=/^text/Hi', + 'Content-Transfer-Encoding=/^base64/Hi', + 'Content-Type=/^text/Bi', + 'Content-Transfer-Encoding=/^base64/Bi'), + description = 'Message text disguised using base64 encoding', + score = 0.0, + group = 'headers' +}