From 39aeb394c8dc6a4f05b2e6daf4c94dae1a6e4659 Mon Sep 17 00:00:00 2001
From: twesterhever <40121680+twesterhever@users.noreply.github.com>
Date: Sat, 15 Oct 2022 11:48:02 +0000
Subject: [PATCH] [Enhancement] Add IPFS URL heuristic

---
 rules/regexp/misc.lua | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/rules/regexp/misc.lua b/rules/regexp/misc.lua
index a5e5cfc44..c7876567f 100644
--- a/rules/regexp/misc.lua
+++ b/rules/regexp/misc.lua
@@ -99,4 +99,19 @@ reconf['LEAKED_PASSWORD_SCAM_RE'] = {
 group = 'scams'
 }

-rspamd_config:register_dependency('LEAKED_PASSWORD_SCAM', 'BITCOIN_ADDR')
\ No newline at end of file
+rspamd_config:register_dependency('LEAKED_PASSWORD_SCAM', 'BITCOIN_ADDR')
+
+-- Heurististic for detecting InterPlanetary File System (IPFS) gateway URLs:
+-- These contain "ipfs" somewhere (either in the FQDN or the URL path) and a
+-- content identifier (CID), comprising of either "qm", followed by 46 alphanumerical
+-- characters (CIDv0), or a CIDv1 of an alphanumerical string of unspecified length,
+-- depending on the hash algorithm used.
+local ipfs_cid = '/(qm[a-z0-9]{44}|[a-z0-9]{45,256})/{url}i'
+local ipfs_string = '/ipfs(\\.|-|_|\\/|\\?)/{url}i'
+reconf['HAS_IPFS_URL'] = {
+ description = 'Message contains InterPlanetary File System (IPFS) URL, likely malicious',
+ re = string.format('(%s & %s)', ipfs_cid, ipfs_string),
+ score = 6.0,
+ one_shot = true,
+ group = 'url',
+}
-- 
2.39.5
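Review bot: `HAS_IPFS_URL` can fire on mail that contains no IPFS link, because `ipfs_cid` and `ipfs_string` are two separate `{url}` atoms joined with `&`, and nothing visible in the expression requires both to match inside the same URL. The second branch of `ipfs_cid`, `[a-z0-9]{45,256}`, is unanchored and accepts any alphanumeric run of 45 or more characters (tracking or unsubscribe tokens, for example), which also makes the `qm[a-z0-9]{44}` branch redundant. With `score = 6.0` and a "likely malicious" description, a false positive here is costly, so I would fold both conditions into a single per-URL check or ship the rule at a low score until hit data is available. The comment also disagrees with the pattern: it says "qm" is followed by 46 characters while the regex uses `{44}`; suggest `-- content identifier (CID): either "qm" followed by 44 alphanumerical characters (CIDv0, 46 in total),` and correcting the "Heurististic" typo.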