From 59b8463ff07efba952baa3bd3ccb663e1f477c36 Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov
Date: Fri, 5 Mar 2021 17:13:45 +0000
Subject: [PATCH] [Minor] Try to find some obfuscation attemtps

Issue: #3637
---
 src/libserver/html.c | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/src/libserver/html.c b/src/libserver/html.c
index 401c55f31..974b59129 100644
--- a/src/libserver/html.c
+++ b/src/libserver/html.c
@@ -719,6 +719,7 @@ rspamd_html_url_is_phished (rspamd_mempool_t *pool,
 p++;
 }
 }
+ text_url = rspamd_mempool_alloc0 (pool, sizeof (struct rspamd_url));
 rc = rspamd_url_parse (text_url, url_str, strlen (url_str), pool, RSPAMD_URL_PARSE_TEXT);
@@ -827,9 +828,28 @@ rspamd_html_url_is_phished (rspamd_mempool_t *pool,
 *url_found = TRUE;
 } else {
- msg_info_pool ("extract of url '%s' failed: %s",
+ /*
+ * We have found something that looks like an url but it was
+ * not parsed correctly.
+ * Sometimes it means an obfuscation attempt, so we have to check
+ * what's inside of the text
+ */
+ gboolean obfuscation_found = FALSE;
+
+ if (g_ascii_strncasecmp (url_str, "http", 4) == 0 &&
+ strstr (url_str, "://") != NULL) {
+ /* Clearly an obfuscation attempt */
+ obfuscation_found = TRUE;
+ }
+
+ msg_info_pool ("extract of url '%s' failed: %s; obfuscation detected: %s",
 url_str,
- rspamd_url_strerror (rc));
+ rspamd_url_strerror (rc),
+ obfuscation_found ? "yes" : "no");
+
+ if (obfuscation_found) {
+ href_url->flags |= RSPAMD_URL_FLAG_PHISHED|RSPAMD_URL_FLAG_OBSCURED;
+ }
 }
 }
-- 
2.39.5
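Review bot: In the new `else` branch of the second hunk, `RSPAMD_URL_FLAG_PHISHED|RSPAMD_URL_FLAG_OBSCURED` is set on `href_url` for any display text that starts with "http", contains "://" anywhere, and fails `rspamd_url_parse` for any reason, so the `/* Clearly an obfuscation attempt */` comment overstates what the check establishes. Because the `strstr` match is not anchored to the scheme, ordinary text with a later "://" and an unrelated parse error is marked phished as well; consider requiring the separator directly after the scheme, or at least rewording the comment to `/* Heuristic: http-like prefix plus "://" that failed URL parsing */` and documenting the false-positive risk. The flag is also raised here without a successfully parsed `text_url` to pair with it, so it is worth confirming that consumers of `RSPAMD_URL_FLAG_PHISHED` do not assume a displayed URL is available. `rspamd_html_url_is_phished` starts and ends outside the hunk, so whether `href_url` can be NULL at this point is not visible from here.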