From 5a12f23f9004cba869c13ecf2974ff9f74a7908c Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov <vsevolod@highsecure.ru>
Date: Fri, 20 Nov 2015 13:52:20 +0000
Subject: [PATCH] Add R_SUSPICIOUS_URL rule that detects obfusicated URL's

---
 rules/misc.lua | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/rules/misc.lua b/rules/misc.lua
index cbcdff0fc..f423d014e 100644
--- a/rules/misc.lua
+++ b/rules/misc.lua
@@ -90,3 +90,22 @@ rspamd_config.DATE_IN_PAST = function(task)
 
 	return false
 end
+
+rspamd_config.R_SUSPICIOUS_URL = {
+  callback = function(task)
+    local urls = task:get_urls()
+
+    if urls then
+      for i,u in ipairs(urls) do
+        if u:is_obscured() then
+          return true
+        end
+      end
+    end
+    return false
+  end,
+  score = 6.0,
+  group = 'url',
+  one_shot = true,
+  description = 'Obfusicated or suspicious URL has been found in a message'
+}
-- 
2.39.5