From 7f5ca7ae3db6da0939e42ae88db375aa9b63fe76 Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov
Date: Tue, 15 May 2018 12:34:30 +0100
Subject: [PATCH] [Feature] Add rule to block mixed text and encrypted parts
---
 rules/misc.lua | 97 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 97 insertions(+)
diff --git a/rules/misc.lua b/rules/misc.lua
index 62fa7f92a..c70e90bbc 100644
--- a/rules/misc.lua
+++ b/rules/misc.lua
@@ -639,3 +639,100 @@ rspamd_config.R_BAD_CTE_7BIT = {
 description = 'Detects bad content-transfer-encoding for text parts',
 group = 'headers'
 }
+
+
+local check_encrypted_name = rspamd_config:register_symbol{
+ name = 'BOGUS_ENCRYPTED_AND_TEXT',
+ callback = function(task)
+ local parts = task:get_parts() or {}
+ local seen_encrypted, seen_text
+ local opts = {}
+
+ local function check_part(part)
+ if part:is_multipart() then
+ local children = part:get_children() or {}
+
+ for _,cld in ipairs(children) do
+ if cld:is_multipart() then
+ check_part(cld)
+ elseif cld:is_text() then
+ seen_text = true
+ else
+ local type,subtype,attrs = cld:get_type_full()
+
+ if type:lower() == 'application' then
+ if string.find(subtype:lower(), 'pkcs7%-mime') then
+ -- S/MIME encrypted part
+ seen_encrypted = true
+ table.insert(opts, 'smime part')
+ task:insert_result('ENCRYPTED_SMIME', 1.0)
+ elseif string.find(subtype:lower(), 'pkcs7%-signature') then
+ task:insert_result('SIGNED_SMIME', 1.0)
+ elseif string.find(subtype:lower(), 'pgp%-encrypted') then
+ -- PGP/GnuPG encrypted part
+ seen_encrypted = true
+ table.insert(opts, 'pgp part')
+ task:insert_result('ENCRYPTED_PGP', 1.0)
+ elseif string.find(subtype:lower(), 'pgp%-signature') then
+ task:insert_result('SIGNED_PGP', 1.0)
+ end
+ end
+ end
+ end
+ end
+ end
+
+ for _,part in ipairs(parts) do
+ check_part(part)
+ end
+
+ if seen_text and seen_encrypted then
+ return true, 1.0, opts
+ end
+
+ return false
+ end,
+ score = 10.0,
+ description = 'Bogus mix of encrypted and text/html payloads',
+ group = 'mime_types'
+}
+
+rspamd_config:register_symbol{
+ type = 'virtual',
+ parent = check_encrypted_name,
+ name = 'ENCRYPTED_PGP',
+ description = 'Message is encrypted with pgp',
+ group = 'mime_types',
+ score = -0.5,
+ one_shot = true
+}
+
+rspamd_config:register_symbol{
+ type = 'virtual',
+ parent = check_encrypted_name,
+ name = 'ENCRYPTED_SMIME',
+ description = 'Message is encrypted with smime',
+ group = 'mime_types',
+ score = -0.5,
+ one_shot = true
+}
+
+rspamd_config:register_symbol{
+ type = 'virtual',
+ parent = check_encrypted_name,
+ name = 'SIGNED_PGP',
+ description = 'Message is signed with pgp',
+ group = 'mime_types',
+ score = -2.0,
+ one_shot = true
+}
+
+rspamd_config:register_symbol{
+ type = 'virtual',
+ parent = check_encrypted_name,
+ name = 'SIGNED_SMIME',
+ description = 'Message is signed with smime',
+ group = 'mime_types',
+ score = -2.0,
+ one_shot = true
+}
\ No newline at end of file
-- 
2.39.5
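Review bot: The four virtual symbols at the end of the hunk grant negative scores (-0.5 for `ENCRYPTED_*`, -2.0 for `SIGNED_*`) based only on the declared subtype of a child part; nothing in the callback verifies a signature or checks that the part sits inside a `multipart/signed` or `multipart/encrypted` container, so the ham bonus is controlled by the sender. I would keep these as informational symbols (`score = 0.0`) unless a structural or cryptographic check is added. In `check_part`, `local type,subtype,attrs = cld:get_type_full()` shadows the builtin `type`, leaves `attrs` unused, and calls `type:lower()` unguarded; if `get_type_full()` can return nil for a part without a parsed Content-Type, the callback raises on such a message, so consider `local mtype, subtype = cld:get_type_full()` followed by `if mtype and subtype and mtype:lower() == 'application' then`. Only children of multipart parts are inspected, so a message whose single top-level part is `application/pkcs7-mime` appears never to reach the subtype checks.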