From 8a3eadfc9b740981241d95a0ee2ef2b57dd7fc9f Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov <vsevolod@rambler-co.ru>
Date: Sat, 19 Feb 2011 23:10:39 +0300
Subject: [PATCH] Reduce weight of NO_SPACE_IN_FROM. Change default pid file
 location. Change MISSING_TO rule not to work when header exists but empty.
 Add rules for bad bondaries and message ids.

Suggested by: Victor Ustugov.
---
 conf/lua/regexp/headers.lua | 34 +++++++++++++++++++++++++++++++++-
 rspamd.xml.sample           | 28 ++++++++++++++++++++++++++--
 2 files changed, 59 insertions(+), 3 deletions(-)

diff --git a/conf/lua/regexp/headers.lua b/conf/lua/regexp/headers.lua
index 66dd912de..e68067d5b 100644
--- a/conf/lua/regexp/headers.lua
+++ b/conf/lua/regexp/headers.lua
@@ -30,7 +30,7 @@ local r_body_8bit = '/[^\\x01-\\x7f]/Pr'
 reconf['R_BAD_CTE_7BIT'] = string.format('(%s) & (%s) & (%s)', r_ctype_text, r_cte_7bit, r_body_8bit)
 
 -- Detects missing To header
-reconf['MISSING_TO']= '!header_exists(To)';
+reconf['MISSING_TO']= '!raw_header_exists(To)';
 
 -- Detects undisclosed recipients
 local undisc_rcpt = 'To=/^<?undisclosed[- ]recipient/Hi'
@@ -179,6 +179,17 @@ reconf['FORGED_OUTLOOK_TAGS'] = string.format('!%s & %s & %s & !(%s & %s & %s &
 					yahoo_bulk, any_outlook_mua, mime_html, tag_exists_html, tag_exists_head,
 					tag_exists_meta, tag_exists_body)
 
+-- Forged OE/MSO boundary
+reconf['SUSPICIOUS_BOUNDARY']	= 'Content-Type=/^\\s*multipart.+boundary="----=_NextPart_000_[A-Z\\d]{4}_(00EBFFA4|0102FFA4|32C6FFA4|3302FFA4)\\.[A-Z\\d]{8}"[\\r\\n]*$/siX'
+-- Forged OE/MSO boundary
+reconf['SUSPICIOUS_BOUNDARY2']	= 'Content-Type=/^\\s*multipart.+boundary="----=_NextPart_000_[A-Z\\d]{4}_(01C6527E)\\.[A-Z\\d]{8}"[\\r\\n]*$/siX'
+-- Forged OE/MSO boundary
+reconf['SUSPICIOUS_BOUNDARY3']	= 'Content-Type=/^\\s*multipart.+boundary="-----000-00\\d\\d-01C[\\dA-F]{5}-[\\dA-F]{8}"[\\r\\n]*$/siX'
+-- Forged OE/MSO boundary
+local suspicious_boundary_01C4	= 'Content-Type=/^\\s*multipart.+boundary="----=_NextPart_000_[A-Z\\d]{4}_01C4[\\dA-F]{4}\\.[A-Z\\d]{8}"[\\r\\n]*$/siX'
+local suspicious_boundary_01C4_date	= 'Date=/^\\s*\\w\\w\\w,\\s+\\d+\\s+\\w\\w\\w 20(0[56789]|1\\d)/'
+reconf['SUSPICIOUS_BOUNDARY4']	= string.format('(%s) & (%s)', suspicious_boundary_01C4, suspicious_boundary_01C4_date)
+
 -- Detect forged The Bat! headers
 -- The Bat! X-Mailer header
 local thebat_mua_any = 'X-Mailer=/^\\s*The Bat!/H'
@@ -191,6 +202,27 @@ reconf['FORGED_MUA_THEBAT_MSGID'] = string.format('(%s) & !(%s) & (%s) & !(%s)',
 -- Summary rule for forged The Bat! Message-ID header with unknown template
 reconf['FORGED_MUA_THEBAT_MSGID_UNKNOWN'] = string.format('(%s) & !(%s) & !(%s) & !(%s)', thebat_mua_any, thebat_msgid, thebat_msgid_common, unusable_msgid)
 
+
+-- Detect forged Mozilla Mail/Thunderbird/Seamonkey headers
+-- Mozilla based X-Mailer
+local user_agent_mozilla5	= 'User-Agent=/^\\s*Mozilla\\/5\\.0/'
+local user_agent_thunderbird	= 'User-Agent=/^\\s*(Thunderbird|Mozilla Thunderbird|Mozilla\\/.*Gecko\\/.*Thunderbird\\/)/'
+local user_agent_seamonkey	= 'User-Agent=/^\\s*Mozilla\\/5\\.0\\s.+\\sSeaMonkey\\/\\d+\\.\\d+/'
+local user_agent_mozilla	= string.format('(%s) & !(%s) & !(%s)', user_agent_mozilla5, user_agent_thunderbird, user_agent_seamonkey)
+-- Mozilla based common Message-ID template
+local mozilla_msgid_common	= 'Message-ID=/^\\s*<[\\dA-F]{8}\\.\\d{1,7}\\@([^>\\.]+\\.)+[^>\\.]+>$/X'
+local mozilla_msgid		= 'Message-ID=/^\\s*<(3[3-9A-F]|4[\\dA-F])[\\dA-F]{6}\\.(\\d0){0,3}\\d\\@([^>\\.]+\\.)+[^>\\.]+>$/XS'
+-- Summary rule for forged Mozilla Mail Message-ID header
+reconf['FORGED_MUA_MOZILLA_MAIL_MSGID'] = string.format('(%s) & (%s) & !(%s) & !(%s)', user_agent_mozilla, mozilla_msgid_common, mozilla_msgid, unusable_msgid)
+reconf['FORGED_MUA_MOZILLA_MAIL_MSGID_UNKNOWN'] = string.format('(%s) & !(%s) & !(%s) & !(%s)', user_agent_mozilla, mozilla_msgid_common, mozilla_msgid, unusable_msgid)
+-- Summary rule for forged Thunderbird Message-ID header
+reconf['FORGED_MUA_THUNDERBIRD_MSGID'] = string.format('(%s) & (%s) & !(%s) & !(%s)', user_agent_thunderbird, mozilla_msgid_common, mozilla_msgid, unusable_msgid)
+reconf['FORGED_MUA_THUNDERBIRD_MSGID_UNKNOWN'] = string.format('(%s) & !(%s) & !(%s) & !(%s)', user_agent_thunderbird, mozilla_msgid_common, mozilla_msgid, unusable_msgid)
+-- Summary rule for forged Seamonkey Message-ID header
+reconf['FORGED_MUA_SEAMONKEY_MSGID'] = string.format('(%s) & (%s) & !(%s) & !(%s)', user_agent_seamonkey, mozilla_msgid_common, mozilla_msgid, unusable_msgid)
+reconf['FORGED_MUA_SEAMONKEY_MSGID_UNKNOWN'] = string.format('(%s) & !(%s) & !(%s) & !(%s)', user_agent_seamonkey, mozilla_msgid_common, mozilla_msgid, unusable_msgid)
+
+
 -- Message id validity
 local sane_msgid = 'Message-Id=/^[^<>\\\\ \\t\\n\\r\\x0b\\x80-\\xff]+\\@[^<>\\\\ \\t\\n\\r\\x0b\\x80-\\xff]+\\s*$/mH'
 local msgid_comment = 'Message-Id=/\\(.*\\)/mH'
diff --git a/rspamd.xml.sample b/rspamd.xml.sample
index f8e30277e..8464a080a 100644
--- a/rspamd.xml.sample
+++ b/rspamd.xml.sample
@@ -2,7 +2,7 @@
 <rspamd>
 <!-- Main section -->
 <tempdir>/tmp</tempdir>
-<pidfile>/var/run/rspamd.pid</pidfile>
+<pidfile>/var/run/rspamd/rspamd.pid</pidfile>
 <filters>regexp,surbl,chartable,fuzzy_check,spf</filters>
 <statfile_pool_size>262144000</statfile_pool_size>
 <raw_mode>yes</raw_mode>
@@ -69,10 +69,34 @@
  <symbol weight="3.00" description="Forged outlook MUA">FORGED_MUA_OUTLOOK</symbol>
  <!-- Forged outlook MUA, but from maillist -->
  <symbol weight="0.00" description="Forged outlook MUA, but from maillist">FORGED_MUA_OUTLOOK_MAILLIST</symbol>
+
+ <!-- Suspicious boundary in header Content-Type -->
+ <symbol weight="5.00" description="Suspicious boundary in header Content-Type">SUSPICIOUS_BOUNDARY</symbol>
+ <!-- Suspicious boundary in header Content-Type -->
+ <symbol weight="4.00" description="Suspicious boundary in header Content-Type">SUSPICIOUS_BOUNDARY2</symbol>
+ <!-- Suspicious boundary in header Content-Type -->
+ <symbol weight="3.00" description="Suspicious boundary in header Content-Type">SUSPICIOUS_BOUNDARY3</symbol>
+ <!-- Suspicious boundary in header Content-Type -->
+ <symbol weight="4.00" description="Suspicious boundary in header Content-Type">SUSPICIOUS_BOUNDARY4</symbol>
+
  <!-- Message pretends to be send from The Bat! but has forged Message-ID -->
  <symbol weight="4.00" description="Message pretends to be send from The Bat! but has forged Message-ID">FORGED_MUA_THEBAT_MSGID</symbol>
  <!-- Message pretends to be send from The Bat! but has forged Message-ID -->
  <symbol weight="3.00" description="Message pretends to be send from The Bat! but has forged Message-ID">FORGED_MUA_THEBAT_MSGID_UNKNOWN</symbol>
+
+ <!-- Message pretends to be send from Mozilla Mail but has forged Message-ID -->
+ <symbol weight="3.50" description="Message pretends to be send from Mozilla Mail but has forged Message-ID">FORGED_MUA_MOZILLA_MAIL_MSGID</symbol>
+ <!-- Message pretends to be send from Mozilla Mail but has forged Message-ID -->
+ <symbol weight="2.50" description="Message pretends to be send from Mozilla Mail but has forged Message-ID">FORGED_MUA_MOZILLA_MAIL_MSGID_UNKNOWN</symbol>
+ <!-- Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID -->
+ <symbol weight="3.50" description="Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID">FORGED_MUA_THUNDERBIRD_MSGID</symbol>
+ <!-- Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID -->
+ <symbol weight="2.50" description="Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID">FORGED_MUA_THUNDERBIRD_MSGID_UNKNOWN</symbol>
+ <!-- Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID -->
+ <symbol weight="3.50" description="Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID">FORGED_MUA_SEAMONKEY_MSGID</symbol>
+ <!-- Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID -->
+ <symbol weight="2.50" description="Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID">FORGED_MUA_SEAMONKEY_MSGID_UNKNOWN</symbol>
+
  <!-- Fake helo for verizon provider -->
  <symbol weight="2.00" description="Fake helo for verizon provider">FM_FAKE_HELO_VERIZON</symbol>
  <!--Quoted reply-to from yahoo (seems to be forged) --> 
@@ -112,7 +136,7 @@
  <!-- Spam string at the end of message to make statistics faults 0-->
  <symbol weight="3.84" description="Spam string at the end of message to make statistics faults 0">TRACKER_ID</symbol>
  <!-- No space in from header -->
- <symbol weight="3.00" description="No space in from header">R_NO_SPACE_IN_FROM</symbol>
+ <symbol weight="1.00" description="No space in from header">R_NO_SPACE_IN_FROM</symbol>
  <!-- Subject seems to be spam --> 
  <symbol weight="8.00" description="Subject seems to be spam">R_SAJDING</symbol>
  <!-- Detects bad content-transfer-encoding for text parts -->
-- 
2.39.5