From b553c0c29eb136d1bd33fce3cfc0265d7909fe0c Mon Sep 17 00:00:00 2001 From: Vsevolod Stakhov Date: Thu, 25 Jul 2024 13:21:44 +0100 Subject: [PATCH] [Conf] Increase scores for strange things in the archives --- rules/archives.lua | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/rules/archives.lua b/rules/archives.lua index 83ac27df8..c582b93bd 100644 --- a/rules/archives.lua +++ b/rules/archives.lua @@ -2,19 +2,19 @@ local rspamd_regexp = require "rspamd_regexp" local lua_maps = require "lua_maps" local clickbait_map = lua_maps.map_add_from_ucl( - { - string.format('%s/maps.d/%s', rspamd_paths.CONFDIR, 'exe_clickbait.inc'), - string.format('%s/local.d/maps.d/%s', rspamd_paths.LOCAL_CONFDIR, 'exe_clickbait.inc') - }, - 'regexp', - 'Inappropriate descriptions for executables' + { + string.format('%s/maps.d/%s', rspamd_paths.CONFDIR, 'exe_clickbait.inc'), + string.format('%s/local.d/maps.d/%s', rspamd_paths.LOCAL_CONFDIR, 'exe_clickbait.inc') + }, + 'regexp', + 'Inappropriate descriptions for executables' ) local exe_re = rspamd_regexp.create_cached([[/\.exe$|\.com$/i]]) local img_re = rspamd_regexp.create_cached([[/\.img$/i]]) local rar_re = rspamd_regexp.create_cached([[/\.rar$|\.r[0-9]{2}$/i]]) -local id = rspamd_config:register_symbol{ +local id = rspamd_config:register_symbol { callback = function(task) local num_checked = 0 local have_subject_clickbait = false @@ -52,7 +52,7 @@ local id = rspamd_config:register_symbol{ local name = info.name if img_re:match(name) then - local ratio = info.uncompressed_size/info.compressed_size + local ratio = info.uncompressed_size / info.compressed_size if ratio >= 500 then task:insert_result('UDF_COMPRESSION_500PLUS', 1.0) end 
@@ -86,7 +86,7 @@ local id = rspamd_config:register_symbol{ type = 'callback', } -rspamd_config:register_symbol{ +rspamd_config:register_symbol { description = 'exe file in archive with clickbait filename', group = 'malware', name = 'EXE_ARCHIVE_CLICKBAIT_FILENAME', @@ -96,7 +96,7 @@ rspamd_config:register_symbol{ type = 'virtual', } -rspamd_config:register_symbol{ +rspamd_config:register_symbol { description = 'exe file in archive with clickbait subject', group = 'malware', name = 'EXE_ARCHIVE_CLICKBAIT_SUBJECT', @@ -106,47 +106,47 @@ rspamd_config:register_symbol{ type = 'virtual', } -rspamd_config:register_symbol{ +rspamd_config:register_symbol { description = 'exe file in archive', group = 'malware', name = 'EXE_IN_ARCHIVE', one_shot = true, parent = id, - score = 0.5, + score = 1.5, type = 'virtual', } -rspamd_config:register_symbol{ +rspamd_config:register_symbol { description = 'rar with wrong extension containing exe file', group = 'malware', name = 'EXE_IN_MISIDENTIFIED_RAR', one_shot = true, parent = id, - score = 2.0, + score = 5.0, type = 'virtual', } -rspamd_config:register_symbol{ +rspamd_config:register_symbol { description = 'rar with wrong extension', group = 'malware', name = 'MISIDENTIFIED_RAR', one_shot = true, parent = id, - score = 2.0, + score = 4.0, type = 'virtual', } -rspamd_config:register_symbol{ +rspamd_config:register_symbol { description = 'single file container bearing executable', group = 'malware', name = 'SINGLE_FILE_ARCHIVE_WITH_EXE', one_shot = true, parent = id, - score = 1.0, + score = 5.0, type = 'virtual', } -rspamd_config:register_symbol{ +rspamd_config:register_symbol { description = 'very well compressed img file in archive', name = 'UDF_COMPRESSION_500PLUS', one_shot = true, -- 2.39.5
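Review bot: The four raised scores in the `@@ -106,47` hunk are additive and nothing visible caps their sum. If the callback (its body is outside this hunk) can insert `EXE_IN_ARCHIVE`, `EXE_IN_MISIDENTIFIED_RAR`, `MISIDENTIFIED_RAR` and `SINGLE_FILE_ARCHIVE_WITH_EXE` for the same attachment, one archive now contributes 15.5 instead of 5.5, which alone exceeds rspamd's stock reject threshold of 15. That raises the cost of a false positive, because `exe_re` in the first hunk's context (`[[/\.exe$|\.com$/i]]`) also matches any member name that merely ends in `.com`. A benign single-file archive whose member is named after a domain would then presumably take the 5.0 `SINGLE_FILE_ARCHIVE_WITH_EXE` hit. I would confirm which of these symbols can fire together and record the intent beside the registrations, for example `-- additive with the other archive symbols; worst case for a misnamed rar holding one exe is 15.5`.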