From c599cb599e4c8df12ade63211e6c307e05a70276 Mon Sep 17 00:00:00 2001
From: twesterhever <40121680+twesterhever@users.noreply.github.com>
Date: Thu, 29 Feb 2024 14:34:21 +0000
Subject: [PATCH] [Minor] Add HAS_FILE_URL rule for messages containing a
 file:// URL

These are frequently abused for distributing malware via non-HTTP
protocols, such as public Samba servers. file:// URLs may also be abused
for including files from the victims' machine in a message. Either way,
a legitimate usecase is unlikely.

Signed-off-by: twesterhever <40121680+twesterhever@users.noreply.github.com>
---
 rules/regexp/headers.lua | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/rules/regexp/headers.lua b/rules/regexp/headers.lua
index 0624997aa..5f6a49437 100644
--- a/rules/regexp/headers.lua
+++ b/rules/regexp/headers.lua
@@ -938,6 +938,13 @@ reconf['HAS_GOOGLE_FIREBASE_URL'] = {
   group = 'url'
 }
 
+reconf['HAS_FILE_URL'] = {
+  re = '/^file:\\/\\//{url}i',
+  description = 'Contains file:// URL',
+  score = 2.0,
+  group = 'url'
+}
+
 reconf['XM_UA_NO_VERSION'] = {
   re = string.format('(!%s && !%s) && (%s || %s)',
       'X-Mailer=/https?:/H',
-- 
2.39.5