From 28866f60631a43caa580686d11731e51587d2e5a Mon Sep 17 00:00:00 2001 From: Andrew Lewis Date: Wed, 31 Aug 2016 10:22:52 +0200 Subject: [PATCH] [Minor] Finish reworking rules --- conf/metrics.conf | 108 ------------------------------ rules/html.lua | 7 +- rules/misc.lua | 140 ++++++++++++++++++++++----------------- rules/regexp/drugs.lua | 42 ++++++++++-- rules/regexp/fraud.lua | 15 ++++- rules/regexp/headers.lua | 7 +- rules/regexp/lotto.lua | 7 +- 7 files changed, 148 insertions(+), 178 deletions(-) diff --git a/conf/metrics.conf b/conf/metrics.conf index 1294ca2f1..7ece1c542 100644 --- a/conf/metrics.conf +++ b/conf/metrics.conf @@ -37,18 +37,6 @@ metric { weight = 0.30; description = "Sender is forged (different From: header and smtp MAIL FROM: addresses)"; } - symbol "MIME_HTML_ONLY" { - weight = 0.2; - description = "Messages that have only HTML part"; - } - symbol "FM_FAKE_HELO_VERIZON" { - weight = 2.0; - description = "Fake helo for verizon provider"; - } - symbol "MISSING_TO" { - weight = 2.0; - description = "To header is missing"; - } symbol "R_MIXED_CHARSET" { weight = 5.0; description = "Mixed characters in a message"; @@ -91,15 +79,6 @@ metric { group "subject" { max_score = 6.0; - - symbol "LONG_SUBJ" { - weight = 6.0; - description = "Subject is too long"; - } - symbol "SUBJ_ALL_CAPS" { - weight = 3.0; - description = "No lower case letters in subject"; - } } group "mua" { 
@@ -109,70 +88,6 @@ metric { } } - group "body" { - symbol "R_WHITE_ON_WHITE" { - weight = 4.0; - description = "White color on white background in HTML messages"; - } - symbol "HTML_SHORT_LINK_IMG_1" { - weight = 3.0; - description = "Short html part with a link to an image"; - } - symbol "HTML_SHORT_LINK_IMG_2" { - weight = 1.0; - description = "Short html part with a link to an image"; - } - symbol "HTML_SHORT_LINK_IMG_3" { - weight = 0.5; - description = "Short html part with a link to an image"; - } - symbol "R_PARTS_DIFFER" { - weight = 1.0; - description = "Text and HTML parts differ"; - } - - symbol "R_EMPTY_IMAGE" { - weight = 2.0; - description = "Message contains empty parts and image"; - } - symbol "DRUGS_MANYKINDS" { - weight = 2.0; - description = "Drugs patterns inside message"; - } - symbol "DRUGS_ANXIETY" { - weight = 2.0; - description = ""; - } - symbol "DRUGS_MUSCLE" { - weight = 2.0; - description = ""; - } - symbol "DRUGS_ANXIETY_EREC" { - weight = 2.0; - description = ""; - } - symbol "DRUGS_DIET" { - weight = 2.0; - description = ""; - } - symbol "DRUGS_ERECTILE" { - weight = 2.0; - description = ""; - } - symbol "ADVANCE_FEE_2" { - weight = 3.300000; - description = "2 'advance fee' patterns in a message"; - } - symbol "ADVANCE_FEE_3" { - weight = 2.120000; - description = "3 'advance fee' patterns in a message"; - } - symbol "R_LOTTO" { - weight = 8.0; - description = "Lotto signatures"; - } - } - group "rbl" { symbol "DNSWL_BLOCKED" { weight = 0.0; @@ -577,22 +492,6 @@ metric { } } - group "date" { - - symbol "DATE_IN_FUTURE" { - weight = 4.0; - description = "Message date is in future"; - } - symbol "DATE_IN_PAST" { - weight = 1.0; - description = "Message date is in past"; - } - symbol "MISSING_DATE" { - weight = 1.0; - description = "Message date is missing"; - } - } - group "hfilter" { symbol "HFILTER_HELO_BAREIP" { weight = 3.00; 
@@ -774,13 +673,6 @@ metric { one_shot = true; } } - group "url" { - symbol "R_SUSPICIOUS_URL" { - weight = 6.0; - description = "Obfusicated or suspicious URL has been found in a message"; - one_shot = true; - } - } .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/metrics.conf" .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/metrics.conf" diff --git a/rules/html.lua b/rules/html.lua index e1fdb6b73..f81fc56ef 100644 --- a/rules/html.lua +++ b/rules/html.lua @@ -18,7 +18,12 @@ local rspamd_regexp = require "rspamd_regexp" local rspamd_logger = require "rspamd_logger" -- Messages that have only HTML part -reconf['MIME_HTML_ONLY'] = 'has_only_html_part()' +reconf['MIME_HTML_ONLY'] = { + re = 'has_only_html_part()', + score = 0.2, + description = 'Messages that have only HTML part', + group = 'header' +} local function check_html_image(task, min, max) local tp = task:get_text_parts() diff --git a/rules/misc.lua b/rules/misc.lua index c0dc201ab..2a14a1493 100644 --- a/rules/misc.lua +++ b/rules/misc.lua 
@@ -77,70 +77,87 @@ rspamd_config.LONG_SUBJ = { } -- Different text parts -rspamd_config.R_PARTS_DIFFER = function(task) - local distance = task:get_mempool():get_variable('parts_distance', 'double') - - if distance then - local nd = tonumber(distance) - -- ND is relation of different words to total words - if nd >= 0.5 then - local tw = task:get_mempool():get_variable('total_words', 'int') - - if tw then - local score - if tw > 30 then - -- We are confident about difference - score = (nd - 0.5) * 2.0 - else - -- We are not so confident about difference - score = (nd - 0.5) +rspamd_config.R_PARTS_DIFFER = { + callback = function(task) + local distance = task:get_mempool():get_variable('parts_distance', 'double') + + if distance then + local nd = tonumber(distance) + -- ND is relation of different words to total words + if nd >= 0.5 then + local tw = task:get_mempool():get_variable('total_words', 'int') + + if tw then + local score + if tw > 30 then + -- We are confident about difference + score = (nd - 0.5) * 2.0 + else + -- We are not so confident about difference + score = (nd - 0.5) + end + task:insert_result('R_PARTS_DIFFER', score, + string.format('%.1f%%', tostring(100.0 * nd))) end - task:insert_result('R_PARTS_DIFFER', score, - string.format('%.1f%%', tostring(100.0 * nd))) end end - end - - return false -end + return false + end, + score = 1.0, + description = 'Text and HTML parts differ', + group = 'body' +} -- Date issues -rspamd_config.MISSING_DATE = function(task) - if rspamd_config:get_api_version() >= 5 then - local date = task:get_header_raw('Date') - if date == nil or date == '' then - return true - end - end - - return false -end -rspamd_config.DATE_IN_FUTURE = function(task) - if rspamd_config:get_api_version() >= 5 then - local dm = task:get_date{format = 'message'} - local dt = task:get_date{format = 'connect'} - -- An 2 hour - if dm > 0 and dm - dt > 7200 then - return true - end - end - - return false -end -rspamd_config.DATE_IN_PAST = 
function(task) - if rspamd_config:get_api_version() >= 5 then - local dm = task:get_date{format = 'message', gmt = true} - local dt = task:get_date{format = 'connect', gmt = true} - -- A day - if dm > 0 and dt - dm > 86400 then - return true - end - end - - return false -end +rspamd_config.MISSING_DATE = { + callback = function(task) + if rspamd_config:get_api_version() >= 5 then + local date = task:get_header_raw('Date') + if date == nil or date == '' then + return true + end + end + return false + end, + score = 1.0, + description = 'Message date is missing', + group = 'date' +} +rspamd_config.DATE_IN_FUTURE = { + callback = function(task) + if rspamd_config:get_api_version() >= 5 then + local dm = task:get_date{format = 'message'} + local dt = task:get_date{format = 'connect'} + -- 2 hours + if dm > 0 and dm - dt > 7200 then + return true + end + end + return false + end, + score = 4.0, + description = 'Message date is in future', + group = 'date' +} +rspamd_config.DATE_IN_PAST = { + callback = function(task) + if rspamd_config:get_api_version() >= 5 then + local dm = task:get_date{format = 'message', gmt = true} + local dt = task:get_date{format = 'connect', gmt = true} + -- A day + if dm > 0 and dt - dm > 86400 then + return true + end + end + return false + end, + score = 1.0, + description = 'Message date is in past', + group = 'date' +} -rspamd_config.R_SUSPICIOUS_URL = function(task) +rspamd_config.R_SUSPICIOUS_URL = { + callback = function(task) local urls = task:get_urls() if urls then @@ -151,7 +168,12 @@ rspamd_config.R_SUSPICIOUS_URL = function(task) end end return false -end + end, + score = 6.0, + one_shot = true, + description = 'Obfusicated or suspicious URL has been found in a message', + group = 'url' +} rspamd_config.BROKEN_HEADERS = { callback = function(task) diff --git a/rules/regexp/drugs.lua b/rules/regexp/drugs.lua index 774c326a1..8d7b882f6 100644 --- a/rules/regexp/drugs.lua +++ b/rules/regexp/drugs.lua 
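Review bot: DATE_IN_FUTURE calls `task:get_date{format = 'message'}` and `task:get_date{format = 'connect'}` without `gmt = true`, while DATE_IN_PAST directly below passes `gmt = true` to both; each rule subtracts two values obtained the same way so the arithmetic still lines up, but the asymmetry reads like an oversight and should be made uniform, e.g. `local dm = task:get_date{format = 'message', gmt = true}` and `local dt = task:get_date{format = 'connect', gmt = true}` in DATE_IN_FUTURE as well. Both rules compare against the sender-supplied `Date:` header, so the input is attacker-controlled by design; a comment above the group such as `-- Date: is sender-controlled; these only catch gross skew (>2h ahead / >1 day behind connect time)` would make that intent explicit. In R_PARTS_DIFFER, `string.format('%.1f%%', tostring(100.0 * nd))` hands a string to a `%f` conversion; it works through Lua's number coercion, but `string.format('%.1f%%', 100.0 * nd)` is the direct form. The hunk ends with the opening of the R_SUSPICIOUS_URL callback, whose body continues past the hunk.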
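Review bot: The new `description` for R_SUSPICIOUS_URL carries a typo copied over from the removed metrics.conf entry; `description = 'Obfuscated or suspicious URL has been found in a message'` is the intended spelling, and this string is what operators see in scan output and reports, so it is worth fixing while the text is being moved. The body between `callback = function(task)` and `end,` is not re-indented like the other rules converted in this file (`local urls = task:get_urls()` sits at the same column as `callback`), so indenting it one level would keep the file consistent. The loop over `urls` lies between the two hunks and is not visible here.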
@@ -31,7 +31,12 @@ local drugs_diet7 = '/\\b_{0,3}t[_\\W]?[e3\\xE8-\\xEB][_\\W]?n[_\\W]?u[_\\W]?a[_ local drugs_diet8 = '/\\b_{0,3}d[_\\W]?[i1!|l\\xEC-\\xEF][_\\W]?d[_\\W]?r[_\\W][e3\\xE8-\\xEB[_\\W]?xx?_{0,3}\\b/irP' local drugs_diet9 = '/\\b_{0,3}a[_\\W]?d[_\\W]?[i1!|l\\xEC-\\xEF][_\\W]?p[_\\W]?[e3\\xE8-\\xEB][_\\W]?x_{0,3}\\b/irP' local drugs_diet10 = '/\\b_{0,3}x?x[_\\W]?[e3\\xE8-\\xEB][_\\W]?n[_\\W]?[i1!|l\\xEC-\\xEF][_\\W]?c[_\\W]?[a4\\xE0-\\xE6@][_\\W]?l_{0,3}\\b/irP' -reconf['DRUGS_DIET'] = string.format('((%s) | (%s) | (%s)) & ((%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s))', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], drugs_diet1, drugs_diet2, drugs_diet3, drugs_diet4, drugs_diet5, drugs_diet6, drugs_diet7, drugs_diet8, drugs_diet9, drugs_diet10) +reconf['DRUGS_DIET'] = { + re = string.format('((%s) | (%s) | (%s)) & ((%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s))', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], drugs_diet1, drugs_diet2, drugs_diet3, drugs_diet4, drugs_diet5, drugs_diet6, drugs_diet7, drugs_diet8, drugs_diet9, drugs_diet10), + score = 2.0, + description = 'Drugs pattern in body', + group = 'body' +} local drugs_erectile1 = '/(?:\\b|\\s)[_\\W]{0,3}(?:\\\\\\/|V)[_\\W]{0,3}[ij1!|l\\xEC\\xED\\xEE\\xEF][_\\W]{0,3}[a40\\xE0-\\xE6@][_\\W]{0,3}[xyz]?[gj][_\\W]{0,3}r[_\\W]{0,3}[a40\\xE0-\\xE6@][_\\W]{0,3}x?[_\\W]{0,3}(?:\\b|\\s)/irP' local drugs_erectile2 = '/\\bV(?:agira|igara|iaggra|iaegra)\\b/irP' local drugs_erectile3 = '/(?:\\A|[\\s\\x00-\\x2f\\x3a-\\x40\\x5b-\\x60\\x7b-\\x7f])[_\\W]{0,3}C[_\\W]{0,3}[ij1!|l\\xEC\\xED\\xEE\\xEF][_\\W]{0,3}[a4\\xE0-\\xE6@][_\\W]{0,3}l?[l!|1][_\\W]{0,3}[i1!|l\\xEC-\\xEF][_\\W]{0,3}s[_\\W]{0,3}(?:\\b|\\s)/irP' 
@@ -41,7 +46,12 @@ local drugs_erectile6 = '/\\b_{0,3}L[_\\W]?[e3\\xE8-\\xEB][_\\W]?(?:\\\\\\/|V)[_ local drugs_erectile8 = '/\\b_{0,3}T[_\\W]?[a4\\xE0-\\xE6@][_\\W]?d[_\\W]?[a4\\xE0-\\xE6@][_\\W]?l[_\\W]?[a4\\xE0-\\xE6@][_\\W]?f[_\\W]?[i1!|l\\xEC-\\xEF][_\\W]?l_{0,3}\\b/irP' local drugs_erectile10 = '/\\b_{0,3}V[_\\W]?(?:i|\\ï\\;)[_\\W]?(?:a|\\à|\\å)\\;?[_\\W]?g[_\\W]?r[_\\W]?(?:a|\\à|\\å)\\b/irP' local drugs_erectile11 = '/(?:\\b|\\s)_{0,3}[a4\\xE0-\\xE6@][_\\W]{0,3}p[_\\W]{0,3}c[_\\W]{0,3}[a4\\xE0-\\xE6@][_\\W]{0,3}[l!|1][_\\W]{0,3}[i1!|l\\xEC-\\xEF][_\\W]{0,3}s_{0,3}\\b/irP' -reconf['DRUGS_ERECTILE'] = string.format('((%s) | (%s) | (%s)) & ((%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s))', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], drugs_erectile1, drugs_erectile2, drugs_erectile3, drugs_erectile4, drugs_erectile5, drugs_erectile6, drugs_erectile8, drugs_erectile10, drugs_erectile11) +reconf['DRUGS_ERECTILE'] = { + re = string.format('((%s) | (%s) | (%s)) & ((%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s))', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], drugs_erectile1, drugs_erectile2, drugs_erectile3, drugs_erectile4, drugs_erectile5, drugs_erectile6, drugs_erectile8, drugs_erectile10, drugs_erectile11), + score = 2.0, + description = 'Drugs pattern in body', + group = 'body' +} local drugs_anxiety1 = '/(?:\\b|\\s)[_\\W]{0,3}x?x[_\\W]{0,3}[a4\\xE0-\\xE6@][_\\W]{0,3}n[_\\W]{0,3}[ea4\\xE1\\xE2\\xE3@][_\\W]{0,3}xx?_{0,3}\\b/irP' local drugs_anxiety2 = '/\\bAlprazolam\\b/irP' local drugs_anxiety3 = '/(?:\\b|\\s)[_\\W]{0,3}(?:\\\\\\/|V)[_\\W]{0,3}[a4\\xE0-\\xE6@][_\\W]{0,3}[l|][_\\W]{0,3}[i1!|l\\xEC-\\xEF][_\\W]{0,3}[u\\xB5\\xF9-\\xFC][_\\W]{0,3}m\\b/irP' 
@@ -51,8 +61,18 @@ local drugs_anxiety6 = '/\\b_{0,3}l[_\\W]?[o0\\xF2-\\xF6][_\\W]?r[_\\W]?[a4\\xE0 local drugs_anxiety7 = '/\\b_{0,3}c[_\\W]?l[_\\W]?[o0\\xF2-\\xF6][_\\W]?n[_\\W]?[a4\\xE0-\\xE6@][_\\W]?z[_\\W]?e[_\\W]?p[_\\W]?[a4\\xE0-\\xE6@][_\\W]?m\\b/irP' local drugs_anxiety8 = '/\\bklonopin\\b/irP' local drugs_anxiety9 = '/\\brivotril\\b/irP' -reconf['DRUGS_ANXIETY'] = string.format('((%s) | (%s) | (%s)) & ((%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s))', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], drugs_anxiety1, drugs_anxiety2, drugs_anxiety3, drugs_anxiety4, drugs_anxiety5, drugs_anxiety6, drugs_anxiety7, drugs_anxiety8, drugs_anxiety9) -reconf['DRUGS_ANXIETY_EREC'] = string.format('(%s) & (%s)', reconf['DRUGS_ERECTILE'], reconf['DRUGS_ANXIETY']) +reconf['DRUGS_ANXIETY'] = { + re = string.format('((%s) | (%s) | (%s)) & ((%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s))', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], drugs_anxiety1, drugs_anxiety2, drugs_anxiety3, drugs_anxiety4, drugs_anxiety5, drugs_anxiety6, drugs_anxiety7, drugs_anxiety8, drugs_anxiety9), + score = 2.0, + description = 'Drugs pattern in body', + group = 'body' +} +reconf['DRUGS_ANXIETY_EREC'] = { + re = string.format('(%s) & (%s)', reconf['DRUGS_ERECTILE']['re'], reconf['DRUGS_ANXIETY']['re']), + score = 2.0, + description = 'Drugs pattern in body', + group = 'body' +} local drugs_pain1 = '/\\b_{0,3}h[_\\W]?y[_\\W]?d[_\\W]?r[_\\W]?[o0\\xF2-\\xF6][_\\W]?c[_\\W]?[o0\\xF2-\\xF6][_\\W]?d[_\\W]?[o0\\xF2-\\xF6][_\\W]?n[_\\W]?e_{0,3}\\b/irP' local drugs_pain2 = '/\\b_{0,3}c[o0\\xF2-\\xF6]deine_{0,3}\\b/irP' local drugs_pain3 = '/(?:\\b|\\s)[_\\W]{0,3}[u\\xB5\\xF9-\\xFC][_\\W]{0,3}l[_\\W]{0,3}t[_\\W]{0,3}r[_\\W]{0,3}[a4\\xE0-\\xE6@][_\\W]{0,3}m_{0,3}\\b/irP' 
@@ -78,6 +98,16 @@ local drugs_muscle2 = '/\\b_{0,3}cycl[o0\\xF2-\\xF6]b[e3\\xE8-\\xEB]nz[a4\\xE0-\ local drugs_muscle3 = '/\\b_{0,3}f[_\\W]?l[_\\W]?[e3\\xE8-\\xEB][_\\W]?x[_\\W]?[e3\\xE8-\\xEB][_\\W]?r[_\\W]?[i1!|l\\xEC-\\xEF]_{0,3}[_\\W]?l_{0,3}\\b/irP' local drugs_muscle4 = '/\\b_{0,3}z[_\\W]?a[_\\W]?n[_\\W]?a[_\\W]?f[_\\W]?l[_\\W]?e[_\\W]?x_{0,3}\\b/irP' local drugs_muscle5 = '/\\bskelaxin\\b/irP' -reconf['DRUGS_MUSCLE'] = string.format('((%s) | (%s) | (%s)) & ((%s) | (%s) | (%s) | (%s) | (%s))', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], drugs_muscle1, drugs_muscle2, drugs_muscle3, drugs_muscle4, drugs_muscle5) -reconf['DRUGS_MANYKINDS'] = string.format('((%s) | (%s) | (%s)) & ((%s) + (%s) + (%s) + (%s) + (%s) + (%s) >= 3)', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], reconf['DRUGS_ERECTILE'], reconf['DRUGS_DIET'], drugs_pain, drugs_sleep, reconf['DRUGS_MUSCLE'], reconf['DRUGS_ANXIETY']) +reconf['DRUGS_MUSCLE'] = { + re = string.format('((%s) | (%s) | (%s)) & ((%s) | (%s) | (%s) | (%s) | (%s))', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], drugs_muscle1, drugs_muscle2, drugs_muscle3, drugs_muscle4, drugs_muscle5), + score = 2.0, + description = 'Drugs pattern in body', + group = 'body' +} +reconf['DRUGS_MANYKINDS'] = { + re = string.format('((%s) | (%s) | (%s)) & ((%s) + (%s) + (%s) + (%s) + (%s) + (%s) >= 3)', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], reconf['DRUGS_ERECTILE']['re'], reconf['DRUGS_DIET']['re'], drugs_pain, drugs_sleep, reconf['DRUGS_MUSCLE']['re'], reconf['DRUGS_ANXIETY']['re']), + score = 2.0, + description = 'Drugs pattern in body', + group = 'body' +} diff --git a/rules/regexp/fraud.lua b/rules/regexp/fraud.lua index 441aca5de..59e6ad03f 100644 --- a/rules/regexp/fraud.lua +++ b/rules/regexp/fraud.lua 
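Review bot: All six drug symbols now share the literal `description = 'Drugs pattern in body'`, so DRUGS_MANYKINDS — which fires only when at least three of the category expressions match (`... >= 3`) — is no longer distinguishable from the single-category symbols in reports, whereas the removed metrics.conf entry at least said "Drugs patterns inside message". Suggest `description = 'Three or more kinds of drug patterns in body'` here and per-category texts such as `description = 'Muscle relaxant drug patterns in body'` for DRUGS_MUSCLE above it. Every one of these expressions is also gated by `R_UNDISC_RCPT | R_BAD_CTE_7BIT | R_NO_SPACE_IN_FROM`, so none of the symbols can fire on a message without one of those header anomalies; a one-line comment stating that precondition above the first rule would spare the next reader from decoding the format string.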
@@ -70,5 +70,16 @@ local fraud_yqv = '/nigerian? (?:national|government)/irP' local fraud_yja = '/over-invoice/irP' local fraud_ypo = '/the total sum/irP' local fraud_uoq = '/vital documents/irP' -reconf['ADVANCE_FEE_2'] = string.format('((%s) | (%s) | (%s)) & ((%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) >= 2)', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], fraud_kjv, fraud_irj, fraud_neb, fraud_xjr, fraud_ezy, fraud_zfj, fraud_kdt, fraud_bgp, fraud_fbi, fraud_jbu, fraud_jyg, fraud_xvw, fraud_snt, fraud_ltx, fraud_mcq, fraud_pvn, fraud_fvu, fraud_ckf, fraud_fcw, fraud_mqo, fraud_tcc, fraud_gbw, fraud_nrg, fraud_rlx, fraud_axf, fraud_thj, fraud_yqv, fraud_yja, fraud_ypo, fraud_uoq, fraud_dbi, fraud_bep, fraud_dpr, fraud_qxx, fraud_qfy, fraud_pts, fraud_tdp, fraud_gan, fraud_ipk, fraud_aon, fraud_wny, fraud_aum, fraud_wfc, fraud_yww, fraud_ulk, fraud_iou, fraud_jnb, fraud_irt, fraud_etx, fraud_wdr, fraud_uuy, fraud_mly) -reconf['ADVANCE_FEE_3'] = string.format('((%s) | (%s) | (%s)) & ((%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) >= 3)', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], fraud_kjv, fraud_irj, fraud_neb, fraud_xjr, fraud_ezy, fraud_zfj, fraud_kdt, fraud_bgp, fraud_fbi, fraud_jbu, fraud_jyg, fraud_xvw, fraud_snt, fraud_ltx, 
fraud_mcq, fraud_pvn, fraud_fvu, fraud_ckf, fraud_fcw, fraud_mqo, fraud_tcc, fraud_gbw, fraud_nrg, fraud_rlx, fraud_axf, fraud_thj, fraud_yqv, fraud_yja, fraud_ypo, fraud_uoq, fraud_dbi, fraud_bep, fraud_dpr, fraud_qxx, fraud_qfy, fraud_pts, fraud_tdp, fraud_gan, fraud_ipk, fraud_aon, fraud_wny, fraud_aum, fraud_wfc, fraud_yww, fraud_ulk, fraud_iou, fraud_jnb, fraud_irt, fraud_etx, fraud_wdr, fraud_uuy, fraud_mly) +reconf['ADVANCE_FEE_2'] = { + re = string.format('((%s) | (%s) | (%s)) & ((%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) >= 2)', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], fraud_kjv, fraud_irj, fraud_neb, fraud_xjr, fraud_ezy, fraud_zfj, fraud_kdt, fraud_bgp, fraud_fbi, fraud_jbu, fraud_jyg, fraud_xvw, fraud_snt, fraud_ltx, fraud_mcq, fraud_pvn, fraud_fvu, fraud_ckf, fraud_fcw, fraud_mqo, fraud_tcc, fraud_gbw, fraud_nrg, fraud_rlx, fraud_axf, fraud_thj, fraud_yqv, fraud_yja, fraud_ypo, fraud_uoq, fraud_dbi, fraud_bep, fraud_dpr, fraud_qxx, fraud_qfy, fraud_pts, fraud_tdp, fraud_gan, fraud_ipk, fraud_aon, fraud_wny, fraud_aum, fraud_wfc, fraud_yww, fraud_ulk, fraud_iou, fraud_jnb, fraud_irt, fraud_etx, fraud_wdr, fraud_uuy, fraud_mly), + score = 3.3, + description = "2 'advance fee' patterns in a message", + group = 'body' +} +reconf['ADVANCE_FEE_3'] = { + re = string.format('((%s) | (%s) | (%s)) & ((%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + 
(%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) >= 3)', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], fraud_kjv, fraud_irj, fraud_neb, fraud_xjr, fraud_ezy, fraud_zfj, fraud_kdt, fraud_bgp, fraud_fbi, fraud_jbu, fraud_jyg, fraud_xvw, fraud_snt, fraud_ltx, fraud_mcq, fraud_pvn, fraud_fvu, fraud_ckf, fraud_fcw, fraud_mqo, fraud_tcc, fraud_gbw, fraud_nrg, fraud_rlx, fraud_axf, fraud_thj, fraud_yqv, fraud_yja, fraud_ypo, fraud_uoq, fraud_dbi, fraud_bep, fraud_dpr, fraud_qxx, fraud_qfy, fraud_pts, fraud_tdp, fraud_gan, fraud_ipk, fraud_aon, fraud_wny, fraud_aum, fraud_wfc, fraud_yww, fraud_ulk, fraud_iou, fraud_jnb, fraud_irt, fraud_etx, fraud_wdr, fraud_uuy, fraud_mly), + score = 2.12, + description = "3 'advance fee' patterns in a message", + group = 'body' +} + diff --git a/rules/regexp/headers.lua b/rules/regexp/headers.lua index b13274055..4aa89e46e 100644 --- a/rules/regexp/headers.lua +++ b/rules/regexp/headers.lua @@ -520,7 +520,12 @@ reconf['STOX_REPLY_TYPE'] = { -- Fake Verizon headers local fhelo_verizon = 'X-Spam-Relays-Untrusted=/^[^\\]]+ helo=[^ ]+verizon\\.net /iH' local fhost_verizon = 'X-Spam-Relays-Untrusted=/^[^\\]]+ rdns=[^ ]+verizon\\.net /iH' -reconf['FM_FAKE_HELO_VERIZON'] = string.format('(%s) & !(%s)', fhelo_verizon, fhost_verizon) +reconf['FM_FAKE_HELO_VERIZON'] = { + re = string.format('(%s) & !(%s)', fhelo_verizon, fhost_verizon), + score = 2.0, + description = 'Fake helo for verizon provider', + group = 'header' +} -- Forged yahoo msgid local at_yahoo_msgid = 'Message-Id=/\\@yahoo\\.com\\b/iH' diff --git a/rules/regexp/lotto.lua b/rules/regexp/lotto.lua index df0f2577a..03ebdb4ab 100644 --- a/rules/regexp/lotto.lua +++ b/rules/regexp/lotto.lua 
@@ -28,4 +28,9 @@ local kam_lotto3 = '/(won|claim|cash prize|pounds? sterling)/isrP' local kam_lotto4 = '/(claims (officer|agent)|lottery coordinator|fiduciary (officer|agent)|fiduaciary claims)/isrP' local kam_lotto5 = '/(freelotto group|Royal Heritage Lottery|UK National (Online)? Lottery|U\\.?K\\.? Grand Promotions|Lottery Department UK|Euromillion Loteria|Luckyday International Lottery|International Lottery)/isrP' local kam_lotto6 = '/(Dear Lucky Winner|Winning Notification|Attention:Winner|Dear Winner)/isrP' -reconf['R_LOTTO'] = string.format('((%s) | (%s) | (%s)) & (((%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s)) >= 3)', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], r_lotto_from, r_lotto_subject, r_lotto_body, kam_lotto1, kam_lotto2, kam_lotto3, kam_lotto4, kam_lotto5, kam_lotto6) +reconf['R_LOTTO'] = { + re = string.format('((%s) | (%s) | (%s)) & (((%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s)) >= 3)', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], r_lotto_from, r_lotto_subject, r_lotto_body, kam_lotto1, kam_lotto2, kam_lotto3, kam_lotto4, kam_lotto5, kam_lotto6), + score = 8.0, + description = 'Lotto signatures', + group = 'body' +} -- 2.39.5
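Review bot: The `kam_lotto5` context line contains `UK National (Online)? Lottery`, which requires two consecutive spaces when "Online" is absent, so the plain phrase "UK National Lottery" never matches that alternative; the flags are `isrP` with no extended mode, so both spaces are literal. This predates the commit, but the pattern is being folded into the new R_LOTTO table here, so `UK National (?:Online )?Lottery` would fix it in passing. If the two-space form is deliberate, a short comment saying so would stop the next reader from "fixing" it.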