
[Minor] Finish reworking rules

tags/1.4.0
Andrew Lewis 7 years ago
parent
commit
28866f6063
7 changed files with 148 additions and 178 deletions
  1. 0
    108
      conf/metrics.conf
  2. 6
    1
      rules/html.lua
  3. 81
    59
      rules/misc.lua
  4. 36
    6
      rules/regexp/drugs.lua
  5. 13
    2
      rules/regexp/fraud.lua
  6. 6
    1
      rules/regexp/headers.lua
  7. 6
    1
      rules/regexp/lotto.lua

+ 0
- 108
conf/metrics.conf View File

@@ -37,18 +37,6 @@ metric {
weight = 0.30;
description = "Sender is forged (different From: header and smtp MAIL FROM: addresses)";
}
symbol "MIME_HTML_ONLY" {
weight = 0.2;
description = "Messages that have only HTML part";
}
symbol "FM_FAKE_HELO_VERIZON" {
weight = 2.0;
description = "Fake helo for verizon provider";
}
symbol "MISSING_TO" {
weight = 2.0;
description = "To header is missing";
}
symbol "R_MIXED_CHARSET" {
weight = 5.0;
description = "Mixed characters in a message";
@@ -91,15 +79,6 @@ metric {

group "subject" {
max_score = 6.0;

symbol "LONG_SUBJ" {
weight = 6.0;
description = "Subject is too long";
}
symbol "SUBJ_ALL_CAPS" {
weight = 3.0;
description = "No lower case letters in subject";
}
}

group "mua" {
@@ -109,70 +88,6 @@ metric {
}
}

group "body" {
symbol "R_WHITE_ON_WHITE" {
weight = 4.0;
description = "White color on white background in HTML messages";
}
symbol "HTML_SHORT_LINK_IMG_1" {
weight = 3.0;
description = "Short html part with a link to an image";
}
symbol "HTML_SHORT_LINK_IMG_2" {
weight = 1.0;
description = "Short html part with a link to an image";
}
symbol "HTML_SHORT_LINK_IMG_3" {
weight = 0.5;
description = "Short html part with a link to an image";
}
symbol "R_PARTS_DIFFER" {
weight = 1.0;
description = "Text and HTML parts differ";
}

symbol "R_EMPTY_IMAGE" {
weight = 2.0;
description = "Message contains empty parts and image";
}
symbol "DRUGS_MANYKINDS" {
weight = 2.0;
description = "Drugs patterns inside message";
}
symbol "DRUGS_ANXIETY" {
weight = 2.0;
description = "";
}
symbol "DRUGS_MUSCLE" {
weight = 2.0;
description = "";
}
symbol "DRUGS_ANXIETY_EREC" {
weight = 2.0;
description = "";
}
symbol "DRUGS_DIET" {
weight = 2.0;
description = "";
}
symbol "DRUGS_ERECTILE" {
weight = 2.0;
description = "";
}
symbol "ADVANCE_FEE_2" {
weight = 3.300000;
description = "2 'advance fee' patterns in a message";
}
symbol "ADVANCE_FEE_3" {
weight = 2.120000;
description = "3 'advance fee' patterns in a message";
}
symbol "R_LOTTO" {
weight = 8.0;
description = "Lotto signatures";
}
}

group "rbl" {
symbol "DNSWL_BLOCKED" {
weight = 0.0;
@@ -577,22 +492,6 @@ metric {
}
}

group "date" {

symbol "DATE_IN_FUTURE" {
weight = 4.0;
description = "Message date is in future";
}
symbol "DATE_IN_PAST" {
weight = 1.0;
description = "Message date is in past";
}
symbol "MISSING_DATE" {
weight = 1.0;
description = "Message date is missing";
}
}

group "hfilter" {
symbol "HFILTER_HELO_BAREIP" {
weight = 3.00;
@@ -774,13 +673,6 @@ metric {
one_shot = true;
}
}
group "url" {
symbol "R_SUSPICIOUS_URL" {
weight = 6.0;
description = "Obfusicated or suspicious URL has been found in a message";
one_shot = true;
}
}

.include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/metrics.conf"
.include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/metrics.conf"

+ 6
- 1
rules/html.lua View File

@@ -18,7 +18,12 @@ local rspamd_regexp = require "rspamd_regexp"
local rspamd_logger = require "rspamd_logger"

-- Messages that have only HTML part
reconf['MIME_HTML_ONLY'] = 'has_only_html_part()'
reconf['MIME_HTML_ONLY'] = {
re = 'has_only_html_part()',
score = 0.2,
description = 'Messages that have only HTML part',
group = 'header'
}

local function check_html_image(task, min, max)
local tp = task:get_text_parts()

+ 81
- 59
rules/misc.lua View File

@@ -77,70 +77,87 @@ rspamd_config.LONG_SUBJ = {
}

-- Different text parts
rspamd_config.R_PARTS_DIFFER = function(task)
local distance = task:get_mempool():get_variable('parts_distance', 'double')

if distance then
local nd = tonumber(distance)
-- ND is relation of different words to total words
if nd >= 0.5 then
local tw = task:get_mempool():get_variable('total_words', 'int')

if tw then
local score
if tw > 30 then
-- We are confident about difference
score = (nd - 0.5) * 2.0
else
-- We are not so confident about difference
score = (nd - 0.5)
rspamd_config.R_PARTS_DIFFER = {
callback = function(task)
local distance = task:get_mempool():get_variable('parts_distance', 'double')

if distance then
local nd = tonumber(distance)
-- ND is relation of different words to total words
if nd >= 0.5 then
local tw = task:get_mempool():get_variable('total_words', 'int')

if tw then
local score
if tw > 30 then
-- We are confident about difference
score = (nd - 0.5) * 2.0
else
-- We are not so confident about difference
score = (nd - 0.5)
end
task:insert_result('R_PARTS_DIFFER', score,
string.format('%.1f%%', tostring(100.0 * nd)))
end
task:insert_result('R_PARTS_DIFFER', score,
string.format('%.1f%%', tostring(100.0 * nd)))
end
end
end

return false
end
return false
end,
score = 1.0,
description = 'Text and HTML parts differ',
group = 'body'
}

-- Date issues
rspamd_config.MISSING_DATE = function(task)
if rspamd_config:get_api_version() >= 5 then
local date = task:get_header_raw('Date')
if date == nil or date == '' then
return true
end
end

return false
end
rspamd_config.DATE_IN_FUTURE = function(task)
if rspamd_config:get_api_version() >= 5 then
local dm = task:get_date{format = 'message'}
local dt = task:get_date{format = 'connect'}
-- An 2 hour
if dm > 0 and dm - dt > 7200 then
return true
end
end

return false
end
rspamd_config.DATE_IN_PAST = function(task)
if rspamd_config:get_api_version() >= 5 then
local dm = task:get_date{format = 'message', gmt = true}
local dt = task:get_date{format = 'connect', gmt = true}
-- A day
if dm > 0 and dt - dm > 86400 then
return true
end
end

return false
end
rspamd_config.MISSING_DATE = {
callback = function(task)
if rspamd_config:get_api_version() >= 5 then
local date = task:get_header_raw('Date')
if date == nil or date == '' then
return true
end
end
return false
end,
score = 1.0,
description = 'Message date is missing',
group = 'date'
}
rspamd_config.DATE_IN_FUTURE = {
callback = function(task)
if rspamd_config:get_api_version() >= 5 then
local dm = task:get_date{format = 'message'}
local dt = task:get_date{format = 'connect'}
-- 2 hours
if dm > 0 and dm - dt > 7200 then
return true
end
end
return false
end,
score = 4.0,
description = 'Message date is in future',
group = 'date'
}
rspamd_config.DATE_IN_PAST = {
callback = function(task)
if rspamd_config:get_api_version() >= 5 then
local dm = task:get_date{format = 'message', gmt = true}
local dt = task:get_date{format = 'connect', gmt = true}
-- A day
if dm > 0 and dt - dm > 86400 then
return true
end
end
return false
end,
score = 1.0,
description = 'Message date is in past',
group = 'date'
}

rspamd_config.R_SUSPICIOUS_URL = function(task)
rspamd_config.R_SUSPICIOUS_URL = {
callback = function(task)
local urls = task:get_urls()

if urls then
@@ -151,7 +168,12 @@ rspamd_config.R_SUSPICIOUS_URL = function(task)
end
end
return false
end
end,
score = 6.0,
one_shot = true,
description = 'Obfusicated or suspicious URL has been found in a message',
group = 'url'
}

rspamd_config.BROKEN_HEADERS = {
callback = function(task)
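Review bot: In R_PARTS_DIFFER's callback the option text is built with `string.format('%.1f%%', tostring(100.0 * nd))`, which hands `%.1f` a string and relies on Lua's implicit string-to-number coercion to work; `string.format('%.1f%%', 100.0 * nd)` expresses the same thing without the round trip. The same callback inserts the symbol with `score = 0` when `nd` is exactly 0.5, because both branches compute `(nd - 0.5)`; if a zero-weight hit is not wanted, `if score > 0 then task:insert_result(...) end` avoids it. Separately, DATE_IN_FUTURE takes both dates without `gmt = true` while DATE_IN_PAST passes it for both — the subtraction is unaffected since each rule reads both values with the same options, but using one form in both rules spares the next reader the question. R_SUSPICIOUS_URL's callback body continues between the two hunks and is not visible here.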

+ 36
- 6
rules/regexp/drugs.lua View File

@@ -31,7 +31,12 @@ local drugs_diet7 = '/\\b_{0,3}t[_\\W]?[e3\\xE8-\\xEB][_\\W]?n[_\\W]?u[_\\W]?a[_
local drugs_diet8 = '/\\b_{0,3}d[_\\W]?[i1!|l\\xEC-\\xEF][_\\W]?d[_\\W]?r[_\\W][e3\\xE8-\\xEB[_\\W]?xx?_{0,3}\\b/irP'
local drugs_diet9 = '/\\b_{0,3}a[_\\W]?d[_\\W]?[i1!|l\\xEC-\\xEF][_\\W]?p[_\\W]?[e3\\xE8-\\xEB][_\\W]?x_{0,3}\\b/irP'
local drugs_diet10 = '/\\b_{0,3}x?x[_\\W]?[e3\\xE8-\\xEB][_\\W]?n[_\\W]?[i1!|l\\xEC-\\xEF][_\\W]?c[_\\W]?[a4\\xE0-\\xE6@][_\\W]?l_{0,3}\\b/irP'
reconf['DRUGS_DIET'] = string.format('((%s) | (%s) | (%s)) & ((%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s))', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], drugs_diet1, drugs_diet2, drugs_diet3, drugs_diet4, drugs_diet5, drugs_diet6, drugs_diet7, drugs_diet8, drugs_diet9, drugs_diet10)
reconf['DRUGS_DIET'] = {
re = string.format('((%s) | (%s) | (%s)) & ((%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s))', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], drugs_diet1, drugs_diet2, drugs_diet3, drugs_diet4, drugs_diet5, drugs_diet6, drugs_diet7, drugs_diet8, drugs_diet9, drugs_diet10),
score = 2.0,
description = 'Drugs pattern in body',
group = 'body'
}
local drugs_erectile1 = '/(?:\\b|\\s)[_\\W]{0,3}(?:\\\\\\/|V)[_\\W]{0,3}[ij1!|l\\xEC\\xED\\xEE\\xEF][_\\W]{0,3}[a40\\xE0-\\xE6@][_\\W]{0,3}[xyz]?[gj][_\\W]{0,3}r[_\\W]{0,3}[a40\\xE0-\\xE6@][_\\W]{0,3}x?[_\\W]{0,3}(?:\\b|\\s)/irP'
local drugs_erectile2 = '/\\bV(?:agira|igara|iaggra|iaegra)\\b/irP'
local drugs_erectile3 = '/(?:\\A|[\\s\\x00-\\x2f\\x3a-\\x40\\x5b-\\x60\\x7b-\\x7f])[_\\W]{0,3}C[_\\W]{0,3}[ij1!|l\\xEC\\xED\\xEE\\xEF][_\\W]{0,3}[a4\\xE0-\\xE6@][_\\W]{0,3}l?[l!|1][_\\W]{0,3}[i1!|l\\xEC-\\xEF][_\\W]{0,3}s[_\\W]{0,3}(?:\\b|\\s)/irP'
@@ -41,7 +46,12 @@ local drugs_erectile6 = '/\\b_{0,3}L[_\\W]?[e3\\xE8-\\xEB][_\\W]?(?:\\\\\\/|V)[_
local drugs_erectile8 = '/\\b_{0,3}T[_\\W]?[a4\\xE0-\\xE6@][_\\W]?d[_\\W]?[a4\\xE0-\\xE6@][_\\W]?l[_\\W]?[a4\\xE0-\\xE6@][_\\W]?f[_\\W]?[i1!|l\\xEC-\\xEF][_\\W]?l_{0,3}\\b/irP'
local drugs_erectile10 = '/\\b_{0,3}V[_\\W]?(?:i|\\&iuml\\;)[_\\W]?(?:a|\\&agrave|\\&aring)\\;?[_\\W]?g[_\\W]?r[_\\W]?(?:a|\\&agrave|\\&aring)\\b/irP'
local drugs_erectile11 = '/(?:\\b|\\s)_{0,3}[a4\\xE0-\\xE6@][_\\W]{0,3}p[_\\W]{0,3}c[_\\W]{0,3}[a4\\xE0-\\xE6@][_\\W]{0,3}[l!|1][_\\W]{0,3}[i1!|l\\xEC-\\xEF][_\\W]{0,3}s_{0,3}\\b/irP'
reconf['DRUGS_ERECTILE'] = string.format('((%s) | (%s) | (%s)) & ((%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s))', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], drugs_erectile1, drugs_erectile2, drugs_erectile3, drugs_erectile4, drugs_erectile5, drugs_erectile6, drugs_erectile8, drugs_erectile10, drugs_erectile11)
reconf['DRUGS_ERECTILE'] = {
re = string.format('((%s) | (%s) | (%s)) & ((%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s))', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], drugs_erectile1, drugs_erectile2, drugs_erectile3, drugs_erectile4, drugs_erectile5, drugs_erectile6, drugs_erectile8, drugs_erectile10, drugs_erectile11),
score = 2.0,
description = 'Drugs pattern in body',
group = 'body'
}
local drugs_anxiety1 = '/(?:\\b|\\s)[_\\W]{0,3}x?x[_\\W]{0,3}[a4\\xE0-\\xE6@][_\\W]{0,3}n[_\\W]{0,3}[ea4\\xE1\\xE2\\xE3@][_\\W]{0,3}xx?_{0,3}\\b/irP'
local drugs_anxiety2 = '/\\bAlprazolam\\b/irP'
local drugs_anxiety3 = '/(?:\\b|\\s)[_\\W]{0,3}(?:\\\\\\/|V)[_\\W]{0,3}[a4\\xE0-\\xE6@][_\\W]{0,3}[l|][_\\W]{0,3}[i1!|l\\xEC-\\xEF][_\\W]{0,3}[u\\xB5\\xF9-\\xFC][_\\W]{0,3}m\\b/irP'
@@ -51,8 +61,18 @@ local drugs_anxiety6 = '/\\b_{0,3}l[_\\W]?[o0\\xF2-\\xF6][_\\W]?r[_\\W]?[a4\\xE0
local drugs_anxiety7 = '/\\b_{0,3}c[_\\W]?l[_\\W]?[o0\\xF2-\\xF6][_\\W]?n[_\\W]?[a4\\xE0-\\xE6@][_\\W]?z[_\\W]?e[_\\W]?p[_\\W]?[a4\\xE0-\\xE6@][_\\W]?m\\b/irP'
local drugs_anxiety8 = '/\\bklonopin\\b/irP'
local drugs_anxiety9 = '/\\brivotril\\b/irP'
reconf['DRUGS_ANXIETY'] = string.format('((%s) | (%s) | (%s)) & ((%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s))', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], drugs_anxiety1, drugs_anxiety2, drugs_anxiety3, drugs_anxiety4, drugs_anxiety5, drugs_anxiety6, drugs_anxiety7, drugs_anxiety8, drugs_anxiety9)
reconf['DRUGS_ANXIETY_EREC'] = string.format('(%s) & (%s)', reconf['DRUGS_ERECTILE'], reconf['DRUGS_ANXIETY'])
reconf['DRUGS_ANXIETY'] = {
re = string.format('((%s) | (%s) | (%s)) & ((%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s))', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], drugs_anxiety1, drugs_anxiety2, drugs_anxiety3, drugs_anxiety4, drugs_anxiety5, drugs_anxiety6, drugs_anxiety7, drugs_anxiety8, drugs_anxiety9),
score = 2.0,
description = 'Drugs pattern in body',
group = 'body'
}
reconf['DRUGS_ANXIETY_EREC'] = {
re = string.format('(%s) & (%s)', reconf['DRUGS_ERECTILE']['re'], reconf['DRUGS_ANXIETY']['re']),
score = 2.0,
description = 'Drugs pattern in body',
group = 'body'
}
local drugs_pain1 = '/\\b_{0,3}h[_\\W]?y[_\\W]?d[_\\W]?r[_\\W]?[o0\\xF2-\\xF6][_\\W]?c[_\\W]?[o0\\xF2-\\xF6][_\\W]?d[_\\W]?[o0\\xF2-\\xF6][_\\W]?n[_\\W]?e_{0,3}\\b/irP'
local drugs_pain2 = '/\\b_{0,3}c[o0\\xF2-\\xF6]deine_{0,3}\\b/irP'
local drugs_pain3 = '/(?:\\b|\\s)[_\\W]{0,3}[u\\xB5\\xF9-\\xFC][_\\W]{0,3}l[_\\W]{0,3}t[_\\W]{0,3}r[_\\W]{0,3}[a4\\xE0-\\xE6@][_\\W]{0,3}m_{0,3}\\b/irP'
@@ -78,6 +98,16 @@ local drugs_muscle2 = '/\\b_{0,3}cycl[o0\\xF2-\\xF6]b[e3\\xE8-\\xEB]nz[a4\\xE0-\
local drugs_muscle3 = '/\\b_{0,3}f[_\\W]?l[_\\W]?[e3\\xE8-\\xEB][_\\W]?x[_\\W]?[e3\\xE8-\\xEB][_\\W]?r[_\\W]?[i1!|l\\xEC-\\xEF]_{0,3}[_\\W]?l_{0,3}\\b/irP'
local drugs_muscle4 = '/\\b_{0,3}z[_\\W]?a[_\\W]?n[_\\W]?a[_\\W]?f[_\\W]?l[_\\W]?e[_\\W]?x_{0,3}\\b/irP'
local drugs_muscle5 = '/\\bskelaxin\\b/irP'
reconf['DRUGS_MUSCLE'] = string.format('((%s) | (%s) | (%s)) & ((%s) | (%s) | (%s) | (%s) | (%s))', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], drugs_muscle1, drugs_muscle2, drugs_muscle3, drugs_muscle4, drugs_muscle5)
reconf['DRUGS_MANYKINDS'] = string.format('((%s) | (%s) | (%s)) & ((%s) + (%s) + (%s) + (%s) + (%s) + (%s) >= 3)', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], reconf['DRUGS_ERECTILE'], reconf['DRUGS_DIET'], drugs_pain, drugs_sleep, reconf['DRUGS_MUSCLE'], reconf['DRUGS_ANXIETY'])
reconf['DRUGS_MUSCLE'] = {
re = string.format('((%s) | (%s) | (%s)) & ((%s) | (%s) | (%s) | (%s) | (%s))', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], drugs_muscle1, drugs_muscle2, drugs_muscle3, drugs_muscle4, drugs_muscle5),
score = 2.0,
description = 'Drugs pattern in body',
group = 'body'
}
reconf['DRUGS_MANYKINDS'] = {
re = string.format('((%s) | (%s) | (%s)) & ((%s) + (%s) + (%s) + (%s) + (%s) + (%s) >= 3)', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], reconf['DRUGS_ERECTILE']['re'], reconf['DRUGS_DIET']['re'], drugs_pain, drugs_sleep, reconf['DRUGS_MUSCLE']['re'], reconf['DRUGS_ANXIETY']['re']),
score = 2.0,
description = 'Drugs pattern in body',
group = 'body'
}
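Review bot: The drugs_diet8 context line near the top of the first hunk looks to contain an unterminated character class, `[e3\\xE8-\\xEB[_\\W]?xx?` — PCRE takes the inner `[` as a class member, the `?` then applies to that whole class, and the preceding `r[_\\W]` has no `?` at all, so the plain spelling of the word cannot match and DRUGS_DIET silently loses one of its ten patterns. Going by drugs_diet9 on the next line, the intended tail is probably `r[_\\W]?[e3\\xE8-\\xEB][_\\W]?xx?_{0,3}\\b/irP'`. Also, every DRUGS_* symbol now carries the identical description `'Drugs pattern in body'`, which says less than the symbol names do; per-symbol wording such as `'Diet drug patterns in body'` or `'Erectile and anxiety drug patterns in body'` would make the symbol list self-explaining.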


+ 13
- 2
rules/regexp/fraud.lua View File

@@ -70,5 +70,16 @@ local fraud_yqv = '/nigerian? (?:national|government)/irP'
local fraud_yja = '/over-invoice/irP'
local fraud_ypo = '/the total sum/irP'
local fraud_uoq = '/vital documents/irP'
reconf['ADVANCE_FEE_2'] = string.format('((%s) | (%s) | (%s)) & ((%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) >= 2)', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], fraud_kjv, fraud_irj, fraud_neb, fraud_xjr, fraud_ezy, fraud_zfj, fraud_kdt, fraud_bgp, fraud_fbi, fraud_jbu, fraud_jyg, fraud_xvw, fraud_snt, fraud_ltx, fraud_mcq, fraud_pvn, fraud_fvu, fraud_ckf, fraud_fcw, fraud_mqo, fraud_tcc, fraud_gbw, fraud_nrg, fraud_rlx, fraud_axf, fraud_thj, fraud_yqv, fraud_yja, fraud_ypo, fraud_uoq, fraud_dbi, fraud_bep, fraud_dpr, fraud_qxx, fraud_qfy, fraud_pts, fraud_tdp, fraud_gan, fraud_ipk, fraud_aon, fraud_wny, fraud_aum, fraud_wfc, fraud_yww, fraud_ulk, fraud_iou, fraud_jnb, fraud_irt, fraud_etx, fraud_wdr, fraud_uuy, fraud_mly)
reconf['ADVANCE_FEE_3'] = string.format('((%s) | (%s) | (%s)) & ((%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) >= 3)', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], fraud_kjv, fraud_irj, fraud_neb, fraud_xjr, fraud_ezy, fraud_zfj, fraud_kdt, fraud_bgp, fraud_fbi, fraud_jbu, fraud_jyg, fraud_xvw, fraud_snt, fraud_ltx, fraud_mcq, fraud_pvn, fraud_fvu, fraud_ckf, fraud_fcw, fraud_mqo, fraud_tcc, fraud_gbw, fraud_nrg, fraud_rlx, fraud_axf, fraud_thj, fraud_yqv, fraud_yja, fraud_ypo, fraud_uoq, fraud_dbi, fraud_bep, fraud_dpr, fraud_qxx, fraud_qfy, fraud_pts, fraud_tdp, fraud_gan, fraud_ipk, fraud_aon, fraud_wny, fraud_aum, fraud_wfc, fraud_yww, fraud_ulk, fraud_iou, fraud_jnb, fraud_irt, fraud_etx, fraud_wdr, fraud_uuy, fraud_mly)
reconf['ADVANCE_FEE_2'] = {
re = string.format('((%s) | (%s) | (%s)) & ((%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) >= 2)', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], fraud_kjv, fraud_irj, fraud_neb, fraud_xjr, fraud_ezy, fraud_zfj, fraud_kdt, fraud_bgp, fraud_fbi, fraud_jbu, fraud_jyg, fraud_xvw, fraud_snt, fraud_ltx, fraud_mcq, fraud_pvn, fraud_fvu, fraud_ckf, fraud_fcw, fraud_mqo, fraud_tcc, fraud_gbw, fraud_nrg, fraud_rlx, fraud_axf, fraud_thj, fraud_yqv, fraud_yja, fraud_ypo, fraud_uoq, fraud_dbi, fraud_bep, fraud_dpr, fraud_qxx, fraud_qfy, fraud_pts, fraud_tdp, fraud_gan, fraud_ipk, fraud_aon, fraud_wny, fraud_aum, fraud_wfc, fraud_yww, fraud_ulk, fraud_iou, fraud_jnb, fraud_irt, fraud_etx, fraud_wdr, fraud_uuy, fraud_mly),
score = 3.3,
description = "2 'advance fee' patterns in a message",
group = 'body'
}
reconf['ADVANCE_FEE_3'] = {
re = string.format('((%s) | (%s) | (%s)) & ((%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) >= 3)', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], fraud_kjv, fraud_irj, fraud_neb, fraud_xjr, fraud_ezy, fraud_zfj, fraud_kdt, fraud_bgp, fraud_fbi, fraud_jbu, fraud_jyg, fraud_xvw, fraud_snt, fraud_ltx, fraud_mcq, fraud_pvn, fraud_fvu, fraud_ckf, fraud_fcw, fraud_mqo, fraud_tcc, fraud_gbw, fraud_nrg, fraud_rlx, fraud_axf, fraud_thj, fraud_yqv, fraud_yja, fraud_ypo, fraud_uoq, fraud_dbi, fraud_bep, fraud_dpr, fraud_qxx, fraud_qfy, fraud_pts, fraud_tdp, fraud_gan, fraud_ipk, fraud_aon, fraud_wny, fraud_aum, fraud_wfc, fraud_yww, fraud_ulk, fraud_iou, fraud_jnb, fraud_irt, fraud_etx, fraud_wdr, fraud_uuy, fraud_mly),
score = 2.12,
description = "3 'advance fee' patterns in a message",
group = 'body'
}
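Review bot: ADVANCE_FEE_2 and ADVANCE_FEE_3 repeat the same 52-pattern sum verbatim inside two `string.format` calls, differing only in `>= 2` versus `>= 3`; any future edit to the pattern list has to be made twice and the two copies can silently diverge. Building the sum once, `local fraud_sum = string.format('(%s) + (%s) + ... + (%s)', fraud_kjv, ..., fraud_mly)`, and then `re = string.format('((%s) | (%s) | (%s)) & (%s >= 2)', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], fraud_sum)` keeps a single copy. Note also that any message firing ADVANCE_FEE_3 necessarily fires ADVANCE_FEE_2 as well, so the effective score at three patterns is 3.3 + 2.12; descriptions of `"at least 2 'advance fee' patterns"` / `"at least 3 ..."` would make that additive design visible.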


+ 6
- 1
rules/regexp/headers.lua View File

@@ -520,7 +520,12 @@ reconf['STOX_REPLY_TYPE'] = {
-- Fake Verizon headers
local fhelo_verizon = 'X-Spam-Relays-Untrusted=/^[^\\]]+ helo=[^ ]+verizon\\.net /iH'
local fhost_verizon = 'X-Spam-Relays-Untrusted=/^[^\\]]+ rdns=[^ ]+verizon\\.net /iH'
reconf['FM_FAKE_HELO_VERIZON'] = string.format('(%s) & !(%s)', fhelo_verizon, fhost_verizon)
reconf['FM_FAKE_HELO_VERIZON'] = {
re = string.format('(%s) & !(%s)', fhelo_verizon, fhost_verizon),
score = 2.0,
description = 'Fake helo for verizon provider',
group = 'header'
}

-- Forged yahoo msgid
local at_yahoo_msgid = 'Message-Id=/\\@yahoo\\.com\\b/iH'
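Review bot: The rdns exemption in fhost_verizon, `rdns=[^ ]+verizon\\.net `, is a substring test rather than a domain test: any reverse name that merely ends in the letters "verizon.net" (say `notverizon.net`) suppresses FM_FAKE_HELO_VERIZON, and since the exemption is what switches the rule off it is the side that deserves the strict match. `rdns=(?:[^ ]+\\.)?verizon\\.net ` limits it to verizon.net and its subdomains; the helo side can stay loose, or become `helo=[^ ]*verizon\\.net ` so that a bare `helo=verizon.net`, which `[^ ]+` cannot currently match, is caught too. Both patterns read the SpamAssassin-style X-Spam-Relays-Untrusted pseudo-header; presumably something upstream synthesizes it for the regexp module, otherwise this rule can never fire — worth confirming.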

+ 6
- 1
rules/regexp/lotto.lua View File

@@ -28,4 +28,9 @@ local kam_lotto3 = '/(won|claim|cash prize|pounds? sterling)/isrP'
local kam_lotto4 = '/(claims (officer|agent)|lottery coordinator|fiduciary (officer|agent)|fiduaciary claims)/isrP'
local kam_lotto5 = '/(freelotto group|Royal Heritage Lottery|UK National (Online)? Lottery|U\\.?K\\.? Grand Promotions|Lottery Department UK|Euromillion Loteria|Luckyday International Lottery|International Lottery)/isrP'
local kam_lotto6 = '/(Dear Lucky Winner|Winning Notification|Attention:Winner|Dear Winner)/isrP'
reconf['R_LOTTO'] = string.format('((%s) | (%s) | (%s)) & (((%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s)) >= 3)', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], r_lotto_from, r_lotto_subject, r_lotto_body, kam_lotto1, kam_lotto2, kam_lotto3, kam_lotto4, kam_lotto5, kam_lotto6)
reconf['R_LOTTO'] = {
re = string.format('((%s) | (%s) | (%s)) & (((%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s)) >= 3)', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], r_lotto_from, r_lotto_subject, r_lotto_body, kam_lotto1, kam_lotto2, kam_lotto3, kam_lotto4, kam_lotto5, kam_lotto6),
score = 8.0,
description = 'Lotto signatures',
group = 'body'
}
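Review bot: kam_lotto3, `/(won|claim|cash prize|pounds? sterling)/isrP`, has no word boundaries, so `claim` fires on every "disclaimer" footer and `won` on "wonder" or "wont"; with R_LOTTO scored at 8.0 and only three of nine hits required, a legitimate bulk mailing with a legal footer is a couple of loose hits away from a large slice of whatever reject threshold is in use. `/\\b(won|claim|cash prize|pounds? sterling)\\b/isrP` keeps the intended matches and drops the accidental ones. The same boundary check is worth a glance at kam_lotto6 (`Dear Winner` also matches "Dear Winnerton"), though its multi-word alternatives make the risk lower. r_lotto_from, r_lotto_subject and r_lotto_body are defined above the hunk and are not visible here.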
