|
|
@@ -30,6 +30,7 @@ local subject_needs_mime = 'Subject=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xf |
|
|
|
reconf['SUBJECT_NEEDS_ENCODING'] = { |
|
|
|
re = string.format('!(%s) & !(%s) & (%s)', subject_encoded_b64, subject_encoded_qp, subject_needs_mime), |
|
|
|
score = 1.0, |
|
|
|
mime_only = true, |
|
|
|
description = 'Subject needs encoding', |
|
|
|
group = 'headers' |
|
|
|
} |
|
|
@@ -40,6 +41,7 @@ local raw_from_needs_mime = 'From=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff] |
|
|
|
reconf['FROM_NEEDS_ENCODING'] = { |
|
|
|
re = string.format('!(%s) & !(%s) & (%s)', from_encoded_b64, from_encoded_qp, raw_from_needs_mime), |
|
|
|
score = 1.0, |
|
|
|
mime_only = true, |
|
|
|
description = 'From header needs encoding', |
|
|
|
group = 'headers' |
|
|
|
} |
|
|
@@ -50,6 +52,7 @@ local raw_to_needs_mime = 'To=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/X' |
|
|
|
reconf['TO_NEEDS_ENCODING'] = { |
|
|
|
re = string.format('!(%s) & !(%s) & (%s)', to_encoded_b64, to_encoded_qp, raw_to_needs_mime), |
|
|
|
score = 1.0, |
|
|
|
mime_only = true, |
|
|
|
description = 'To header needs encoding', |
|
|
|
group = 'headers' |
|
|
|
} |
|
|
@@ -58,6 +61,7 @@ reconf['TO_NEEDS_ENCODING'] = { |
|
|
|
reconf['R_NO_SPACE_IN_FROM'] = { |
|
|
|
re = 'From=/\\S<[-\\w\\.]+\\@[-\\w\\.]+>/X', |
|
|
|
score = 1.0, |
|
|
|
mime_only = true, |
|
|
|
description = 'No space in from header', |
|
|
|
group = 'headers' |
|
|
|
} |
|
|
@@ -65,6 +69,7 @@ reconf['R_NO_SPACE_IN_FROM'] = { |
|
|
|
reconf['TO_WRAPPED_IN_SPACES'] = { |
|
|
|
re = [[To=/<\s[-.\w]+\@[-.\w]+\s>/X]], |
|
|
|
score = 2.0, |
|
|
|
mime_only = true, |
|
|
|
description = 'To address is wrapped in spaces inside angle brackets (e.g. display-name < local-part@domain >)', |
|
|
|
group = 'headers' |
|
|
|
} |
|
|
@@ -73,12 +78,14 @@ reconf['TO_WRAPPED_IN_SPACES'] = { |
|
|
|
reconf['MISSING_SUBJECT'] = { |
|
|
|
re = '!raw_header_exists(Subject)', |
|
|
|
score = 2.0, |
|
|
|
mime_only = true, |
|
|
|
description = 'Subject header is missing', |
|
|
|
group = 'headers' |
|
|
|
} |
|
|
|
|
|
|
|
rspamd_config.EMPTY_SUBJECT = { |
|
|
|
score = 1.0, |
|
|
|
mime_only = true, |
|
|
|
description = 'Subject header is empty', |
|
|
|
group = 'headers', |
|
|
|
callback = function(task) |
|
|
@@ -95,7 +102,8 @@ reconf['MISSING_TO'] = { |
|
|
|
re = '!raw_header_exists(To)', |
|
|
|
score = 2.0, |
|
|
|
description = 'To header is missing', |
|
|
|
group = 'headers' |
|
|
|
group = 'headers', |
|
|
|
mime_only = true, |
|
|
|
} |
|
|
|
|
|
|
|
-- Detects undisclosed recipients |
|
|
@@ -104,7 +112,8 @@ reconf['R_UNDISC_RCPT'] = { |
|
|
|
re = string.format('(%s)', undisc_rcpt), |
|
|
|
score = 3.0, |
|
|
|
description = 'Recipients are absent or undisclosed', |
|
|
|
group = 'headers' |
|
|
|
group = 'headers', |
|
|
|
mime_only = true, |
|
|
|
} |
|
|
|
|
|
|
|
-- Detects missing Message-Id |
|
|
@@ -113,7 +122,8 @@ reconf['MISSING_MID'] = { |
|
|
|
re = '!header_exists(Message-Id)', |
|
|
|
score = 2.5, |
|
|
|
description = 'Message id is missing', |
|
|
|
group = 'headers' |
|
|
|
group = 'headers', |
|
|
|
mime_only = true, |
|
|
|
} |
|
|
|
|
|
|
|
-- Received seems to be fake |
|
|
@@ -122,7 +132,8 @@ reconf['R_RCVD_SPAMBOTS'] = { |
|
|
|
' [\\s\\d]?\\d [JFMAJSOND][a-z][a-z] \\d{4} \\d{2}:\\d{2}:\\d{2} [-+]\\d{4}$/mH', |
|
|
|
score = 3.0, |
|
|
|
description = 'Spambots signatures in received headers', |
|
|
|
group = 'headers' |
|
|
|
group = 'headers', |
|
|
|
mime_only = true, |
|
|
|
} |
|
|
|
|
|
|
|
-- Charset is missing in message |
|
|
@@ -131,7 +142,8 @@ reconf['R_MISSING_CHARSET'] = { |
|
|
|
'compare_transfer_encoding(7bit)'), |
|
|
|
score = 2.5, |
|
|
|
description = 'Charset is missing in a message', |
|
|
|
group = 'headers' |
|
|
|
group = 'headers', |
|
|
|
mime_only = true, |
|
|
|
} |
|
|
|
|
|
|
|
-- Subject seems to be spam |
|
|
@@ -139,7 +151,8 @@ reconf['R_SAJDING'] = { |
|
|
|
re = 'Subject=/\\bsajding(?:om|a)?\\b/iH', |
|
|
|
score = 8.0, |
|
|
|
description = 'Subject seems to be spam', |
|
|
|
group = 'headers' |
|
|
|
group = 'headers', |
|
|
|
mime_only = true, |
|
|
|
} |
|
|
|
|
|
|
|
-- Find forged Outlook MUA |
|
|
@@ -152,7 +165,8 @@ reconf['FORGED_OUTLOOK_HTML'] = { |
|
|
|
re = string.format('!%s & %s & %s', yahoo_bulk, outlook_mua, 'has_only_html_part()'), |
|
|
|
score = 5.0, |
|
|
|
description = 'Forged outlook HTML signature', |
|
|
|
group = 'headers' |
|
|
|
group = 'headers', |
|
|
|
mime_only = true, |
|
|
|
} |
|
|
|
|
|
|
|
-- Recipients seems to be likely with each other (only works when recipients count is more than 5 recipients) |
|
|
@@ -160,7 +174,8 @@ reconf['SUSPICIOUS_RECIPS'] = { |
|
|
|
re = 'compare_recipients_distance(0.65)', |
|
|
|
score = 1.5, |
|
|
|
description = 'Recipients seems to be autogenerated (works if recipients count is more than 5)', |
|
|
|
group = 'headers' |
|
|
|
group = 'headers', |
|
|
|
mime_only = true, |
|
|
|
} |
|
|
|
|
|
|
|
-- Recipients list seems to be sorted |
|
|
@@ -168,7 +183,8 @@ reconf['SORTED_RECIPS'] = { |
|
|
|
re = 'is_recipients_sorted()', |
|
|
|
score = 3.5, |
|
|
|
description = 'Recipients list seems to be sorted', |
|
|
|
group = 'headers' |
|
|
|
group = 'headers', |
|
|
|
mime_only = true, |
|
|
|
} |
|
|
|
|
|
|
|
-- Spam string at the end of message to make statistics faults |
|
|
@@ -176,7 +192,8 @@ reconf['TRACKER_ID'] = { |
|
|
|
re = '/^[a-z0-9]{6,24}[-_a-z0-9]{12,36}[a-z0-9]{6,24}\\s*\\z/isPr', |
|
|
|
score = 3.84, |
|
|
|
description = 'Spam string at the end of message to make statistics fault', |
|
|
|
group = 'headers' |
|
|
|
group = 'headers', |
|
|
|
mime_only = true, |
|
|
|
} |
|
|
|
|
|
|
|
-- From contains only 7bit characters (parsed headers are used) |
|
|
@@ -186,7 +203,8 @@ reconf['FROM_EXCESS_BASE64'] = { |
|
|
|
re = string.format('%s & !%s', from_encoded_b64, from_needs_mime), |
|
|
|
score = 1.5, |
|
|
|
description = 'From that contains encoded characters while base 64 is not needed as all symbols are 7bit', |
|
|
|
group = 'excessb64' |
|
|
|
group = 'excessb64', |
|
|
|
mime_only = true, |
|
|
|
} |
|
|
|
|
|
|
|
-- From that contains encoded characters while quoted-printable is not needed as all symbols are 7bit |