Vsevolod Stakhov
5 years ago
2 changed files with 44 additions and 16 deletions
+ 29
- 11
rules/regexp/headers.lua
View File
| @@ -30,6 +30,7 @@ local subject_needs_mime = 'Subject=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xf | |||
| reconf['SUBJECT_NEEDS_ENCODING'] = { | |||
| re = string.format('!(%s) & !(%s) & (%s)', subject_encoded_b64, subject_encoded_qp, subject_needs_mime), | |||
| score = 1.0, | |||
| mime_only = true, | |||
| description = 'Subject needs encoding', | |||
| group = 'headers' | |||
| } | |||
| @@ -40,6 +41,7 @@ local raw_from_needs_mime = 'From=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff] | |||
| reconf['FROM_NEEDS_ENCODING'] = { | |||
| re = string.format('!(%s) & !(%s) & (%s)', from_encoded_b64, from_encoded_qp, raw_from_needs_mime), | |||
| score = 1.0, | |||
| mime_only = true, | |||
| description = 'From header needs encoding', | |||
| group = 'headers' | |||
| } | |||
| @@ -50,6 +52,7 @@ local raw_to_needs_mime = 'To=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/X' | |||
| reconf['TO_NEEDS_ENCODING'] = { | |||
| re = string.format('!(%s) & !(%s) & (%s)', to_encoded_b64, to_encoded_qp, raw_to_needs_mime), | |||
| score = 1.0, | |||
| mime_only = true, | |||
| description = 'To header needs encoding', | |||
| group = 'headers' | |||
| } | |||
| @@ -58,6 +61,7 @@ reconf['TO_NEEDS_ENCODING'] = { | |||
| reconf['R_NO_SPACE_IN_FROM'] = { | |||
| re = 'From=/\\S<[-\\w\\.]+\\@[-\\w\\.]+>/X', | |||
| score = 1.0, | |||
| mime_only = true, | |||
| description = 'No space in from header', | |||
| group = 'headers' | |||
| } | |||
| @@ -65,6 +69,7 @@ reconf['R_NO_SPACE_IN_FROM'] = { | |||
| reconf['TO_WRAPPED_IN_SPACES'] = { | |||
| re = [[To=/<\s[-.\w]+\@[-.\w]+\s>/X]], | |||
| score = 2.0, | |||
| mime_only = true, | |||
| description = 'To address is wrapped in spaces inside angle brackets (e.g. display-name < local-part@domain >)', | |||
| group = 'headers' | |||
| } | |||
| @@ -73,12 +78,14 @@ reconf['TO_WRAPPED_IN_SPACES'] = { | |||
| reconf['MISSING_SUBJECT'] = { | |||
| re = '!raw_header_exists(Subject)', | |||
| score = 2.0, | |||
| mime_only = true, | |||
| description = 'Subject header is missing', | |||
| group = 'headers' | |||
| } | |||
| rspamd_config.EMPTY_SUBJECT = { | |||
| score = 1.0, | |||
| mime_only = true, | |||
| description = 'Subject header is empty', | |||
| group = 'headers', | |||
| callback = function(task) | |||
| @@ -95,7 +102,8 @@ reconf['MISSING_TO'] = { | |||
| re = '!raw_header_exists(To)', | |||
| score = 2.0, | |||
| description = 'To header is missing', | |||
| group = 'headers' | |||
| group = 'headers', | |||
| mime_only = true, | |||
| } | |||
| -- Detects undisclosed recipients | |||
| @@ -104,7 +112,8 @@ reconf['R_UNDISC_RCPT'] = { | |||
| re = string.format('(%s)', undisc_rcpt), | |||
| score = 3.0, | |||
| description = 'Recipients are absent or undisclosed', | |||
| group = 'headers' | |||
| group = 'headers', | |||
| mime_only = true, | |||
| } | |||
| -- Detects missing Message-Id | |||
| @@ -113,7 +122,8 @@ reconf['MISSING_MID'] = { | |||
| re = '!header_exists(Message-Id)', | |||
| score = 2.5, | |||
| description = 'Message id is missing', | |||
| group = 'headers' | |||
| group = 'headers', | |||
| mime_only = true, | |||
| } | |||
| -- Received seems to be fake | |||
| @@ -122,7 +132,8 @@ reconf['R_RCVD_SPAMBOTS'] = { | |||
| ' [\\s\\d]?\\d [JFMAJSOND][a-z][a-z] \\d{4} \\d{2}:\\d{2}:\\d{2} [-+]\\d{4}$/mH', | |||
| score = 3.0, | |||
| description = 'Spambots signatures in received headers', | |||
| group = 'headers' | |||
| group = 'headers', | |||
| mime_only = true, | |||
| } | |||
| -- Charset is missing in message | |||
| @@ -131,7 +142,8 @@ reconf['R_MISSING_CHARSET'] = { | |||
| 'compare_transfer_encoding(7bit)'), | |||
| score = 2.5, | |||
| description = 'Charset is missing in a message', | |||
| group = 'headers' | |||
| group = 'headers', | |||
| mime_only = true, | |||
| } | |||
| -- Subject seems to be spam | |||
| @@ -139,7 +151,8 @@ reconf['R_SAJDING'] = { | |||
| re = 'Subject=/\\bsajding(?:om|a)?\\b/iH', | |||
| score = 8.0, | |||
| description = 'Subject seems to be spam', | |||
| group = 'headers' | |||
| group = 'headers', | |||
| mime_only = true, | |||
| } | |||
| -- Find forged Outlook MUA | |||
| @@ -152,7 +165,8 @@ reconf['FORGED_OUTLOOK_HTML'] = { | |||
| re = string.format('!%s & %s & %s', yahoo_bulk, outlook_mua, 'has_only_html_part()'), | |||
| score = 5.0, | |||
| description = 'Forged outlook HTML signature', | |||
| group = 'headers' | |||
| group = 'headers', | |||
| mime_only = true, | |||
| } | |||
| -- Recipients seems to be likely with each other (only works when recipients count is more than 5 recipients) | |||
| @@ -160,7 +174,8 @@ reconf['SUSPICIOUS_RECIPS'] = { | |||
| re = 'compare_recipients_distance(0.65)', | |||
| score = 1.5, | |||
| description = 'Recipients seems to be autogenerated (works if recipients count is more than 5)', | |||
| group = 'headers' | |||
| group = 'headers', | |||
| mime_only = true, | |||
| } | |||
| -- Recipients list seems to be sorted | |||
| @@ -168,7 +183,8 @@ reconf['SORTED_RECIPS'] = { | |||
| re = 'is_recipients_sorted()', | |||
| score = 3.5, | |||
| description = 'Recipients list seems to be sorted', | |||
| group = 'headers' | |||
| group = 'headers', | |||
| mime_only = true, | |||
| } | |||
| -- Spam string at the end of message to make statistics faults | |||
| @@ -176,7 +192,8 @@ reconf['TRACKER_ID'] = { | |||
| re = '/^[a-z0-9]{6,24}[-_a-z0-9]{12,36}[a-z0-9]{6,24}\\s*\\z/isPr', | |||
| score = 3.84, | |||
| description = 'Spam string at the end of message to make statistics fault', | |||
| group = 'headers' | |||
| group = 'headers', | |||
| mime_only = true, | |||
| } | |||
| -- From contains only 7bit characters (parsed headers are used) | |||
| @@ -186,7 +203,8 @@ reconf['FROM_EXCESS_BASE64'] = { | |||
| re = string.format('%s & !%s', from_encoded_b64, from_needs_mime), | |||
| score = 1.5, | |||
| description = 'From that contains encoded characters while base 64 is not needed as all symbols are 7bit', | |||
| group = 'excessb64' | |||
| group = 'excessb64', | |||
| mime_only = true, | |||
| } | |||
| -- From that contains encoded characters while quoted-printable is not needed as all symbols are 7bit | |||
+ 15
- 5
src/plugins/lua/hfilter.lua
View File
| @@ -323,7 +323,7 @@ local function check_host(task, host, symbol_suffix, eq_ip, eq_host) | |||
| end | |||
| -- | |||
| local function hfilter(task) | |||
| local function hfilter_callback(task) | |||
| -- Links checks | |||
| if config['url_enabled'] then | |||
| local parts = task:get_text_parts() | |||
| @@ -626,16 +626,26 @@ end | |||
| --dumper(symbols_enabled) | |||
| if #symbols_enabled > 0 then | |||
| rspamd_config:register_symbols(hfilter, 1.0, "HFILTER", symbols_enabled); | |||
| local id = rspamd_config:register_symbol{ | |||
| name = 'HFILTER', | |||
| callback = hfilter_callback, | |||
| type = 'callback,mime', | |||
| score = 0.0, | |||
| } | |||
| rspamd_config:set_metric_symbol({ | |||
| name = 'HFILTER', | |||
| score = 0.0, | |||
| group = 'hfilter' | |||
| }) | |||
| for _,s in ipairs(symbols_enabled) do | |||
| for _,sym in ipairs(symbols_enabled) do | |||
| rspamd_config:register_symbol{ | |||
| type = 'virtual,mime', | |||
| score = 1.0, | |||
| parent = id, | |||
| name = sym, | |||
| } | |||
| rspamd_config:set_metric_symbol({ | |||
| name = s, | |||
| name = sym, | |||
| score = 0.0, | |||
| group = 'hfilter' | |||
| }) | |||
Loading…