Vsevolod Stakhov
4 years ago
2 changed files with 49 additions and 18 deletions
+ 25
- 15
conf/scores.d/content_group.conf
View File
| @@ -18,20 +18,30 @@ | |||
| description = "Content rules"; | |||
| symbols = { | |||
| "PDF_ENCRYPTED" { | |||
| weight = 0.3; | |||
| description = "There is an encrypted PDF in the message"; | |||
| one_shot = true; | |||
| } | |||
| "PDF_JAVASCRIPT" { | |||
| weight = 0.1; | |||
| description = "There is an PDF with JavaScript in the message"; | |||
| one_shot = true; | |||
| } | |||
| "PDF_SUSPICIOUS" { | |||
| weight = 4.5; | |||
| description = "There is an PDF with suspicious properties in the message"; | |||
| one_shot = true; | |||
| } | |||
| "PDF_ENCRYPTED" { | |||
| weight = 0.3; | |||
| description = "There is an encrypted PDF in the message"; | |||
| one_shot = true; | |||
| } | |||
| "PDF_JAVASCRIPT" { | |||
| weight = 0.1; | |||
| description = "There is an PDF with JavaScript in the message"; | |||
| one_shot = true; | |||
| } | |||
| "PDF_SUSPICIOUS" { | |||
| weight = 4.5; | |||
| description = "There is an PDF with suspicious properties in the message"; | |||
| one_shot = true; | |||
| } | |||
| "PDF_LONG_TRAILER" { | |||
| weight = 0.2; | |||
| description = "There is an PDF with a long trailer"; | |||
| one_shot = true; | |||
| } | |||
| "PDF_MANY_OBJECTS" { | |||
| weight = 0; | |||
| description = "There is a PDF file with too many objects"; | |||
| one_shot = true; | |||
| } | |||
| } | |||
+ 24
- 3
rules/content.lua
View File
| @@ -17,7 +17,7 @@ limitations under the License. | |||
| local function process_pdf_specific(task, part, specific) | |||
| local suspicious_factor = 0 | |||
| if specific.encrypted then | |||
| task:insert_result('PDF_ENCRYPTED', 1.0, part:get_filename()) | |||
| task:insert_result('PDF_ENCRYPTED', 1.0, part:get_filename() or 'unknown') | |||
| suspicious_factor = suspicious_factor + 0.1 | |||
| if specific.openaction then | |||
| suspicious_factor = suspicious_factor + 0.5 | |||
| @@ -25,7 +25,7 @@ local function process_pdf_specific(task, part, specific) | |||
| end | |||
| if specific.scripts then | |||
| task:insert_result('PDF_JAVASCRIPT', 1.0, part:get_filename()) | |||
| task:insert_result('PDF_JAVASCRIPT', 1.0, part:get_filename() or 'unknown') | |||
| suspicious_factor = suspicious_factor + 0.1 | |||
| end | |||
| @@ -35,7 +35,16 @@ local function process_pdf_specific(task, part, specific) | |||
| if suspicious_factor > 0.5 then | |||
| if suspicious_factor > 1.0 then suspicious_factor = 1.0 end | |||
| task:insert_result('PDF_SUSPICIOUS', suspicious_factor, part:get_filename()) | |||
| task:insert_result('PDF_SUSPICIOUS', suspicious_factor, part:get_filename() or 'unknown') | |||
| end | |||
| if specific.long_trailer then | |||
| task:insert_result('PDF_LONG_TRAILER', 1.0, string.format('%s:%d', | |||
| part:get_filename() or 'unknown', specific.long_trailer)) | |||
| end | |||
| if specific.many_objects then | |||
| task:insert_result('PDF_MANY_OBJECTS', 1.0, string.format('%s:%d', | |||
| part:get_filename() or 'unknown', specific.many_objects)) | |||
| end | |||
| end | |||
| @@ -83,3 +92,15 @@ rspamd_config:register_symbol{ | |||
| parent = id, | |||
| groups = {"content", "pdf"}, | |||
| } | |||
| rspamd_config:register_symbol{ | |||
| type = 'virtual', | |||
| name = 'PDF_LONG_TRAILER', | |||
| parent = id, | |||
| groups = {"content", "pdf"}, | |||
| } | |||
| rspamd_config:register_symbol{ | |||
| type = 'virtual', | |||
| name = 'PDF_MANY_OBJECTS', | |||
| parent = id, | |||
| groups = {"content", "pdf"}, | |||
| } | |||
Loading…