|
|
@@ -17,7 +17,7 @@ limitations under the License. |
|
|
|
local function process_pdf_specific(task, part, specific) |
|
|
|
local suspicious_factor = 0 |
|
|
|
if specific.encrypted then |
|
|
|
task:insert_result('PDF_ENCRYPTED', 1.0, part:get_filename()) |
|
|
|
task:insert_result('PDF_ENCRYPTED', 1.0, part:get_filename() or 'unknown') |
|
|
|
suspicious_factor = suspicious_factor + 0.1 |
|
|
|
if specific.openaction then |
|
|
|
suspicious_factor = suspicious_factor + 0.5 |
|
|
@@ -25,7 +25,7 @@ local function process_pdf_specific(task, part, specific) |
|
|
|
end |
|
|
|
|
|
|
|
if specific.scripts then |
|
|
|
task:insert_result('PDF_JAVASCRIPT', 1.0, part:get_filename()) |
|
|
|
task:insert_result('PDF_JAVASCRIPT', 1.0, part:get_filename() or 'unknown') |
|
|
|
suspicious_factor = suspicious_factor + 0.1 |
|
|
|
end |
|
|
|
|
|
|
@@ -35,7 +35,16 @@ local function process_pdf_specific(task, part, specific) |
|
|
|
|
|
|
|
if suspicious_factor > 0.5 then |
|
|
|
if suspicious_factor > 1.0 then suspicious_factor = 1.0 end |
|
|
|
task:insert_result('PDF_SUSPICIOUS', suspicious_factor, part:get_filename()) |
|
|
|
task:insert_result('PDF_SUSPICIOUS', suspicious_factor, part:get_filename() or 'unknown') |
|
|
|
end |
|
|
|
|
|
|
|
if specific.long_trailer then |
|
|
|
task:insert_result('PDF_LONG_TRAILER', 1.0, string.format('%s:%d', |
|
|
|
part:get_filename() or 'unknown', specific.long_trailer)) |
|
|
|
end |
|
|
|
if specific.many_objects then |
|
|
|
task:insert_result('PDF_MANY_OBJECTS', 1.0, string.format('%s:%d', |
|
|
|
part:get_filename() or 'unknown', specific.many_objects)) |
|
|
|
end |
|
|
|
end |
|
|
|
|
|
|
@@ -83,3 +92,15 @@ rspamd_config:register_symbol{ |
|
|
|
parent = id, |
|
|
|
groups = {"content", "pdf"}, |
|
|
|
} |
|
|
|
rspamd_config:register_symbol{ |
|
|
|
type = 'virtual', |
|
|
|
name = 'PDF_LONG_TRAILER', |
|
|
|
parent = id, |
|
|
|
groups = {"content", "pdf"}, |
|
|
|
} |
|
|
|
rspamd_config:register_symbol{ |
|
|
|
type = 'virtual', |
|
|
|
name = 'PDF_MANY_OBJECTS', |
|
|
|
parent = id, |
|
|
|
groups = {"content", "pdf"}, |
|
|
|
} |
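Review bot: In the third hunk the two new `string.format('%s:%d', ...)` calls assume `specific.long_trailer` and `specific.many_objects` are numbers, but the `if` guards above them only test truthiness. If the PDF parser (not visible here) ever stores `true` or another non-numeric value in either field, `%d` raises an error while processing a sender-supplied attachment, and PDF_MANY_OBJECTS would never be inserted when the first call fails. Guarding with `type(specific.long_trailer) == 'number'`, or formatting with `'%s:%s'` and `tostring(specific.long_trailer)`, avoids that. `part:get_filename() or 'unknown'` now appears five times, so a single `local fname = part:get_filename() or 'unknown'` at the top of `process_pdf_specific` would keep the fallback in one place. The filename comes from the message itself, so it is worth confirming that whatever consumes these symbol options (logs, headers) treats it as untrusted text.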