Steve Freegard
7 years ago
4 changed files with 33 additions and 5 deletions
+ 1
- 1
rules/mid.lua
View File
| @@ -63,4 +63,4 @@ rspamd_config:set_metric_symbol('MID_RHS_IP_LITERAL', 0.5, 'Message-ID RHS is an | |||
| rspamd_config:register_virtual_symbol('MID_CONTAINS_FROM', 1.0, check_mid_id) | |||
| rspamd_config:set_metric_symbol('MID_CONTAINS_FROM', 1.0, 'Message-ID contains From address', 'default', 'Message ID') | |||
| rspamd_config:register_virtual_symbol('MID_RHS_MATCH_FROM', 1.0, check_mid_id) | |||
| rspamd_config:set_metric_symbol('MID_RHS_MATCH_FROM', 1.0, 'Message-ID RHS matches From domain', 'default', 'Message ID') | |||
| rspamd_config:set_metric_symbol('MID_RHS_MATCH_FROM', 0.0, 'Message-ID RHS matches From domain', 'default', 'Message ID') | |||
+ 22
- 0
rules/misc.lua
View File
| @@ -739,3 +739,25 @@ rspamd_config.PREVIOUSLY_DELIVERED = { | |||
| score = 0.0 | |||
| } | |||
| -- Requires freemail maps loaded in multimap | |||
| local function freemail_reply_neq_from(task) | |||
| local frt = task:get_symbol('FREEMAIL_REPLYTO') | |||
| local ff = task:get_symbol('FREEMAIL_FROM') | |||
| if (frt and ff and frt['options'] and ff['options'] and | |||
| frt['options'][1] ~= ff['options'][1]) | |||
| then | |||
| return true | |||
| end | |||
| return false | |||
| end | |||
| local freemail_reply_neq_from_id = rspamd_config:register_symbol({ | |||
| name = 'FREEMAIL_REPLYTO_NEQ_FROM_DOM', | |||
| type = 'callback', | |||
| callback = freemail_reply_neq_from, | |||
| description = 'Freemail From and Reply-To, but to different Freemail services', | |||
| score = 3.0 | |||
| }) | |||
| rspamd_config:register_dependency(freemail_reply_neq_from_id, 'FREEMAIL_REPLYTO') | |||
| rspamd_config:register_dependency(freemail_reply_neq_from_id, 'FREEMAIL_FROM') | |||
+ 1
- 3
rules/regexp/compromised_hosts.lua
View File
| @@ -11,7 +11,7 @@ reconf['HAS_PHPMAILER_SIG'] = { | |||
| reconf['PHP_SCRIPT_ROOT'] = { | |||
| re = "X-PHP-Originating-Script=/^0:/Hi", | |||
| description = "PHP Script executed by root UID", | |||
| score = 2.0, | |||
| score = 1.0, | |||
| group = "compromised_hosts" | |||
| } | |||
| @@ -99,14 +99,12 @@ reconf['HAS_WP_URI'] = { | |||
| reconf['WP_COMPROMISED'] = { | |||
| re = '/\\/wp-(?:content|includes)[^\\/]+\\//Ui', | |||
| description = "URL that is pointing to a compromised WordPress installation", | |||
| score = 5.0, | |||
| group = "compromised_hosts" | |||
| } | |||
| reconf['PHP_XPS_PATTERN'] = { | |||
| re = 'X-PHP-Script=/^[^\\. ]+\\.[^\\.\\/ ]+\\/sendmail\\.php\\b/Hi', | |||
| description = "Message contains X-PHP-Script pattern", | |||
| score = 5.0, | |||
| group = "compromised_hosts" | |||
| } | |||
+ 9
- 1
rules/regexp/headers.lua
View File
| @@ -828,7 +828,7 @@ reconf['HAS_INTERSPIRE_SIG'] = { | |||
| 'header_exists(X-Mailer-Sent-By)', | |||
| 'List-Unsubscribe=/\\/unsubscribe\\.php\\?M=[^&]+&C=[^&]+&L=[^&]+&N=[^>]+>$/Xi'), | |||
| description = "Has Interspire fingerprint", | |||
| score = 3.0, | |||
| score = 1.0, | |||
| group = 'header' | |||
| } | |||
| @@ -887,3 +887,11 @@ reconf['HAS_ORG_HEADER'] = { | |||
| score = 0.0, | |||
| group = 'headers' | |||
| } | |||
| reconf['X_PHPOS_FAKE'] = { | |||
| re = 'X-PHP-Originating-Script=/^\\d{7}:/Hi', | |||
| description = 'Fake X-PHP-Originating-Script header', | |||
| score = 3.0, | |||
| group = 'headers' | |||
| } | |||
Loading…