Merge pull request #1205 from smfreegard/rules_161129
Adjust scores and add new rules
commit
885333db66
@ -14,6 +14,124 @@
|
||||
# See https://rspamd.com/doc/tutorials/writing_rules.html for details
|
||||
|
||||
multimap {
|
||||
# Freemail Addresses
|
||||
freemail_envfrom {
|
||||
type = "from";
|
||||
filter = "email:domain";
|
||||
map = "https://rspamd.com/freemail/free.txt.zst";
|
||||
symbol = "FREEMAIL_ENVFROM";
|
||||
description = "Envelope From is a Freemail address";
|
||||
score = 0.0;
|
||||
}
|
||||
|
||||
freemail_envrcpt {
|
||||
type = "rcpt";
|
||||
filter = "email:domain";
|
||||
map = "https://rspamd.com/freemail/free.txt.zst";
|
||||
symbol = "FREEMAIL_ENVRCPT";
|
||||
description = "Envelope Recipient is a Freemail address";
|
||||
score = 0.0;
|
||||
}
|
||||
|
||||
freemail_from {
|
||||
type = "header";
|
||||
header = "from";
|
||||
filter = "email:domain";
|
||||
map = "https://rspamd.com/freemail/free.txt.zst";
|
||||
symbol = "FREEMAIL_FROM";
|
||||
description = "From is a Freemail address";
|
||||
score = 0.0;
|
||||
}
|
||||
|
||||
freemail_to {
|
||||
type = "header";
|
||||
header = "To";
|
||||
filter = "email:domain";
|
||||
map = "https://rspamd.com/freemail/free.txt.zst";
|
||||
symbol = "FREEMAIL_TO";
|
||||
description = "To is a Freemail address";
|
||||
score = 0.0;
|
||||
}
|
||||
|
||||
freemail_cc {
|
||||
type = "header";
|
||||
header = "Cc";
|
||||
filter = "email:domain";
|
||||
map = "https://rspamd.com/freemail/free.txt.zst";
|
||||
symbol = "FREEMAIL_CC";
|
||||
description = "To is a Freemail address";
|
||||
score = 0.0;
|
||||
}
|
||||
|
||||
freemail_replyto {
|
||||
type = "header";
|
||||
header = "Reply-To";
|
||||
filter = "email:domain";
|
||||
map = "https://rspamd.com/freemail/free.txt.zst";
|
||||
symbol = "FREEMAIL_REPLYTO";
|
||||
description = "Reply-To is a Freemail address";
|
||||
score = 0.0;
|
||||
}
|
||||
|
||||
# Disposable Addresses
|
||||
disposable_envfrom {
|
||||
type = "from";
|
||||
filter = "email:domain";
|
||||
map = "https://rspamd.com/freemail/disposable.txt.zst";
|
||||
symbol = "DISPOSABLE_ENVFROM";
|
||||
description = "Envelope From is a Disposable e-mail address";
|
||||
score = 0.0;
|
||||
}
|
||||
|
||||
disposable_envrcpt {
|
||||
type = "rcpt";
|
||||
filter = "email:domain";
|
||||
map = "https://rspamd.com/freemail/disposable.txt.zst";
|
||||
symbol = "DISPOSABLE_ENVRCPT";
|
||||
description = "Envelope Recipient is a Disposable e-mail address";
|
||||
score = 0.0;
|
||||
}
|
||||
|
||||
disposable_from {
|
||||
type = "header";
|
||||
header = "from";
|
||||
filter = "email:domain";
|
||||
map = "https://rspamd.com/freemail/disposable.txt.zst";
|
||||
symbol = "DISPOSABLE_FROM";
|
||||
description = "From a Disposable e-mail address";
|
||||
score = 0.0;
|
||||
}
|
||||
|
||||
disposable_to {
|
||||
type = "header";
|
||||
header = "To";
|
||||
filter = "email:domain";
|
||||
map = "https://rspamd.com/freemail/disposable.txt.zst";
|
||||
symbol = "DISPOSABLE_TO";
|
||||
description = "To a disposable e-mail address";
|
||||
score = 0.0;
|
||||
}
|
||||
|
||||
disposable_cc {
|
||||
type = "header";
|
||||
header = "Cc";
|
||||
filter = "email:domain";
|
||||
map = "https://rspamd.com/freemail/disposable.txt.zst";
|
||||
symbol = "DISPOSABLE_CC";
|
||||
description = "To a disposable e-mail address";
|
||||
score = 0.0;
|
||||
}
|
||||
|
||||
disposable_replyto {
|
||||
type = "header";
|
||||
header = "Reply-To";
|
||||
filter = "email:domain";
|
||||
map = "https://rspamd.com/freemail/disposable.txt.zst";
|
||||
symbol = "DISPOSABLE_REPLYTO";
|
||||
description = "Reply-To a disposable e-mail address";
|
||||
score = 0.0;
|
||||
}
|
||||
|
||||
.include(try=true,priority=5) "${DBDIR}/dynamic/multimap.conf"
|
||||
.include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/multimap.conf"
|
||||
.include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/multimap.conf"
|
||||
@ -48,122 +166,3 @@ url_tld_re {
|
||||
}
|
||||
*/
|
||||
|
||||
# Freemail Addresses
|
||||
|
||||
freemail_envfrom {
|
||||
type = "from";
|
||||
filter = "email:domain";
|
||||
map = "https://rspamd.com/freemail/free.txt.zst";
|
||||
symbol = "FREEMAIL_ENVFROM";
|
||||
description = "Envelope From is a Freemail address";
|
||||
score = 0.0;
|
||||
}
|
||||
|
||||
freemail_envrcpt {
|
||||
type = "rcpt";
|
||||
filter = "email:domain";
|
||||
map = "https://rspamd.com/freemail/free.txt.zst";
|
||||
symbol = "FREEMAIL_ENVRCPT";
|
||||
description = "Envelope Recipient is a Freemail address";
|
||||
score = 0.0;
|
||||
}
|
||||
|
||||
freemail_from {
|
||||
type = "header";
|
||||
header = "from";
|
||||
filter = "email:domain";
|
||||
map = "https://rspamd.com/freemail/free.txt.zst";
|
||||
symbol = "FREEMAIL_FROM";
|
||||
description = "From is a Freemail address";
|
||||
score = 0.0;
|
||||
}
|
||||
|
||||
freemail_to {
|
||||
type = "header";
|
||||
header = "To";
|
||||
filter = "email:domain";
|
||||
map = "https://rspamd.com/freemail/free.txt.zst";
|
||||
symbol = "FREEMAIL_TO";
|
||||
description = "To is a Freemail address";
|
||||
score = 0.0;
|
||||
}
|
||||
|
||||
freemail_cc {
|
||||
type = "header";
|
||||
header = "Cc";
|
||||
filter = "email:domain";
|
||||
map = "https://rspamd.com/freemail/free.txt.zst";
|
||||
symbol = "FREEMAIL_CC";
|
||||
description = "To is a Freemail address";
|
||||
score = 0.0;
|
||||
}
|
||||
|
||||
freemail_replyto {
|
||||
type = "header";
|
||||
header = "Reply-To";
|
||||
filter = "email:domain";
|
||||
map = "https://rspamd.com/freemail/free.txt.zst";
|
||||
symbol = "FREEMAIL_REPLYTO";
|
||||
description = "Reply-To is a Freemail address";
|
||||
score = 0.0;
|
||||
}
|
||||
|
||||
# Disposable Addresses
|
||||
|
||||
disposable_envfrom {
|
||||
type = "from";
|
||||
filter = "email:domain";
|
||||
map = "https://rspamd.com/freemail/disposable.txt.zst";
|
||||
symbol = "DISPOSABLE_ENVFROM";
|
||||
description = "Envelope From is a Disposable e-mail address";
|
||||
score = 0.0;
|
||||
}
|
||||
|
||||
disposable_envrcpt {
|
||||
type = "rcpt";
|
||||
filter = "email:domain";
|
||||
map = "https://rspamd.com/freemail/disposable.txt.zst";
|
||||
symbol = "DISPOSABLE_ENVRCPT";
|
||||
description = "Envelope Recipient is a Disposable e-mail address";
|
||||
score = 0.0;
|
||||
}
|
||||
|
||||
disposable_from {
|
||||
type = "header";
|
||||
header = "from";
|
||||
filter = "email:domain";
|
||||
map = "https://rspamd.com/freemail/disposable.txt.zst";
|
||||
symbol = "DISPOSABLE_FROM";
|
||||
description = "From a Disposable e-mail address";
|
||||
score = 0.0;
|
||||
}
|
||||
|
||||
disposable_to {
|
||||
type = "header";
|
||||
header = "To";
|
||||
filter = "email:domain";
|
||||
map = "https://rspamd.com/freemail/disposable.txt.zst";
|
||||
symbol = "DISPOSABLE_TO";
|
||||
description = "To a disposable e-mail address";
|
||||
score = 0.0;
|
||||
}
|
||||
|
||||
disposable_cc {
|
||||
type = "header";
|
||||
header = "Cc";
|
||||
filter = "email:domain";
|
||||
map = "https://rspamd.com/freemail/disposable.txt.zst";
|
||||
symbol = "DISPOSABLE_CC";
|
||||
description = "To a disposable e-mail address";
|
||||
score = 0.0;
|
||||
}
|
||||
|
||||
disposable_replyto {
|
||||
type = "header";
|
||||
header = "Reply-To";
|
||||
filter = "email:domain";
|
||||
map = "https://rspamd.com/freemail/disposable.txt.zst";
|
||||
symbol = "DISPOSABLE_REPLYTO";
|
||||
description = "Reply-To a disposable e-mail address";
|
||||
score = 0.0;
|
||||
}
|
||||
|
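Review bot: The `freemail_cc` and `disposable_cc` entries in the first hunk carry descriptions copied from the To rules, so operators reading symbol output will see a Cc match described as a To match. They should read `description = "Cc is a Freemail address";` and `description = "Cc is a disposable e-mail address";`. The same wording is present in the block shown in the second hunk, so the relocation has carried it over rather than introduced it. Because a scored Lua rule elsewhere in this commit states that it requires these freemail maps, a short comment next to `# Freemail Addresses` saying that FREEMAIL_FROM and FREEMAIL_REPLYTO feed that rule would warn anyone who overrides or disables the maps locally.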
@ -63,4 +63,4 @@ rspamd_config:set_metric_symbol('MID_RHS_IP_LITERAL', 0.5, 'Message-ID RHS is an
|
||||
rspamd_config:register_virtual_symbol('MID_CONTAINS_FROM', 1.0, check_mid_id)
|
||||
rspamd_config:set_metric_symbol('MID_CONTAINS_FROM', 1.0, 'Message-ID contains From address', 'default', 'Message ID')
|
||||
rspamd_config:register_virtual_symbol('MID_RHS_MATCH_FROM', 1.0, check_mid_id)
|
||||
rspamd_config:set_metric_symbol('MID_RHS_MATCH_FROM', 1.0, 'Message-ID RHS matches From domain', 'default', 'Message ID')
|
||||
rspamd_config:set_metric_symbol('MID_RHS_MATCH_FROM', 0.0, 'Message-ID RHS matches From domain', 'default', 'Message ID')
|
||||
|
@ -739,3 +739,25 @@ rspamd_config.PREVIOUSLY_DELIVERED = {
|
||||
score = 0.0
|
||||
}
|
||||
|
||||
-- Requires freemail maps loaded in multimap
|
||||
local function freemail_reply_neq_from(task)
|
||||
local frt = task:get_symbol('FREEMAIL_REPLYTO')
|
||||
local ff = task:get_symbol('FREEMAIL_FROM')
|
||||
if (frt and ff and frt['options'] and ff['options'] and
|
||||
frt['options'][1] ~= ff['options'][1])
|
||||
then
|
||||
return true
|
||||
end
|
||||
return false
|
||||
end
|
||||
|
||||
local freemail_reply_neq_from_id = rspamd_config:register_symbol({
|
||||
name = 'FREEMAIL_REPLYTO_NEQ_FROM_DOM',
|
||||
type = 'callback',
|
||||
callback = freemail_reply_neq_from,
|
||||
description = 'Freemail From and Reply-To, but to different Freemail services',
|
||||
score = 3.0
|
||||
})
|
||||
rspamd_config:register_dependency(freemail_reply_neq_from_id, 'FREEMAIL_REPLYTO')
|
||||
rspamd_config:register_dependency(freemail_reply_neq_from_id, 'FREEMAIL_FROM')
|
||||
|
||||
|
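Review bot: The comparison in `freemail_reply_neq_from` reads `options[1]` from each symbol without checking that either value is present, so an options table that is empty on one side makes `~=` true and the 3.0-point symbol fires on a message where nothing was actually compared. Binding the values first closes that gap: `local r, f = frt['options'][1], ff['options'][1]` followed by `if r and f and r ~= f then return true end`. What multimap places in `options` is not visible in this hunk (presumably the matched domain), so the function would also benefit from a comment stating that, and noting that only the first match is compared when From or Reply-To lists several addresses.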
@ -11,7 +11,7 @@ reconf['HAS_PHPMAILER_SIG'] = {
|
||||
reconf['PHP_SCRIPT_ROOT'] = {
|
||||
re = "X-PHP-Originating-Script=/^0:/Hi",
|
||||
description = "PHP Script executed by root UID",
|
||||
score = 2.0,
|
||||
score = 1.0,
|
||||
group = "compromised_hosts"
|
||||
}
|
||||
|
||||
@ -99,14 +99,12 @@ reconf['HAS_WP_URI'] = {
|
||||
reconf['WP_COMPROMISED'] = {
|
||||
re = '/\\/wp-(?:content|includes)[^\\/]+\\//Ui',
|
||||
description = "URL that is pointing to a compromised WordPress installation",
|
||||
score = 5.0,
|
||||
group = "compromised_hosts"
|
||||
}
|
||||
|
||||
reconf['PHP_XPS_PATTERN'] = {
|
||||
re = 'X-PHP-Script=/^[^\\. ]+\\.[^\\.\\/ ]+\\/sendmail\\.php\\b/Hi',
|
||||
description = "Message contains X-PHP-Script pattern",
|
||||
score = 5.0,
|
||||
group = "compromised_hosts"
|
||||
}
|
||||
|
||||
|
@ -821,7 +821,7 @@ reconf['HAS_INTERSPIRE_SIG'] = {
|
||||
'header_exists(X-Mailer-Sent-By)',
|
||||
'List-Unsubscribe=/\\/unsubscribe\\.php\\?M=[^&]+&C=[^&]+&L=[^&]+&N=[^>]+>$/Xi'),
|
||||
description = "Has Interspire fingerprint",
|
||||
score = 3.0,
|
||||
score = 1.0,
|
||||
group = 'header'
|
||||
}
|
||||
|
||||
@ -835,7 +835,7 @@ reconf['CT_EXTRA_SEMI'] = {
|
||||
reconf['SUBJECT_ENDS_EXCLAIM'] = {
|
||||
re = 'Subject=/!\\s*$/H',
|
||||
description = 'Subject ends with an exclaimation',
|
||||
score = 1.0,
|
||||
score = 0.0,
|
||||
group = 'headers'
|
||||
}
|
||||
|
||||
@ -880,3 +880,11 @@ reconf['HAS_ORG_HEADER'] = {
|
||||
score = 0.0,
|
||||
group = 'headers'
|
||||
}
|
||||
|
||||
reconf['X_PHPOS_FAKE'] = {
|
||||
re = 'X-PHP-Originating-Script=/^\\d{7}:/Hi',
|
||||
description = 'Fake X-PHP-Originating-Script header',
|
||||
score = 3.0,
|
||||
group = 'headers'
|
||||
}
|
||||
|
||||
|
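Review bot: The new `X_PHPOS_FAKE` rule in the last hunk gives no rationale for why a seven-digit prefix before the colon marks the header as fake, yet it scores 3.0. A comment above the table such as `-- header is "<uid>:<script>"; a 7-digit uid is treated as forged` would record the heuristic; the header format is inferred from `PHP_SCRIPT_ROOT` matching `^0:`, so please confirm it. If hosts with legitimately large numeric UIDs can emit this header, a lower starting score would reduce the false-positive risk until the rule has been observed in production. The section also mixes `group = 'header'` (in `HAS_INTERSPIRE_SIG`) with `group = 'headers'`, which may split these symbols across two groups.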