mirrors
/
rspamd
ミラー元 https://github.com/vstakhov/rspamd.git
ウォッチ 1
スター 0
フォーク 0
コード 課題 0 リリース 159 Wiki アクティビティ
選択できるのは25トピックまでです。 トピックは、先頭が英数字で、英数字とダッシュ('-')を使用した35文字以内のものにしてください。
14015 コミット
28 ブランチ
ツリー: 110f02f449
ブランチ タグ
${ item.name }
ブランチ ${ searchTerm } を作成
'110f02f449' から
${ noResults }
rspamd/rules/html.lua

html.lua 12KB
Raw Blame 履歴

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434 
  1. -- Licensed to the Apache Software Foundation (ASF) under one or more

  2. -- contributor license agreements.  See the NOTICE file distributed with

  3. -- this work for additional information regarding copyright ownership.

  4. -- The ASF licenses this file to you under the Apache License, Version 2.0

  5. -- (the "License"); you may not use this file except in compliance with

  6. -- the License.  You may obtain a copy of the License at:

  7. --

  8. --     http://www.apache.org/licenses/LICENSE-2.0

  9. --

  10. -- Unless required by applicable law or agreed to in writing, software

  11. -- distributed under the License is distributed on an "AS IS" BASIS,

  12. -- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  13. -- See the License for the specific language governing permissions and

  14. -- limitations under the License.

  15. 

  16. local reconf = config['regexp']

  17. 

  18. -- Messages that have only HTML part

  19. reconf['MIME_HTML_ONLY'] = {

  20.   re = 'has_only_html_part()',

  21.   score = 0.2,

  22.   description = 'Messages that have only HTML part',

  23.   group = 'headers'

  24. }

  25. 

  26. local function check_html_image(task, min, max)

  27.   local tp = task:get_text_parts()

  28. 

  29.   for _,p in ipairs(tp) do

  30.     if p:is_html() then

  31.       local hc = p:get_html()

  32.       local len = p:get_length()

  33. 

  34. 

  35.       if hc and len >= min and len < max then

  36.         local images = hc:get_images()

  37.         if images then

  38.           for _,i in ipairs(images) do

  39.             local tag = i['tag']

  40.             if tag then

  41.               local parent = tag:get_parent()

  42.               if parent then

  43.                 if parent:get_type() == 'a' then

  44.                   -- do not trigger on small and unknown size images

  45.                   if i['height'] + i['width'] >= 210 or not i['embedded'] then

  46.                     return true

  47.                   end

  48.                 end

  49.               end

  50.             end

  51.           end

  52.         end

  53.       end

  54.     end

  55.   end

  56. end

  57. 

  58. rspamd_config.HTML_SHORT_LINK_IMG_1 = {

  59.   callback = function(task)

  60.     return check_html_image(task, 0, 1024)

  61.   end,

  62.   score = 2.0,

  63.   group = 'html',

  64.   description = 'Short html part (0..1K) with a link to an image'

  65. }

  66. 

  67. rspamd_config.HTML_SHORT_LINK_IMG_2 = {

  68.   callback = function(task)

  69.     return check_html_image(task, 1024, 1536)

  70.   end,

  71.   score = 1.0,

  72.   group = 'html',

  73.   description = 'Short html part (1K..1.5K) with a link to an image'

  74. }

  75. 

  76. rspamd_config.HTML_SHORT_LINK_IMG_3 = {

  77.   callback = function(task)

  78.     return check_html_image(task, 1536, 2048)

  79.   end,

  80.   score = 0.5,

  81.   group = 'html',

  82.   description = 'Short html part (1.5K..2K) with a link to an image'

  83. }

  84. rspamd_config.R_EMPTY_IMAGE = {

  85.   callback = function(task)

  86.     local tp = task:get_text_parts() -- get text parts in a message

  87. 

  88.     for _,p in ipairs(tp) do -- iterate over text parts array using `ipairs`

  89.       if p:is_html() then -- if the current part is html part

  90.         local hc = p:get_html() -- we get HTML context

  91.         local len = p:get_length() -- and part's length

  92. 

  93.         if hc and len < 50 then -- if we have a part that has less than 50 bytes of text

  94.           local images = hc:get_images() -- then we check for HTML images

  95. 

  96.           if images then -- if there are images

  97.             for _,i in ipairs(images) do -- then iterate over images in the part

  98.               if i['height'] + i['width'] >= 400 then -- if we have a large image

  99.                 local tag = i['tag']

  100.                 if tag then

  101.                   local parent = tag:get_parent()

  102.                   if parent then

  103.                     if parent:get_type() ~= 'a' then

  104.                       return true

  105.                     end

  106.                   end

  107.                 end

  108.               end

  109.             end

  110.           end

  111.         end

  112.       end

  113.     end

  114.   end,

  115. 

  116.   score = 2.0,

  117.   group = 'html',

  118.   description = 'Message contains empty parts and image'

  119. }

  120. 

  121. rspamd_config.R_SUSPICIOUS_IMAGES = {

  122.   callback = function(task)

  123.     local tp = task:get_text_parts() -- get text parts in a message

  124. 

  125.     for _, p in ipairs(tp) do

  126.       local h = p:get_html()

  127. 

  128.       if h then

  129.         local l = p:get_words_count()

  130.         local img = h:get_images()

  131.         local pic_words = 0

  132. 

  133.         if img then

  134.           for _, i in ipairs(img) do

  135.             local dim = i['width'] + i['height']

  136.             local tag = i['tag']

  137. 

  138.             if tag then

  139.               local parent = tag:get_parent()

  140.               if parent then

  141.                 if parent:get_type() == 'a' then

  142.                   -- do not trigger on small and large images

  143.                   if dim > 100 and dim < 3000 then

  144.                     -- We assume that a single picture 100x200 contains approx 3 words of text

  145.                     pic_words = pic_words + dim / 100

  146.                   end

  147.                 end

  148.               end

  149.             end

  150.           end

  151.         end

  152. 

  153.         if l + pic_words > 0 then

  154.           local rel = pic_words / (l + pic_words)

  155. 

  156.           if rel > 0.5 then

  157.             return true, (rel - 0.5) * 2

  158.           end

  159.         end

  160.       end

  161.     end

  162. 

  163.     return false

  164.   end,

  165. 

  166.   score = 5.0,

  167.   group = 'html',

  168.   description = 'Message contains many suspicious messages'

  169. }

  170. 

  171. local vis_check_id = rspamd_config:register_symbol{

  172.   name = 'HTML_VISIBLE_CHECKS',

  173.   type = 'callback',

  174.   group = 'html',

  175.   callback = function(task)

  176.     --local logger = require "rspamd_logger"

  177.     local tp = task:get_text_parts() -- get text parts in a message

  178.     local ret = false

  179.     local diff = 0.0

  180.     local transp_rate = 0

  181.     local invisible_blocks = 0

  182.     local zero_size_blocks = 0

  183.     local arg

  184. 

  185.     local normal_len = 0

  186.     local transp_len = 0

  187. 

  188.     for _,p in ipairs(tp) do -- iterate over text parts array using `ipairs`

  189.       normal_len = normal_len + p:get_length()

  190.       if p:is_html() and p:get_html() then -- if the current part is html part

  191.         local hc = p:get_html() -- we get HTML context

  192. 

  193.         hc:foreach_tag({'font', 'span', 'div', 'p', 'td'}, function(tag)

  194.           local bl = tag:get_extra()

  195.           if bl then

  196.             if not bl['visible'] then

  197.               invisible_blocks = invisible_blocks + 1

  198.             end

  199. 

  200.             if bl['font_size'] and bl['font_size'] == 0 then

  201.               zero_size_blocks = zero_size_blocks + 1

  202.             end

  203. 

  204.             if bl['bgcolor'] and bl['color'] and bl['visible'] then

  205. 

  206.               local color = bl['color']

  207.               local bgcolor = bl['bgcolor']

  208.               -- Should use visual approach here some day

  209.               local diff_r = math.abs(color[1] - bgcolor[1])

  210.               local diff_g = math.abs(color[2] - bgcolor[2])

  211.               local diff_b = math.abs(color[3] - bgcolor[3])

  212.               local r_avg = (color[1] + bgcolor[1]) / 2.0

  213.               -- Square

  214.               diff_r = diff_r * diff_r

  215.               diff_g = diff_g * diff_g

  216.               diff_b = diff_b * diff_b

  217. 

  218.               diff = math.sqrt(2*diff_r + 4*diff_g + 3 * diff_b +

  219.                   (r_avg * (diff_r - diff_b) / 256.0))

  220.               diff = diff / 256.0

  221. 

  222.               if diff < 0.1 then

  223.                 ret = true

  224.                 local content_len = #(tag:get_content() or {})

  225.                 invisible_blocks = invisible_blocks + 1 -- This block is invisible

  226.                 transp_len = transp_len + content_len * (0.1 - diff) * 10.0

  227.                 normal_len = normal_len - content_len

  228.                 local tr = transp_len / (normal_len + transp_len)

  229.                 if tr > transp_rate then

  230.                   transp_rate = tr

  231.                   arg = string.format('%s color #%x%x%x bgcolor #%x%x%x',

  232.                     tostring(tag:get_type()),

  233.                     color[1], color[2], color[3],

  234.                     bgcolor[1], bgcolor[2], bgcolor[3])

  235.                 end

  236.               end

  237.             end

  238.           end

  239. 

  240.           return false -- Continue search

  241.         end)

  242. 

  243.       end

  244.     end

  245. 

  246.     if ret then

  247.       transp_rate = transp_len / (normal_len + transp_len)

  248. 

  249.       if transp_rate > 0.1 then

  250.         if transp_rate > 0.5 or transp_rate ~= transp_rate then

  251.           transp_rate = 0.5

  252.         end

  253. 

  254.         task:insert_result('R_WHITE_ON_WHITE', (transp_rate * 2.0), arg)

  255.       end

  256.     end

  257. 

  258.     if invisible_blocks > 0 then

  259.       if invisible_blocks > 10 then

  260.         invisible_blocks = 10

  261.       end

  262.       local rates = { -- From 1 to 10

  263.         0.05,

  264.         0.1,

  265.         0.2,

  266.         0.3,

  267.         0.4,

  268.         0.5,

  269.         0.6,

  270.         0.7,

  271.         0.8,

  272.         1.0,

  273.       }

  274.       task:insert_result('MANY_INVISIBLE_PARTS', rates[invisible_blocks],

  275.           tostring(invisible_blocks))

  276.     end

  277. 

  278.     if zero_size_blocks > 0 then

  279.       if zero_size_blocks > 5 then

  280.         if zero_size_blocks > 10 then

  281.           -- Full score

  282.           task:insert_result('ZERO_FONT', 1.0,

  283.               tostring(zero_size_blocks))

  284.         else

  285.           zero_size_blocks = 5

  286.         end

  287.       end

  288. 

  289.       if zero_size_blocks <= 5 then

  290.         local rates = { -- From 1 to 5

  291.           0.1,

  292.           0.2,

  293.           0.2,

  294.           0.3,

  295.           0.5,

  296.         }

  297.         task:insert_result('ZERO_FONT', rates[zero_size_blocks],

  298.             tostring(zero_size_blocks))

  299.       end

  300.     end

  301.   end,

  302. }

  303. 

  304. rspamd_config:register_symbol{

  305.   type = 'virtual',

  306.   parent = vis_check_id,

  307.   name = 'R_WHITE_ON_WHITE',

  308.   description = 'Message contains low contrast text',

  309.   score = 4.0,

  310.   group = 'html',

  311.   one_shot = true,

  312. }

  313. 

  314. rspamd_config:register_symbol{

  315.   type = 'virtual',

  316.   parent = vis_check_id,

  317.   name = 'ZERO_FONT',

  318.   description = 'Zero sized font used',

  319.   score = 1.0, -- Reached if more than 5 elements have zero size

  320.   one_shot = true,

  321.   group = 'html'

  322. }

  323. 

  324. rspamd_config:register_symbol{

  325.   type = 'virtual',

  326.   parent = vis_check_id,

  327.   name = 'MANY_INVISIBLE_PARTS',

  328.   description = 'Many parts are visually hidden',

  329.   score = 1.0, -- Reached if more than 10 elements are hidden

  330.   one_shot = true,

  331.   group = 'html'

  332. }

  333. 

  334. rspamd_config.EXT_CSS = {

  335.   callback = function(task)

  336.     local regexp_lib = require "rspamd_regexp"

  337.     local re = regexp_lib.create_cached('/^.*\\.css(?:[?#].*)?$/i')

  338.     local tp = task:get_text_parts() -- get text parts in a message

  339.     local ret = false

  340.     for _,p in ipairs(tp) do -- iterate over text parts array using `ipairs`

  341.       if p:is_html() and p:get_html() then -- if the current part is html part

  342.         local hc = p:get_html() -- we get HTML context

  343.         hc:foreach_tag({'link'}, function(tag)

  344.           local bl = tag:get_extra()

  345.           if bl then

  346.             local s = tostring(bl)

  347.             if s and re:match(s) then

  348.               ret = true

  349.             end

  350.           end

  351. 

  352.           return ret -- Continue search

  353.         end)

  354. 

  355.       end

  356.     end

  357. 

  358.     return ret

  359.   end,

  360. 

  361.   score = 1.0,

  362.   group = 'html',

  363.   description = 'Message contains external CSS reference'

  364. }

  365. 

  366. rspamd_config.HTTP_TO_HTTPS = {

  367.   callback = function(task)

  368.     local tp = task:get_text_parts()

  369.     if (not tp) then return false end

  370.     for _,p in ipairs(tp) do

  371.       if p:is_html() then

  372.         local hc = p:get_html()

  373.         if (not hc) then return false end

  374.         local found = false

  375.         hc:foreach_tag('a', function (tag, length)

  376.           -- Skip this loop if we already have a match

  377.           if (found) then return true end

  378.           local c = tag:get_content()

  379.           if (c) then

  380.             c = tostring(c):lower()

  381.             if (not c:match('^http')) then return false end

  382.             local u = tag:get_extra()

  383.             if (not u) then return false end

  384.             u = tostring(u):lower()

  385.             if (not u:match('^http')) then return false end

  386.             if ((c:match('^http:') and u:match('^https:')) or

  387.                 (c:match('^https:') and u:match('^http:')))

  388.             then

  389.               found = true

  390.               return true

  391.             end

  392.           end

  393.           return false

  394.         end)

  395.         if (found) then return true end

  396.         return false

  397.       end

  398.     end

  399.     return false

  400.   end,

  401.   description = 'Anchor text contains different scheme to target URL',

  402.   score = 2.0,

  403.   group = 'html'

  404. }

  405. 

  406. rspamd_config.HTTP_TO_IP = {

  407.   callback = function(task)

  408.     local tp = task:get_text_parts()

  409.     if (not tp) then return false end

  410.     for _,p in ipairs(tp) do

  411.       if p:is_html() then

  412.         local hc = p:get_html()

  413.         if (not hc) then return false end

  414.         local found = false

  415.         hc:foreach_tag('a', function (tag, length)

  416.           if (found) then return true end

  417.           local u = tag:get_extra()

  418.           if (u) then

  419.             u = tostring(u):lower()

  420.             if (u:match('^https?://%d+%.%d+%.%d+%.%d+')) then

  421.               found = true

  422.             end

  423.           end

  424.           return false

  425.         end)

  426.         if found then return true end

  427.         return false

  428.       end

  429.     end

  430.   end,

  431.   description = 'Anchor points to an IP address',

  432.   score = 1.0,

  433.   group = 'html'

  434. }