mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 159 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
21213 Commits
28 Branches
Tree: 190e35ad67
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '190e35ad67'
${ noResults }
rspamd/src/plugins/lua/known_senders.lua

known_senders.lua 13KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406 
  1. --[[

  2. Copyright (c) 2023, Vsevolod Stakhov <vsevolod@rspamd.com>

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");

  5. you may not use this file except in compliance with the License.

  6. You may obtain a copy of the License at

  7. 

  8.     http://www.apache.org/licenses/LICENSE-2.0

  9. 

  10. Unless required by applicable law or agreed to in writing, software

  11. distributed under the License is distributed on an "AS IS" BASIS,

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  13. See the License for the specific language governing permissions and

  14. limitations under the License.

  15. ]]--

  16. 

  17. -- This plugin implements known senders logic for Rspamd

  18. 

  19. local rspamd_logger = require "rspamd_logger"

  20. local ts = (require "tableshape").types

  21. local N = 'known_senders'

  22. local lua_util = require "lua_util"

  23. local lua_redis = require "lua_redis"

  24. local lua_maps = require "lua_maps"

  25. local rspamd_cryptobox_hash = require "rspamd_cryptobox_hash"

  26. 

  27. if confighelp then

  28.   rspamd_config:add_example(nil, 'known_senders',

  29.       "Maintain a list of known senders using Redis",

  30.       [[

  31. known_senders {

  32.   # Domains to track senders

  33.   domains = "https://maps.rspamd.com/freemail/free.txt.zst";

  34.   # Maximum number of elements

  35.   max_senders = 100000;

  36.   # Maximum time to live (when not using bloom filters)

  37.   max_ttl = 30d;

  38.   # Use bloom filters (must be enabled in Redis as a plugin)

  39.   use_bloom = false;

  40.   # Insert symbol for new senders from the specific domains

  41.   symbol_unknown = 'UNKNOWN_SENDER';

  42. }

  43.   ]])

  44.   return

  45. end

  46. 

  47. local redis_params

  48. local settings = {

  49.   domains = {},

  50.   max_senders = 100000,

  51.   max_ttl = 30 * 86400,

  52.   use_bloom = false,

  53.   symbol = 'KNOWN_SENDER',

  54.   symbol_unknown = 'UNKNOWN_SENDER',

  55.   symbol_check_mail_global = 'INC_MAIL_KNOWN_GLOBALLY',

  56.   symbol_check_mail_local = 'INC_MAIL_KNOWN_LOCALLY',

  57.   max_recipients = 15,

  58.   redis_key = 'rs_known_senders',

  59.   sender_prefix = 'rsrk',

  60.   sender_key_global = 'verified_senders',

  61.   sender_key_size = 20,

  62.   reply_sender_privacy = false,

  63.   reply_sender_privacy_alg = 'blake2',

  64.   reply_sender_privacy_prefix = 'obf',

  65.   reply_sender_privacy_length = 16,

  66. }

  67. 

  68. local settings_schema = lua_redis.enrich_schema({

  69.   domains = lua_maps.map_schema,

  70.   enabled = ts.boolean:is_optional(),

  71.   max_senders = (ts.integer + ts.string / tonumber):is_optional(),

  72.   max_ttl = (ts.integer + ts.string / tonumber):is_optional(),

  73.   use_bloom = ts.boolean:is_optional(),

  74.   redis_key = ts.string:is_optional(),

  75.   symbol = ts.string:is_optional(),

  76.   symbol_unknown = ts.string:is_optional(),

  77. })

  78. 

  79. local function make_key(input)

  80.   local hash = rspamd_cryptobox_hash.create_specific('md5')

  81.   hash:update(input.addr)

  82.   return hash:hex()

  83. end

  84. 

  85. local function make_key_replies(goop, sz, prefix)

  86.   local h = rspamd_cryptobox_hash.create()

  87.   h:update(goop)

  88.   local key = (prefix or '') .. h:base32():sub(1, sz)

  89.   return key

  90. end

  91. 

  92. local zscore_script_id

  93. 

  94. local function configure_scripts(_, _, _)

  95.   -- script checks if given recipients are in the local replies set of the sender

  96.   local redis_zscore_script = [[

  97.     local results = {}

  98.     local replies_recipients_addrs = {}

  99.     replies_recipients_addrs = ARGV

  100.     if replies_recipients_addrs ~= nil then

  101. 

  102.       for _, rcpt in ipairs(replies_recipients_addrs) do

  103.         local score = redis.call('ZSCORE', KEYS[1], rcpt)

  104. 

  105.         if type(score) == 'boolean' then

  106.           score = nil

  107.           table.insert(results, score)

  108.           -- 0 is stand for failure code

  109.           return { 0, results }

  110.         end

  111. 

  112.         table.insert(results, score)

  113.       end

  114. 

  115.       -- first number in return statement is stands for the success/failure code

  116.       -- where success code is 1 and failure code is 0

  117.       return { 1, results }

  118.     else

  119.     -- 0 is a failure code

  120.       return { 0, results }

  121.     end

  122.   ]]

  123.   local zscore_script = lua_util.jinja_template(redis_zscore_script, {  })

  124.   rspamd_logger.debugm(N, rspamd_config, 'added check for recipients in local replies set script %s', zscore_script)

  125.   zscore_script_id = lua_redis.add_redis_script(zscore_script, redis_params)

  126. end

  127. 

  128. local function check_redis_key(task, key, key_ty)

  129.   lua_util.debugm(N, task, 'check key %s, type: %s', key, key_ty)

  130.   local function redis_zset_callback(err, data)

  131.     lua_util.debugm(N, task, 'got data: %s', data)

  132.     if err then

  133.       rspamd_logger.errx(task, 'redis error: %s', err)

  134.     elseif data then

  135.       if type(data) ~= 'userdata' then

  136.         -- non-null reply

  137.         task:insert_result(settings.symbol, 1.0, string.format("%s:%s", key_ty, key))

  138.       else

  139.         if settings.symbol_unknown then

  140.           task:insert_result(settings.symbol_unknown, 1.0, string.format("%s:%s", key_ty, key))

  141.         end

  142.         lua_util.debugm(N, task, 'insert key %s, type: %s', key, key_ty)

  143.         -- Insert key to zset and trim it's cardinality

  144.         lua_redis.redis_make_request(task,

  145.             redis_params, -- connect params

  146.             key, -- hash key

  147.             true, -- is write

  148.             nil, --callback

  149.             'ZADD', -- command

  150.             { settings.redis_key, tostring(task:get_timeval(true)), key } -- arguments

  151.         )

  152.         lua_redis.redis_make_request(task,

  153.             redis_params, -- connect params

  154.             key, -- hash key

  155.             true, -- is write

  156.             nil, --callback

  157.             'ZREMRANGEBYRANK', -- command

  158.             { settings.redis_key, '0',

  159.               tostring(-(settings.max_senders + 1)) } -- arguments

  160.         )

  161.       end

  162.     end

  163.   end

  164. 

  165.   local function redis_bloom_callback(err, data)

  166.     lua_util.debugm(N, task, 'got data: %s', data)

  167.     if err then

  168.       rspamd_logger.errx(task, 'redis error: %s', err)

  169.     elseif data then

  170.       if type(data) ~= 'userdata' and data == 1 then

  171.         -- non-null reply equal to `1`

  172.         task:insert_result(settings.symbol, 1.0, string.format("%s:%s", key_ty, key))

  173.       else

  174.         if settings.symbol_unknown then

  175.           task:insert_result(settings.symbol_unknown, 1.0, string.format("%s:%s", key_ty, key))

  176.         end

  177.         lua_util.debugm(N, task, 'insert key %s, type: %s', key, key_ty)

  178.         -- Reserve bloom filter space

  179.         lua_redis.redis_make_request(task,

  180.             redis_params, -- connect params

  181.             key, -- hash key

  182.             true, -- is write

  183.             nil, --callback

  184.             'BF.RESERVE', -- command

  185.             { settings.redis_key, tostring(settings.max_senders), '0.01', '1000', 'NONSCALING' } -- arguments

  186.         )

  187.         -- Insert key and adjust bloom filter

  188.         lua_redis.redis_make_request(task,

  189.             redis_params, -- connect params

  190.             key, -- hash key

  191.             true, -- is write

  192.             nil, --callback

  193.             'BF.ADD', -- command

  194.             { settings.redis_key, key } -- arguments

  195.         )

  196.       end

  197.     end

  198.   end

  199. 

  200.   if settings.use_bloom then

  201.     lua_redis.redis_make_request(task,

  202.         redis_params, -- connect params

  203.         key, -- hash key

  204.         false, -- is write

  205.         redis_bloom_callback, --callback

  206.         'BF.EXISTS', -- command

  207.         { settings.redis_key, key } -- arguments

  208.     )

  209.   else

  210.     lua_redis.redis_make_request(task,

  211.         redis_params, -- connect params

  212.         key, -- hash key

  213.         false, -- is write

  214.         redis_zset_callback, --callback

  215.         'ZSCORE', -- command

  216.         { settings.redis_key, key } -- arguments

  217.     )

  218.   end

  219. end

  220. 

  221. local function known_senders_callback(task)

  222.   local mime_from = (task:get_from('mime') or {})[1]

  223.   local smtp_from = (task:get_from('smtp') or {})[1]

  224.   local mime_key, smtp_key

  225.   if mime_from and mime_from.addr then

  226.     if settings.domains:get_key(mime_from.domain) then

  227.       mime_key = make_key(mime_from)

  228.     else

  229.       lua_util.debugm(N, task, 'skip mime from domain %s', mime_from.domain)

  230.     end

  231.   end

  232.   if smtp_from and smtp_from.addr then

  233.     if settings.domains:get_key(smtp_from.domain) then

  234.       smtp_key = make_key(smtp_from)

  235.     else

  236.       lua_util.debugm(N, task, 'skip smtp from domain %s', smtp_from.domain)

  237.     end

  238.   end

  239. 

  240.   if mime_key and smtp_key and mime_key ~= smtp_key then

  241.     -- Check both keys

  242.     check_redis_key(task, mime_key, 'mime')

  243.     check_redis_key(task, smtp_key, 'smtp')

  244.   elseif mime_key then

  245.     -- Check mime key

  246.     check_redis_key(task, mime_key, 'mime')

  247.   elseif smtp_key then

  248.     -- Check smtp key

  249.     check_redis_key(task, smtp_key, 'smtp')

  250.   end

  251. end

  252. 

  253. local function verify_local_replies_set(task)

  254.   local replies_sender = task:get_reply_sender()

  255.   if not replies_sender then

  256.     lua_util.debugm(N, task, 'Could not get sender')

  257.     return nil

  258.   end

  259. 

  260.   local replies_recipients = task:get_recipients('mime')

  261. 

  262.   local replies_sender_string = lua_util.maybe_obfuscate_string(tostring(replies_sender), settings, settings.sender_prefix)

  263.   local replies_sender_key = make_key_replies(replies_sender_string:lower(), 8)

  264. 

  265.   local function redis_zscore_script_cb(err, data)

  266.     if err ~= nil then

  267.       rspamd_logger.errx(task, 'Could not verify %s local replies set %s', replies_sender_key, err)

  268.     end

  269.     if data[1] ~= 1 then

  270.       rspamd_logger.infox(task, 'Recipients was not verified')

  271.     else

  272.       rspamd_logger.infox(task, 'Recipients was verified')

  273.       task:insert_result(settings.symbol_check_mail_local, 1.0, replies_sender_key)

  274.     end

  275.   end

  276. 

  277.   local replies_recipients_addrs = {}

  278. 

  279.   -- assigning addresses of recipients for params and limiting number of recipients to be checked

  280.   for i, rcpt in ipairs(replies_recipients) do

  281.     if i > settings['max_recipients'] then

  282.       break

  283.     end

  284.     table.insert(replies_recipients_addrs, rcpt.addr)

  285.   end

  286. 

  287.   lua_util.debugm(N, task, 'Making redis request to local replies set')

  288.   lua_redis.exec_redis_script(zscore_script_id,

  289.           {task = task, is_write = true},

  290.           redis_zscore_script_cb,

  291.           { replies_sender_key },

  292.           replies_recipients_addrs  )

  293. end

  294. 

  295. local function check_known_incoming_mail_callback(task)

  296.   local replies_sender = task:get_reply_sender()

  297.   if not replies_sender then

  298.     lua_util.debugm(N, task, 'Could not get sender')

  299.     return nil

  300.   end

  301. 

  302.   -- making sender key

  303.   lua_util.debugm(N, task, 'Sender: %s', replies_sender)

  304. 

  305.   local replies_sender_string = lua_util.maybe_obfuscate_string(tostring(replies_sender), settings, settings.sender_prefix)

  306.   local replies_sender_key = make_key_replies(replies_sender_string:lower(), 8)

  307. 

  308.   lua_util.debugm(N, task, 'Sender key: %s', replies_sender_key)

  309. 

  310.   local function redis_zscore_global_cb(err, data)

  311.     if err ~= nil then

  312.       rspamd_logger.errx(task, 'Couldn\'t find sender %s in global replies set. Ended with error: %s', replies_sender, err)

  313.       return

  314.     end

  315. 

  316.     --checking if zcore have not found score of a sender

  317.     if data ~= nil and data ~= '' and type(data) ~= 'userdata' then

  318.       rspamd_logger.infox(task, 'Sender: %s verified. Output: %s', replies_sender, data)

  319.       task:insert_result(settings.symbol_check_mail_global, 1.0, replies_sender)

  320.     else

  321.       rspamd_logger.infox(task, 'Sender: %s was not verified', replies_sender)

  322.     end

  323.   end

  324. 

  325.   -- key for global replies set

  326.   local replies_global_key = make_key_replies(settings.sender_key_global, settings.sender_key_size, settings.sender_prefix)

  327. 

  328.   -- using zscore to find sender in global set

  329.   lua_util.debugm(N, task, 'Making redis request to global replies set')

  330.   lua_redis.redis_make_request(task,

  331.           redis_params, -- connect params

  332.           replies_sender_key, -- hash key

  333.           false, -- is write

  334.           redis_zscore_global_cb, --callback

  335.           'ZSCORE', -- command

  336.           { replies_global_key, replies_sender } -- arguments

  337.   )

  338. end

  339. 

  340. local opts = rspamd_config:get_all_opt('known_senders')

  341. if opts then

  342.   settings = lua_util.override_defaults(settings, opts)

  343.   local res, err = settings_schema:transform(settings)

  344.   if not res then

  345.     rspamd_logger.errx(rspamd_config, 'cannot parse known_senders options: %1', err)

  346.   else

  347.     settings = res

  348.   end

  349.   redis_params = lua_redis.parse_redis_server(N, opts)

  350. 

  351.   if redis_params then

  352.     local map_conf = settings.domains

  353.     settings.domains = lua_maps.map_add_from_ucl(settings.domains,

  354.             'set', 'domains to track senders from')

  355.     if not settings.domains then

  356.       rspamd_logger.errx(rspamd_config, "couldn't add map %s, disable module",

  357.           map_conf)

  358.       lua_util.disable_module(N, "config")

  359.       return

  360.     end

  361.     lua_redis.register_prefix(settings.redis_key, N,

  362.         'Known elements redis key', {

  363.           type = 'zset/bloom filter',

  364.         })

  365.     lua_redis.register_prefix(settings.sender_prefix, N,

  366.         'Prefix to identify replies sets')

  367.     local id = rspamd_config:register_symbol({

  368.       name = settings.symbol,

  369.       type = 'normal',

  370.       callback = known_senders_callback,

  371.       one_shot = true,

  372.       score = -1.0,

  373.       augmentations = { string.format("timeout=%f", redis_params.timeout or 0.0) }

  374.     })

  375. 

  376.     rspamd_config:register_symbol({

  377.       name = settings.symbol_check_mail_local,

  378.       type = 'normal',

  379.       callback = verify_local_replies_set,

  380.       score = 1.0

  381.     })

  382. 

  383.     rspamd_config:register_symbol({

  384.       name = settings.symbol_check_mail_global,

  385.       type = 'normal',

  386.       callback = check_known_incoming_mail_callback,

  387.       score = 1.0

  388.     })

  389. 

  390.     if settings.symbol_unknown and #settings.symbol_unknown > 0 then

  391.       rspamd_config:register_symbol({

  392.         name = settings.symbol_unknown,

  393.         type = 'virtual',

  394.         parent = id,

  395.         one_shot = true,

  396.         score = 0.5,

  397.       })

  398.     end

  399.   else

  400.     lua_util.disable_module(N, "redis")

  401.   end

  402. end

  403. 

  404. rspamd_config:add_post_init(function(cfg, ev_base, worker)

  405.   configure_scripts(cfg, ev_base, worker)

  406. end)