mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 159 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
12717 Commits
30 Branches
Tree: 19b524dc47
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '19b524dc47'
${ noResults }
rspamd/rules/html.lua

html.lua 12KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433 
  1. -- Licensed to the Apache Software Foundation (ASF) under one or more

  2. -- contributor license agreements.  See the NOTICE file distributed with

  3. -- this work for additional information regarding copyright ownership.

  4. -- The ASF licenses this file to you under the Apache License, Version 2.0

  5. -- (the "License"); you may not use this file except in compliance with

  6. -- the License.  You may obtain a copy of the License at:

  7. --

  8. --     http://www.apache.org/licenses/LICENSE-2.0

  9. --

  10. -- Unless required by applicable law or agreed to in writing, software

  11. -- distributed under the License is distributed on an "AS IS" BASIS,

  12. -- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  13. -- See the License for the specific language governing permissions and

  14. -- limitations under the License.

  15. 

  16. local reconf = config['regexp']

  17. 

  18. -- Messages that have only HTML part

  19. reconf['MIME_HTML_ONLY'] = {

  20.   re = 'has_only_html_part()',

  21.   score = 0.2,

  22.   description = 'Messages that have only HTML part',

  23.   group = 'headers'

  24. }

  25. 

  26. local function check_html_image(task, min, max)

  27.   local tp = task:get_text_parts()

  28. 

  29.   for _,p in ipairs(tp) do

  30.     if p:is_html() then

  31.       local hc = p:get_html()

  32.       local len = p:get_length()

  33. 

  34. 

  35.       if hc and len >= min and len < max then

  36.         local images = hc:get_images()

  37.         if images then

  38.           for _,i in ipairs(images) do

  39.             local tag = i['tag']

  40.             if tag then

  41.               local parent = tag:get_parent()

  42.               if parent then

  43.                 if parent:get_type() == 'a' then

  44.                   -- do not trigger on small and unknown size images

  45.                   if i['height'] + i['width'] >= 210 or not i['embedded'] then

  46.                     return true

  47.                   end

  48.                 end

  49.               end

  50.             end

  51.           end

  52.         end

  53.       end

  54.     end

  55.   end

  56. end

  57. 

  58. rspamd_config.HTML_SHORT_LINK_IMG_1 = {

  59.   callback = function(task)

  60.     return check_html_image(task, 0, 1024)

  61.   end,

  62.   score = 2.0,

  63.   group = 'html',

  64.   description = 'Short html part (0..1K) with a link to an image'

  65. }

  66. 

  67. rspamd_config.HTML_SHORT_LINK_IMG_2 = {

  68.   callback = function(task)

  69.     return check_html_image(task, 1024, 1536)

  70.   end,

  71.   score = 1.0,

  72.   group = 'html',

  73.   description = 'Short html part (1K..1.5K) with a link to an image'

  74. }

  75. 

  76. rspamd_config.HTML_SHORT_LINK_IMG_3 = {

  77.   callback = function(task)

  78.     return check_html_image(task, 1536, 2048)

  79.   end,

  80.   score = 0.5,

  81.   group = 'html',

  82.   description = 'Short html part (1.5K..2K) with a link to an image'

  83. }

  84. rspamd_config.R_EMPTY_IMAGE = {

  85.   callback = function(task)

  86.     local tp = task:get_text_parts() -- get text parts in a message

  87. 

  88.     for _,p in ipairs(tp) do -- iterate over text parts array using `ipairs`

  89.       if p:is_html() then -- if the current part is html part

  90.         local hc = p:get_html() -- we get HTML context

  91.         local len = p:get_length() -- and part's length

  92. 

  93.         if hc and len < 50 then -- if we have a part that has less than 50 bytes of text

  94.           local images = hc:get_images() -- then we check for HTML images

  95. 

  96.           if images then -- if there are images

  97.             for _,i in ipairs(images) do -- then iterate over images in the part

  98.               if i['height'] + i['width'] >= 400 then -- if we have a large image

  99.                 local tag = i['tag']

  100.                 if tag then

  101.                   local parent = tag:get_parent()

  102.                   if parent then

  103.                     if parent:get_type() ~= 'a' then

  104.                       return true

  105.                     end

  106.                   end

  107.                 end

  108.               end

  109.             end

  110.           end

  111.         end

  112.       end

  113.     end

  114.   end,

  115. 

  116.   score = 2.0,

  117.   group = 'html',

  118.   description = 'Message contains empty parts and image'

  119. }

  120. 

  121. rspamd_config.R_SUSPICIOUS_IMAGES = {

  122.   callback = function(task)

  123.     local tp = task:get_text_parts() -- get text parts in a message

  124. 

  125.     for _, p in ipairs(tp) do

  126.       local h = p:get_html()

  127. 

  128.       if h then

  129.         local l = p:get_words_count()

  130.         local img = h:get_images()

  131.         local pic_words = 0

  132. 

  133.         if img then

  134.           for _, i in ipairs(img) do

  135.             local dim = i['width'] + i['height']

  136.             local tag = i['tag']

  137. 

  138.             if tag then

  139.               local parent = tag:get_parent()

  140.               if parent then

  141.                 if parent:get_type() == 'a' then

  142.                   -- do not trigger on small and large images

  143.                   if dim > 100 and dim < 3000 then

  144.                     -- We assume that a single picture 100x200 contains approx 3 words of text

  145.                     pic_words = pic_words + dim / 100

  146.                   end

  147.                 end

  148.               end

  149.             end

  150.           end

  151.         end

  152. 

  153.         if l + pic_words > 0 then

  154.           local rel = pic_words / (l + pic_words)

  155. 

  156.           if rel > 0.5 then

  157.             return true, (rel - 0.5) * 2

  158.           end

  159.         end

  160.       end

  161.     end

  162. 

  163.     return false

  164.   end,

  165. 

  166.   score = 5.0,

  167.   group = 'html',

  168.   description = 'Message contains many suspicious messages'

  169. }

  170. 

  171. local vis_check_id = rspamd_config:register_symbol{

  172.   name = 'HTML_VISIBLE_CHECKS',

  173.   type = 'callback',

  174.   callback = function(task)

  175.     --local logger = require "rspamd_logger"

  176.     local tp = task:get_text_parts() -- get text parts in a message

  177.     local ret = false

  178.     local diff = 0.0

  179.     local transp_rate = 0

  180.     local invisible_blocks = 0

  181.     local zero_size_blocks = 0

  182.     local arg

  183. 

  184.     local normal_len = 0

  185.     local transp_len = 0

  186. 

  187.     for _,p in ipairs(tp) do -- iterate over text parts array using `ipairs`

  188.       normal_len = normal_len + p:get_length()

  189.       if p:is_html() and p:get_html() then -- if the current part is html part

  190.         local hc = p:get_html() -- we get HTML context

  191. 

  192.         hc:foreach_tag({'font', 'span', 'div', 'p', 'td'}, function(tag)

  193.           local bl = tag:get_extra()

  194.           if bl then

  195.             if not bl['visible'] then

  196.               invisible_blocks = invisible_blocks + 1

  197.             end

  198. 

  199.             if bl['font_size'] and bl['font_size'] == 0 then

  200.               zero_size_blocks = zero_size_blocks + 1

  201.             end

  202. 

  203.             if bl['bgcolor'] and bl['color'] and bl['visible'] then

  204. 

  205.               local color = bl['color']

  206.               local bgcolor = bl['bgcolor']

  207.               -- Should use visual approach here some day

  208.               local diff_r = math.abs(color[1] - bgcolor[1])

  209.               local diff_g = math.abs(color[2] - bgcolor[2])

  210.               local diff_b = math.abs(color[3] - bgcolor[3])

  211.               local r_avg = (color[1] + bgcolor[1]) / 2.0

  212.               -- Square

  213.               diff_r = diff_r * diff_r

  214.               diff_g = diff_g * diff_g

  215.               diff_b = diff_b * diff_b

  216. 

  217.               diff = math.sqrt(2*diff_r + 4*diff_g + 3 * diff_b +

  218.                   (r_avg * (diff_r - diff_b) / 256.0))

  219.               diff = diff / 256.0

  220. 

  221.               if diff < 0.1 then

  222.                 ret = true

  223.                 local content_len = #(tag:get_content() or {})

  224.                 invisible_blocks = invisible_blocks + 1 -- This block is invisible

  225.                 transp_len = transp_len + content_len * (0.1 - diff) * 10.0

  226.                 normal_len = normal_len - content_len

  227.                 local tr = transp_len / (normal_len + transp_len)

  228.                 if tr > transp_rate then

  229.                   transp_rate = tr

  230.                   arg = string.format('%s color #%x%x%x bgcolor #%x%x%x',

  231.                     tostring(tag:get_type()),

  232.                     color[1], color[2], color[3],

  233.                     bgcolor[1], bgcolor[2], bgcolor[3])

  234.                 end

  235.               end

  236.             end

  237.           end

  238. 

  239.           return false -- Continue search

  240.         end)

  241. 

  242.       end

  243.     end

  244. 

  245.     if ret then

  246.       transp_rate = transp_len / (normal_len + transp_len)

  247. 

  248.       if transp_rate > 0.1 then

  249.         if transp_rate > 0.5 or transp_rate ~= transp_rate then

  250.           transp_rate = 0.5

  251.         end

  252. 

  253.         task:insert_result('R_WHITE_ON_WHITE', (transp_rate * 2.0), arg)

  254.       end

  255.     end

  256. 

  257.     if invisible_blocks > 0 then

  258.       if invisible_blocks > 10 then

  259.         invisible_blocks = 10

  260.       end

  261.       local rates = { -- From 1 to 10

  262.         0.05,

  263.         0.1,

  264.         0.2,

  265.         0.3,

  266.         0.4,

  267.         0.5,

  268.         0.6,

  269.         0.7,

  270.         0.8,

  271.         1.0,

  272.       }

  273.       task:insert_result('MANY_INVISIBLE_PARTS', rates[invisible_blocks],

  274.           tostring(invisible_blocks))

  275.     end

  276. 

  277.     if zero_size_blocks > 0 then

  278.       if zero_size_blocks > 5 then

  279.         if zero_size_blocks > 10 then

  280.           -- Full score

  281.           task:insert_result('ZERO_FONT', 1.0,

  282.               tostring(zero_size_blocks))

  283.         else

  284.           zero_size_blocks = 5

  285.         end

  286.       end

  287. 

  288.       if zero_size_blocks <= 5 then

  289.         local rates = { -- From 1 to 5

  290.           0.1,

  291.           0.2,

  292.           0.2,

  293.           0.3,

  294.           0.5,

  295.         }

  296.         task:insert_result('ZERO_FONT', rates[zero_size_blocks],

  297.             tostring(zero_size_blocks))

  298.       end

  299.     end

  300.   end,

  301. }

  302. 

  303. rspamd_config:register_symbol{

  304.   type = 'virtual',

  305.   parent = vis_check_id,

  306.   name = 'R_WHITE_ON_WHITE',

  307.   description = 'Message contains low contrast text',

  308.   score = 4.0,

  309.   group = 'html',

  310.   one_shot = true,

  311. }

  312. 

  313. rspamd_config:register_symbol{

  314.   type = 'virtual',

  315.   parent = vis_check_id,

  316.   name = 'ZERO_FONT',

  317.   description = 'Zero sized font used',

  318.   score = 1.0, -- Reached if more than 5 elements have zero size

  319.   one_shot = true,

  320.   group = 'html'

  321. }

  322. 

  323. rspamd_config:register_symbol{

  324.   type = 'virtual',

  325.   parent = vis_check_id,

  326.   name = 'MANY_INVISIBLE_PARTS',

  327.   description = 'Many parts are visually hidden',

  328.   score = 1.0, -- Reached if more than 10 elements are hidden

  329.   one_shot = true,

  330.   group = 'html'

  331. }

  332. 

  333. rspamd_config.EXT_CSS = {

  334.   callback = function(task)

  335.     local regexp_lib = require "rspamd_regexp"

  336.     local re = regexp_lib.create_cached('/^.*\\.css(?:[?#].*)?$/i')

  337.     local tp = task:get_text_parts() -- get text parts in a message

  338.     local ret = false

  339.     for _,p in ipairs(tp) do -- iterate over text parts array using `ipairs`

  340.       if p:is_html() and p:get_html() then -- if the current part is html part

  341.         local hc = p:get_html() -- we get HTML context

  342.         hc:foreach_tag({'link'}, function(tag)

  343.           local bl = tag:get_extra()

  344.           if bl then

  345.             local s = tostring(bl)

  346.             if s and re:match(s) then

  347.               ret = true

  348.             end

  349.           end

  350. 

  351.           return ret -- Continue search

  352.         end)

  353. 

  354.       end

  355.     end

  356. 

  357.     return ret

  358.   end,

  359. 

  360.   score = 1.0,

  361.   group = 'html',

  362.   description = 'Message contains external CSS reference'

  363. }

  364. 

  365. rspamd_config.HTTP_TO_HTTPS = {

  366.   callback = function(task)

  367.     local tp = task:get_text_parts()

  368.     if (not tp) then return false end

  369.     for _,p in ipairs(tp) do

  370.       if p:is_html() then

  371.         local hc = p:get_html()

  372.         if (not hc) then return false end

  373.         local found = false

  374.         hc:foreach_tag('a', function (tag, length)

  375.           -- Skip this loop if we already have a match

  376.           if (found) then return true end

  377.           local c = tag:get_content()

  378.           if (c) then

  379.             c = tostring(c):lower()

  380.             if (not c:match('^http')) then return false end

  381.             local u = tag:get_extra()

  382.             if (not u) then return false end

  383.             u = tostring(u):lower()

  384.             if (not u:match('^http')) then return false end

  385.             if ((c:match('^http:') and u:match('^https:')) or

  386.                 (c:match('^https:') and u:match('^http:')))

  387.             then

  388.               found = true

  389.               return true

  390.             end

  391.           end

  392.           return false

  393.         end)

  394.         if (found) then return true end

  395.         return false

  396.       end

  397.     end

  398.     return false

  399.   end,

  400.   description = 'Anchor text contains different scheme to target URL',

  401.   score = 2.0,

  402.   group = 'html'

  403. }

  404. 

  405. rspamd_config.HTTP_TO_IP = {

  406.   callback = function(task)

  407.     local tp = task:get_text_parts()

  408.     if (not tp) then return false end

  409.     for _,p in ipairs(tp) do

  410.       if p:is_html() then

  411.         local hc = p:get_html()

  412.         if (not hc) then return false end

  413.         local found = false

  414.         hc:foreach_tag('a', function (tag, length)

  415.           if (found) then return true end

  416.           local u = tag:get_extra()

  417.           if (u) then

  418.             u = tostring(u):lower()

  419.             if (u:match('^https?://%d+%.%d+%.%d+%.%d+')) then

  420.               found = true

  421.             end

  422.           end

  423.           return false

  424.         end)

  425.         if found then return true end

  426.         return false

  427.       end

  428.     end

  429.   end,

  430.   description = 'Anchor points to an IP address',

  431.   score = 1.0,

  432.   group = 'html'

  433. }