mirrors
/
rspamd
의 미러 https://github.com/vstakhov/rspamd.git
보기 1
좋아요 0
포크 0
코드 이슈 0 릴리즈 159 위키 Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
16263 커밋
28 브랜치
트리: 4c81a52183
브랜치 태그
${ item.name }
Create branch ${ searchTerm }
from '4c81a52183'
${ noResults }
rspamd/rules/html.lua

html.lua 12KB
Raw Blame 히스토리

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438 
  1. -- Licensed to the Apache Software Foundation (ASF) under one or more

  2. -- contributor license agreements.  See the NOTICE file distributed with

  3. -- this work for additional information regarding copyright ownership.

  4. -- The ASF licenses this file to you under the Apache License, Version 2.0

  5. -- (the "License"); you may not use this file except in compliance with

  6. -- the License.  You may obtain a copy of the License at:

  7. --

  8. --     http://www.apache.org/licenses/LICENSE-2.0

  9. --

  10. -- Unless required by applicable law or agreed to in writing, software

  11. -- distributed under the License is distributed on an "AS IS" BASIS,

  12. -- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  13. -- See the License for the specific language governing permissions and

  14. -- limitations under the License.

  15. 

  16. local reconf = config['regexp']

  17. 

  18. -- Messages that have only HTML part

  19. reconf['MIME_HTML_ONLY'] = {

  20.   re = 'has_only_html_part()',

  21.   score = 0.2,

  22.   description = 'Messages that have only HTML part',

  23.   group = 'headers'

  24. }

  25. 

  26. local function has_anchor_parent(tag)

  27.   local parent = tag

  28.   repeat

  29.     parent = parent:get_parent()

  30.     if parent then

  31.       if parent:get_type() == 'a' then

  32.         return true

  33.       end

  34.     end

  35.   until not parent

  36. 

  37.   return false

  38. end

  39. 

  40. local function check_html_image(task, min, max)

  41.   local tp = task:get_text_parts()

  42. 

  43.   for _,p in ipairs(tp) do

  44.     if p:is_html() then

  45.       local hc = p:get_html()

  46.       local len = p:get_length()

  47. 

  48. 

  49.       if hc and len >= min and len < max then

  50.         local images = hc:get_images()

  51.         if images then

  52.           for _,i in ipairs(images) do

  53.             local tag = i['tag']

  54.             if tag then

  55.               if has_anchor_parent(tag) then

  56.                 -- do not trigger on small and unknown size images

  57.                 if i['height'] + i['width'] >= 210 or not i['embedded'] then

  58.                   return true

  59.                 end

  60.               end

  61.             end

  62.           end

  63.         end

  64.       end

  65.     end

  66.   end

  67. end

  68. 

  69. rspamd_config.HTML_SHORT_LINK_IMG_1 = {

  70.   callback = function(task)

  71.     return check_html_image(task, 0, 1024)

  72.   end,

  73.   score = 2.0,

  74.   group = 'html',

  75.   description = 'Short html part (0..1K) with a link to an image'

  76. }

  77. 

  78. rspamd_config.HTML_SHORT_LINK_IMG_2 = {

  79.   callback = function(task)

  80.     return check_html_image(task, 1024, 1536)

  81.   end,

  82.   score = 1.0,

  83.   group = 'html',

  84.   description = 'Short html part (1K..1.5K) with a link to an image'

  85. }

  86. 

  87. rspamd_config.HTML_SHORT_LINK_IMG_3 = {

  88.   callback = function(task)

  89.     return check_html_image(task, 1536, 2048)

  90.   end,

  91.   score = 0.5,

  92.   group = 'html',

  93.   description = 'Short html part (1.5K..2K) with a link to an image'

  94. }

  95. 

  96. rspamd_config.R_EMPTY_IMAGE = {

  97.   callback = function(task)

  98.     local tp = task:get_text_parts() -- get text parts in a message

  99. 

  100.     for _,p in ipairs(tp) do -- iterate over text parts array using `ipairs`

  101.       if p:is_html() then -- if the current part is html part

  102.         local hc = p:get_html() -- we get HTML context

  103.         local len = p:get_length() -- and part's length

  104.         if hc and len < 50 then -- if we have a part that has less than 50 bytes of text

  105.           local images = hc:get_images() -- then we check for HTML images

  106. 

  107.           if images then -- if there are images

  108.             for _,i in ipairs(images) do -- then iterate over images in the part

  109.               if i['height'] + i['width'] >= 400 then -- if we have a large image

  110.                 local tag = i['tag']

  111.                 if tag then

  112.                   if not has_anchor_parent(tag) then

  113.                     return true

  114.                   end

  115.                 end

  116.               end

  117.             end

  118.           end

  119.         end

  120.       end

  121.     end

  122.   end,

  123. 

  124.   score = 2.0,

  125.   group = 'html',

  126.   description = 'Message contains empty parts and image'

  127. }

  128. 

  129. rspamd_config.R_SUSPICIOUS_IMAGES = {

  130.   callback = function(task)

  131.     local tp = task:get_text_parts() -- get text parts in a message

  132. 

  133.     for _, p in ipairs(tp) do

  134.       local h = p:get_html()

  135. 

  136.       if h then

  137.         local l = p:get_words_count()

  138.         local img = h:get_images()

  139.         local pic_words = 0

  140. 

  141.         if img then

  142.           for _, i in ipairs(img) do

  143.             local dim = i['width'] + i['height']

  144.             local tag = i['tag']

  145. 

  146.             if tag then

  147.               if has_anchor_parent(tag) then

  148.                 if dim > 100 and dim < 3000 then

  149.                   -- We assume that a single picture 100x200 contains approx 3 words of text

  150.                   pic_words = pic_words + dim / 100

  151.                 end

  152.               end

  153.             end

  154.           end

  155.         end

  156. 

  157.         if l + pic_words > 0 then

  158.           local rel = pic_words / (l + pic_words)

  159. 

  160.           if rel > 0.5 then

  161.             return true, (rel - 0.5) * 2

  162.           end

  163.         end

  164.       end

  165.     end

  166. 

  167.     return false

  168.   end,

  169. 

  170.   score = 5.0,

  171.   group = 'html',

  172.   description = 'Message contains many suspicious messages'

  173. }

  174. 

  175. local vis_check_id = rspamd_config:register_symbol{

  176.   name = 'HTML_VISIBLE_CHECKS',

  177.   type = 'callback',

  178.   group = 'html',

  179.   callback = function(task)

  180.     --local logger = require "rspamd_logger"

  181.     local tp = task:get_text_parts() -- get text parts in a message

  182.     local ret = false

  183.     local diff = 0.0

  184.     local transp_rate = 0

  185.     local invisible_blocks = 0

  186.     local zero_size_blocks = 0

  187.     local arg

  188. 

  189.     local normal_len = 0

  190.     local transp_len = 0

  191. 

  192.     for _,p in ipairs(tp) do -- iterate over text parts array using `ipairs`

  193.       normal_len = normal_len + p:get_length()

  194.       if p:is_html() and p:get_html() then -- if the current part is html part

  195.         local hc = p:get_html() -- we get HTML context

  196. 

  197.         hc:foreach_tag({'font', 'span', 'div', 'p', 'td'}, function(tag)

  198.           local bl = tag:get_extra()

  199.           if bl then

  200.             if not bl['visible'] then

  201.               invisible_blocks = invisible_blocks + 1

  202.             end

  203. 

  204.             if bl['font_size'] and bl['font_size'] == 0 then

  205.               zero_size_blocks = zero_size_blocks + 1

  206.             end

  207. 

  208.             if bl['bgcolor'] and bl['color'] and bl['visible'] then

  209. 

  210.               local color = bl['color']

  211.               local bgcolor = bl['bgcolor']

  212.               -- Should use visual approach here some day

  213.               local diff_r = math.abs(color[1] - bgcolor[1])

  214.               local diff_g = math.abs(color[2] - bgcolor[2])

  215.               local diff_b = math.abs(color[3] - bgcolor[3])

  216.               local r_avg = (color[1] + bgcolor[1]) / 2.0

  217.               -- Square

  218.               diff_r = diff_r * diff_r

  219.               diff_g = diff_g * diff_g

  220.               diff_b = diff_b * diff_b

  221. 

  222.               diff = math.sqrt(2*diff_r + 4*diff_g + 3 * diff_b +

  223.                   (r_avg * (diff_r - diff_b) / 256.0))

  224.               diff = diff / 256.0

  225. 

  226.               if diff < 0.1 then

  227.                 ret = true

  228.                 local content_len = #(tag:get_content() or {})

  229.                 invisible_blocks = invisible_blocks + 1 -- This block is invisible

  230.                 transp_len = transp_len + content_len * (0.1 - diff) * 10.0

  231.                 normal_len = normal_len - content_len

  232.                 local tr = transp_len / (normal_len + transp_len)

  233.                 if tr > transp_rate then

  234.                   transp_rate = tr

  235.                   arg = string.format('%s color #%x%x%x bgcolor #%x%x%x',

  236.                     tostring(tag:get_type()),

  237.                     color[1], color[2], color[3],

  238.                     bgcolor[1], bgcolor[2], bgcolor[3])

  239.                 end

  240.               end

  241.             end

  242.           end

  243. 

  244.           return false -- Continue search

  245.         end)

  246. 

  247.       end

  248.     end

  249. 

  250.     if ret then

  251.       transp_rate = transp_len / (normal_len + transp_len)

  252. 

  253.       if transp_rate > 0.1 then

  254.         if transp_rate > 0.5 or transp_rate ~= transp_rate then

  255.           transp_rate = 0.5

  256.         end

  257. 

  258.         task:insert_result('R_WHITE_ON_WHITE', (transp_rate * 2.0), arg)

  259.       end

  260.     end

  261. 

  262.     if invisible_blocks > 0 then

  263.       if invisible_blocks > 10 then

  264.         invisible_blocks = 10

  265.       end

  266.       local rates = { -- From 1 to 10

  267.         0.05,

  268.         0.1,

  269.         0.2,

  270.         0.3,

  271.         0.4,

  272.         0.5,

  273.         0.6,

  274.         0.7,

  275.         0.8,

  276.         1.0,

  277.       }

  278.       task:insert_result('MANY_INVISIBLE_PARTS', rates[invisible_blocks],

  279.           tostring(invisible_blocks))

  280.     end

  281. 

  282.     if zero_size_blocks > 0 then

  283.       if zero_size_blocks > 5 then

  284.         if zero_size_blocks > 10 then

  285.           -- Full score

  286.           task:insert_result('ZERO_FONT', 1.0,

  287.               tostring(zero_size_blocks))

  288.         else

  289.           zero_size_blocks = 5

  290.         end

  291.       end

  292. 

  293.       if zero_size_blocks <= 5 then

  294.         local rates = { -- From 1 to 5

  295.           0.1,

  296.           0.2,

  297.           0.2,

  298.           0.3,

  299.           0.5,

  300.         }

  301.         task:insert_result('ZERO_FONT', rates[zero_size_blocks],

  302.             tostring(zero_size_blocks))

  303.       end

  304.     end

  305.   end,

  306. }

  307. 

  308. rspamd_config:register_symbol{

  309.   type = 'virtual',

  310.   parent = vis_check_id,

  311.   name = 'R_WHITE_ON_WHITE',

  312.   description = 'Message contains low contrast text',

  313.   score = 4.0,

  314.   group = 'html',

  315.   one_shot = true,

  316. }

  317. 

  318. rspamd_config:register_symbol{

  319.   type = 'virtual',

  320.   parent = vis_check_id,

  321.   name = 'ZERO_FONT',

  322.   description = 'Zero sized font used',

  323.   score = 1.0, -- Reached if more than 5 elements have zero size

  324.   one_shot = true,

  325.   group = 'html'

  326. }

  327. 

  328. rspamd_config:register_symbol{

  329.   type = 'virtual',

  330.   parent = vis_check_id,

  331.   name = 'MANY_INVISIBLE_PARTS',

  332.   description = 'Many parts are visually hidden',

  333.   score = 1.0, -- Reached if more than 10 elements are hidden

  334.   one_shot = true,

  335.   group = 'html'

  336. }

  337. 

  338. rspamd_config.EXT_CSS = {

  339.   callback = function(task)

  340.     local regexp_lib = require "rspamd_regexp"

  341.     local re = regexp_lib.create_cached('/^.*\\.css(?:[?#].*)?$/i')

  342.     local tp = task:get_text_parts() -- get text parts in a message

  343.     local ret = false

  344.     for _,p in ipairs(tp) do -- iterate over text parts array using `ipairs`

  345.       if p:is_html() and p:get_html() then -- if the current part is html part

  346.         local hc = p:get_html() -- we get HTML context

  347.         hc:foreach_tag({'link'}, function(tag)

  348.           local bl = tag:get_extra()

  349.           if bl then

  350.             local s = tostring(bl)

  351.             if s and re:match(s) then

  352.               ret = true

  353.             end

  354.           end

  355. 

  356.           return ret -- Continue search

  357.         end)

  358. 

  359.       end

  360.     end

  361. 

  362.     return ret

  363.   end,

  364. 

  365.   score = 1.0,

  366.   group = 'html',

  367.   description = 'Message contains external CSS reference'

  368. }

  369. 

  370. rspamd_config.HTTP_TO_HTTPS = {

  371.   callback = function(task)

  372.     local tp = task:get_text_parts()

  373.     if (not tp) then return false end

  374.     for _,p in ipairs(tp) do

  375.       if p:is_html() then

  376.         local hc = p:get_html()

  377.         if (not hc) then return false end

  378.         local found = false

  379.         hc:foreach_tag('a', function (tag, length)

  380.           -- Skip this loop if we already have a match

  381.           if (found) then return true end

  382.           local c = tag:get_content()

  383.           if (c) then

  384.             c = tostring(c):lower()

  385.             if (not c:match('^http')) then return false end

  386.             local u = tag:get_extra()

  387.             if (not u) then return false end

  388.             u = tostring(u):lower()

  389.             if (not u:match('^http')) then return false end

  390.             if ((c:match('^http:') and u:match('^https:')) or

  391.                 (c:match('^https:') and u:match('^http:')))

  392.             then

  393.               found = true

  394.               return true

  395.             end

  396.           end

  397.           return false

  398.         end)

  399.         if (found) then return true end

  400.         return false

  401.       end

  402.     end

  403.     return false

  404.   end,

  405.   description = 'Anchor text contains different scheme to target URL',

  406.   score = 2.0,

  407.   group = 'html'

  408. }

  409. 

  410. rspamd_config.HTTP_TO_IP = {

  411.   callback = function(task)

  412.     local tp = task:get_text_parts()

  413.     if (not tp) then return false end

  414.     for _,p in ipairs(tp) do

  415.       if p:is_html() then

  416.         local hc = p:get_html()

  417.         if (not hc) then return false end

  418.         local found = false

  419.         hc:foreach_tag('a', function (tag, length)

  420.           if (found) then return true end

  421.           local u = tag:get_extra()

  422.           if (u) then

  423.             u = tostring(u):lower()

  424.             if (u:match('^https?://%d+%.%d+%.%d+%.%d+')) then

  425.               found = true

  426.             end

  427.           end

  428.           return false

  429.         end)

  430.         if found then return true end

  431.         return false

  432.       end

  433.     end

  434.   end,

  435.   description = 'Anchor points to an IP address',

  436.   score = 1.0,

  437.   group = 'html'

  438. }