mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 159 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
11883 Commits
29 Branches
Tree: 4e7ac93ca2
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '4e7ac93ca2'
${ noResults }
rspamd/rules/html.lua

html.lua 9.9KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339 
  1. -- Licensed to the Apache Software Foundation (ASF) under one or more

  2. -- contributor license agreements.  See the NOTICE file distributed with

  3. -- this work for additional information regarding copyright ownership.

  4. -- The ASF licenses this file to you under the Apache License, Version 2.0

  5. -- (the "License"); you may not use this file except in compliance with

  6. -- the License.  You may obtain a copy of the License at:

  7. --

  8. --     http://www.apache.org/licenses/LICENSE-2.0

  9. --

  10. -- Unless required by applicable law or agreed to in writing, software

  11. -- distributed under the License is distributed on an "AS IS" BASIS,

  12. -- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  13. -- See the License for the specific language governing permissions and

  14. -- limitations under the License.

  15. 

  16. local reconf = config['regexp']

  17. 

  18. -- Messages that have only HTML part

  19. reconf['MIME_HTML_ONLY'] = {

  20.   re = 'has_only_html_part()',

  21.   score = 0.2,

  22.   description = 'Messages that have only HTML part',

  23.   group = 'headers'

  24. }

  25. 

  26. local function check_html_image(task, min, max)

  27.   local tp = task:get_text_parts()

  28. 

  29.   for _,p in ipairs(tp) do

  30.     if p:is_html() then

  31.       local hc = p:get_html()

  32.       local len = p:get_length()

  33. 

  34. 

  35.       if hc and len >= min and len < max then

  36.         local images = hc:get_images()

  37.         if images then

  38.           for _,i in ipairs(images) do

  39.             local tag = i['tag']

  40.             if tag then

  41.               local parent = tag:get_parent()

  42.               if parent then

  43.                 if parent:get_type() == 'a' then

  44.                   -- do not trigger on small and unknown size images

  45.                   if i['height'] + i['width'] >= 210 or not i['embedded'] then

  46.                     return true

  47.                   end

  48.                 end

  49.               end

  50.             end

  51.           end

  52.         end

  53.       end

  54.     end

  55.   end

  56. end

  57. 

  58. rspamd_config.HTML_SHORT_LINK_IMG_1 = {

  59.   callback = function(task)

  60.     return check_html_image(task, 0, 1024)

  61.   end,

  62.   score = 2.0,

  63.   group = 'html',

  64.   description = 'Short html part (0..1K) with a link to an image'

  65. }

  66. 

  67. rspamd_config.HTML_SHORT_LINK_IMG_2 = {

  68.   callback = function(task)

  69.     return check_html_image(task, 1024, 1536)

  70.   end,

  71.   score = 1.0,

  72.   group = 'html',

  73.   description = 'Short html part (1K..1.5K) with a link to an image'

  74. }

  75. 

  76. rspamd_config.HTML_SHORT_LINK_IMG_3 = {

  77.   callback = function(task)

  78.     return check_html_image(task, 1536, 2048)

  79.   end,

  80.   score = 0.5,

  81.   group = 'html',

  82.   description = 'Short html part (1.5K..2K) with a link to an image'

  83. }

  84. rspamd_config.R_EMPTY_IMAGE = {

  85.   callback = function(task)

  86.     local tp = task:get_text_parts() -- get text parts in a message

  87. 

  88.     for _,p in ipairs(tp) do -- iterate over text parts array using `ipairs`

  89.       if p:is_html() then -- if the current part is html part

  90.         local hc = p:get_html() -- we get HTML context

  91.         local len = p:get_length() -- and part's length

  92. 

  93.         if hc and len < 50 then -- if we have a part that has less than 50 bytes of text

  94.           local images = hc:get_images() -- then we check for HTML images

  95. 

  96.           if images then -- if there are images

  97.             for _,i in ipairs(images) do -- then iterate over images in the part

  98.               if i['height'] + i['width'] >= 400 then -- if we have a large image

  99.                 local tag = i['tag']

  100.                 if tag then

  101.                   local parent = tag:get_parent()

  102.                   if parent then

  103.                     if parent:get_type() ~= 'a' then

  104.                       return true

  105.                     end

  106.                   end

  107.                 end

  108.               end

  109.             end

  110.           end

  111.         end

  112.       end

  113.     end

  114.   end,

  115. 

  116.   score = 2.0,

  117.   group = 'html',

  118.   description = 'Message contains empty parts and image'

  119. }

  120. 

  121. rspamd_config.R_SUSPICIOUS_IMAGES = {

  122.   callback = function(task)

  123.     local tp = task:get_text_parts() -- get text parts in a message

  124. 

  125.     for _, p in ipairs(tp) do

  126.       local h = p:get_html()

  127. 

  128.       if h then

  129.         local l = p:get_words_count()

  130.         local img = h:get_images()

  131.         local pic_words = 0

  132. 

  133.         if img then

  134.           for _, i in ipairs(img) do

  135.             local dim = i['width'] + i['height']

  136.             local tag = i['tag']

  137. 

  138.             if tag then

  139.               local parent = tag:get_parent()

  140.               if parent then

  141.                 if parent:get_type() == 'a' then

  142.                   -- do not trigger on small and large images

  143.                   if dim > 100 and dim < 3000 then

  144.                     -- We assume that a single picture 100x200 contains approx 3 words of text

  145.                     pic_words = pic_words + dim / 100

  146.                   end

  147.                 end

  148.               end

  149.             end

  150.           end

  151.         end

  152. 

  153.         if l + pic_words > 0 then

  154.           local rel = pic_words / (l + pic_words)

  155. 

  156.           if rel > 0.5 then

  157.             return true, (rel - 0.5) * 2

  158.           end

  159.         end

  160.       end

  161.     end

  162. 

  163.     return false

  164.   end,

  165. 

  166.   score = 5.0,

  167.   group = 'html',

  168.   description = 'Message contains many suspicious messages'

  169. }

  170. 

  171. rspamd_config.R_WHITE_ON_WHITE = {

  172.   callback = function(task)

  173.     local tp = task:get_text_parts() -- get text parts in a message

  174.     local ret = false

  175.     local diff = 0.0

  176.     local transp_rate = 0

  177.     local arg

  178. 

  179.     for _,p in ipairs(tp) do -- iterate over text parts array using `ipairs`

  180.       if p:is_html() and p:get_html() then -- if the current part is html part

  181.         local normal_len = p:get_length()

  182.         local transp_len = 0

  183.         local hc = p:get_html() -- we get HTML context

  184. 

  185.         hc:foreach_tag({'font', 'span', 'div', 'p'}, function(tag)

  186.           local bl = tag:get_extra()

  187.           if bl then

  188.             if bl['bgcolor'] and bl['color'] and bl['visible'] then

  189. 

  190.               local color = bl['color']

  191.               local bgcolor = bl['bgcolor']

  192.               -- Should use visual approach here some day

  193.               local diff_r = math.abs(color[1] - bgcolor[1]) / 255.0

  194.               local diff_g = math.abs(color[2] - bgcolor[2]) / 255.0

  195.               local diff_b = math.abs(color[3] - bgcolor[3]) / 255.0

  196.               diff = (diff_r + diff_g + diff_b) / 3.0

  197. 

  198.               if diff < 0.1 then

  199.                 ret = true

  200.                 transp_len = (tag:get_content_length()) *

  201.                   (0.1 - diff) * 5.0

  202.                 normal_len = normal_len - tag:get_content_length()

  203.                 local tr = transp_len / (normal_len + transp_len)

  204.                 if tr > transp_rate then

  205.                   transp_rate = tr

  206.                   arg = string.format('%s color #%x%x%x bgcolor #%x%x%x',

  207.                     tostring(tag:get_type()),

  208.                     color[1], color[2], color[3],

  209.                     bgcolor[1], bgcolor[2], bgcolor[3])

  210.                 end

  211.               end

  212.             end

  213.           end

  214. 

  215.           return false -- Continue search

  216.         end)

  217. 

  218.       end

  219.     end

  220. 

  221.     if ret then

  222.       if transp_rate > 0.1 then

  223.         if transp_rate > 0.5 or transp_rate ~= transp_rate then

  224.           transp_rate = 0.5

  225.         end

  226.         return true,(transp_rate * 2.0),arg

  227.       end

  228.     end

  229. 

  230.     return false

  231.   end,

  232. 

  233.   score = 4.0,

  234.   group = 'html',

  235.   one_shot = true,

  236.   description = 'Message contains low contrast text'

  237. }

  238. 

  239. rspamd_config.EXT_CSS = {

  240.   callback = function(task)

  241.     local regexp_lib = require "rspamd_regexp"

  242.     local re = regexp_lib.create_cached('/^.*\\.css(?:[?#].*)?$/i')

  243.     local tp = task:get_text_parts() -- get text parts in a message

  244.     local ret = false

  245.     for _,p in ipairs(tp) do -- iterate over text parts array using `ipairs`

  246.       if p:is_html() and p:get_html() then -- if the current part is html part

  247.         local hc = p:get_html() -- we get HTML context

  248.         hc:foreach_tag({'link'}, function(tag)

  249.           local bl = tag:get_extra()

  250.           if bl then

  251.             local s = tostring(bl)

  252.             if s and re:match(s) then

  253.               ret = true

  254.             end

  255.           end

  256. 

  257.           return ret -- Continue search

  258.         end)

  259. 

  260.       end

  261.     end

  262. 

  263.     return ret

  264.   end,

  265. 

  266.   score = 1.0,

  267.   group = 'html',

  268.   description = 'Message contains external CSS reference'

  269. }

  270. 

  271. rspamd_config.HTTP_TO_HTTPS = {

  272.   callback = function(task)

  273.     local tp = task:get_text_parts()

  274.     if (not tp) then return false end

  275.     for _,p in ipairs(tp) do

  276.       if p:is_html() then

  277.         local hc = p:get_html()

  278.         if (not hc) then return false end

  279.         local found = false

  280.         hc:foreach_tag('a', function (tag, length)

  281.           -- Skip this loop if we already have a match

  282.           if (found) then return true end

  283.           local c = tag:get_content()

  284.           if (c) then

  285.             c = tostring(c):lower()

  286.             if (not c:match('^http')) then return false end

  287.             local u = tag:get_extra()

  288.             if (not u) then return false end

  289.             u = tostring(u):lower()

  290.             if (not u:match('^http')) then return false end

  291.             if ((c:match('^http:') and u:match('^https:')) or

  292.                 (c:match('^https:') and u:match('^http:')))

  293.             then

  294.               found = true

  295.               return true

  296.             end

  297.           end

  298.           return false

  299.         end)

  300.         if (found) then return true end

  301.         return false

  302.       end

  303.     end

  304.     return false

  305.   end,

  306.   description = 'Anchor text contains different scheme to target URL',

  307.   score = 2.0,

  308.   group = 'html'

  309. }

  310. 

  311. rspamd_config.HTTP_TO_IP = {

  312.   callback = function(task)

  313.     local tp = task:get_text_parts()

  314.     if (not tp) then return false end

  315.     for _,p in ipairs(tp) do

  316.       if p:is_html() then

  317.         local hc = p:get_html()

  318.         if (not hc) then return false end

  319.         local found = false

  320.         hc:foreach_tag('a', function (tag, length)

  321.           if (found) then return true end

  322.           local u = tag:get_extra()

  323.           if (u) then

  324.             u = tostring(u):lower()

  325.             if (u:match('^https?://%d+%.%d+%.%d+%.%d+')) then

  326.               found = true

  327.             end

  328.           end

  329.           return false

  330.         end)

  331.         if found then return true end

  332.         return false

  333.       end

  334.     end

  335.   end,

  336.   description = 'Anchor points to an IP address',

  337.   score = 1.0,

  338.   group = 'html'

  339. }