mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 159 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6954 Commits
29 Branches
Tree: 4eac8a4828
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '4eac8a4828'
${ noResults }
rspamd/rules/misc.lua

misc.lua 9.4KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363 
  1. --[[

  2. Copyright (c) 2011-2015, Vsevolod Stakhov <vsevolod@highsecure.ru>

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");

  5. you may not use this file except in compliance with the License.

  6. You may obtain a copy of the License at

  7. 

  8.     http://www.apache.org/licenses/LICENSE-2.0

  9. 

  10. Unless required by applicable law or agreed to in writing, software

  11. distributed under the License is distributed on an "AS IS" BASIS,

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  13. See the License for the specific language governing permissions and

  14. limitations under the License.

  15. ]]--

  16. 

  17. -- This is main lua config file for rspamd

  18. 

  19. local util = require "rspamd_util"

  20. local rspamd_regexp = require "rspamd_regexp"

  21. local rspamd_logger = require "rspamd_logger"

  22. 

  23. local reconf = config['regexp']

  24. 

  25. -- Uncategorized rules

  26. local subject_re = rspamd_regexp.create('/^(?:(?:Re|Fwd|Fw|Aw|Antwort|Sv):\\s*)+(.+)$/i')

  27. 

  28. -- Local rules

  29. local r_bgcolor = '/BGCOLOR=/iP'

  30. local r_font_color = '/font color=[\\"\']?\\#FFFFFF[\\"\']?/iP'

  31. reconf['R_WHITE_ON_WHITE'] = string.format('(!(%s) & (%s))', r_bgcolor, r_font_color)

  32. reconf['R_FLASH_REDIR_IMGSHACK'] = '/^(?:http:\\/\\/)?img\\d{1,5}\\.imageshack\\.us\\/\\S+\\.swf/U'

  33. 

  34. -- Local functions

  35. 

  36. 

  37. -- Subject issues

  38. local function test_subject(task, check_function, rate)

  39.   local function normalize_linear(a, x)

  40.       local f = a * x

  41.       return true, (( f < 1 ) and f or 1), tostring(x)

  42.   end

  43. 

  44.   local sbj = task:get_header('Subject')

  45. 

  46.   if sbj then

  47.     local stripped_subject = subject_re:search(sbj, false, true)

  48.     if stripped_subject and stripped_subject[1] and stripped_subject[1][2] then

  49.       sbj = stripped_subject[1][2]

  50.     end

  51. 

  52.     local l = util.strlen_utf8(sbj)

  53.     if check_function(sbj, l) then

  54.       return normalize_linear(rate, l)

  55.     end

  56.   end

  57. 

  58.   return false

  59. end

  60. 

  61. rspamd_config.SUBJ_ALL_CAPS = {

  62.   callback = function(task)

  63.     local caps_test = function(sbj, len)

  64.       return util.is_uppercase(sbj)

  65.     end

  66.     return test_subject(task, caps_test, 1.0/40.0)

  67.   end,

  68.   score = 3.0,

  69.   group = 'subject',

  70.   description = 'All capital letters in subject'

  71. }

  72. 

  73. rspamd_config.LONG_SUBJ = {

  74.   callback = function(task)

  75.     local length_test = function(sbj, len)

  76.       return len > 200

  77.     end

  78.     return test_subject(task, length_test, 1.0/400.0)

  79.   end,

  80.   score = 3.0,

  81.   group = 'subject',

  82.   description = 'Subject is too long'

  83. }

  84. 

  85. -- Different text parts

  86. rspamd_config.R_PARTS_DIFFER = function(task)

  87.   local distance = task:get_mempool():get_variable('parts_distance', 'double')

  88. 

  89.   if distance then

  90.     local nd = tonumber(distance)

  91.     -- ND is relation of different words to total words

  92.     if nd >= 0.5 then

  93.       local tw = task:get_mempool():get_variable('total_words', 'int')

  94. 

  95.       if tw then

  96.         local score

  97.         if tw > 30 then

  98.           -- We are confident about difference

  99.           score = (nd - 0.5) * 2.0

  100.         else

  101.           -- We are not so confident about difference

  102.           score = (nd - 0.5)

  103.         end

  104.         task:insert_result('R_PARTS_DIFFER', score,

  105.           string.format('%.1f%%', tostring(100.0 * nd)))

  106.       end

  107.     end

  108.   end

  109. 

  110.   return false

  111. end

  112. 

  113. -- Date issues

  114. rspamd_config.MISSING_DATE = function(task)

  115. 	if rspamd_config:get_api_version() >= 5 then

  116. 		local date = task:get_header_raw('Date')

  117. 		if date == nil or date == '' then

  118. 			return true

  119. 		end

  120. 	end

  121. 

  122. 	return false

  123. end

  124. rspamd_config.DATE_IN_FUTURE = function(task)

  125. 	if rspamd_config:get_api_version() >= 5 then

  126. 		local dm = task:get_date{format = 'message'}

  127. 		local dt = task:get_date{format = 'connect'}

  128. 		-- An 2 hour

  129. 		if dm > 0 and dm - dt > 7200 then

  130. 			return true

  131. 		end

  132. 	end

  133. 

  134. 	return false

  135. end

  136. rspamd_config.DATE_IN_PAST = function(task)

  137. 	if rspamd_config:get_api_version() >= 5 then

  138.     local dm = task:get_date{format = 'message', gmt = true}

  139.     local dt = task:get_date{format = 'connect', gmt = true}

  140. 		-- A day

  141. 		if dm > 0 and dt - dm > 86400 then

  142. 			return true

  143. 		end

  144. 	end

  145. 

  146. 	return false

  147. end

  148. 

  149. rspamd_config.R_SUSPICIOUS_URL = function(task)

  150.     local urls = task:get_urls()

  151. 

  152.     if urls then

  153.       for i,u in ipairs(urls) do

  154.         if u:is_obscured() then

  155.           task:insert_result('R_SUSPICIOUS_URL', 1.0, u:get_host())

  156.         end

  157.       end

  158.     end

  159.     return false

  160. end

  161. 

  162. rspamd_config.BROKEN_HEADERS = {

  163.   callback = function(task)

  164.     if task:has_flag('broken_headers') then

  165.       return true

  166.     end

  167. 

  168.     return false

  169.   end,

  170.   score = 1.0,

  171.   group = 'header',

  172.   description = 'Headers structure is likely broken'

  173. }

  174. 

  175. rspamd_config.HEADER_RCONFIRM_MISMATCH = {

  176.   callback = function (task)

  177.     local header_from = nil

  178.     local cread = task:get_header('X-Confirm-Reading-To')

  179. 

  180.     if task:has_from('mime') then

  181.       header_from  = task:get_from('mime')[1]

  182.     end

  183. 

  184.     local header_cread = nil

  185.     if cread then

  186.       local headers_cread = util.parse_mail_address(cread)

  187.       if headers_cread then header_cread = headers_cread[1] end

  188.     end

  189. 

  190.     if header_from and header_cread then

  191.       if not string.find(header_from['addr'], header_cread['addr']) then

  192.         return true

  193.       end

  194.     end

  195. 

  196.     return false

  197.   end,

  198. 

  199.   score = 2.0,

  200.   group = 'header',

  201.   description = 'Read confirmation address is different to from address'

  202. }

  203. 

  204. rspamd_config.HEADER_FORGED_MDN = {

  205.   callback = function (task)

  206.     local mdn = task:get_header('Disposition-Notification-To')

  207.     local header_rp = nil

  208. 

  209.     if task:has_from('smtp') then

  210.       header_rp = task:get_from('smtp')[1]

  211.     end

  212. 

  213.     -- Parse mail addr

  214.     local header_mdn = nil

  215.     if mdn then

  216.       local headers_mdn = util.parse_mail_address(mdn)

  217.       if headers_mdn then header_mdn = headers_mdn[1] end

  218.     end

  219. 

  220.     if header_mdn and not header_rp  then return true end

  221.     if header_rp  and not header_mdn then return false end

  222. 

  223.     if header_mdn and header_mdn['addr'] ~= header_rp['addr'] then

  224.       return true

  225.     end

  226. 

  227.     return false

  228.   end,

  229. 

  230.   score = 2.0,

  231.   group = 'header',

  232.   description = 'Read confirmation address is different to return path'

  233. }

  234. 

  235. local headers_unique = {

  236.   'Content-Type',

  237.   'Content-Transfer-Encoding',

  238.   -- https://tools.ietf.org/html/rfc5322#section-3.6

  239.   'Date',

  240.   'From',

  241.   'Sender',

  242.   'Reply-To',

  243.   'To',

  244.   'Cc',

  245.   'Bcc',

  246.   'Message-ID',

  247.   'In-Reply-To',

  248.   'References',

  249.   'Subject'

  250. }

  251. 

  252. rspamd_config.MULTIPLE_UNIQUE_HEADERS = {

  253.   callback = function (task)

  254.     local res = 0

  255.     local res_tbl = {}

  256. 

  257.     for i,hdr in ipairs(headers_unique) do

  258.       local h = task:get_header_full(hdr)

  259. 

  260.       if h and #h > 1 then

  261.         res = res + 1

  262.         table.insert(res_tbl, hdr)

  263.       end

  264.     end

  265. 

  266.     if res > 0 then

  267.       return true,res,table.concat(res_tbl, ',')

  268.     end

  269. 

  270.     return false

  271.   end,

  272. 

  273.   score = 5.0,

  274.   group = 'header',

  275.   description = 'Repeated unique headers'

  276. }

  277. 

  278. rspamd_config.ENVFROM_PRVS = {

  279.     callback = function (task)

  280.         -- Detect PRVS/BATV addresses to avoid FORGED_SENDER

  281.         -- https://en.wikipedia.org/wiki/Bounce_Address_Tag_Validation

  282.         if not (task:has_from(1) and task:has_from(2)) then

  283.             return false

  284.         end

  285.         local envfrom = task:get_from(1)

  286.         local tag,ef = envfrom[1].addr:lower():match("^prvs=([^=]+)=(.+)$")

  287.         if not ef then return false end

  288.         -- See if it matches the From header

  289.         local from = task:get_from(2)

  290.         if ef == from[1].addr:lower() then

  291.             return true

  292.         end

  293.         return false

  294.     end,

  295.     score = 0.01,

  296.     description = "Envelope From is a PRVS address that matches the From address",

  297.     group = 'prvs'

  298. }

  299. 

  300. rspamd_config.ENVFROM_VERP = {

  301.     callback = function (task)

  302.         if not (task:has_from(1) and task:has_recipients(1)) then

  303.             return false

  304.         end

  305.         local envfrom = task:get_from(1)

  306.         local envrcpts = task:get_recipients(1)

  307.         -- VERP only works for single recipient messages

  308.         if table.getn(envrcpts) > 1 then return false end

  309.         -- Get recipient and compute VERP address

  310.         local rcpt = envrcpts[1].addr:lower()

  311.         local verp = rcpt:gsub('@','=')

  312.         -- Get the user portion of the envfrom

  313.         local ef_user = envfrom[1].user:lower()

  314.         -- See if the VERP representation of the recipient appears in it

  315.         if ef_user:find(verp, 1, true)

  316.            and not ef_user:find('+caf_=' .. verp, 1, true) -- Google Forwarding

  317.            and not ef_user:find('^srs[01]=')               -- SRS

  318.         then

  319.             return true

  320.         end

  321.         return false

  322.     end,

  323.     score = 0.01,

  324.     description = "Envelope From is a VERP address",

  325.     group = "mailing_list"

  326. }

  327. 

  328. rspamd_config.RCVD_TLS_ALL = {

  329.     callback = function (task)

  330.         local rcvds = task:get_header_full('Received')

  331.         if not rcvds then return false end

  332.         local count = 0

  333.         local encrypted = 0

  334.         for _, rcvd in ipairs(rcvds) do

  335.             count = count + 1

  336.             local r = rcvd['decoded']:lower()

  337.             local by = r:match('^by%s+([^%s]+)') or r:match('%sby%s+([^%s]+)')

  338.             local with = r:match('%swith%s+(e?smtps?a?)')

  339.             if with and with:match('esmtps') then

  340.                 encrypted = encrypted + 1

  341.             end

  342.         end

  343.         if (count > 0 and count == encrypted) then

  344.             return true

  345.         end

  346.     end,

  347.     score = 0.01,

  348.     description = "All hops used encrypted transports",

  349.     group = "encryption"

  350. }

  351. 

  352. rspamd_config.MISSING_FROM = {

  353.     callback = function(task)

  354.       local from = task:get_header('From')

  355.       if from == nil or from == '' then

  356.         return true

  357.       end

  358.       return false

  359.     end,

  360.     score = 2.0,

  361.     group = 'header',

  362.     description = 'Missing From: header'

  363. }