mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 159 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
17081 Commits
28 Branches
Tree: 742c4d84e4
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '742c4d84e4'
${ noResults }
rspamd/rules/html.lua

html.lua 12KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437 
  1. -- Licensed to the Apache Software Foundation (ASF) under one or more

  2. -- contributor license agreements.  See the NOTICE file distributed with

  3. -- this work for additional information regarding copyright ownership.

  4. -- The ASF licenses this file to you under the Apache License, Version 2.0

  5. -- (the "License"); you may not use this file except in compliance with

  6. -- the License.  You may obtain a copy of the License at:

  7. --

  8. --     http://www.apache.org/licenses/LICENSE-2.0

  9. --

  10. -- Unless required by applicable law or agreed to in writing, software

  11. -- distributed under the License is distributed on an "AS IS" BASIS,

  12. -- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  13. -- See the License for the specific language governing permissions and

  14. -- limitations under the License.

  15. 

  16. local reconf = config['regexp']

  17. 

  18. -- Messages that have only HTML part

  19. reconf['MIME_HTML_ONLY'] = {

  20.   re = 'has_only_html_part()',

  21.   score = 0.2,

  22.   description = 'Messages that have only HTML part',

  23.   group = 'headers'

  24. }

  25. 

  26. local function has_anchor_parent(tag)

  27.   local parent = tag

  28.   repeat

  29.     parent = parent:get_parent()

  30.     if parent then

  31.       if parent:get_type() == 'a' then

  32.         return true

  33.       end

  34.     end

  35.   until not parent

  36. 

  37.   return false

  38. end

  39. 

  40. local function check_html_image(task, min, max)

  41.   local tp = task:get_text_parts()

  42. 

  43.   for _,p in ipairs(tp) do

  44.     if p:is_html() then

  45.       local hc = p:get_html()

  46.       local len = p:get_length()

  47. 

  48. 

  49.       if hc and len >= min and len < max then

  50.         local images = hc:get_images()

  51.         if images then

  52.           for _,i in ipairs(images) do

  53.             local tag = i['tag']

  54.             if tag then

  55.               if has_anchor_parent(tag) then

  56.                 -- do not trigger on small and unknown size images

  57.                 if i['height'] + i['width'] >= 210 or not i['embedded'] then

  58.                   return true

  59.                 end

  60.               end

  61.             end

  62.           end

  63.         end

  64.       end

  65.     end

  66.   end

  67. end

  68. 

  69. rspamd_config.HTML_SHORT_LINK_IMG_1 = {

  70.   callback = function(task)

  71.     return check_html_image(task, 0, 1024)

  72.   end,

  73.   score = 2.0,

  74.   group = 'html',

  75.   description = 'Short html part (0..1K) with a link to an image'

  76. }

  77. 

  78. rspamd_config.HTML_SHORT_LINK_IMG_2 = {

  79.   callback = function(task)

  80.     return check_html_image(task, 1024, 1536)

  81.   end,

  82.   score = 1.0,

  83.   group = 'html',

  84.   description = 'Short html part (1K..1.5K) with a link to an image'

  85. }

  86. 

  87. rspamd_config.HTML_SHORT_LINK_IMG_3 = {

  88.   callback = function(task)

  89.     return check_html_image(task, 1536, 2048)

  90.   end,

  91.   score = 0.5,

  92.   group = 'html',

  93.   description = 'Short html part (1.5K..2K) with a link to an image'

  94. }

  95. 

  96. rspamd_config.R_EMPTY_IMAGE = {

  97.   callback = function(task)

  98.     local tp = task:get_text_parts() -- get text parts in a message

  99. 

  100.     for _,p in ipairs(tp) do -- iterate over text parts array using `ipairs`

  101.       if p:is_html() then -- if the current part is html part

  102.         local hc = p:get_html() -- we get HTML context

  103.         local len = p:get_length() -- and part's length

  104.         if hc and len < 50 then -- if we have a part that has less than 50 bytes of text

  105.           local images = hc:get_images() -- then we check for HTML images

  106. 

  107.           if images then -- if there are images

  108.             for _,i in ipairs(images) do -- then iterate over images in the part

  109.               if i['height'] + i['width'] >= 400 then -- if we have a large image

  110.                 local tag = i['tag']

  111.                 if tag then

  112.                   if not has_anchor_parent(tag) then

  113.                     return true

  114.                   end

  115.                 end

  116.               end

  117.             end

  118.           end

  119.         end

  120.       end

  121.     end

  122.   end,

  123. 

  124.   score = 2.0,

  125.   group = 'html',

  126.   description = 'Message contains empty parts and image'

  127. }

  128. 

  129. rspamd_config.R_SUSPICIOUS_IMAGES = {

  130.   callback = function(task)

  131.     local tp = task:get_text_parts() -- get text parts in a message

  132. 

  133.     for _, p in ipairs(tp) do

  134.       local h = p:get_html()

  135. 

  136.       if h then

  137.         local l = p:get_words_count()

  138.         local img = h:get_images()

  139.         local pic_words = 0

  140. 

  141.         if img then

  142.           for _, i in ipairs(img) do

  143.             local dim = i['width'] + i['height']

  144.             local tag = i['tag']

  145. 

  146.             if tag then

  147.               if has_anchor_parent(tag) then

  148.                 if dim > 100 and dim < 3000 then

  149.                   -- We assume that a single picture 100x200 contains approx 3 words of text

  150.                   pic_words = pic_words + dim / 100

  151.                 end

  152.               end

  153.             end

  154.           end

  155.         end

  156. 

  157.         if l + pic_words > 0 then

  158.           local rel = pic_words / (l + pic_words)

  159. 

  160.           if rel > 0.5 then

  161.             return true, (rel - 0.5) * 2

  162.           end

  163.         end

  164.       end

  165.     end

  166. 

  167.     return false

  168.   end,

  169. 

  170.   score = 5.0,

  171.   group = 'html',

  172.   description = 'Message contains many suspicious messages'

  173. }

  174. 

  175. local vis_check_id = rspamd_config:register_symbol{

  176.   name = 'HTML_VISIBLE_CHECKS',

  177.   type = 'callback',

  178.   group = 'html',

  179.   callback = function(task)

  180.     --local logger = require "rspamd_logger"

  181.     local tp = task:get_text_parts() -- get text parts in a message

  182.     local ret = false

  183.     local diff = 0.0

  184.     local transp_rate = 0

  185.     local invisible_blocks = 0

  186.     local zero_size_blocks = 0

  187.     local arg

  188. 

  189.     local normal_len = 0

  190.     local transp_len = 0

  191. 

  192.     for _,p in ipairs(tp) do -- iterate over text parts array using `ipairs`

  193.       normal_len = normal_len + p:get_length()

  194.       if p:is_html() and p:get_html() then -- if the current part is html part

  195.         local hc = p:get_html() -- we get HTML context

  196. 

  197.         hc:foreach_tag({'font', 'span', 'div', 'p', 'td'}, function(tag, clen, is_leaf)

  198.           local bl = tag:get_extra()

  199.           if bl then

  200.             if not bl['visible'] and is_leaf then

  201.               invisible_blocks = invisible_blocks + 1

  202.             end

  203. 

  204.             if bl['font_size'] and bl['font_size'] == 0 and is_leaf then

  205.               zero_size_blocks = zero_size_blocks + 1

  206.             end

  207. 

  208.             if bl['bgcolor'] and bl['color'] and bl['visible'] and is_leaf then

  209. 

  210.               local color = bl['color']

  211.               local bgcolor = bl['bgcolor']

  212.               -- Should use visual approach here some day

  213.               local diff_r = math.abs(color[1] - bgcolor[1])

  214.               local diff_g = math.abs(color[2] - bgcolor[2])

  215.               local diff_b = math.abs(color[3] - bgcolor[3])

  216.               local r_avg = (color[1] + bgcolor[1]) / 2.0

  217.               -- Square

  218.               diff_r = diff_r * diff_r

  219.               diff_g = diff_g * diff_g

  220.               diff_b = diff_b * diff_b

  221. 

  222.               diff = math.sqrt(2*diff_r + 4*diff_g + 3 * diff_b +

  223.                   (r_avg * (diff_r - diff_b) / 256.0))

  224.               diff = diff / 256.0

  225. 

  226.               if diff < 0.1 then

  227.                 ret = true

  228.                 invisible_blocks = invisible_blocks + 1 -- This block is invisible

  229.                 transp_len = transp_len + clen * (0.1 - diff) * 10.0

  230.                 normal_len = normal_len - clen

  231.                 local tr = transp_len / (normal_len + transp_len)

  232.                 if tr > transp_rate then

  233.                   transp_rate = tr

  234.                   arg = string.format('%s color #%x%x%x bgcolor #%x%x%x',

  235.                     tostring(tag:get_type()),

  236.                     color[1], color[2], color[3],

  237.                     bgcolor[1], bgcolor[2], bgcolor[3])

  238.                 end

  239.               end

  240.             end

  241.           end

  242. 

  243.           return false -- Continue search

  244.         end)

  245. 

  246.       end

  247.     end

  248. 

  249.     if ret then

  250.       transp_rate = transp_len / (normal_len + transp_len)

  251. 

  252.       if transp_rate > 0.1 then

  253.         if transp_rate > 0.5 or transp_rate ~= transp_rate then

  254.           transp_rate = 0.5

  255.         end

  256. 

  257.         task:insert_result('R_WHITE_ON_WHITE', (transp_rate * 2.0), arg)

  258.       end

  259.     end

  260. 

  261.     if invisible_blocks > 0 then

  262.       if invisible_blocks > 10 then

  263.         invisible_blocks = 10

  264.       end

  265.       local rates = { -- From 1 to 10

  266.         0.05,

  267.         0.1,

  268.         0.2,

  269.         0.3,

  270.         0.4,

  271.         0.5,

  272.         0.6,

  273.         0.7,

  274.         0.8,

  275.         1.0,

  276.       }

  277.       task:insert_result('MANY_INVISIBLE_PARTS', rates[invisible_blocks],

  278.           tostring(invisible_blocks))

  279.     end

  280. 

  281.     if zero_size_blocks > 0 then

  282.       if zero_size_blocks > 5 then

  283.         if zero_size_blocks > 10 then

  284.           -- Full score

  285.           task:insert_result('ZERO_FONT', 1.0,

  286.               tostring(zero_size_blocks))

  287.         else

  288.           zero_size_blocks = 5

  289.         end

  290.       end

  291. 

  292.       if zero_size_blocks <= 5 then

  293.         local rates = { -- From 1 to 5

  294.           0.1,

  295.           0.2,

  296.           0.2,

  297.           0.3,

  298.           0.5,

  299.         }

  300.         task:insert_result('ZERO_FONT', rates[zero_size_blocks],

  301.             tostring(zero_size_blocks))

  302.       end

  303.     end

  304.   end,

  305. }

  306. 

  307. rspamd_config:register_symbol{

  308.   type = 'virtual',

  309.   parent = vis_check_id,

  310.   name = 'R_WHITE_ON_WHITE',

  311.   description = 'Message contains low contrast text',

  312.   score = 4.0,

  313.   group = 'html',

  314.   one_shot = true,

  315. }

  316. 

  317. rspamd_config:register_symbol{

  318.   type = 'virtual',

  319.   parent = vis_check_id,

  320.   name = 'ZERO_FONT',

  321.   description = 'Zero sized font used',

  322.   score = 1.0, -- Reached if more than 5 elements have zero size

  323.   one_shot = true,

  324.   group = 'html'

  325. }

  326. 

  327. rspamd_config:register_symbol{

  328.   type = 'virtual',

  329.   parent = vis_check_id,

  330.   name = 'MANY_INVISIBLE_PARTS',

  331.   description = 'Many parts are visually hidden',

  332.   score = 1.0, -- Reached if more than 10 elements are hidden

  333.   one_shot = true,

  334.   group = 'html'

  335. }

  336. 

  337. rspamd_config.EXT_CSS = {

  338.   callback = function(task)

  339.     local regexp_lib = require "rspamd_regexp"

  340.     local re = regexp_lib.create_cached('/^.*\\.css(?:[?#].*)?$/i')

  341.     local tp = task:get_text_parts() -- get text parts in a message

  342.     local ret = false

  343.     for _,p in ipairs(tp) do -- iterate over text parts array using `ipairs`

  344.       if p:is_html() and p:get_html() then -- if the current part is html part

  345.         local hc = p:get_html() -- we get HTML context

  346.         hc:foreach_tag({'link'}, function(tag)

  347.           local bl = tag:get_extra()

  348.           if bl then

  349.             local s = tostring(bl)

  350.             if s and re:match(s) then

  351.               ret = true

  352.             end

  353.           end

  354. 

  355.           return ret -- Continue search

  356.         end)

  357. 

  358.       end

  359.     end

  360. 

  361.     return ret

  362.   end,

  363. 

  364.   score = 1.0,

  365.   group = 'html',

  366.   description = 'Message contains external CSS reference'

  367. }

  368. 

  369. rspamd_config.HTTP_TO_HTTPS = {

  370.   callback = function(task)

  371.     local tp = task:get_text_parts()

  372.     if (not tp) then return false end

  373.     for _,p in ipairs(tp) do

  374.       if p:is_html() then

  375.         local hc = p:get_html()

  376.         if (not hc) then return false end

  377.         local found = false

  378.         hc:foreach_tag('a', function (tag, length)

  379.           -- Skip this loop if we already have a match

  380.           if (found) then return true end

  381.           local c = tag:get_content()

  382.           if (c) then

  383.             c = tostring(c):lower()

  384.             if (not c:match('^http')) then return false end

  385.             local u = tag:get_extra()

  386.             if (not u) then return false end

  387.             u = tostring(u):lower()

  388.             if (not u:match('^http')) then return false end

  389.             if ((c:match('^http:') and u:match('^https:')) or

  390.                 (c:match('^https:') and u:match('^http:')))

  391.             then

  392.               found = true

  393.               return true

  394.             end

  395.           end

  396.           return false

  397.         end)

  398.         if (found) then return true end

  399.         return false

  400.       end

  401.     end

  402.     return false

  403.   end,

  404.   description = 'Anchor text contains different scheme to target URL',

  405.   score = 2.0,

  406.   group = 'html'

  407. }

  408. 

  409. rspamd_config.HTTP_TO_IP = {

  410.   callback = function(task)

  411.     local tp = task:get_text_parts()

  412.     if (not tp) then return false end

  413.     for _,p in ipairs(tp) do

  414.       if p:is_html() then

  415.         local hc = p:get_html()

  416.         if (not hc) then return false end

  417.         local found = false

  418.         hc:foreach_tag('a', function (tag, length)

  419.           if (found) then return true end

  420.           local u = tag:get_extra()

  421.           if (u) then

  422.             u = tostring(u):lower()

  423.             if (u:match('^https?://%d+%.%d+%.%d+%.%d+')) then

  424.               found = true

  425.             end

  426.           end

  427.           return false

  428.         end)

  429.         if found then return true end

  430.         return false

  431.       end

  432.     end

  433.   end,

  434.   description = 'Anchor points to an IP address',

  435.   score = 1.0,

  436.   group = 'html'

  437. }