mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 159 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
19118 Commits
29 Branches
Tree: 7afa0694da
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '7afa0694da'
${ noResults }
rspamd/rules/regexp/compromised_hosts.lua

compromised_hosts.lua 6.9KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214 
  1. local reconf = config['regexp']

  2. local rspamd_regexp = require 'rspamd_regexp'

  3. local util = require 'rspamd_util'

  4. 

  5. reconf['HAS_PHPMAILER_SIG'] = {

  6.   -- PHPMailer 6.0.0 and older used hex hash in boundary:

  7.   -- boundary="b1_2a45d5e29f78d3408e318878b049f474"

  8.   -- Since 6.0.1 it uses base64 (without =+/):

  9.   -- boundary="b1_uBN0UPD3n6RU04VPxI54tENiDgaCGoh15l9s73oFnlM"

  10.   -- boundary="b1_Ez5tmpb4bSqknyUZ1B1hIvLAfR1MlspDEKGioCOXc"

  11.   -- https://github.com/PHPMailer/PHPMailer/blob/v6.4.0/src/PHPMailer.php#L2660

  12.   re = [[X-Mailer=/^PHPMailer /H || Content-Type=/boundary="b1_[0-9a-zA-Z]+"/H]],

  13.   description = "PHPMailer signature",

  14.   group = "compromised_hosts"

  15. }

  16. 

  17. reconf['PHP_SCRIPT_ROOT'] = {

  18.   re = "X-PHP-Originating-Script=/^0:/Hi",

  19.   description = "PHP Script executed by root UID",

  20.   score = 1.0,

  21.   group = "compromised_hosts"

  22. }

  23. 

  24. reconf['HAS_X_POS'] = {

  25.   re = "header_exists('X-PHP-Originating-Script')",

  26.   description = "Has X-PHP-Originating-Script header",

  27.   group = "compromised_hosts"

  28. }

  29. 

  30. reconf['HAS_X_PHP_SCRIPT'] = {

  31.   re = "header_exists('X-PHP-Script')",

  32.   description = "Has X-PHP-Script header",

  33.   group = "compromised_hosts"

  34. }

  35. 

  36. -- X-Source:

  37. -- X-Source-Args: /usr/sbin/proxyexec -q -d -s /var/run/proxyexec/cagefs.sock/socket /bin/cagefs.server

  38. -- X-Source-Dir: silvianimberg.com:/public_html/wp-content/themes/ultimatum

  39. reconf['HAS_X_SOURCE'] = {

  40.   re = "header_exists('X-Source') || header_exists('X-Source-Args') || header_exists('X-Source-Dir')",

  41.   description = "Has X-Source headers",

  42.   group = "compromised_hosts"

  43. }

  44. 

  45. -- X-Authenticated-Sender: accord.host-care.com: sales@cortaflex.si

  46. rspamd_config.HAS_X_AS = {

  47.   callback = function (task)

  48.     local xas = task:get_header('X-Authenticated-Sender')

  49.     if not xas then return false end

  50.     local _,_,auth = xas:find('[^:]+:%s(.+)$')

  51.     if auth then

  52.       -- TODO: see if we can parse an e-mail address from auth

  53.       --       and see if it matches the from address or not

  54.       return true, auth

  55.     else

  56.       return true

  57.     end

  58.   end,

  59.   description = 'Has X-Authenticated-Sender header',

  60.   group = "compromised_hosts",

  61.   score = 0.0

  62. }

  63. 

  64. -- X-Get-Message-Sender-Via: accord.host-care.com: authenticated_id: sales@cortaflex.si

  65. rspamd_config.HAS_X_GMSV = {

  66.   callback = function (task)

  67.     local xgmsv = task:get_header('X-Get-Message-Sender-Via')

  68.     if not xgmsv then return false end

  69.     local _,_,auth = xgmsv:find('authenticated_id: (.+)$')

  70.     if auth then

  71.       -- TODO: see if we can parse an e-mail address from auth

  72.       --       and see if it matches the from address or not.

  73.       return true, auth

  74.     else

  75.       return true

  76.     end

  77.   end,

  78.   description = 'Has X-Get-Message-Sender-Via: header',

  79.   group = "compromised_hosts",

  80.   score = 0.0,

  81. }

  82. 

  83. -- X-AntiAbuse: This header was added to track abuse, please include it with any abuse report

  84. -- X-AntiAbuse: Primary Hostname - accord.host-care.com

  85. -- X-AntiAbuse: Original Domain - swaney.com

  86. -- X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]

  87. -- X-AntiAbuse: Sender Address Domain - dropbox.com

  88. reconf['HAS_X_ANTIABUSE'] = {

  89.   re = "header_exists('X-AntiAbuse')",

  90.   description = "Has X-AntiAbuse headers",

  91.   group = "compromised_hosts"

  92. }

  93. 

  94. reconf['X_PHP_EVAL'] = {

  95.   re = [[X-PHP-Script=/eval\(\)'d code/H || X-PHP-Originating-Script=/eval\(\)'d code/H]],

  96.   description = "Message sent using eval'd PHP",

  97.   score = 4.0,

  98.   group = "compromised_hosts"

  99. }

  100. 

  101. reconf['HAS_WP_URI'] = {

  102.   re = '/\\/wp-[^\\/]+\\//Ui',

  103.   description = "Contains WordPress URIs",

  104.   one_shot = true,

  105.   group = "compromised_hosts"

  106. }

  107. 

  108. reconf['WP_COMPROMISED'] = {

  109.   re = '/\\/wp-(?:content|includes)[^\\/]+\\//Ui',

  110.   description = "URL that is pointing to a compromised WordPress installation",

  111.   one_shot = true,

  112.   group = "compromised_hosts"

  113. }

  114. 

  115. reconf['PHP_XPS_PATTERN'] = {

  116.   re = 'X-PHP-Script=/^[^\\. ]+\\.[^\\.\\/ ]+\\/sendmail\\.php\\b/Hi',

  117.   description = "Message contains X-PHP-Script pattern",

  118.   group = "compromised_hosts"

  119. }

  120. 

  121. reconf['HAS_XAW'] = {

  122.   re = "header_exists('X-Authentication-Warning')",

  123.   description = "Has X-Authentication-Warning header",

  124.   group = "compromised_hosts"

  125. }

  126. 

  127. -- X-Authentication-Warning: localhost.localdomain: www-data set sender to info@globalstock.lv using -f

  128. reconf['XAW_SERVICE_ACCT'] = {

  129.   re = "X-Authentication-Warning=/\\b(?:www-data|anonymous|ftp|apache|nobody|guest|nginx|web|www) set sender to\\b/Hi",

  130.   description = "Message originally from a service account",

  131.   score = 1.0,

  132.   group = "compromised_hosts"

  133. }

  134. 

  135. reconf['ENVFROM_SERVICE_ACCT'] = {

  136.   re = "check_smtp_data('from',/^(?:www-data|anonymous|ftp|apache|nobody|guest|nginx|web|www)@/i)",

  137.   description = "Envelope from is a service account",

  138.   score = 1.0,

  139.   group = "compromised_hosts"

  140. }

  141. 

  142. reconf['HIDDEN_SOURCE_OBJ'] = {

  143.   re = "X-PHP-Script=/\\/\\..+/Hi || X-PHP-Originating-Script=/(?:^\\d+:|\\/)\\..+/Hi || X-Source-Args=/\\/\\..+/Hi",

  144.   description = "UNIX hidden file/directory in path",

  145.   score = 2.0,

  146.   group = "compromised_hosts"

  147. }

  148. 

  149. local hidden_uri_re = rspamd_regexp.create_cached('/(?!\\/\\.well[-_]known\\/)(?:^\\.[A-Za-z0-9]|\\/'..

  150.     '\\.[A-Za-z0-9]|\\/\\.\\.\\/)/i')

  151. rspamd_config.URI_HIDDEN_PATH = {

  152.   callback = function (task)

  153.     local urls = task:get_urls(false)

  154.     if (urls) then

  155.         for _, url in ipairs(urls) do

  156.             if (not (url:is_subject() and url:is_html_displayed())) then

  157.                 local path = url:get_path()

  158.                 if (hidden_uri_re:match(path)) then

  159.                     -- TODO: need url:is_schemeless() to improve this

  160.                     return true, 1.0, url:get_text()

  161.                 end

  162.             end

  163.         end

  164.     end

  165.   end,

  166.   description = 'Message contains URI with a hidden path',

  167.   score = 1.0,

  168.   group = 'compromised_hosts',

  169. }

  170. 

  171. reconf['MID_RHS_WWW'] = {

  172.   re = "Message-Id=/@www\\./Hi",

  173.   description = "Message-ID from www host",

  174.   score = 0.5,

  175.   group = "compromised_hosts"

  176. }

  177. 

  178. rspamd_config.FROM_SERVICE_ACCT = {

  179.   callback = function (task)

  180.     local re = rspamd_regexp.create_cached('/^(?:www-data|anonymous|ftp|apache|nobody|guest|nginx|web|www)@/i');

  181.     -- From

  182.     local from = task:get_from(2)

  183.     if (from and from[1]) then

  184.       if (re:match(from[1].addr)) then return true end

  185.     end

  186.     -- Sender

  187.     local sender = task:get_header('Sender')

  188.     if sender then

  189.       local s = util.parse_mail_address(sender, task:get_mempool())

  190.       if (s and s[1]) then

  191.         if (re:match(s[1].addr)) then return true end

  192.       end

  193.     end

  194.     -- Reply-To

  195.     local replyto = task:get_header('Reply-To')

  196.     if replyto then

  197.       local rt = util.parse_mail_address(replyto, task:get_mempool())

  198.       if (rt and rt[1]) then

  199.         if (re:match(rt[1].addr)) then return true end

  200.       end

  201.     end

  202.   end,

  203.   description = "Sender/From/Reply-To is a service account",

  204.   score = 1.0,

  205.   group = "compromised_hosts"

  206. }

  207. 

  208. reconf['WWW_DOT_DOMAIN'] = {

  209.   re = "From=/@www\\./Hi || Sender=/@www\\./Hi || Reply-To=/@www\\./Hi || check_smtp_data('from',/@www\\./i)",

  210.   description = "From/Sender/Reply-To or Envelope is @www.domain.com",

  211.   score = 0.5,

  212.   group = "compromised_hosts"

  213. }