mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 159 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
14569 Commits
28 Branches
Tree: e6e72472ad
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'e6e72472ad'
${ noResults }
rspamd/rules/regexp/compromised_hosts.lua

compromised_hosts.lua 6.5KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208 
  1. local reconf = config['regexp']

  2. local rspamd_regexp = require 'rspamd_regexp'

  3. local util = require 'rspamd_util'

  4. 

  5. reconf['HAS_PHPMAILER_SIG'] = {

  6.   re = "X-Mailer=/^PHPMailer/Hi || Content-Type=/boundary=\"b[123]_/Hi",

  7.   description = "PHPMailer signature",

  8.   group = "compromised_hosts"

  9. }

  10. 

  11. reconf['PHP_SCRIPT_ROOT'] = {

  12.   re = "X-PHP-Originating-Script=/^0:/Hi",

  13.   description = "PHP Script executed by root UID",

  14.   score = 1.0,

  15.   group = "compromised_hosts"

  16. }

  17. 

  18. reconf['HAS_X_POS'] = {

  19.   re = "header_exists('X-PHP-Originating-Script')",

  20.   description = "Has X-PHP-Originating-Script header",

  21.   group = "compromised_hosts"

  22. }

  23. 

  24. reconf['HAS_X_PHP_SCRIPT'] = {

  25.   re = "header_exists('X-PHP-Script')",

  26.   description = "Has X-PHP-Script header",

  27.   group = "compromised_hosts"

  28. }

  29. 

  30. -- X-Source:

  31. -- X-Source-Args: /usr/sbin/proxyexec -q -d -s /var/run/proxyexec/cagefs.sock/socket /bin/cagefs.server

  32. -- X-Source-Dir: silvianimberg.com:/public_html/wp-content/themes/ultimatum

  33. reconf['HAS_X_SOURCE'] = {

  34.   re = "header_exists('X-Source') || header_exists('X-Source-Args') || header_exists('X-Source-Dir')",

  35.   description = "Has X-Source headers",

  36.   group = "compromised_hosts"

  37. }

  38. 

  39. -- X-Authenticated-Sender: accord.host-care.com: sales@cortaflex.si

  40. rspamd_config.HAS_X_AS = {

  41.   callback = function (task)

  42.     local xas = task:get_header('X-Authenticated-Sender')

  43.     if not xas then return false end

  44.     local _,_,auth = xas:find('[^:]+:%s(.+)$')

  45.     if auth then

  46.       -- TODO: see if we can parse an e-mail address from auth

  47.       --       and see if it matches the from address or not

  48.       return true, auth

  49.     else

  50.       return true

  51.     end

  52.   end,

  53.   description = 'Has X-Authenticated-Sender header',

  54.   group = "compromised_hosts",

  55.   score = 0.0

  56. }

  57. 

  58. -- X-Get-Message-Sender-Via: accord.host-care.com: authenticated_id: sales@cortaflex.si

  59. rspamd_config.HAS_X_GMSV = {

  60.   callback = function (task)

  61.     local xgmsv = task:get_header('X-Get-Message-Sender-Via')

  62.     if not xgmsv then return false end

  63.     local _,_,auth = xgmsv:find('authenticated_id: (.+)$')

  64.     if auth then

  65.       -- TODO: see if we can parse an e-mail address from auth

  66.       --       and see if it matches the from address or not.

  67.       return true, auth

  68.     else

  69.       return true

  70.     end

  71.   end,

  72.   description = 'Has X-Get-Message-Sender-Via: header',

  73.   group = "compromised_hosts",

  74.   score = 0.0,

  75. }

  76. 

  77. -- X-AntiAbuse: This header was added to track abuse, please include it with any abuse report

  78. -- X-AntiAbuse: Primary Hostname - accord.host-care.com

  79. -- X-AntiAbuse: Original Domain - swaney.com

  80. -- X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]

  81. -- X-AntiAbuse: Sender Address Domain - dropbox.com

  82. reconf['HAS_X_ANTIABUSE'] = {

  83.   re = "header_exists('X-AntiAbuse')",

  84.   description = "Has X-AntiAbuse headers",

  85.   group = "compromised_hosts"

  86. }

  87. 

  88. reconf['X_PHP_EVAL'] = {

  89.   re = "X-PHP-Script=/eval\\(\\)\\'d/Hi || X-PHP-Originating-Script=/eval\\(\\)\\'d/Hi",

  90.   description = "Message sent using eval'd PHP",

  91.   score = 4.0,

  92.   group = "compromised_hosts"

  93. }

  94. 

  95. reconf['HAS_WP_URI'] = {

  96.   re = '/\\/wp-[^\\/]+\\//Ui',

  97.   description = "Contains WordPress URIs",

  98.   one_shot = true,

  99.   group = "compromised_hosts"

  100. }

  101. 

  102. reconf['WP_COMPROMISED'] = {

  103.   re = '/\\/wp-(?:content|includes)[^\\/]+\\//Ui',

  104.   description = "URL that is pointing to a compromised WordPress installation",

  105.   one_shot = true,

  106.   group = "compromised_hosts"

  107. }

  108. 

  109. reconf['PHP_XPS_PATTERN'] = {

  110.   re = 'X-PHP-Script=/^[^\\. ]+\\.[^\\.\\/ ]+\\/sendmail\\.php\\b/Hi',

  111.   description = "Message contains X-PHP-Script pattern",

  112.   group = "compromised_hosts"

  113. }

  114. 

  115. reconf['HAS_XAW'] = {

  116.   re = "header_exists('X-Authentication-Warning')",

  117.   description = "Has X-Authentication-Warning header",

  118.   group = "compromised_hosts"

  119. }

  120. 

  121. -- X-Authentication-Warning: localhost.localdomain: www-data set sender to info@globalstock.lv using -f

  122. reconf['XAW_SERVICE_ACCT'] = {

  123.   re = "X-Authentication-Warning=/\\b(?:www-data|anonymous|ftp|apache|nobody|guest|nginx|web|www) set sender to\\b/Hi",

  124.   description = "Message originally from a service account",

  125.   score = 1.0,

  126.   group = "compromised_hosts"

  127. }

  128. 

  129. reconf['ENVFROM_SERVICE_ACCT'] = {

  130.   re = "check_smtp_data('from',/^(?:www-data|anonymous|ftp|apache|nobody|guest|nginx|web|www)@/i)",

  131.   description = "Envelope from is a service account",

  132.   score = 1.0,

  133.   group = "compromised_hosts"

  134. }

  135. 

  136. reconf['HIDDEN_SOURCE_OBJ'] = {

  137.   re = "X-PHP-Script=/\\/\\..+/Hi || X-PHP-Originating-Script=/(?:^\\d+:|\\/)\\..+/Hi || X-Source-Args=/\\/\\..+/Hi",

  138.   description = "UNIX hidden file/directory in path",

  139.   score = 2.0,

  140.   group = "compromised_hosts"

  141. }

  142. 

  143. local hidden_uri_re = rspamd_regexp.create_cached('/(?!\\/\\.well[-_]known\\/)(?:^\\.[A-Za-z0-9]|\\/'..

  144.     '\\.[A-Za-z0-9]|\\/\\.\\.\\/)/i')

  145. rspamd_config.URI_HIDDEN_PATH = {

  146.   callback = function (task)

  147.     local urls = task:get_urls(false)

  148.     if (urls) then

  149.         for _, url in ipairs(urls) do

  150.             if (not (url:is_subject() and url:is_html_displayed())) then

  151.                 local path = url:get_path()

  152.                 if (hidden_uri_re:match(path)) then

  153.                     -- TODO: need url:is_schemeless() to improve this

  154.                     return true, 1.0, url:get_text()

  155.                 end

  156.             end

  157.         end

  158.     end

  159.   end,

  160.   description = 'Message contains URI with a hidden path',

  161.   score = 1.0,

  162.   group = 'compromised_hosts',

  163. }

  164. 

  165. reconf['MID_RHS_WWW'] = {

  166.   re = "Message-Id=/@www\\./Hi",

  167.   description = "Message-ID from www host",

  168.   score = 0.5,

  169.   group = "compromised_hosts"

  170. }

  171. 

  172. rspamd_config.FROM_SERVICE_ACCT = {

  173.   callback = function (task)

  174.     local re = rspamd_regexp.create_cached('/^(?:www-data|anonymous|ftp|apache|nobody|guest|nginx|web|www)@/i');

  175.     -- From

  176.     local from = task:get_from(2)

  177.     if (from and from[1]) then

  178.       if (re:match(from[1].addr)) then return true end

  179.     end

  180.     -- Sender

  181.     local sender = task:get_header('Sender')

  182.     if sender then

  183.       local s = util.parse_mail_address(sender, task:get_mempool())

  184.       if (s and s[1]) then

  185.         if (re:match(s[1].addr)) then return true end

  186.       end

  187.     end

  188.     -- Reply-To

  189.     local replyto = task:get_header('Reply-To')

  190.     if replyto then

  191.       local rt = util.parse_mail_address(replyto, task:get_mempool())

  192.       if (rt and rt[1]) then

  193.         if (re:match(rt[1].addr)) then return true end

  194.       end

  195.     end

  196.   end,

  197.   description = "Sender/From/Reply-To is a service account",

  198.   score = 1.0,

  199.   group = "compromised_hosts"

  200. }

  201. 

  202. reconf['WWW_DOT_DOMAIN'] = {

  203.   re = "From=/@www\\./Hi || Sender=/@www\\./Hi || Reply-To=/@www\\./Hi || check_smtp_data('from',/@www\\./i)",

  204.   description = "From/Sender/Reply-To or Envelope is @www.domain.com",

  205.   score = 0.5,

  206.   group = "compromised_hosts"

  207. }