mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 159 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4176 Commits
29 Branches
Tree: ea91b8335d
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'ea91b8335d'
${ noResults }
rspamd/src/plugins/lua/rbl.lua

rbl.lua 13KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401 
  1. --[[

  2. Copyright (c) 2011-2015, Vsevolod Stakhov <vsevolod@highsecure.ru>

  3. Copyright (c) 2013-2015, Andrew Lewis <nerf@judo.za.org>

  4. All rights reserved.

  5. 

  6. Redistribution and use in source and binary forms, with or without

  7. modification, are permitted provided that the following conditions are met:

  8. 

  9. 1. Redistributions of source code must retain the above copyright notice, this

  10. list of conditions and the following disclaimer.

  11. 

  12. 2. Redistributions in binary form must reproduce the above copyright notice,

  13. this list of conditions and the following disclaimer in the documentation

  14. and/or other materials provided with the distribution.

  15. 

  16. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND

  17. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED

  18. WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE

  19. DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE

  20. FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  21. DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR

  22. SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER

  23. CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,

  24. OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE

  25. OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

  26. ]]--

  27. 

  28. -- This plugin implements various types of RBL checks

  29. -- Documentation can be found here:

  30. -- https://rspamd.com/doc/modules/rbl.html

  31. 

  32. local rbls = {}

  33. local local_exclusions = nil

  34. local private_ips = nil

  35. 

  36. local rspamd_logger = require 'rspamd_logger'

  37. local rspamd_ip = require 'rspamd_ip'

  38. 

  39. local function validate_dns(lstr)

  40.   if lstr:match('%.%.') then

  41.     return false

  42.   end

  43.   for v in lstr:gmatch('[^%.]+') do

  44.     if not v:match('^[%w-]+$') or v:len() > 63

  45.       or v:match('^-') or v:match('-$') then

  46.       return false

  47.     end

  48.   end

  49.   return true

  50. end

  51. 

  52. local function is_private_ip(rip)

  53.   if private_ips and private_ips:get_key(rip) then

  54.     return true

  55.   end

  56.   return false

  57. end

  58. 

  59. local function is_excluded_ip(rip)

  60.   if local_exclusions and local_exclusions:get_key(rip) then

  61.     return true

  62.   end

  63.   return false

  64. end

  65. 

  66. local function ip_to_rbl(ip, rbl)

  67.   return table.concat(ip:inversed_str_octets(), '.') .. '.' .. rbl

  68. end

  69. 

  70. local function rbl_cb (task)

  71.   local function rbl_dns_cb(resolver, to_resolve, results, err, key)

  72.     if results then

  73.       local thisrbl = nil

  74.       for k,r in pairs(rbls) do

  75.         if k == key then

  76.           thisrbl = r

  77.           break

  78.         end

  79.       end

  80.       if thisrbl ~= nil then

  81.         if thisrbl['returncodes'] == nil then

  82.           if thisrbl['symbol'] ~= nil then

  83.             task:insert_result(thisrbl['symbol'], 1)

  84.           end

  85.         else

  86.           for _,result in pairs(results) do 

  87.             local ipstr = result:to_string()

  88.             local foundrc = false

  89.             for s,i in pairs(thisrbl['returncodes']) do

  90.               if type(i) == 'string' then

  91.                 if string.find(ipstr, '^' .. i .. '$') then

  92.                   foundrc = true

  93.                   task:insert_result(s, 1)

  94.                   break

  95.                 end

  96.               elseif type(i) == 'table' then

  97.                 for _,v in pairs(i) do

  98.                   if string.find(ipstr, '^' .. v .. '$') then

  99.                     foundrc = true

  100.                     task:insert_result(s, 1)

  101.                     break

  102.                   end

  103.                 end

  104.               end

  105.             end

  106.             if not foundrc then

  107.               if thisrbl['unknown'] and thisrbl['symbol'] then

  108.                 task:insert_result(thisrbl['symbol'], 1)

  109.               else

  110.                 rspamd_logger.err('RBL ' .. thisrbl['rbl'] ..

  111.                   ' returned unknown result ' .. ipstr)

  112.               end

  113.             end

  114.           end

  115.         end

  116.       end

  117.     end

  118.     task:inc_dns_req()

  119.   end

  120. 

  121.   local havegot = {}

  122.   local notgot = {}

  123. 

  124.   for k,rbl in pairs(rbls) do

  125. 

  126.     (function()

  127.       if rbl['exclude_users'] then

  128.         if not havegot['user'] and not notgot['user'] then

  129. 	  havegot['user'] = task:get_user()

  130. 	  if havegot['user'] == nil then

  131. 	    notgot['user'] = true

  132. 	  end

  133.         end

  134.         if havegot['user'] ~= nil then

  135. 	  return

  136.         end

  137.       end

  138. 

  139.       if (rbl['exclude_local'] or rbl['exclude_private_ips']) and not notgot['from'] then

  140.         if not havegot['from'] then

  141.           havegot['from'] = task:get_from_ip()

  142.           if not havegot['from']:is_valid() then

  143.             notgot['from'] = true

  144.           end

  145.         end

  146.         if havegot['from'] and not notgot['from'] and ((rbl['exclude_local'] and

  147.           is_excluded_ip(havegot['from'])) or (rbl['exclude_private_ips'] and

  148.           is_private_ip(havegot['from']))) then

  149.           return

  150.         end

  151.       end

  152. 

  153.       if rbl['helo'] then

  154. 	(function()

  155. 	  if notgot['helo'] then

  156. 	    return

  157. 	  end

  158. 	  if not havegot['helo'] then

  159. 	    havegot['helo'] = task:get_helo()

  160. 	    if havegot['helo'] == nil or

  161.               not validate_dns(havegot['helo']) then

  162. 	      notgot['helo'] = true

  163. 	      return

  164. 	    end

  165. 	  end

  166. 	  task:get_resolver():resolve_a(task:get_session(), task:get_mempool(),

  167. 	    havegot['helo'] .. '.' .. rbl['rbl'], rbl_dns_cb, k)

  168. 	end)()

  169.       end

  170. 

  171.       if rbl['emails'] then

  172.         (function()

  173.           if notgot['emails'] then

  174.             return

  175.           end

  176.           if not havegot['emails'] then

  177.             havegot['emails'] = task:get_emails()

  178.             if havegot['emails'] == nil then

  179.               notgot['emails'] = true

  180.               return

  181.             end

  182.             local cleanList = {}

  183.             for _, e in pairs(havegot['emails']) do

  184.               local localpart = e:get_user()

  185.               local domainpart = e:get_host()

  186.               if rbl['emails'] == 'domain_only' then

  187.                 if not cleanList[domainpart] and validate_dns(domainpart) then

  188.                   cleanList[domainpart] = true

  189.                 end

  190.               else

  191.                 if validate_dns(localpart) and validate_dns(domainpart) then

  192.                   table.insert(cleanList, localpart .. '.' .. domainpart)

  193.                 end

  194.               end 

  195.             end

  196.             havegot['emails'] = cleanList

  197.             if not next(havegot['emails']) then

  198.               notgot['emails'] = true

  199.               return

  200.             end

  201.           end

  202.           if rbl['emails'] == 'domain_only' then

  203.             for domain, _ in pairs(havegot['emails']) do

  204.               task:get_resolver():resolve_a(task:get_session(), task:get_mempool(),

  205.                 domain .. '.' .. rbl['rbl'], rbl_dns_cb, k)

  206.             end

  207.           else

  208.             for _, email in pairs(havegot['emails']) do

  209.               task:get_resolver():resolve_a(task:get_session(), task:get_mempool(),

  210.                 email .. '.' .. rbl['rbl'], rbl_dns_cb, k)

  211.             end

  212.           end

  213.         end)()

  214.       end

  215. 

  216.       if rbl['rdns'] then

  217. 	(function()

  218. 	  if notgot['rdns'] then

  219. 	    return

  220. 	  end

  221. 	  if not havegot['rdns'] then

  222. 	    havegot['rdns'] = task:get_hostname()

  223. 	    if havegot['rdns'] == nil or havegot['rdns'] == 'unknown' then

  224. 	      notgot['rdns'] = true

  225. 	      return

  226. 	    end

  227. 	  end

  228. 	  task:get_resolver():resolve_a(task:get_session(), task:get_mempool(),

  229. 	    havegot['rdns'] .. '.' .. rbl['rbl'], rbl_dns_cb, k)

  230. 	end)()

  231.       end

  232. 

  233.       if rbl['from'] then

  234. 	(function()

  235. 	  if notgot['from'] then

  236. 	    return

  237. 	  end

  238. 	  if not havegot['from'] then

  239. 	    havegot['from'] = task:get_from_ip()

  240. 	    if not havegot['from']:is_valid() then

  241. 	      notgot['from'] = true

  242. 	      return

  243. 	    end

  244. 	  end

  245. 	  if (havegot['from']:get_version() == 6 and rbl['ipv6']) or

  246. 	    (havegot['from']:get_version() == 4 and rbl['ipv4']) then

  247. 	    task:get_resolver():resolve_a(task:get_session(), task:get_mempool(),

  248. 	      ip_to_rbl(havegot['from'], rbl['rbl']), rbl_dns_cb, k)

  249. 	  end

  250. 	end)()

  251.       end

  252. 

  253.       if rbl['received'] then

  254. 	(function()

  255. 	  if notgot['received'] then

  256. 	    return

  257. 	  end

  258. 	  if not havegot['received'] then

  259. 	    havegot['received'] = task:get_received_headers()

  260. 	    if next(havegot['received']) == nil then

  261. 	      notgot['received'] = true

  262. 	      return

  263. 	    end

  264. 	  end

  265. 	  for _,rh in ipairs(havegot['received']) do

  266. 	    if rh['real_ip'] and rh['real_ip']:is_valid() then

  267.               if ((rh['real_ip']:get_version() == 6 and rbl['ipv6']) or

  268.                 (rh['real_ip']:get_version() == 4 and rbl['ipv4'])) and

  269.                 ((rbl['exclude_private_ips'] and not is_private_ip(rh['real_ip'])) or

  270.                 not rbl['exclude_private_ips']) and ((rbl['exclude_local_ips'] and

  271.                 not is_excluded_ip(rh['real_ip'])) or not rbl['exclude_local_ips']) then

  272.                   task:get_resolver():resolve_a(task:get_session(), task:get_mempool(),

  273.                     ip_to_rbl(rh['real_ip'], rbl['rbl']), rbl_dns_cb, k)

  274.               end

  275. 	    end

  276. 	  end

  277. 	end)()

  278.       end

  279.     end)()

  280.   end

  281. end

  282. 

  283. -- Registration

  284. if type(rspamd_config.get_api_version) ~= 'nil' then

  285.   if rspamd_config:get_api_version() >= 1 then

  286.     rspamd_config:register_module_option('rbl', 'rbls', 'map')

  287.     rspamd_config:register_module_option('rbl', 'default_ipv4', 'string')

  288.     rspamd_config:register_module_option('rbl', 'default_ipv6', 'string')

  289.     rspamd_config:register_module_option('rbl', 'default_received', 'string')

  290.     rspamd_config:register_module_option('rbl', 'default_from', 'string')

  291.     rspamd_config:register_module_option('rbl', 'default_rdns', 'string')

  292.     rspamd_config:register_module_option('rbl', 'default_helo', 'string')

  293.     rspamd_config:register_module_option('rbl', 'default_unknown', 'string')

  294.     rspamd_config:register_module_option('rbl', 'default_exclude_users', 'string')

  295.     rspamd_config:register_module_option('rbl', 'default_exclude_private_ips', 'string')

  296.     rspamd_config:register_module_option('rbl', 'local_exclude_ip_map', 'string')

  297.     rspamd_config:register_module_option('rbl', 'default_exclude_local', 'string')

  298.     rspamd_config:register_module_option('rbl', 'private_ips', 'string')

  299.     rspamd_config:register_module_option('rbl', 'default_emails', 'string')

  300.     rspamd_config:register_module_option('rbl', 'default_is_whitelist', 'string')

  301.     rspamd_config:register_module_option('rbl', 'default_ignore_whitelists', 'string')

  302.   end

  303. end

  304. 

  305. -- Configuration

  306. local opts = rspamd_config:get_all_opt('rbl')

  307. if not opts or type(opts) ~= 'table' then

  308.   return

  309. end

  310. 

  311. -- Plugin defaults should not be changed - override these in config

  312. -- New defaults should not alter behaviour

  313. default_defaults = {

  314.   ['default_ipv4'] = {[1] = true, [2] = 'ipv4'},

  315.   ['default_ipv6'] = {[1] = false, [2] = 'ipv6'},

  316.   ['default_received'] = {[1] = true, [2] = 'received'},

  317.   ['default_from'] = {[1] = false, [2] = 'from'},

  318.   ['default_unknown'] = {[1] = false, [2] = 'unknown'},

  319.   ['default_rdns'] = {[1] = false, [2] = 'rdns'},

  320.   ['default_helo'] = {[1] = false, [2] = 'helo'},

  321.   ['default_emails'] = {[1] = false, [2] = 'emails'},

  322.   ['default_exclude_users'] = {[1] = false, [2] = 'exclude_users'},

  323.   ['default_exclude_private_ips'] = {[1] = true, [2] = 'exclude_private_ips'},

  324.   ['default_exclude_users'] = {[1] = false, [2] = 'exclude_users'},

  325.   ['default_exclude_local'] = {[1] = true, [2] = 'exclude_local'},

  326.   ['default_is_whitelist'] = {[1] = false, [2] = 'is_whitelist'},

  327.   ['default_ignore_whitelist'] = {[1] = false, [2] = 'ignore_whitelists'},

  328. }

  329. for default, default_v in pairs(default_defaults) do

  330.   if opts[default] == nil then

  331.     opts[default] = default_v[1]

  332.   end

  333. end

  334. 

  335. if(opts['local_exclude_ip_map'] ~= nil) then

  336.   local_exclusions = rspamd_config:add_radix_map(opts['local_exclude_ip_map'])

  337. end

  338. if(opts['private_ips'] ~= nil) then

  339.   private_ips = rspamd_config:radix_from_config('rbl', 'private_ips')

  340. end

  341. 

  342. local white_symbols = {}

  343. local black_symbols = {}

  344. 

  345. for key,rbl in pairs(opts['rbls']) do

  346.   for default, default_v in pairs(default_defaults) do

  347.     if(rbl[default_v[2]] == nil) then

  348.       rbl[default_v[2]] = opts[default]

  349.     end

  350.   end

  351.   if type(rbl['returncodes']) == 'table' then

  352.     for s,_ in pairs(rbl['returncodes']) do

  353.       if type(rspamd_config.get_api_version) ~= 'nil' then

  354.         rspamd_config:register_virtual_symbol(s, 1)

  355.         if(rbl['is_whitelist']) then

  356.           if type(rbl['whitelist_exception']) == 'string' then

  357.             if (rbl['whitelist_exception'] ~= s) then

  358.               table.insert(white_symbols, s)

  359.             end

  360.           elseif type(rbl['whitelist_exception']) == 'table' then

  361.             local foundException = false

  362.             for _, e in pairs(rbl['whitelist_exception']) do

  363.               if e == s then

  364.                 foundException = true

  365.                 break

  366.               end

  367.             end

  368.             if not foundException then

  369.               table.insert(white_symbols, s)

  370.             end

  371.           end

  372.         else

  373.           table.insert(black_symbols, s)

  374.         end

  375.       end

  376.     end

  377.   end

  378.   if not rbl['symbol'] and type(rbl['returncodes']) ~= 'nil' and not rbl['unknown'] then

  379.     rbl['symbol'] = key

  380.   end

  381.   if type(rspamd_config.get_api_version) ~= 'nil' and rbl['symbol'] then

  382.     rspamd_config:register_virtual_symbol(rbl['symbol'], 1)

  383.     if(rbl['is_whitelist']) then

  384.       table.insert(white_symbols, rbl['symbol'])

  385.     else

  386.       if rbl['ignore_whitelists'] == false then

  387.         table.insert(black_symbols, rbl['symbol'])

  388.       end

  389.     end

  390.   end

  391.   rbls[key] = rbl

  392. end

  393. for _, w in pairs(white_symbols) do

  394.   for _, b in pairs(black_symbols) do

  395.     csymbol = 'RBL_COMPOSITE_' .. w .. '_' .. b

  396.     rspamd_config:set_metric_symbol(csymbol, 0, 'Autogenerated composite')

  397.     rspamd_config:add_composite(csymbol, w .. ' & ' .. b)

  398.     rspamd_config:register_virtual_symbol(csymbol, 1)

  399.   end

  400. end

  401. rspamd_config:register_callback_symbol_priority('RBL', 1.0, 0, rbl_cb)