mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 160 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
13030 Commits
30 Branches
Tree: f19f9f3acd
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'f19f9f3acd'
${ noResults }
rspamd/rules/regexp/compromised_hosts.lua

compromised_hosts.lua 6.5KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205 
  1. local reconf = config['regexp']

  2. local rspamd_regexp = require 'rspamd_regexp'

  3. local util = require 'rspamd_util'

  4. 

  5. reconf['HAS_PHPMAILER_SIG'] = {

  6.   re = "X-Mailer=/^PHPMailer/Hi || Content-Type=/boundary=\"b[123]_/Hi",

  7.   description = "PHPMailer signature",

  8.   group = "compromised_hosts"

  9. }

  10. 

  11. reconf['PHP_SCRIPT_ROOT'] = {

  12.   re = "X-PHP-Originating-Script=/^0:/Hi",

  13.   description = "PHP Script executed by root UID",

  14.   score = 1.0,

  15.   group = "compromised_hosts"

  16. }

  17. 

  18. reconf['HAS_X_POS'] = {

  19.   re = "header_exists('X-PHP-Originating-Script')",

  20.   description = "Has X-PHP-Originating-Script header",

  21.   group = "compromised_hosts"

  22. }

  23. 

  24. reconf['HAS_X_PHP_SCRIPT'] = {

  25.   re = "header_exists('X-PHP-Script')",

  26.   description = "Has X-PHP-Script header",

  27.   group = "compromised_hosts"

  28. }

  29. 

  30. -- X-Source:

  31. -- X-Source-Args: /usr/sbin/proxyexec -q -d -s /var/run/proxyexec/cagefs.sock/socket /bin/cagefs.server

  32. -- X-Source-Dir: silvianimberg.com:/public_html/wp-content/themes/ultimatum

  33. reconf['HAS_X_SOURCE'] = {

  34.   re = "header_exists('X-Source') || header_exists('X-Source-Args') || header_exists('X-Source-Dir')",

  35.   description = "Has X-Source headers",

  36.   group = "compromised_hosts"

  37. }

  38. 

  39. -- X-Authenticated-Sender: accord.host-care.com: sales@cortaflex.si

  40. rspamd_config.HAS_X_AS = {

  41.   callback = function (task)

  42.     local xas = task:get_header('X-Authenticated-Sender')

  43.     if not xas then return false end

  44.     local _,_,auth = xas:find('[^:]+:%s(.+)$')

  45.     if auth then

  46.       -- TODO: see if we can parse an e-mail address from auth

  47.       --       and see if it matches the from address or not

  48.       return true, auth

  49.     else

  50.       return true

  51.     end

  52.   end,

  53.   description = 'Has X-Authenticated-Sender header',

  54.   group = "compromised_hosts"

  55. }

  56. 

  57. -- X-Get-Message-Sender-Via: accord.host-care.com: authenticated_id: sales@cortaflex.si

  58. rspamd_config.HAS_X_GMSV = {

  59.   callback = function (task)

  60.     local xgmsv = task:get_header('X-Get-Message-Sender-Via')

  61.     if not xgmsv then return false end

  62.     local _,_,auth = xgmsv:find('authenticated_id: (.+)$')

  63.     if auth then

  64.       -- TODO: see if we can parse an e-mail address from auth

  65.       --       and see if it matches the from address or not.

  66.       return true, auth

  67.     else

  68.       return true

  69.     end

  70.   end,

  71.   description = 'Has X-Get-Message-Sender-Via: header',

  72.   group = "compromised_hosts"

  73. }

  74. 

  75. -- X-AntiAbuse: This header was added to track abuse, please include it with any abuse report

  76. -- X-AntiAbuse: Primary Hostname - accord.host-care.com

  77. -- X-AntiAbuse: Original Domain - swaney.com

  78. -- X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]

  79. -- X-AntiAbuse: Sender Address Domain - dropbox.com

  80. reconf['HAS_X_ANTIABUSE'] = {

  81.   re = "header_exists('X-AntiAbuse')",

  82.   description = "Has X-AntiAbuse headers",

  83.   group = "compromised_hosts"

  84. }

  85. 

  86. reconf['X_PHP_EVAL'] = {

  87.   re = "X-PHP-Script=/eval\\(\\)\\'d/Hi || X-PHP-Originating-Script=/eval\\(\\)\\'d/Hi",

  88.   description = "Message sent using eval'd PHP",

  89.   score = 4.0,

  90.   group = "compromised_hosts"

  91. }

  92. 

  93. reconf['HAS_WP_URI'] = {

  94.   re = '/\\/wp-[^\\/]+\\//Ui',

  95.   description = "Contains WordPress URIs",

  96.   one_shot = true,

  97.   group = "compromised_hosts"

  98. }

  99. 

  100. reconf['WP_COMPROMISED'] = {

  101.   re = '/\\/wp-(?:content|includes)[^\\/]+\\//Ui',

  102.   description = "URL that is pointing to a compromised WordPress installation",

  103.   one_shot = true,

  104.   group = "compromised_hosts"

  105. }

  106. 

  107. reconf['PHP_XPS_PATTERN'] = {

  108.   re = 'X-PHP-Script=/^[^\\. ]+\\.[^\\.\\/ ]+\\/sendmail\\.php\\b/Hi',

  109.   description = "Message contains X-PHP-Script pattern",

  110.   group = "compromised_hosts"

  111. }

  112. 

  113. reconf['HAS_XAW'] = {

  114.   re = "header_exists('X-Authentication-Warning')",

  115.   description = "Has X-Authentication-Warning header",

  116.   group = "compromised_hosts"

  117. }

  118. 

  119. -- X-Authentication-Warning: localhost.localdomain: www-data set sender to info@globalstock.lv using -f

  120. reconf['XAW_SERVICE_ACCT'] = {

  121.   re = "X-Authentication-Warning=/\\b(?:www-data|anonymous|ftp|apache|nobody|guest|nginx|web|www) set sender to\\b/Hi",

  122.   description = "Message originally from a service account",

  123.   score = 1.0,

  124.   group = "compromised_hosts"

  125. }

  126. 

  127. reconf['ENVFROM_SERVICE_ACCT'] = {

  128.   re = "check_smtp_data('from',/^(?:www-data|anonymous|ftp|apache|nobody|guest|nginx|web|www)@/i)",

  129.   description = "Envelope from is a service account",

  130.   score = 1.0,

  131.   group = "compromised_hosts"

  132. }

  133. 

  134. reconf['HIDDEN_SOURCE_OBJ'] = {

  135.   re = "X-PHP-Script=/\\/\\..+/Hi || X-PHP-Originating-Script=/(?:^\\d+:|\\/)\\..+/Hi || X-Source-Args=/\\/\\..+/Hi",

  136.   description = "UNIX hidden file/directory in path",

  137.   score = 2.0,

  138.   group = "compromised_hosts"

  139. }

  140. 

  141. local hidden_uri_re = rspamd_regexp.create_cached('/(?!\\/\\.well[-_]known\\/)(?:^\\.[A-Za-z0-9]|\\/\\.[A-Za-z0-9]|\\/\\.\\.\\/)/i')

  142. rspamd_config.URI_HIDDEN_PATH = {

  143.   callback = function (task)

  144.     local urls = task:get_urls(false)

  145.     if (urls) then

  146.         for _, url in ipairs(urls) do

  147.             if (not (url:is_subject() and url:is_html_displayed())) then

  148.                 local path = url:get_path()

  149.                 if (hidden_uri_re:match(path)) then

  150.                     -- TODO: need url:is_schemeless() to improve this

  151.                     return true, 1.0, url:get_text()

  152.                 end

  153.             end

  154.         end

  155.     end

  156.   end,

  157.   description = 'Message contains URI with a hidden path',

  158.   score = 1.0,

  159.   group = 'compromised_hosts',

  160. }

  161. 

  162. reconf['MID_RHS_WWW'] = {

  163.   re = "Message-Id=/@www\\./Hi",

  164.   description = "Message-ID from www host",

  165.   score = 0.5,

  166.   group = "compromised_hosts"

  167. }

  168. 

  169. rspamd_config.FROM_SERVICE_ACCT = {

  170.   callback = function (task)

  171.     local re = rspamd_regexp.create_cached('/^(?:www-data|anonymous|ftp|apache|nobody|guest|nginx|web|www)@/i');

  172.     -- From

  173.     local from = task:get_from(2)

  174.     if (from and from[1]) then

  175.       if (re:match(from[1].addr)) then return true end

  176.     end

  177.     -- Sender

  178.     local sender = task:get_header('Sender')

  179.     if sender then

  180.       local s = util.parse_mail_address(sender, task:get_mempool())

  181.       if (s and s[1]) then

  182.         if (re:match(s[1].addr)) then return true end

  183.       end

  184.     end

  185.     -- Reply-To

  186.     local replyto = task:get_header('Reply-To')

  187.     if replyto then

  188.       local rt = util.parse_mail_address(replyto, task:get_mempool())

  189.       if (rt and rt[1]) then

  190.         if (re:match(rt[1].addr)) then return true end

  191.       end

  192.     end

  193.   end,

  194.   description = "Sender/From/Reply-To is a service account",

  195.   score = 1.0,

  196.   group = "compromised_hosts"

  197. }

  198. 

  199. reconf['WWW_DOT_DOMAIN'] = {

  200.   re = "From=/@www\\./Hi || Sender=/@www\\./Hi || Reply-To=/@www\\./Hi || check_smtp_data('from',/@www\\./i)",

  201.   description = "From/Sender/Reply-To or Envelope is @www.domain.com",

  202.   score = 0.5,

  203.   group = "compromised_hosts"

  204. }