authormoisseev <moiseev@mezonplus.ru>2020-05-28 13:26:07 +0300
committermoisseev <moiseev@mezonplus.ru>2020-05-28 13:48:28 +0300
commitd353d54ae593a2a7e047c0d2d3a3ce476c8ec528 (patch)
treebb99ed91a09459f670a5807e581ee5d00acc2e7c
parent5de369678bd0b1314bdbf9ac056042ba4655cf5e (diff)
[Minor] Penalize EXE files in RAR archives
that have generic split file extensions (e.g. .001)
-rw-r--r--conf/scores.d/mime_types_group.conf5
-rw-r--r--src/plugins/lua/mime_types.lua21
2 files changed, 24 insertions, 2 deletions
diff --git a/conf/scores.d/mime_types_group.conf b/conf/scores.d/mime_types_group.conf
index 3a13cde79..b9e373600 100644
--- a/conf/scores.d/mime_types_group.conf
+++ b/conf/scores.d/mime_types_group.conf
@@ -43,6 +43,11 @@ symbols = {
description = "Encrypted archive in a message";
one_shot = true;
}
+ "MIME_EXE_IN_GEN_SPLIT_RAR" {
+ weight = 5.0;
+ description = "EXE file in RAR archive with generic split extension (e.g. .001)";
+ one_shot = true;
+ }
"MIME_ARCHIVE_IN_ARCHIVE" {
weight = 5.0;
description = "Archive within another archive";
diff --git a/src/plugins/lua/mime_types.lua b/src/plugins/lua/mime_types.lua
index 564241cc1..29470e4ea 100644
--- a/src/plugins/lua/mime_types.lua
+++ b/src/plugins/lua/mime_types.lua
@@ -35,6 +35,7 @@ local settings = {
symbol_good = 'MIME_GOOD',
symbol_attachment = 'MIME_BAD_ATTACHMENT',
symbol_encrypted_archive = 'MIME_ENCRYPTED_ARCHIVE',
+ symbol_exe_in_gen_split_rar = 'MIME_EXE_IN_GEN_SPLIT_RAR',
symbol_archive_in_archive = 'MIME_ARCHIVE_IN_ARCHIVE',
symbol_double_extension = 'MIME_DOUBLE_BAD_EXTENSION',
symbol_bad_extension = 'MIME_BAD_EXTENSION',
@@ -434,6 +435,12 @@ local function check_mime_type(task)
end
if check then
+ local is_gen_split_rar = false
+ if filename then
+ local ext = gen_extension(filename)
+ is_gen_split_rar = string.match(ext, '^%d%d%d$') and arch:get_type() == 'rar'
+ end
+
local fl = arch:get_files_full(1000)
local nfiles = #fl
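Review bot: `string.match(ext, '^%d%d%d$')` raises an error if `gen_extension(filename)` returns nil, which looks likely for an attachment name with no extension (gen_extension is defined outside this hunk, so confirm). An error at this point would presumably abort the rest of check_mime_type for the task, so a name without a dot could suppress the archive checks that follow. Guard the call with `is_gen_split_rar = ext ~= nil and string.match(ext, '^%d%d%d$') ~= nil and arch:get_type() == 'rar'`, which also makes the flag a real boolean instead of the matched string. check_mime_type starts and ends outside the hunk.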
@@ -447,8 +454,12 @@ local function check_mime_type(task)
end
if f['name'] then
- check_filename(f['name'], nil,
- true, p, nil, nfiles)
+ if is_gen_split_rar and gen_extension(f['name']) == 'exe' then
+ task:insert_result(settings['symbol_exe_in_gen_split_rar'], 1.0, f['name'])
+ else
+ check_filename(f['name'], nil,
+ true, p, nil, nfiles)
+ end
end
end
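Review bot: The new `if is_gen_split_rar and gen_extension(f['name']) == 'exe'` branch replaces the `check_filename` call rather than adding to it, so an `.exe` entry in a split RAR gets only MIME_EXE_IN_GEN_SPLIT_RAR and skips whatever extension checks check_filename applies to archive members. If that is intended, say so in a comment such as `-- split-RAR exe: reported by its own symbol instead of the generic extension checks`. Otherwise, call `check_filename(f['name'], nil, true, p, nil, nfiles)` unconditionally and insert the new symbol in addition. The comparison is against the literal `'exe'` only, so it is worth documenting that every other extension still falls through to check_filename. The enclosing loop begins outside the hunk.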
@@ -611,6 +622,12 @@ if opts then
})
rspamd_config:register_symbol({
type = 'virtual',
+ name = settings['symbol_exe_in_gen_split_rar'],
+ parent = id,
+ group = 'mime_types',
+ })
+ rspamd_config:register_symbol({
+ type = 'virtual',
name = settings['symbol_archive_in_archive'],
parent = id,
group = 'mime_types',