author | Vsevolod Stakhov <vsevolod@highsecure.ru> | 2016-11-29 18:14:14 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-11-29 18:14:14 +0000 |
commit | 885333db66718904c890207093c986ad4efc0689 (patch) | |
tree | f007e6c5837ce4e6d9f5617cb75ef19a82ee1940 | |
parent | ee81d64e6f30d3f91913019b79d12326052ce9ed (diff) | |
parent | 75f75b81d35d7fea6747cba466bdac0bd063e153 (diff) | |
download | rspamd-885333db66718904c890207093c986ad4efc0689.tar.gz rspamd-885333db66718904c890207093c986ad4efc0689.zip |
Merge pull request #1205 from smfreegard/rules_161129
Adjust scores and add new rules
-rw-r--r-- | conf/modules.d/multimap.conf | 237 | ||||
-rw-r--r-- | rules/mid.lua | 2 | ||||
-rw-r--r-- | rules/misc.lua | 22 | ||||
-rw-r--r-- | rules/regexp/compromised_hosts.lua | 4 | ||||
-rw-r--r-- | rules/regexp/headers.lua | 12 |
5 files changed, 152 insertions, 125 deletions
diff --git a/conf/modules.d/multimap.conf b/conf/modules.d/multimap.conf
index 04f581883..6f07c117e 100644
--- a/conf/modules.d/multimap.conf
+++ b/conf/modules.d/multimap.conf
@@ -14,6 +14,124 @@
 # See https://rspamd.com/doc/tutorials/writing_rules.html for details
 multimap {
+ # Freemail Addresses
+ freemail_envfrom {
+ type = "from";
+ filter = "email:domain";
+ map = "https://rspamd.com/freemail/free.txt.zst";
+ symbol = "FREEMAIL_ENVFROM";
+ description = "Envelope From is a Freemail address";
+ score = 0.0;
+ }
+
+ freemail_envrcpt {
+ type = "rcpt";
+ filter = "email:domain";
+ map = "https://rspamd.com/freemail/free.txt.zst";
+ symbol = "FREEMAIL_ENVRCPT";
+ description = "Envelope Recipient is a Freemail address";
+ score = 0.0;
+ }
+
+ freemail_from {
+ type = "header";
+ header = "from";
+ filter = "email:domain";
+ map = "https://rspamd.com/freemail/free.txt.zst";
+ symbol = "FREEMAIL_FROM";
+ description = "From is a Freemail address";
+ score = 0.0;
+ }
+
+ freemail_to {
+ type = "header";
+ header = "To";
+ filter = "email:domain";
+ map = "https://rspamd.com/freemail/free.txt.zst";
+ symbol = "FREEMAIL_TO";
+ description = "To is a Freemail address";
+ score = 0.0;
+ }
+
+ freemail_cc {
+ type = "header";
+ header = "Cc";
+ filter = "email:domain";
+ map = "https://rspamd.com/freemail/free.txt.zst";
+ symbol = "FREEMAIL_CC";
+ description = "To is a Freemail address";
+ score = 0.0;
+ }
+
+ freemail_replyto {
+ type = "header";
+ header = "Reply-To";
+ filter = "email:domain";
+ map = "https://rspamd.com/freemail/free.txt.zst";
+ symbol = "FREEMAIL_REPLYTO";
+ description = "Reply-To is a Freemail address";
+ score = 0.0;
+ }
+
+ # Disposable Addresses
+ disposable_envfrom {
+ type = "from";
+ filter = "email:domain";
+ map = "https://rspamd.com/freemail/disposable.txt.zst";
+ symbol = "DISPOSABLE_ENVFROM";
+ description = "Envelope From is a Disposable e-mail address";
+ score = 0.0;
+ }
+
+ disposable_envrcpt {
+ type = "rcpt";
+ filter = "email:domain";
+ map = "https://rspamd.com/freemail/disposable.txt.zst";
+ symbol = "DISPOSABLE_ENVRCPT";
+ description = "Envelope Recipient is a Disposable e-mail address";
+ score = 0.0;
+ }
+
+ disposable_from {
+ type = "header";
+ header = "from";
+ filter = "email:domain";
+ map = "https://rspamd.com/freemail/disposable.txt.zst";
+ symbol = "DISPOSABLE_FROM";
+ description = "From a Disposable e-mail address";
+ score = 0.0;
+ }
+
+ disposable_to {
+ type = "header";
+ header = "To";
+ filter = "email:domain";
+ map = "https://rspamd.com/freemail/disposable.txt.zst";
+ symbol = "DISPOSABLE_TO";
+ description = "To a disposable e-mail address";
+ score = 0.0;
+ }
+
+ disposable_cc {
+ type = "header";
+ header = "Cc";
+ filter = "email:domain";
+ map = "https://rspamd.com/freemail/disposable.txt.zst";
+ symbol = "DISPOSABLE_CC";
+ description = "To a disposable e-mail address";
+ score = 0.0;
+ }
+
+ disposable_replyto {
+ type = "header";
+ header = "Reply-To";
+ filter = "email:domain";
+ map = "https://rspamd.com/freemail/disposable.txt.zst";
+ symbol = "DISPOSABLE_REPLYTO";
+ description = "Reply-To a disposable e-mail address";
+ score = 0.0;
+ }
+
 .include(try=true,priority=5) "${DBDIR}/dynamic/multimap.conf"
 .include(try=true,priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/multimap.conf"
 .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/multimap.conf"
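Review bot: `freemail_cc` and `disposable_cc` still carry the description copied from the `_to` entries (`description = "To is a Freemail address";` and `description = "To a disposable e-mail address";`), so the symbol reports the wrong header to operators; change them to `description = "Cc is a Freemail address";` and `description = "Cc is a disposable e-mail address";`. The `freemail_from`/`disposable_from` entries use `header = "from";` while the sibling entries capitalise the header name — harmless if the lookup is case-insensitive, but worth normalising to `"From"` for consistency. All twelve entries fetch their list from `https://rspamd.com/freemail/...` at runtime; a one-line comment noting that sites with restricted egress must point `map` at a local copy via `local.d/multimap.conf` would save operators some debugging when the symbols silently never fire.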
@@ -48,122 +166,3 @@ url_tld_re {
 }
 */
-# Freemail Addresses
-
-freemail_envfrom {
- type = "from";
- filter = "email:domain";
- map = "https://rspamd.com/freemail/free.txt.zst";
- symbol = "FREEMAIL_ENVFROM";
- description = "Envelope From is a Freemail address";
- score = 0.0;
-}
-
-freemail_envrcpt {
- type = "rcpt";
- filter = "email:domain";
- map = "https://rspamd.com/freemail/free.txt.zst";
- symbol = "FREEMAIL_ENVRCPT";
- description = "Envelope Recipient is a Freemail address";
- score = 0.0;
-}
-
-freemail_from {
- type = "header";
- header = "from";
- filter = "email:domain";
- map = "https://rspamd.com/freemail/free.txt.zst";
- symbol = "FREEMAIL_FROM";
- description = "From is a Freemail address";
- score = 0.0;
-}
-
-freemail_to {
- type = "header";
- header = "To";
- filter = "email:domain";
- map = "https://rspamd.com/freemail/free.txt.zst";
- symbol = "FREEMAIL_TO";
- description = "To is a Freemail address";
- score = 0.0;
-}
-
-freemail_cc {
- type = "header";
- header = "Cc";
- filter = "email:domain";
- map = "https://rspamd.com/freemail/free.txt.zst";
- symbol = "FREEMAIL_CC";
- description = "To is a Freemail address";
- score = 0.0;
-}
-
-freemail_replyto {
- type = "header";
- header = "Reply-To";
- filter = "email:domain";
- map = "https://rspamd.com/freemail/free.txt.zst";
- symbol = "FREEMAIL_REPLYTO";
- description = "Reply-To is a Freemail address";
- score = 0.0;
-}
-
-# Disposable Addresses
-
-disposable_envfrom {
- type = "from";
- filter = "email:domain";
- map = "https://rspamd.com/freemail/disposable.txt.zst";
- symbol = "DISPOSABLE_ENVFROM";
- description = "Envelope From is a Disposable e-mail address";
- score = 0.0;
-}
-
-disposable_envrcpt {
- type = "rcpt";
- filter = "email:domain";
- map = "https://rspamd.com/freemail/disposable.txt.zst";
- symbol = "DISPOSABLE_ENVRCPT";
- description = "Envelope Recipient is a Disposable e-mail address";
- score = 0.0;
-}
-
-disposable_from {
- type = "header";
- header = "from";
- filter = "email:domain";
- map = "https://rspamd.com/freemail/disposable.txt.zst";
- symbol = "DISPOSABLE_FROM";
- description = "From a Disposable e-mail address";
- score = 0.0;
-}
-
-disposable_to {
- type = "header";
- header = "To";
- filter = "email:domain";
- map = "https://rspamd.com/freemail/disposable.txt.zst";
- symbol = "DISPOSABLE_TO";
- description = "To a disposable e-mail address";
- score = 0.0;
-}
-
-disposable_cc {
- type = "header";
- header = "Cc";
- filter = "email:domain";
- map = "https://rspamd.com/freemail/disposable.txt.zst";
- symbol = "DISPOSABLE_CC";
- description = "To a disposable e-mail address";
- score = 0.0;
-}
-
-disposable_replyto {
- type = "header";
- header = "Reply-To";
- filter = "email:domain";
- map = "https://rspamd.com/freemail/disposable.txt.zst";
- symbol = "DISPOSABLE_REPLYTO";
- description = "Reply-To a disposable e-mail address";
- score = 0.0;
-}
diff --git a/rules/mid.lua b/rules/mid.lua
index 6037ccf12..08ccaf04a 100644
--- a/rules/mid.lua
+++ b/rules/mid.lua
@@ -63,4 +63,4 @@ rspamd_config:set_metric_symbol('MID_RHS_IP_LITERAL', 0.5, 'Message-ID RHS is an
 rspamd_config:register_virtual_symbol('MID_CONTAINS_FROM', 1.0, check_mid_id)
 rspamd_config:set_metric_symbol('MID_CONTAINS_FROM', 1.0, 'Message-ID contains From address', 'default', 'Message ID')
 rspamd_config:register_virtual_symbol('MID_RHS_MATCH_FROM', 1.0, check_mid_id)
-rspamd_config:set_metric_symbol('MID_RHS_MATCH_FROM', 1.0, 'Message-ID RHS matches From domain', 'default', 'Message ID')
\ No newline at end of file
+rspamd_config:set_metric_symbol('MID_RHS_MATCH_FROM', 0.0, 'Message-ID RHS matches From domain', 'default', 'Message ID')
diff --git a/rules/misc.lua b/rules/misc.lua
index f7b63d3c8..1b1aee1af 100644
--- a/rules/misc.lua
+++ b/rules/misc.lua
@@ -739,3 +739,25 @@ rspamd_config.PREVIOUSLY_DELIVERED = {
 score = 0.0
 }
+-- Requires freemail maps loaded in multimap
+local function freemail_reply_neq_from(task)
+ local frt = task:get_symbol('FREEMAIL_REPLYTO')
+ local ff = task:get_symbol('FREEMAIL_FROM')
+ if (frt and ff and frt['options'] and ff['options'] and
+ frt['options'][1] ~= ff['options'][1])
+ then
+ return true
+ end
+ return false
+end
+
+local freemail_reply_neq_from_id = rspamd_config:register_symbol({
+ name = 'FREEMAIL_REPLYTO_NEQ_FROM_DOM',
+ type = 'callback',
+ callback = freemail_reply_neq_from,
+ description = 'Freemail From and Reply-To, but to different Freemail services',
+ score = 3.0
+})
+rspamd_config:register_dependency(freemail_reply_neq_from_id, 'FREEMAIL_REPLYTO')
+rspamd_config:register_dependency(freemail_reply_neq_from_id, 'FREEMAIL_FROM')
+
diff --git a/rules/regexp/compromised_hosts.lua b/rules/regexp/compromised_hosts.lua
index 8d224b315..2444b5cb0 100644
--- a/rules/regexp/compromised_hosts.lua
+++ b/rules/regexp/compromised_hosts.lua
@@ -11,7 +11,7 @@ reconf['HAS_PHPMAILER_SIG'] = {
 reconf['PHP_SCRIPT_ROOT'] = {
 re = "X-PHP-Originating-Script=/^0:/Hi",
 description = "PHP Script executed by root UID",
- score = 2.0,
+ score = 1.0,
 group = "compromised_hosts"
 }
@@ -99,14 +99,12 @@ reconf['HAS_WP_URI'] = {
 reconf['WP_COMPROMISED'] = {
 re = '/\\/wp-(?:content|includes)[^\\/]+\\//Ui',
 description = "URL that is pointing to a compromised WordPress installation",
- score = 5.0,
 group = "compromised_hosts"
 }
 reconf['PHP_XPS_PATTERN'] = {
 re = 'X-PHP-Script=/^[^\\. ]+\\.[^\\.\\/ ]+\\/sendmail\\.php\\b/Hi',
 description = "Message contains X-PHP-Script pattern",
- score = 5.0,
 group = "compromised_hosts"
 }
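Review bot: `freemail_reply_neq_from` reads `frt['options']` straight off the value returned by `task:get_symbol`; if that call returns a list of per-metric result tables (as I believe it does in this version of rspamd), `frt['options']` is always nil and `FREEMAIL_REPLYTO_NEQ_FROM_DOM` can never fire — please verify, and if so index the first result with `frt[1]['options']` / `ff[1]['options']` instead. Even when it does fire, the comparison is only between the first option of each symbol and is a plain case-sensitive `~=`, so the outcome depends on whether the multimap `email:domain` filter lowercases the domain and on which address matched first when a header carries several; that assumption is not written down anywhere. A hedged comment on the `if`, e.g. `-- assumes options[1] is the lowercased matched domain; verify against multimap's email:domain filter`, would make the dependency explicit for whoever tunes this BEC-style rule later.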
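Review bot: Dropping the `score` key from `WP_COMPROMISED` and `PHP_XPS_PATTERN` makes their weight depend on whatever the reconf default is rather than stating it, which is easy to misread as an oversight next to the explicit `score = 1.0,` in the hunk above; if the intent is to make them informational, write `score = 0.0,` explicitly, as the other neutralised rules in this PR do. If instead the weight is meant to come from a metric definition elsewhere, a short comment saying so would stop the next reader from re-adding a score here.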
diff --git a/rules/regexp/headers.lua b/rules/regexp/headers.lua
index d05874809..143171ae2 100644
--- a/rules/regexp/headers.lua
+++ b/rules/regexp/headers.lua
@@ -821,7 +821,7 @@ reconf['HAS_INTERSPIRE_SIG'] = {
 'header_exists(X-Mailer-Sent-By)',
 'List-Unsubscribe=/\\/unsubscribe\\.php\\?M=[^&]+&C=[^&]+&L=[^&]+&N=[^>]+>$/Xi'),
 description = "Has Interspire fingerprint",
- score = 3.0,
+ score = 1.0,
 group = 'header'
 }
@@ -835,7 +835,7 @@ reconf['CT_EXTRA_SEMI'] = {
 reconf['SUBJECT_ENDS_EXCLAIM'] = {
 re = 'Subject=/!\\s*$/H',
 description = 'Subject ends with an exclaimation',
- score = 1.0,
+ score = 0.0,
 group = 'headers'
 }
@@ -880,3 +880,11 @@ reconf['HAS_ORG_HEADER'] = {
 score = 0.0,
 group = 'headers'
 }
+
+reconf['X_PHPOS_FAKE'] = {
+ re = 'X-PHP-Originating-Script=/^\\d{7}:/Hi',
+ description = 'Fake X-PHP-Originating-Script header',
+ score = 3.0,
+ group = 'headers'
+}
+
|
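Review bot: `X_PHPOS_FAKE` treats exactly seven leading digits in `X-PHP-Originating-Script` as evidence of a forged header, but PHP's `mail.add_x_header` writes this header as `<uid>:<script>`, and hosts whose UIDs come from directory id-mapping (SSSD/winbind ranges) can legitimately run web code under seven-digit UIDs, so at `score = 3.0` this will penalise mail from such hosts; `{7}` also ignores eight-or-more digits, so the threshold reads as arbitrary. Please add a comment giving the basis for the pattern, e.g. `-- PHP emits "<uid>:<script>"; a 7-digit UID is taken as a forgery marker (seen in <sample set>) — may misfire on id-mapped UIDs`, and consider whether `^\\d{7,}:` or a UID-range check is what is actually meant. The `i` flag is a no-op for a digits-only pattern, and since `PHP_SCRIPT_ROOT` keys off the same header under `compromised_hosts`, this rule arguably belongs beside it in that group rather than in `headers`.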