author | Vsevolod Stakhov <vsevolod@rspamd.com> | 2023-02-20 21:37:06 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-02-20 21:37:06 +0000 |
commit | d31dde91b914d85b23792ffbc8be3a1a6b65afd8 (patch) | |
tree | 26f4ca7c79ddec20bdad80920d44230cb3cf5fcf | |
parent | c60d2fb077122aeec9122bdca23448a2250390f7 (diff) | |
parent | 4dfb85f4610c47dc356762b5d4fa7ec3609d79b2 (diff) | |
Merge pull request #4310 from twesterhever/temp-add-ipfs-heuristics
[Enhancement] Add IPFS URL heuristic
-rw-r--r-- | rules/regexp/misc.lua | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/rules/regexp/misc.lua b/rules/regexp/misc.lua
index 0e660e358..66ba34996 100644
--- a/rules/regexp/misc.lua
+++ b/rules/regexp/misc.lua
@@ -100,3 +100,18 @@ reconf['LEAKED_PASSWORD_SCAM_RE'] = {
 }
 
 rspamd_config:register_dependency('LEAKED_PASSWORD_SCAM', 'BITCOIN_ADDR')
+
+-- Heurististic for detecting InterPlanetary File System (IPFS) gateway URLs:
+-- These contain "ipfs" somewhere (either in the FQDN or the URL path) and a
+-- content identifier (CID), comprising of either "qm", followed by 44 alphanumerical
+-- characters (CIDv0), or a CIDv1 of an alphanumerical string of unspecified length,
+-- depending on the hash algorithm used, but starting with a multibase prefix.
+local ipfs_cid = '/(qm[a-z0-9]{44}|[079fvtbchkzmup][a-z0-9]{44,128})/{url}i'
+local ipfs_string = '/ipfs(\\.|-|_|\\/|\\?)/{url}i'
+reconf['HAS_IPFS_GATEWAY_URL'] = {
+ description = 'Message contains InterPlanetary File System (IPFS) gateway URL, likely malicious',
+ re = string.format('(%s & %s)', ipfs_cid, ipfs_string),
+ score = 6.0,
+ one_shot = true,
+ group = 'url',
+}
|
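Review bot: The `ipfs_cid` pattern is unanchored, so its multibase-prefix check does very little: in any URL token of 45 or more alphanumerics (tracking IDs, session tokens, signed-link parameters) the match can start at whichever inner character happens to be in `[079fvtbchkzmup]`, and the `i` flag widens the class further. Delimiting the CID would make the prefix meaningful, for example `local ipfs_cid = '/(?<![a-z0-9])(qm[a-z0-9]{44}|[079fvtbchkzmup][a-z0-9]{44,128})(?![a-z0-9])/{url}i'`. The two atoms are also combined with `&` in `re`, which, as far as I can tell from how regexp expressions are evaluated, is satisfied when one URL contains `ipfs.` and a different URL in the same message contains the long token; this should be confirmed, and if so the check should be bound to a single URL. With `score = 6.0` and a description of "likely malicious", both sources of false positives matter, so I would start with a lower score until hit rates on legitimate mail are known.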