author | Vsevolod Stakhov <vsevolod@highsecure.ru> | 2016-07-05 11:40:16 +0100 |
---|---|---|
committer | Vsevolod Stakhov <vsevolod@highsecure.ru> | 2016-07-05 11:40:16 +0100 |
commit | 3a43269d6f8eee01c2bac1b9feeb037fad562725 (patch) | |
tree | 7e754ecdad98a92620e8722d0a7f5bef45115160 /conf/metrics.conf | |
parent | 1526e4b975a3442bc2eb44ad2a28754596eacbab (diff) | |
[Feature] Add new symbols to filter bad extensions in messages
* MIME_ENCRYPTED_ARCHIVE - encrypted archive has been found
* MIME_ARCHIVE_IN_ARCHIVE - archive is enclosed within another archive
* MIME_DOUBLE_BAD_EXTENSION - double extension to hide something
* MIME_BAD_EXTENSION - bad extension in attachment or archive
Diffstat (limited to 'conf/metrics.conf')
-rw-r--r-- | conf/metrics.conf | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/conf/metrics.conf b/conf/metrics.conf
index 03dc0f489..8ce02c8f4 100644
--- a/conf/metrics.conf
+++ b/conf/metrics.conf
@@ -1023,6 +1023,24 @@ metric {
 description = "Invalid attachement mime type";
 one_shot = true;
 }
+ symbol "MIME_ENCRYPTED_ARCHIVE" {
+ weight = 2.0;
+ description = "Encrypted archive in a message";
+ one_shot = true;
+ }
+ symbol "MIME_ARCHIVE_IN_ARCHIVE" {
+ weight = 5.0;
+ description = "Archive within another archive";
+ one_shot = true;
+ }
+ symbol "MIME_DOUBLE_BAD_EXTENSION" {
+ weight = 3.0; # This rule has dynamic weight up to 4.0
+ description = "Bad extension cloaking";
+ }
+ symbol "MIME_BAD_EXTENSION" {
+ weight = 2.0; # This rule has dynamic weight up to 4.0
+ description = "Bad extension";
+ }
 }
 group "url" {
 symbol "R_SUSPICIOUS_URL" { |
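Review bot: The `MIME_DOUBLE_BAD_EXTENSION` and `MIME_BAD_EXTENSION` entries omit `one_shot = true;`, unlike the two archive symbols added just above them, so if the rule can fire once per attachment or archive member the score may accumulate past the "up to 4.0" the comments promise; the rule code is not part of this diff, so that is inferred. Either add `one_shot = true;` to both, or state in the comment that repeated hits are meant to add up. The comment is also ambiguous about whether 4.0 is the final score or a multiplier applied to `weight`; if it is a cap on the final score, wording such as `# base weight; the rule scales the final score, capped at 4.0` would make the ceiling explicit for anyone tuning reject thresholds. The enclosing `group` block opens outside the hunk.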