authorSteve Freegard <steve@stevefreegard.com>2016-11-21 12:55:14 +0000
committerSteve Freegard <steve@stevefreegard.com>2016-11-21 12:55:14 +0000
commit5c669479a0e0630f822929714332b615f11210a6 (patch)
tree80db15bb85dfc64df81c92b4369480eca9aafe2a /rules/regexp/headers.lua
parent919cbd477d499804b17c87656a435db6067ca31e (diff)
Rules updates
Diffstat (limited to 'rules/regexp/headers.lua')
-rw-r--r--rules/regexp/headers.lua91
1 files changed, 91 insertions, 0 deletions
diff --git a/rules/regexp/headers.lua b/rules/regexp/headers.lua
index ef0adc6b1..e5bce8cea 100644
--- a/rules/regexp/headers.lua
+++ b/rules/regexp/headers.lua
@@ -255,6 +255,22 @@ reconf['CC_EXCESS_QP'] = {
group = 'excessqp'
}
+local subj_encoded_b64 = 'Subject=/\\=\\?\\S+\\?B\\?/iX'
+local subj_needs_mime = 'Subject=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/Hr'
+reconf['SUBJ_EXCESS_BASE64'] = {
+ re = string.format('%s & !%s', subj_encoded_b64, subj_needs_mime),
+ score = 1.5,
+ description = 'Subject is unnecessarily encoded in base64',
+ group = 'excessb64'
+}
+
+local subj_encoded_qp = 'Subject=/\\=\\?\\S+\\?Q\\?/iX'
+reconf['SUBJ_EXCESS_QP'] = {
+ re = string.format('%s & !%s', subj_encoded_qp, subj_needs_mime),
+ score = 1.2,
+ description = 'Subect is unnecessarily encoded in quoted-printable',
+ group = 'excessqp'
+}
-- Detect forged outlook headers
-- OE X-Mailer header
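Review bot: The description string on `SUBJ_EXCESS_QP` is misspelled as `'Subect is unnecessarily encoded in quoted-printable'`; it is reported alongside the symbol, so it should read `'Subject is unnecessarily encoded in quoted-printable'`. Both new rules also depend on a pairing of flags that is not obvious from the code (`iX` on the encoded-word test, `Hr` on the byte-range test), and nothing says which form of the header each half inspects. A short comment above `subj_needs_mime`, for example `-- matches control or 8-bit bytes in Subject, i.e. cases where MIME encoding was actually required`, would let a later maintainer check that the negation does what is intended.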
@@ -803,3 +819,78 @@ reconf['GOOGLE_FORWARDING_MID_BROKEN'] = {
description = "Message had invalid Message-ID pre-forwarding",
group = 'header'
}
+
+reconf['CTE_CASE'] = {
+ re = 'Content-Transfer-Encoding=/^[78]BsX',
+ description = '[78]Bit .vs. [78]bit',
+ score = 0.5,
+ group = header'
+}
+
+reconf['HAS_INTERSPIRE_SIG'] = {
+ re = string.format('((%s) & (%s) & (%s) & (%s)) | (%s)',
+ 'header_exists(X-Mailer-LID)',
+ 'header_exists(X-Mailer-RecptId)',
+ 'header_exists(X-Mailer-SID)',
+ 'header_exists(X-Mailer-Sent-By)',
+ 'List-Unsubscribe=/\\/unsubscribe\\.php\\?M=[^&]+&C=[^&]+&L=[^&]+&N=[^>]+>$/Xi'),
+ description = "Has Interspire fingerprint",
+ score = 3.0,
+ group = 'header'
+}
+
+reconf['CT_EXTRA_SEMI'] = {
+ re = 'Content-Type=/;$/X',
+ description = 'Content-Type ends with a semi-colon',
+ score = 1.0,
+ group = 'header'
+}
+
+reconf['SUBJECT_ENDS_EXCLAIM'] = {
+ re = 'Subject=/!\\s*$/H',
+ description = 'Subject ends with an exclaimation',
+ score = 1.0,
+ group = 'headers'
+}
+
+reconf['SUBJECT_HAS_EXCLAIM'] = {
+ re = string.format('%s & !%s', 'Subject=/!/H', 'Subject=/!\\s*$/H'),
+ description = 'Subject contains an exclaimation',
+ score = 0.0,
+ group = 'headers'
+}
+
+reconf['SUBJECT_ENDS_QUESTION'] = {
+ re = 'Subject=/\\?\\s*$/H',
+ description = 'Subject ends with a question',
+ score = 1.0,
+ group = 'headers'
+}
+
+reconf['SUBJECT_HAS_QUESTION'] = {
+ re = string.format('%s & !%s', 'Subject=/\\?/H', 'Subject=/\\?\\s*$/H'),
+ description = 'Subject contains a question',
+ score = 0.0,
+ group = 'headers'
+}
+
+reconf['SUBJECT_HAS_CURRENCY'] = {
+ re = 'Subject=/$€$¢¥₽/H',
+ description = 'Subject contains currency',
+ score = 1.0,
+ group = 'headers'
+}
+
+reconf['SUBJECT_ENDS_SPACES'] = {
+ re = 'Subject=/\\s+$/H',
+ description = 'Subject ends with space characters',
+ score = 0.5,
+ group = 'headers'
+}
+
+reconf['HAS_ORG_HEADER'] = {
+ re = string.format('%s || %s', 'header_exists(Organization)', 'header_exists(Organisation)'),
+ description = 'Has Organization header',
+ score = 0.0,
+ group = 'headers'
+}
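Review bot: In the `CTE_CASE` table, `group = header'` has no opening quote, which is a Lua syntax error that would likely stop the whole rules file from loading, silently dropping every header rule in it; it should read `group = 'header'`. The `re` in the same table, `'Content-Transfer-Encoding=/^[78]BsX'`, has no closing `/` before its flags and was presumably meant as `'Content-Transfer-Encoding=/^[78]B/X'`. In `SUBJECT_HAS_CURRENCY` the pattern `/$€$¢¥₽/H` is not a character class and its unescaped `$` acts as an end anchor, so as written it cannot match a currency symbol; a bracketed class such as `[$€¢¥₽]` looks like the intent. The new tables also mix `group = 'header'` and `group = 'headers'`, which splits them across two groups unless that is deliberate. If any of these is only an artefact of how this page renders the patch, the committed file is still worth checking against them.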