authorSteve Freegard <steve@stevefreegard.com>2016-11-21 12:55:14 +0000
committerSteve Freegard <steve@stevefreegard.com>2016-11-21 12:55:14 +0000
commit5c669479a0e0630f822929714332b615f11210a6 (patch)
tree80db15bb85dfc64df81c92b4369480eca9aafe2a /rules/regexp
parent919cbd477d499804b17c87656a435db6067ca31e (diff)
downloadrspamd-5c669479a0e0630f822929714332b615f11210a6.tar.gz
rspamd-5c669479a0e0630f822929714332b615f11210a6.zip
Rules updates
Diffstat (limited to 'rules/regexp')
-rw-r--r--rules/regexp/headers.lua91
-rw-r--r--rules/regexp/misc.lua39
2 files changed, 130 insertions, 0 deletions
diff --git a/rules/regexp/headers.lua b/rules/regexp/headers.lua
index ef0adc6b1..e5bce8cea 100644
--- a/rules/regexp/headers.lua
+++ b/rules/regexp/headers.lua
@@ -255,6 +255,22 @@ reconf['CC_EXCESS_QP'] = {
group = 'excessqp'
}
+local subj_encoded_b64 = 'Subject=/\\=\\?\\S+\\?B\\?/iX'
+local subj_needs_mime = 'Subject=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/Hr'
+reconf['SUBJ_EXCESS_BASE64'] = {
+ re = string.format('%s & !%s', subj_encoded_b64, subj_needs_mime),
+ score = 1.5,
+ description = 'Subject is unnecessarily encoded in base64',
+ group = 'excessb64'
+}
+
+local subj_encoded_qp = 'Subject=/\\=\\?\\S+\\?Q\\?/iX'
+reconf['SUBJ_EXCESS_QP'] = {
+ re = string.format('%s & !%s', subj_encoded_qp, subj_needs_mime),
+ score = 1.2,
+ description = 'Subect is unnecessarily encoded in quoted-printable',
+ group = 'excessqp'
+}
-- Detect forged outlook headers
-- OE X-Mailer header
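Review bot: The description of the new SUBJ_EXCESS_QP rule misspells its own subject: `description = 'Subect is unnecessarily encoded in quoted-printable',` should read `description = 'Subject is unnecessarily encoded in quoted-printable',`, since this string is what operators see in symbol listings and scan output. The two rules also share `subj_needs_mime` via a `!` negation, which is correct in intent, but the helper locals carry no comment explaining that they are combined as "encoded-word present AND no byte that actually needs MIME encoding"; a one-line comment above `local subj_needs_mime` stating that would save the next reader from decoding the `\\x00-\\x08...` class by hand. The hunk starts inside the existing `reconf['CC_EXCESS_QP']` table, which is closed at its first lines; the added code itself is complete.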
@@ -803,3 +819,78 @@ reconf['GOOGLE_FORWARDING_MID_BROKEN'] = {
description = "Message had invalid Message-ID pre-forwarding",
group = 'header'
}
+
+reconf['CTE_CASE'] = {
+ re = 'Content-Transfer-Encoding=/^[78]BsX',
+ description = '[78]Bit .vs. [78]bit',
+ score = 0.5,
+ group = header'
+}
+
+reconf['HAS_INTERSPIRE_SIG'] = {
+ re = string.format('((%s) & (%s) & (%s) & (%s)) | (%s)',
+ 'header_exists(X-Mailer-LID)',
+ 'header_exists(X-Mailer-RecptId)',
+ 'header_exists(X-Mailer-SID)',
+ 'header_exists(X-Mailer-Sent-By)',
+ 'List-Unsubscribe=/\\/unsubscribe\\.php\\?M=[^&]+&C=[^&]+&L=[^&]+&N=[^>]+>$/Xi'),
+ description = "Has Interspire fingerprint",
+ score = 3.0,
+ group = 'header'
+}
+
+reconf['CT_EXTRA_SEMI'] = {
+ re = 'Content-Type=/;$/X',
+ description = 'Content-Type ends with a semi-colon',
+ score = 1.0,
+ group = 'header'
+}
+
+reconf['SUBJECT_ENDS_EXCLAIM'] = {
+ re = 'Subject=/!\\s*$/H',
+ description = 'Subject ends with an exclaimation',
+ score = 1.0,
+ group = 'headers'
+}
+
+reconf['SUBJECT_HAS_EXCLAIM'] = {
+ re = string.format('%s & !%s', 'Subject=/!/H', 'Subject=/!\\s*$/H'),
+ description = 'Subject contains an exclaimation',
+ score = 0.0,
+ group = 'headers'
+}
+
+reconf['SUBJECT_ENDS_QUESTION'] = {
+ re = 'Subject=/\\?\\s*$/H',
+ description = 'Subject ends with a question',
+ score = 1.0,
+ group = 'headers'
+}
+
+reconf['SUBJECT_HAS_QUESTION'] = {
+ re = string.format('%s & !%s', 'Subject=/\\?/H', 'Subject=/\\?\\s*$/H'),
+ description = 'Subject contains a question',
+ score = 0.0,
+ group = 'headers'
+}
+
+reconf['SUBJECT_HAS_CURRENCY'] = {
+ re = 'Subject=/$€$¢¥₽/H',
+ description = 'Subject contains currency',
+ score = 1.0,
+ group = 'headers'
+}
+
+reconf['SUBJECT_ENDS_SPACES'] = {
+ re = 'Subject=/\\s+$/H',
+ description = 'Subject ends with space characters',
+ score = 0.5,
+ group = 'headers'
+}
+
+reconf['HAS_ORG_HEADER'] = {
+ re = string.format('%s || %s', 'header_exists(Organization)', 'header_exists(Organisation)'),
+ description = 'Has Organization header',
+ score = 0.0,
+ group = 'headers'
+}
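Review bot: `reconf['CTE_CASE']` is a Lua syntax error: `group = header'` is missing its opening quote, so the whole of rules/regexp/headers.lua fails to compile and every rule in this file, not just the new ones, stops loading until it is fixed — the line should be `group = 'header'`. In the same rule the regexp has no closing delimiter before its flags, `re = 'Content-Transfer-Encoding=/^[78]BsX',` reads as a pattern `^[78]BsX` with no flags, where `re = 'Content-Transfer-Encoding=/^[78]B/sX',` appears to be what was meant. `reconf['SUBJECT_HAS_CURRENCY']` uses `Subject=/$€$¢¥₽/H`, in which `$` is an end-of-string anchor rather than a literal, so the pattern cannot match as written; presumably a character class was intended, `re = 'Subject=/[$€¢¥₽]/H',`, and whether the multi-byte symbols match bytewise or as code points with these flags is not visible here and should be checked. Smaller points in the same hunk: "exclaimation" in the SUBJECT_ENDS_EXCLAIM and SUBJECT_HAS_EXCLAIM descriptions should be "exclamation"; the new SUBJECT_* and HAS_ORG_HEADER rules use `group = 'headers'` while the rest of the hunk and the earlier rules use `'header'`; and HAS_ORG_HEADER joins with `||` where HAS_INTERSPIRE_SIG above uses `|`, so one form should be chosen for the file.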
diff --git a/rules/regexp/misc.lua b/rules/regexp/misc.lua
new file mode 100644
index 000000000..a819ec729
--- /dev/null
+++ b/rules/regexp/misc.lua
@@ -0,0 +1,39 @@
+--[[
+Copyright (c) 2011-2016, Vsevolod Stakhov <vsevolod@highsecure.ru>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+]]--
+
+
+local reconf = config['regexp']
+
+reconf['HTML_META_REFRESH_URL'] = {
+ -- Requires options { check_attachements = true; }
+ re = '/<meta\\s+http-equiv="refresh"\\s+content="\\d+;url=/{sa_raw_body}i',
+ description = "Has HTML Meta refresh URL",
+ score = 5.0
+}
+
+reconf['HAS_DATA_URI'] = {
+ -- Requires options { check_attachements = true; }
+ re = '/data:[^\\/]+\\/[^; ]+;base64,/{sa_raw_body}i',
+ description = "Has Data URI encoding"
+}
+
+reconf['DATA_URI_OBFU'] = {
+ -- Requires options { check_attachements = true; }
+ re = '/data:text\\/(?:plain|html);base64,/{sa_raw_body}i',
+ description = "Uses Data URI encoding to obfuscate plain or HTML in base64",
+ score = 2.0
+}
+
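Review bot: `reconf['HAS_DATA_URI']` is the only rule in this new file without a `score`, while its two neighbours set one; how the regexp module treats a missing score is not visible here, so either set it explicitly or mark it as informational, `score = 0.0,`. None of the three rules sets a `group`, unlike the header rules in the same commit, so they will fall outside any per-group scoring or reporting that keys on it. The repeated comment `-- Requires options { check_attachements = true; }` is the only hint that these `{sa_raw_body}` rules never fire unless that option is on; the option name looks misspelled (two e's) and should be checked against the module's actual option, and a short comment at the top of the file saying that the rules are silently inert without it would help operators who wonder why these symbols never appear.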