author | Vsevolod Stakhov <vsevolod@highsecure.ru> | 2017-11-11 19:05:45 +0000 |
---|---|---|
committer | Vsevolod Stakhov <vsevolod@highsecure.ru> | 2017-11-11 19:06:06 +0000 |
commit | 48a84895679ea33d71b8b981e90374135a347a36 (patch) | |
tree | 6deee1fe20c9bfb300573efbb2f29e8f9601bd5c /rules/regexp | |
parent | 815104c21d171de0d370b00e38e54783a082ed08 (diff) | |
download | rspamd-48a84895679ea33d71b8b981e90374135a347a36.tar.gz rspamd-48a84895679ea33d71b8b981e90374135a347a36.zip |
[Fix] Cleanup mess with groups
Diffstat (limited to 'rules/regexp')
-rw-r--r-- | rules/regexp/compromised_hosts.lua | 3 | ||||
-rw-r--r-- | rules/regexp/misc.lua | 6 |
2 files changed, 8 insertions, 1 deletions
diff --git a/rules/regexp/compromised_hosts.lua b/rules/regexp/compromised_hosts.lua
index 2444b5cb0..f6427a7cd 100644
--- a/rules/regexp/compromised_hosts.lua
+++ b/rules/regexp/compromised_hosts.lua
@@ -93,12 +93,14 @@ reconf['X_PHP_EVAL'] = {
 reconf['HAS_WP_URI'] = {
 re = '/\\/wp-[^\\/]+\\//Ui',
 description = "Contains WordPress URIs",
+ one_shot = true,
 group = "compromised_hosts"
 }

 reconf['WP_COMPROMISED'] = {
 re = '/\\/wp-(?:content|includes)[^\\/]+\\//Ui',
 description = "URL that is pointing to a compromised WordPress installation",
+ one_shot = true,
 group = "compromised_hosts"
 }

@@ -140,6 +142,7 @@ reconf['URI_HIDDEN_PATH'] = {
 re = "/\\/\\..+/U",
 description = "URL contains a UNIX hidden file/directory",
 score = 1.0,
+ one_shot = true,
 group = "compromised_hosts"
 }

diff --git a/rules/regexp/misc.lua b/rules/regexp/misc.lua
index 1adfe98fd..f63526a8e 100644
--- a/rules/regexp/misc.lua
+++ b/rules/regexp/misc.lua
@@ -22,6 +22,7 @@ reconf['HTML_META_REFRESH_URL'] = {
 re = '/<meta\\s+http-equiv="refresh"\\s+content="\\d+\\s*;\\s*url=/{sa_raw_body}i',
 description = "Has HTML Meta refresh URL",
 score = 5.0,
+ one_shot = true,
 group = 'HTML'
 }

@@ -29,7 +30,8 @@ reconf['HAS_DATA_URI'] = {
 -- Requires options { check_attachements = true; }
 re = '/data:[^\\/]+\\/[^; ]+;base64,/{sa_raw_body}i',
 description = "Has Data URI encoding",
- group = 'HTML'
+ group = 'HTML',
+ one_shot = true,
 }

 reconf['DATA_URI_OBFU'] = {
@@ -37,6 +39,7 @@ reconf['DATA_URI_OBFU'] = {
 re = '/data:text\\/(?:plain|html);base64,/{sa_raw_body}i',
 description = "Uses Data URI encoding to obfuscate plain or HTML in base64",
 group = 'HTML',
+ one_shot = true,
 score = 2.0
 }

@@ -44,6 +47,7 @@ reconf['INTRODUCTION'] = {
 re = '/\\b(?:my name is\\b|(?:i am|this is)\\s+(?:mr|mrs|ms|miss|master|sir|prof(?:essor)?|d(?:octo)?r|rev(?:erend)?)(?:\\.|\\b))/{sa_body}i',
 description = "Sender introduces themselves",
 score = 2.0,
+ one_shot = true,
 group = 'scams'
 } |
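Review bot: The `one_shot = true` fields added to HAS_WP_URI and WP_COMPROMISED in the first hunk of compromised_hosts.lua have no comment, and the commit subject mentions only groups, so nothing on the page tells a reader that scoring behaviour changes. The same holds for URI_HIDDEN_PATH and for the four misc.lua hunks. Presumably one_shot makes a symbol's weight count once per message however often the pattern matches; if so, operators who tuned reject thresholds against repeated hits are affected, most visibly for HTML_META_REFRESH_URL at 5.0. I would add one line above the first use, for example `-- one_shot: score once per message, however many URLs match`. Each table here opens or closes at a hunk edge, so fields outside the hunks are not visible.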
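Review bot: In the HAS_DATA_URI hunk of misc.lua, `one_shot = true,` is appended after `group = 'HTML',` and leaves a trailing comma before the closing brace, whereas the other six entries in this commit place it before the last field. Lua accepts the trailing comma, so this is a matter of style only. Writing `one_shot = true,` on the line above an unchanged `group = 'HTML'` would keep the tables uniform and turn this hunk into a single added line instead of a removed and re-added `group` line. The table's opening line appears only in the hunk header, so the entry starts outside the hunk.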