summaryrefslogtreecommitdiffstats
path: root/rules
diff options
context:
space:
mode:
authorVsevolod Stakhov <vsevolod@highsecure.ru>2016-11-29 18:14:14 +0000
committerGitHub <noreply@github.com>2016-11-29 18:14:14 +0000
commit885333db66718904c890207093c986ad4efc0689 (patch)
treef007e6c5837ce4e6d9f5617cb75ef19a82ee1940 /rules
parentee81d64e6f30d3f91913019b79d12326052ce9ed (diff)
parent75f75b81d35d7fea6747cba466bdac0bd063e153 (diff)
downloadrspamd-885333db66718904c890207093c986ad4efc0689.tar.gz
rspamd-885333db66718904c890207093c986ad4efc0689.zip
Merge pull request #1205 from smfreegard/rules_161129
Adjust scores and add new rules
Diffstat (limited to 'rules')
-rw-r--r--rules/mid.lua2
-rw-r--r--rules/misc.lua22
-rw-r--r--rules/regexp/compromised_hosts.lua4
-rw-r--r--rules/regexp/headers.lua12
4 files changed, 34 insertions, 6 deletions
diff --git a/rules/mid.lua b/rules/mid.lua
index 6037ccf12..08ccaf04a 100644
--- a/rules/mid.lua
+++ b/rules/mid.lua
@@ -63,4 +63,4 @@ rspamd_config:set_metric_symbol('MID_RHS_IP_LITERAL', 0.5, 'Message-ID RHS is an
rspamd_config:register_virtual_symbol('MID_CONTAINS_FROM', 1.0, check_mid_id)
rspamd_config:set_metric_symbol('MID_CONTAINS_FROM', 1.0, 'Message-ID contains From address', 'default', 'Message ID')
rspamd_config:register_virtual_symbol('MID_RHS_MATCH_FROM', 1.0, check_mid_id)
-rspamd_config:set_metric_symbol('MID_RHS_MATCH_FROM', 1.0, 'Message-ID RHS matches From domain', 'default', 'Message ID') \ No newline at end of file
+rspamd_config:set_metric_symbol('MID_RHS_MATCH_FROM', 0.0, 'Message-ID RHS matches From domain', 'default', 'Message ID')
diff --git a/rules/misc.lua b/rules/misc.lua
index f7b63d3c8..1b1aee1af 100644
--- a/rules/misc.lua
+++ b/rules/misc.lua
@@ -739,3 +739,25 @@ rspamd_config.PREVIOUSLY_DELIVERED = {
score = 0.0
}
+-- Requires freemail maps loaded in multimap
+local function freemail_reply_neq_from(task)
+ local frt = task:get_symbol('FREEMAIL_REPLYTO')
+ local ff = task:get_symbol('FREEMAIL_FROM')
+ if (frt and ff and frt['options'] and ff['options'] and
+ frt['options'][1] ~= ff['options'][1])
+ then
+ return true
+ end
+ return false
+end
+
+local freemail_reply_neq_from_id = rspamd_config:register_symbol({
+ name = 'FREEMAIL_REPLYTO_NEQ_FROM_DOM',
+ type = 'callback',
+ callback = freemail_reply_neq_from,
+ description = 'Freemail From and Reply-To, but to different Freemail services',
+ score = 3.0
+})
+rspamd_config:register_dependency(freemail_reply_neq_from_id, 'FREEMAIL_REPLYTO')
+rspamd_config:register_dependency(freemail_reply_neq_from_id, 'FREEMAIL_FROM')
+
diff --git a/rules/regexp/compromised_hosts.lua b/rules/regexp/compromised_hosts.lua
index 8d224b315..2444b5cb0 100644
--- a/rules/regexp/compromised_hosts.lua
+++ b/rules/regexp/compromised_hosts.lua
@@ -11,7 +11,7 @@ reconf['HAS_PHPMAILER_SIG'] = {
reconf['PHP_SCRIPT_ROOT'] = {
re = "X-PHP-Originating-Script=/^0:/Hi",
description = "PHP Script executed by root UID",
- score = 2.0,
+ score = 1.0,
group = "compromised_hosts"
}
@@ -99,14 +99,12 @@ reconf['HAS_WP_URI'] = {
reconf['WP_COMPROMISED'] = {
re = '/\\/wp-(?:content|includes)[^\\/]+\\//Ui',
description = "URL that is pointing to a compromised WordPress installation",
- score = 5.0,
group = "compromised_hosts"
}
reconf['PHP_XPS_PATTERN'] = {
re = 'X-PHP-Script=/^[^\\. ]+\\.[^\\.\\/ ]+\\/sendmail\\.php\\b/Hi',
description = "Message contains X-PHP-Script pattern",
- score = 5.0,
group = "compromised_hosts"
}
diff --git a/rules/regexp/headers.lua b/rules/regexp/headers.lua
index d05874809..143171ae2 100644
--- a/rules/regexp/headers.lua
+++ b/rules/regexp/headers.lua
@@ -821,7 +821,7 @@ reconf['HAS_INTERSPIRE_SIG'] = {
'header_exists(X-Mailer-Sent-By)',
'List-Unsubscribe=/\\/unsubscribe\\.php\\?M=[^&]+&C=[^&]+&L=[^&]+&N=[^>]+>$/Xi'),
description = "Has Interspire fingerprint",
- score = 3.0,
+ score = 1.0,
group = 'header'
}
@@ -835,7 +835,7 @@ reconf['CT_EXTRA_SEMI'] = {
reconf['SUBJECT_ENDS_EXCLAIM'] = {
re = 'Subject=/!\\s*$/H',
description = 'Subject ends with an exclaimation',
- score = 1.0,
+ score = 0.0,
group = 'headers'
}
@@ -880,3 +880,11 @@ reconf['HAS_ORG_HEADER'] = {
score = 0.0,
group = 'headers'
}
+
+reconf['X_PHPOS_FAKE'] = {
+ re = 'X-PHP-Originating-Script=/^\\d{7}:/Hi',
+ description = 'Fake X-PHP-Originating-Script header',
+ score = 3.0,
+ group = 'headers'
+}
+