authorVsevolod Stakhov <vsevolod@highsecure.ru>2019-01-15 12:50:43 +0000
committerVsevolod Stakhov <vsevolod@highsecure.ru>2019-01-15 12:50:43 +0000
commit22a0948a357a7cc7dc9fd393eac686b743791626 (patch)
treeede3eab8a504b3d28201b3ab79a66197a5367bc9 /rules
parent48db96cdcb93d2495dc3b550056aa9bdfbbd0a60 (diff)
downloadrspamd-22a0948a357a7cc7dc9fd393eac686b743791626.tar.gz
rspamd-22a0948a357a7cc7dc9fd393eac686b743791626.zip
[Rules] LEAKED_PASSWORD_SCAM: Improve images scam detection
Diffstat (limited to 'rules')
-rw-r--r--rules/regexp/misc.lua19
1 files changed, 18 insertions, 1 deletions
diff --git a/rules/regexp/misc.lua b/rules/regexp/misc.lua
index 9d5f2dd2b..56e63cd7b 100644
--- a/rules/regexp/misc.lua
+++ b/rules/regexp/misc.lua
@@ -67,9 +67,26 @@ local wallet_word = [[/^wallet$/i{words}]]
local broken_unicode = [[has_flag(bad_unicode)]]
reconf['LEAKED_PASSWORD_SCAM'] = {
- re = string.format('%s & (%s | %s | %s)',
+ re = string.format('%s & (%s | %s | %s | lua:check_data_images)',
btc_wallet_address, password_in_words, wallet_word, broken_unicode),
description = 'Contains password word and BTC wallet address',
+ functions = {
+ check_data_images = function(task)
+ local tp = task:get_text_parts() or {}
+
+ for _,p in ipairs(tp) do
+ if p:is_html() then
+ local hc = p:get_html()
+
+ if hc and hc:has_property('data_urls') then
+ return true
+ end
+ end
+ end
+
+ return false
+ end
+ },
score = 7.0,
group = 'scams'
} \ No newline at end of file
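Review bot: With `lua:check_data_images` added to the OR group in `re`, the rule can now fire at score 7.0 on a BTC wallet address plus any HTML part carrying the `data_urls` property, with no password or wallet word present, yet `description` still reads 'Contains password word and BTC wallet address'. Anyone triaging a false positive from this symbol will be misled by that text, so I would update it, e.g. `description = 'Contains BTC wallet address with password/wallet words, broken unicode or data: URLs in HTML',`. The helper is named for images but tests `has_property('data_urls')`, which by its name looks like it covers any data: URL rather than only images; a short comment above the function stating why this counts as a scam signal (presumably message text rendered as an inline image to evade the word regexps) and what the property actually covers would help. Given the weight, it is worth considering whether this branch should also require one of the other signals or contribute a lower score, since legitimate HTML mail with inline data: images that mentions a wallet address would receive the full 7.0.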