authorVsevolod Stakhov <vsevolod@highsecure.ru>2017-03-24 11:27:26 +0000
committerGitHub <noreply@github.com>2017-03-24 11:27:26 +0000
commit573b224dc056371c0fbead54eb92101b81737a11 (patch)
treea44b6b9df1a08236097905f5297006b0d7d3b7ba /rules
parent7bcbbce36aa57fae1c7417db542155d1e137892f (diff)
parent1f0efdff27b2d58a04ba51c047785da309012cbf (diff)
Merge pull request #1554 from smfreegard/rules_170323
New rules
Diffstat (limited to 'rules')
-rw-r--r--rules/misc.lua48
-rw-r--r--rules/regexp/headers.lua14
-rw-r--r--rules/regexp/misc.lua7
3 files changed, 58 insertions, 11 deletions
diff --git a/rules/misc.lua b/rules/misc.lua
index 21b236fda..63c52eb4f 100644
--- a/rules/misc.lua
+++ b/rules/misc.lua
@@ -400,7 +400,8 @@ rspamd_config:register_symbol{
score = 0,
}
-rspamd_config.SPOOF_DISPLAY_NAME = {
+local check_from_display_name = rspamd_config:register_symbol{
+ name = 'CHECK_FROM_SPOOF',
callback = function (task)
local from = task:get_from(2)
if not (from and from[1] and from[1].name) then return false end
@@ -408,22 +409,40 @@ rspamd_config.SPOOF_DISPLAY_NAME = {
local parsed = util.parse_mail_address(from[1].name)
if not parsed then return false end
if not (parsed[1] and parsed[1]['addr']) then return false end
+ if parsed[1]['domain'] == nil or parsed[1]['domain'] == '' then return false end
-- See if the parsed domains differ
if not util.strequal_caseless(from[1]['domain'], parsed[1]['domain']) then
-- See if the destination domain is the same as the spoof
local to = task:get_recipients(2)
- -- Be careful with undisclosed-recipients:; as domain will be an empty string
- if not (to and to[1] and to[1]['domain'] and to[1]['domain'] ~= '') then
+ if not (to and to[1] and to[1]['domain']) then
+ -- Be careful with undisclosed-recipients:; as domain will be an empty string
+ if to[1]['domain'] == nil or to[1]['domain'] == '' then return false end
+ task:insert_result('FROM_NEQ_DISPLAY_NAME', 1.0, from[1]['domain'], parsed[1]['domain'])
return false
end
if util.strequal_caseless(to[1]['domain'], parsed[1]['domain']) then
- return true,from[1]['domain'],parsed[1]['domain']
+ task:insert_result('SPOOF_DISPLAY_NAME', 1.0, from[1]['domain'], parsed[1]['domain'])
+ return false
end
end
return false
end,
+}
+
+rspamd_config:register_symbol{
+ type = 'virtual',
+ parent = check_from_display_name,
+ name = 'SPOOF_DISPLAY_NAME',
description = 'Display name is being used to spoof and trick the recipient',
- score = 8.0
+ score = 8,
+}
+
+rspamd_config:register_symbol{
+ type = 'virtual',
+ parent = check_from_display_name,
+ name = 'FROM_NEQ_DISPLAY_NAME',
+ description = 'Display name contains an email address different to the From address',
+ score = 4,
}
rspamd_config.SPOOF_REPLYTO = {
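Review bot: The branch entered by `if not (to and to[1] and to[1]['domain'])` immediately indexes `to[1]['domain']`, which raises when `task:get_recipients(2)` returned nil or an empty list, and when it does not raise the inner nil/'' test is always true (the outer guard is only entered when that domain is nil), so the `FROM_NEQ_DISPLAY_NAME` insert under it is unreachable. At the same time an empty-string domain from `undisclosed-recipients:;` is truthy in Lua and passes the outer guard, which is exactly the case the moved comment says it protects against. The enclosing callback begins in the previous hunk. Presumably `FROM_NEQ_DISPLAY_NAME` is meant to fire whenever the display-name domain differs and cannot be tied to the recipient, as its description says; if the mismatched-recipient case is intended to stay silent, keep a plain `return false` there instead of the second insert. The rewrite below still looks only at the first recipient, as the original does, so a spoofed domain that matches a later recipient is still missed.
```lua
        local to = task:get_recipients(2)
        local to_dom = to and to[1] and to[1]['domain']
        -- undisclosed-recipients:; yields an empty-string domain; treat it as no usable recipient
        if to_dom and to_dom ~= '' and util.strequal_caseless(to_dom, parsed[1]['domain']) then
          task:insert_result('SPOOF_DISPLAY_NAME', 1.0, from[1]['domain'], parsed[1]['domain'])
          return false
        end
        -- Display-name address differs from From but could not be tied to the recipient domain
        task:insert_result('FROM_NEQ_DISPLAY_NAME', 1.0, from[1]['domain'], parsed[1]['domain'])
        return false
```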
@@ -431,15 +450,22 @@ rspamd_config.SPOOF_REPLYTO = {
-- First check for a Reply-To header
local rt = task:get_header('Reply-To')
if not rt then return false end
- -- Get From header domain
- local fromdom = ((task:get_from(2) or E)[1] or E).domain
- if not fromdom then return false end
+ -- Get From and To headers
+ local from = task:get_from(2)
+ local to = task:get_recipients(2)
+ if not (from and from[1] and from[1].addr) then return false end
+ if (to and to[1] and to[1].addr) then
+ -- Handle common case for Web Contact forms of From = To
+ if util.strequal_caseless(from[1].addr, to[1].addr) then
+ return false
+ end
+ end
-- SMTP recipients must contain From domain
local to = task:get_recipients(1)
if not to then return false end
local found_fromdom = false
for _, t in ipairs(to) do
- if util.strequal_caseless(t.domain, fromdom) then
+ if util.strequal_caseless(t.domain, from[1].domain) then
found_fromdom = true
break
end
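Review bot: The removed guard `if not fromdom then return false end` has no replacement: the new check `if not (from and from[1] and from[1].addr)` validates only `addr`, so a From header whose address has no parsable domain reaches `util.strequal_caseless(t.domain, from[1].domain)` with a nil argument; add `if not from[1].domain then return false end` right after it (how strequal_caseless treats nil is not visible here). The new From == To exemption keys entirely on sender-controlled headers, so a lure with From and To both set to the victim's own address and a foreign Reply-To now skips this rule altogether; consider narrowing the exemption (e.g. to authenticated submissions, if that information is available to the rule) or at least mark the trade-off with a comment such as `-- NOTE: sender-controlled; self-addressed mail (From == To) bypasses this check`. `local to` is also declared twice in the same scope (MIME recipients, then SMTP recipients); renaming the first to `mime_to` keeps luacheck quiet and avoids confusing the two lists. The function's header and tail lie outside this hunk.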
@@ -449,8 +475,8 @@ rspamd_config.SPOOF_REPLYTO = {
local parsed = ((util.parse_mail_address(rt) or E)[1] or E).domain
if not parsed then return false end
-- Reply-To domain must be different to From domain
- if not util.strequal_caseless(parsed, fromdom) then
- return true, fromdom, parsed
+ if not util.strequal_caseless(parsed, from[1].domain) then
+ return true, from[1].domain, parsed
end
return false
end,
diff --git a/rules/regexp/headers.lua b/rules/regexp/headers.lua
index f58feeaf8..c14dd3500 100644
--- a/rules/regexp/headers.lua
+++ b/rules/regexp/headers.lua
@@ -899,3 +899,17 @@ reconf['X_PHPOS_FAKE'] = {
group = 'headers'
}
+reconf['HAS_XOIP'] = {
+ re = "header_exists('X-Originating-IP')",
+ description = "Has X-Originating-IP header",
+ score = 0.0,
+ group = 'headers'
+}
+
+reconf['RCVD_VIA_SMTP_AUTH'] = {
+ re = "Received=/\\bE?SMTPS?A\\b/ || Received=/\\bauthenticated\\b/i",
+ description = "Recieved using SMTP AUTH",
+ score = 0,
+ group = 'headers'
+}
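Review bot: `RCVD_VIA_SMTP_AUTH` matches every Received header, including any the sender forged before the message reached the local MTA, so it can only mean "some hop claims SMTP AUTH" and must not be treated as a trust signal if it is later composed into other rules; a comment such as `-- Informational only: Received headers below the local MTA's are sender-controlled` would make that explicit. The description string has a typo, `Recieved` should be `Received`. The `\\bE?SMTPS?A\\b` branch is case-sensitive while the `authenticated` branch is not; that looks deliberate for the protocol token, but it is worth saying so in a comment.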
+
diff --git a/rules/regexp/misc.lua b/rules/regexp/misc.lua
index 2fc194965..2da59ef7f 100644
--- a/rules/regexp/misc.lua
+++ b/rules/regexp/misc.lua
@@ -40,3 +40,10 @@ reconf['DATA_URI_OBFU'] = {
score = 2.0
}
+reconf['INTRODUCTION'] = {
+ re = '/\\b(?:my name is\\b|(?:i am|this is)\\s+(?:mr|mrs|ms|miss|master|sir|prof(?:essor)?|d(?:octo)?r|rev(?:erend)?)(?:\\.|\\b))/{sa_body}i',
+ description = "Sender introduces themselves",
+ score = 2.0,
+ group = 'scams'
+}
+