authorVsevolod Stakhov <vsevolod@rspamd.com>2024-07-25 13:21:44 +0100
committerVsevolod Stakhov <vsevolod@rspamd.com>2024-07-25 13:21:44 +0100
commitb553c0c29eb136d1bd33fce3cfc0265d7909fe0c (patch)
treee9093b87eeb2fb7b7ed874c260317276a3046fb6 /rules
parent5ccf9bc7fb353c2bf20f7eb44feb283d4720bbdd (diff)
[Conf] Increase scores for strange things in the archives
Diffstat (limited to 'rules')
-rw-r--r--rules/archives.lua38
1 files changed, 19 insertions, 19 deletions
diff --git a/rules/archives.lua b/rules/archives.lua
index 83ac27df8..c582b93bd 100644
--- a/rules/archives.lua
+++ b/rules/archives.lua
@@ -2,19 +2,19 @@ local rspamd_regexp = require "rspamd_regexp"
local lua_maps = require "lua_maps"
local clickbait_map = lua_maps.map_add_from_ucl(
- {
- string.format('%s/maps.d/%s', rspamd_paths.CONFDIR, 'exe_clickbait.inc'),
- string.format('%s/local.d/maps.d/%s', rspamd_paths.LOCAL_CONFDIR, 'exe_clickbait.inc')
- },
- 'regexp',
- 'Inappropriate descriptions for executables'
+ {
+ string.format('%s/maps.d/%s', rspamd_paths.CONFDIR, 'exe_clickbait.inc'),
+ string.format('%s/local.d/maps.d/%s', rspamd_paths.LOCAL_CONFDIR, 'exe_clickbait.inc')
+ },
+ 'regexp',
+ 'Inappropriate descriptions for executables'
)
local exe_re = rspamd_regexp.create_cached([[/\.exe$|\.com$/i]])
local img_re = rspamd_regexp.create_cached([[/\.img$/i]])
local rar_re = rspamd_regexp.create_cached([[/\.rar$|\.r[0-9]{2}$/i]])
-local id = rspamd_config:register_symbol{
+local id = rspamd_config:register_symbol {
callback = function(task)
local num_checked = 0
local have_subject_clickbait = false
@@ -52,7 +52,7 @@ local id = rspamd_config:register_symbol{
local name = info.name
if img_re:match(name) then
- local ratio = info.uncompressed_size/info.compressed_size
+ local ratio = info.uncompressed_size / info.compressed_size
if ratio >= 500 then
task:insert_result('UDF_COMPRESSION_500PLUS', 1.0)
end
@@ -86,7 +86,7 @@ local id = rspamd_config:register_symbol{
type = 'callback',
}
-rspamd_config:register_symbol{
+rspamd_config:register_symbol {
description = 'exe file in archive with clickbait filename',
group = 'malware',
name = 'EXE_ARCHIVE_CLICKBAIT_FILENAME',
@@ -96,7 +96,7 @@ rspamd_config:register_symbol{
type = 'virtual',
}
-rspamd_config:register_symbol{
+rspamd_config:register_symbol {
description = 'exe file in archive with clickbait subject',
group = 'malware',
name = 'EXE_ARCHIVE_CLICKBAIT_SUBJECT',
@@ -106,47 +106,47 @@ rspamd_config:register_symbol{
type = 'virtual',
}
-rspamd_config:register_symbol{
+rspamd_config:register_symbol {
description = 'exe file in archive',
group = 'malware',
name = 'EXE_IN_ARCHIVE',
one_shot = true,
parent = id,
- score = 0.5,
+ score = 1.5,
type = 'virtual',
}
-rspamd_config:register_symbol{
+rspamd_config:register_symbol {
description = 'rar with wrong extension containing exe file',
group = 'malware',
name = 'EXE_IN_MISIDENTIFIED_RAR',
one_shot = true,
parent = id,
- score = 2.0,
+ score = 5.0,
type = 'virtual',
}
-rspamd_config:register_symbol{
+rspamd_config:register_symbol {
description = 'rar with wrong extension',
group = 'malware',
name = 'MISIDENTIFIED_RAR',
one_shot = true,
parent = id,
- score = 2.0,
+ score = 4.0,
type = 'virtual',
}
-rspamd_config:register_symbol{
+rspamd_config:register_symbol {
description = 'single file container bearing executable',
group = 'malware',
name = 'SINGLE_FILE_ARCHIVE_WITH_EXE',
one_shot = true,
parent = id,
- score = 1.0,
+ score = 5.0,
type = 'virtual',
}
-rspamd_config:register_symbol{
+rspamd_config:register_symbol {
description = 'very well compressed img file in archive',
name = 'UDF_COMPRESSION_500PLUS',
one_shot = true,
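Review bot: The four raised scores in this hunk (`EXE_IN_ARCHIVE` 1.5, `EXE_IN_MISIDENTIFIED_RAR` 5.0, `MISIDENTIFIED_RAR` 4.0, `SINGLE_FILE_ARCHIVE_WITH_EXE` 5.0) are additive, and nothing here states the intended combined weight. `one_shot = true` limits each symbol to one contribution per message but does not cap the sum across symbols, so if the callback (its body is outside this hunk) can insert all four for a single attachment, the total rises from 5.5 to 15.5 and may decide the action on its own, depending on the configured thresholds. I would add a comment above the `EXE_IN_ARCHIVE` registration, e.g. `-- NOTE: these malware-group symbols can co-fire; scores are additive (worst case 15.5)`. It is also worth considering a `max_score` limit for the `malware` group in the groups configuration, so that a legitimate installer sent in an archive is not rejected on these heuristics alone.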