authortwesterhever <40121680+twesterhever@users.noreply.github.com>2024-02-29 14:34:21 +0000
committertwesterhever <40121680+twesterhever@users.noreply.github.com>2024-02-29 14:34:21 +0000
commitc599cb599e4c8df12ade63211e6c307e05a70276 (patch)
tree20b3bbf6cf4b6713e18b2bff697985a6190c70e2 /rules
parent0689f0e7bd1f8aa8565c4a14db7d423cd43a147c (diff)
downloadrspamd-c599cb599e4c8df12ade63211e6c307e05a70276.tar.gz
rspamd-c599cb599e4c8df12ade63211e6c307e05a70276.zip
[Minor] Add HAS_FILE_URL rule for messages containing a file:// URL
These are frequently abused for distributing malware via non-HTTP protocols, such as public Samba servers. file:// URLs may also be abused for including files from the victim's machine in a message. Either way, a legitimate use case is unlikely. Signed-off-by: twesterhever <40121680+twesterhever@users.noreply.github.com>
Diffstat (limited to 'rules')
-rw-r--r--rules/regexp/headers.lua7
1 files changed, 7 insertions, 0 deletions
diff --git a/rules/regexp/headers.lua b/rules/regexp/headers.lua
index 0624997aa..5f6a49437 100644
--- a/rules/regexp/headers.lua
+++ b/rules/regexp/headers.lua
@@ -938,6 +938,13 @@ reconf['HAS_GOOGLE_FIREBASE_URL'] = {
group = 'url'
}
+reconf['HAS_FILE_URL'] = {
+ re = '/^file:\\/\\//{url}i',
+ description = 'Contains file:// URL',
+ score = 2.0,
+ group = 'url'
+}
+
reconf['XM_UA_NO_VERSION'] = {
re = string.format('(!%s && !%s) && (%s || %s)',
'X-Mailer=/https?:/H',
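Review bot: The new `HAS_FILE_URL` entry keeps its rationale only in the commit message, so an operator who later tunes the 2.0 score has nothing in `headers.lua` to go on. A comment above the table would carry it, e.g. `-- file:// links can reference remote shares or local paths; rare in legitimate external mail`. That comment should also say that mail between colleagues sometimes links to internal file shares this way, which matters where rspamd scans internal or outbound traffic; the commit's "legitimate use case is unlikely" presumably refers to inbound mail. Separately, `^file:\/\/` matches only the two-slash spelling, and whether the `{url}` matcher sees URLs after normalisation is not visible in this hunk, so a sample message in the rule tests would pin down what is actually covered.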