-rw-r--r-- | conf/lua/regexp/headers.lua | 34 | ||||
-rw-r--r-- | rspamd.xml.sample | 28 |
2 files changed, 59 insertions, 3 deletions
diff --git a/conf/lua/regexp/headers.lua b/conf/lua/regexp/headers.lua
index 66dd912de..e68067d5b 100644
--- a/conf/lua/regexp/headers.lua
+++ b/conf/lua/regexp/headers.lua
@@ -30,7 +30,7 @@ local r_body_8bit = '/[^\\x01-\\x7f]/Pr'
 reconf['R_BAD_CTE_7BIT'] = string.format('(%s) & (%s) & (%s)', r_ctype_text, r_cte_7bit, r_body_8bit)
 -- Detects missing To header
-reconf['MISSING_TO']= '!header_exists(To)';
+reconf['MISSING_TO']= '!raw_header_exists(To)';
 -- Detects undisclosed recipients
 local undisc_rcpt = 'To=/^<?undisclosed[- ]recipient/Hi'
@@ -179,6 +179,17 @@ reconf['FORGED_OUTLOOK_TAGS'] = string.format('!%s & %s & %s & !(%s & %s & %s &
 yahoo_bulk, any_outlook_mua, mime_html, tag_exists_html, tag_exists_head, tag_exists_meta, tag_exists_body)
+-- Forged OE/MSO boundary
+reconf['SUSPICIOUS_BOUNDARY'] = 'Content-Type=/^\\s*multipart.+boundary="----=_NextPart_000_[A-Z\\d]{4}_(00EBFFA4|0102FFA4|32C6FFA4|3302FFA4)\\.[A-Z\\d]{8}"[\\r\\n]*$/siX'
+-- Forged OE/MSO boundary
+reconf['SUSPICIOUS_BOUNDARY2'] = 'Content-Type=/^\\s*multipart.+boundary="----=_NextPart_000_[A-Z\\d]{4}_(01C6527E)\\.[A-Z\\d]{8}"[\\r\\n]*$/siX'
+-- Forged OE/MSO boundary
+reconf['SUSPICIOUS_BOUNDARY3'] = 'Content-Type=/^\\s*multipart.+boundary="-----000-00\\d\\d-01C[\\dA-F]{5}-[\\dA-F]{8}"[\\r\\n]*$/siX'
+-- Forged OE/MSO boundary
+local suspicious_boundary_01C4 = 'Content-Type=/^\\s*multipart.+boundary="----=_NextPart_000_[A-Z\\d]{4}_01C4[\\dA-F]{4}\\.[A-Z\\d]{8}"[\\r\\n]*$/siX'
+local suspicious_boundary_01C4_date = 'Date=/^\\s*\\w\\w\\w,\\s+\\d+\\s+\\w\\w\\w 20(0[56789]|1\\d)/'
+reconf['SUSPICIOUS_BOUNDARY4'] = string.format('(%s) & (%s)', suspicious_boundary_01C4, suspicious_boundary_01C4_date)
+
 -- Detect forged The Bat! headers
 -- The Bat! X-Mailer header
 local thebat_mua_any = 'X-Mailer=/^\\s*The Bat!/H'
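Review bot: The comment above `reconf['MISSING_TO']` still reads only "Detects missing To header", yet the rule now consults the raw header list instead of the parsed one, and nothing in the hunk records why. If the motivation is that a To header which is present but fails parsing should no longer be scored as missing, write that down: `-- Detects missing To header (checked against the raw header list, so a present but unparsable To is not counted as missing)`. I cannot confirm from this hunk what `raw_header_exists` does differently, so adjust the wording to the actual semantics rather than copying mine.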
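Review bot: `suspicious_boundary_01C4_date` hard-codes the year range `20(0[56789]|1\\d)`, so SUSPICIOUS_BOUNDARY4 silently stops firing for any message dated 2020 or later even though the boundary half of the rule still matches; that expiry deserves a comment on the line, e.g. `-- Date year limited to 2005-2019; extend or drop when the 01C4 template is no longer seen`. The four identical `-- Forged OE/MSO boundary` comments also give no hint which boundary template each of SUSPICIOUS_BOUNDARY..SUSPICIOUS_BOUNDARY4 targets, which makes tuning or retiring one of them later a matter of re-reading the regexps. Suggest one comment per rule naming the distinguishing part: `-- Forged OE/MSO boundary: one of the fixed 00EBFFA4/0102FFA4/32C6FFA4/3302FFA4 suffixes`, `-- Forged OE/MSO boundary: fixed 01C6527E suffix`, `-- Forged OE/MSO boundary: -----000-00dd-01C... form`, and `-- Forged OE/MSO boundary: 01C4 prefix, combined with a 2005-2019 Date`.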
@@ -191,6 +202,27 @@ reconf['FORGED_MUA_THEBAT_MSGID'] = string.format('(%s) & !(%s) & (%s) & !(%s)',
 -- Summary rule for forged The Bat! Message-ID header with unknown template
 reconf['FORGED_MUA_THEBAT_MSGID_UNKNOWN'] = string.format('(%s) & !(%s) & !(%s) & !(%s)', thebat_mua_any, thebat_msgid, thebat_msgid_common, unusable_msgid)
+
+-- Detect forged Mozilla Mail/Thunderbird/Seamonkey headers
+-- Mozilla based X-Mailer
+local user_agent_mozilla5 = 'User-Agent=/^\\s*Mozilla\\/5\\.0/'
+local user_agent_thunderbird = 'User-Agent=/^\\s*(Thunderbird|Mozilla Thunderbird|Mozilla\\/.*Gecko\\/.*Thunderbird\\/)/'
+local user_agent_seamonkey = 'User-Agent=/^\\s*Mozilla\\/5\\.0\\s.+\\sSeaMonkey\\/\\d+\\.\\d+/'
+local user_agent_mozilla = string.format('(%s) & !(%s) & !(%s)', user_agent_mozilla5, user_agent_thunderbird, user_agent_seamonkey)
+-- Mozilla based common Message-ID template
+local mozilla_msgid_common = 'Message-ID=/^\\s*<[\\dA-F]{8}\\.\\d{1,7}\\@([^>\\.]+\\.)+[^>\\.]+>$/X'
+local mozilla_msgid = 'Message-ID=/^\\s*<(3[3-9A-F]|4[\\dA-F])[\\dA-F]{6}\\.(\\d0){0,3}\\d\\@([^>\\.]+\\.)+[^>\\.]+>$/XS'
+-- Summary rule for forged Mozilla Mail Message-ID header
+reconf['FORGED_MUA_MOZILLA_MAIL_MSGID'] = string.format('(%s) & (%s) & !(%s) & !(%s)', user_agent_mozilla, mozilla_msgid_common, mozilla_msgid, unusable_msgid)
+reconf['FORGED_MUA_MOZILLA_MAIL_MSGID_UNKNOWN'] = string.format('(%s) & !(%s) & !(%s) & !(%s)', user_agent_mozilla, mozilla_msgid_common, mozilla_msgid, unusable_msgid)
+-- Summary rule for forged Thunderbird Message-ID header
+reconf['FORGED_MUA_THUNDERBIRD_MSGID'] = string.format('(%s) & (%s) & !(%s) & !(%s)', user_agent_thunderbird, mozilla_msgid_common, mozilla_msgid, unusable_msgid)
+reconf['FORGED_MUA_THUNDERBIRD_MSGID_UNKNOWN'] = string.format('(%s) & !(%s) & !(%s) & !(%s)', user_agent_thunderbird, mozilla_msgid_common, mozilla_msgid, unusable_msgid)
+-- Summary rule for forged Seamonkey Message-ID header
+reconf['FORGED_MUA_SEAMONKEY_MSGID'] = string.format('(%s) & (%s) & !(%s) & !(%s)', user_agent_seamonkey, mozilla_msgid_common, mozilla_msgid, unusable_msgid)
+reconf['FORGED_MUA_SEAMONKEY_MSGID_UNKNOWN'] = string.format('(%s) & !(%s) & !(%s) & !(%s)', user_agent_seamonkey, mozilla_msgid_common, mozilla_msgid, unusable_msgid)
+
+
 -- Message id validity
 local sane_msgid = 'Message-Id=/^[^<>\\\\ \\t\\n\\r\\x0b\\x80-\\xff]+\\@[^<>\\\\ \\t\\n\\r\\x0b\\x80-\\xff]+\\s*$/mH'
 local msgid_comment = 'Message-Id=/\\(.*\\)/mH'
diff --git a/rspamd.xml.sample b/rspamd.xml.sample
index f8e30277e..8464a080a 100644
--- a/rspamd.xml.sample
+++ b/rspamd.xml.sample
@@ -2,7 +2,7 @@
 <rspamd>
 <!-- Main section -->
 <tempdir>/tmp</tempdir>
-<pidfile>/var/run/rspamd.pid</pidfile>
+<pidfile>/var/run/rspamd/rspamd.pid</pidfile>
 <filters>regexp,surbl,chartable,fuzzy_check,spf</filters>
 <statfile_pool_size>262144000</statfile_pool_size>
 <raw_mode>yes</raw_mode>
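Review bot: The comment `-- Mozilla based X-Mailer` does not describe the lines under it: `user_agent_mozilla5`, `user_agent_thunderbird` and `user_agent_seamonkey` all key on the `User-Agent` header, not `X-Mailer` (only the The Bat! rule above this hunk uses X-Mailer), so it should read `-- Mozilla based User-Agent header`. Separately, the six `FORGED_MUA_*_MSGID` / `_MSGID_UNKNOWN` assignments are the same two format strings repeated with a different user-agent sub-expression and the negation of `mozilla_msgid_common` flipped; a small local helper that returns the known/unknown pair keeps the three families from drifting apart and makes the pairing explicit. `unusable_msgid` is defined outside this hunk, so the helper must stay below its definition.
```lua
-- … unchanged: user_agent_* and mozilla_msgid* definitions …
-- Build the (known template, unknown template) rule pair for one Mozilla-family User-Agent expression.
local function mozilla_msgid_rules(ua)
  local known = string.format('(%s) & (%s) & !(%s) & !(%s)', ua, mozilla_msgid_common, mozilla_msgid, unusable_msgid)
  local unknown = string.format('(%s) & !(%s) & !(%s) & !(%s)', ua, mozilla_msgid_common, mozilla_msgid, unusable_msgid)
  return known, unknown
end
reconf['FORGED_MUA_MOZILLA_MAIL_MSGID'], reconf['FORGED_MUA_MOZILLA_MAIL_MSGID_UNKNOWN'] = mozilla_msgid_rules(user_agent_mozilla)
reconf['FORGED_MUA_THUNDERBIRD_MSGID'], reconf['FORGED_MUA_THUNDERBIRD_MSGID_UNKNOWN'] = mozilla_msgid_rules(user_agent_thunderbird)
reconf['FORGED_MUA_SEAMONKEY_MSGID'], reconf['FORGED_MUA_SEAMONKEY_MSGID_UNKNOWN'] = mozilla_msgid_rules(user_agent_seamonkey)
```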
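Review bot: Moving the pidfile to `/var/run/rspamd/rspamd.pid` makes start-up depend on the `/var/run/rspamd` directory already existing and being writable by the user the daemon runs as, and nothing in this sample says who creates it. Since the sample is what a fresh install is copied from, a comment next to the line would prevent a failed first start and discourage the easy "fix" of making the directory world-writable: `<!-- /var/run/rspamd must exist and be writable by the rspamd user (normally created by the init script or package) -->`. I am assuming the init script or package provides the directory; if it does not, that is worth stating too.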
@@ -69,10 +69,34 @@
 <symbol weight="3.00" description="Forged outlook MUA">FORGED_MUA_OUTLOOK</symbol>
 <!-- Forged outlook MUA, but from maillist -->
 <symbol weight="0.00" description="Forged outlook MUA, but from maillist">FORGED_MUA_OUTLOOK_MAILLIST</symbol>
+
+ <!-- Suspicious boundary in header Content-Type -->
+ <symbol weight="5.00" description="Suspicious boundary in header Content-Type">SUSPICIOUS_BOUNDARY</symbol>
+ <!-- Suspicious boundary in header Content-Type -->
+ <symbol weight="4.00" description="Suspicious boundary in header Content-Type">SUSPICIOUS_BOUNDARY2</symbol>
+ <!-- Suspicious boundary in header Content-Type -->
+ <symbol weight="3.00" description="Suspicious boundary in header Content-Type">SUSPICIOUS_BOUNDARY3</symbol>
+ <!-- Suspicious boundary in header Content-Type -->
+ <symbol weight="4.00" description="Suspicious boundary in header Content-Type">SUSPICIOUS_BOUNDARY4</symbol>
+
 <!-- Message pretends to be send from The Bat! but has forged Message-ID -->
 <symbol weight="4.00" description="Message pretends to be send from The Bat! but has forged Message-ID">FORGED_MUA_THEBAT_MSGID</symbol>
 <!-- Message pretends to be send from The Bat! but has forged Message-ID -->
 <symbol weight="3.00" description="Message pretends to be send from The Bat! but has forged Message-ID">FORGED_MUA_THEBAT_MSGID_UNKNOWN</symbol>
+
+ <!-- Message pretends to be send from Mozilla Mail but has forged Message-ID -->
+ <symbol weight="3.50" description="Message pretends to be send from Mozilla Mail but has forged Message-ID">FORGED_MUA_MOZILLA_MAIL_MSGID</symbol>
+ <!-- Message pretends to be send from Mozilla Mail but has forged Message-ID -->
+ <symbol weight="2.50" description="Message pretends to be send from Mozilla Mail but has forged Message-ID">FORGED_MUA_MOZILLA_MAIL_MSGID_UNKNOWN</symbol>
+ <!-- Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID -->
+ <symbol weight="3.50" description="Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID">FORGED_MUA_THUNDERBIRD_MSGID</symbol>
+ <!-- Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID -->
+ <symbol weight="2.50" description="Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID">FORGED_MUA_THUNDERBIRD_MSGID_UNKNOWN</symbol>
+ <!-- Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID -->
+ <symbol weight="3.50" description="Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID">FORGED_MUA_SEAMONKEY_MSGID</symbol>
+ <!-- Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID -->
+ <symbol weight="2.50" description="Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID">FORGED_MUA_SEAMONKEY_MSGID_UNKNOWN</symbol>
+
 <!-- Fake helo for verizon provider -->
 <symbol weight="2.00" description="Fake helo for verizon provider">FM_FAKE_HELO_VERIZON</symbol>
 <!--Quoted reply-to from yahoo (seems to be forged) -->
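Review bot: The four SUSPICIOUS_BOUNDARY* symbols carry the identical description "Suspicious boundary in header Content-Type", so a report or log line showing the description cannot tell an operator which boundary template fired or why the weights differ (5.00, 4.00, 3.00, 4.00). Suggest distinguishing them, e.g. `description="Suspicious OE/MSO boundary in Content-Type (fixed 00EBFFA4-style suffix)"` for SUSPICIOUS_BOUNDARY and a matching phrase for each of the other three, taken from what the corresponding regexp in headers.lua targets. The same goes for the new *_MSGID / *_MSGID_UNKNOWN pairs, whose descriptions are identical within each pair and never say that _UNKNOWN means the Message-ID matched no known template; the new lines also copy the existing "pretends to be send from" wording, which should be "sent".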
@@ -112,7 +136,7 @@
 <!-- Spam string at the end of message to make statistics faults 0-->
 <symbol weight="3.84" description="Spam string at the end of message to make statistics faults 0">TRACKER_ID</symbol>
 <!-- No space in from header -->
- <symbol weight="3.00" description="No space in from header">R_NO_SPACE_IN_FROM</symbol>
+ <symbol weight="1.00" description="No space in from header">R_NO_SPACE_IN_FROM</symbol>
 <!-- Subject seems to be spam -->
 <symbol weight="8.00" description="Subject seems to be spam">R_SAJDING</symbol>
 <!-- Detects bad content-transfer-encoding for text parts -->
|