diff options
| -rw-r--r-- | rules/regexp/misc.lua | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/rules/regexp/misc.lua b/rules/regexp/misc.lua index 0e660e358..66ba34996 100644 --- a/rules/regexp/misc.lua +++ b/rules/regexp/misc.lua @@ -100,3 +100,18 @@ reconf['LEAKED_PASSWORD_SCAM_RE'] = { } rspamd_config:register_dependency('LEAKED_PASSWORD_SCAM', 'BITCOIN_ADDR') + +-- Heurististic for detecting InterPlanetary File System (IPFS) gateway URLs: +-- These contain "ipfs" somewhere (either in the FQDN or the URL path) and a +-- content identifier (CID), comprising of either "qm", followed by 44 alphanumerical +-- characters (CIDv0), or a CIDv1 of an alphanumerical string of unspecified length, +-- depending on the hash algorithm used, but starting with a multibase prefix. +local ipfs_cid = '/(qm[a-z0-9]{44}|[079fvtbchkzmup][a-z0-9]{44,128})/{url}i' +local ipfs_string = '/ipfs(\\.|-|_|\\/|\\?)/{url}i' +reconf['HAS_IPFS_GATEWAY_URL'] = { + description = 'Message contains InterPlanetary File System (IPFS) gateway URL, likely malicious', + re = string.format('(%s & %s)', ipfs_cid, ipfs_string), + score = 6.0, + one_shot = true, + group = 'url', +} |