aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--rules/regexp/headers.lua118
1 files changed, 72 insertions, 46 deletions
diff --git a/rules/regexp/headers.lua b/rules/regexp/headers.lua
index a11ab85a2..b4884b575 100644
--- a/rules/regexp/headers.lua
+++ b/rules/regexp/headers.lua
@@ -146,7 +146,7 @@ reconf['R_RCVD_SPAMBOTS'] = {
-- Charset is missing in message
reconf['R_MISSING_CHARSET'] = {
re = string.format('!is_empty_body() & content_type_is_type(text) & content_type_is_subtype(plain) & !content_type_has_param(charset) & !%s',
- 'compare_transfer_encoding(7bit)'),
+ 'compare_transfer_encoding(7bit)'),
score = 0.5,
description = 'Charset is missing in a message',
group = 'headers',
@@ -318,7 +318,8 @@ local sympatico_msgid = 'Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.
local mailman_msgid = [[Message-ID=/^<mailman\.\d+\.\d+\.\d+\.[-+.:=\w]+@[-a-zA-Z\d.]+>$/H]]
-- Message id seems to be forged
local unusable_msgid = string.format('(%s | %s | %s | %s | %s | %s)',
- lyris_ezml_remailer, wacky_sendmail_version, iplanet_messaging_server, hotmail_baydav_msgid, sympatico_msgid, mailman_msgid)
+ lyris_ezml_remailer, wacky_sendmail_version,
+ iplanet_messaging_server, hotmail_baydav_msgid, sympatico_msgid, mailman_msgid)
-- Outlook express data seems to be forged
local forged_oe = string.format('(%s & !%s & !%s & !%s)', oe_mua, oe_msgid_1, oe_msgid_2, unusable_msgid)
-- Outlook specific headers
@@ -328,7 +329,7 @@ local vista_msgid = 'Message-Id=/^<?[A-F\\d]{32}\\@\\S+>?$/H'
local ims_msgid = 'Message-Id=/^<?[A-F\\d]{36,40}\\@\\S+>?$/H'
-- Forged outlook headers
local forged_outlook_dollars = string.format('(%s & !%s & !%s & !%s & !%s & !%s)',
- outlook_dollars_mua, oe_msgid_2, outlook_dollars_other, vista_msgid, ims_msgid, unusable_msgid)
+ outlook_dollars_mua, oe_msgid_2, outlook_dollars_other, vista_msgid, ims_msgid, unusable_msgid)
-- Outlook versions that should be excluded from summary rule
local fmo_excl_o3416 = 'X-Mailer=/^Microsoft Outlook, Build 10.0.3416$/H'
local fmo_excl_oe3790 = 'X-Mailer=/^Microsoft Outlook Express 6.00.3790.3959$/H'
@@ -589,18 +590,18 @@ reconf['YANDEX_RU_MAILER'] = {
-- Detect 1C v8.2 and v8.3 mailers
reconf['MAILER_1C_8'] = {
- re = 'X-Mailer=/^1C:Enterprise 8\\.[23]$/H',
- score = 0.0,
- description = 'Sent with 1C:Enterprise 8',
- group = 'headers'
+ re = 'X-Mailer=/^1C:Enterprise 8\\.[23]$/H',
+ score = 0.0,
+ description = 'Sent with 1C:Enterprise 8',
+ group = 'headers'
}
-- Detect rogue 'strongmail' MTA with IPv4 and '(-)' in Received line
reconf['STRONGMAIL'] = {
- re = [[Received=/^from\s+strongmail\s+\(\[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\) by \S+ \(-\); /mH]],
- score = 6.0,
- description = 'Sent via rogue "strongmail" MTA',
- group = 'headers'
+ re = [[Received=/^from\s+strongmail\s+\(\[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\) by \S+ \(-\); /mH]],
+ score = 6.0,
+ description = 'Sent via rogue "strongmail" MTA',
+ group = 'headers'
}
-- Two received headers with ip addresses
@@ -653,10 +654,10 @@ local yandex_received = 'Received=/^\\s*from \\S+\\.(yandex\\.ru|yandex\\.net)/m
local yandex = string.format('(%s) & ((%s) | (%s) | (%s))', yandex_received, yandex_from, yandex_x_envelope_from, yandex_return_path)
-- Tabs as delimiters between header names and header values
function check_header_delimiter_tab(task, header_name)
- for _,rh in ipairs(task:get_header_full(header_name)) do
- if rh['tab_separated'] then return true end
- end
- return false
+ for _,rh in ipairs(task:get_header_full(header_name)) do
+ if rh['tab_separated'] then return true end
+ end
+ return false
end
reconf['HEADER_FROM_DELIMITER_TAB'] = {
re = string.format('(%s) & !(%s)', 'check_header_delimiter_tab(From)', yandex),
@@ -689,41 +690,58 @@ reconf['HEADER_DATE_DELIMITER_TAB'] = {
group = 'headers'
}
-- Empty delimiters between header names and header values
-function check_header_delimiter_empty(task, header_name)
- for _,rh in ipairs(task:get_header_full(header_name)) do
- if rh['empty_separator'] then return true end
- end
- return false
+local function gen_check_header_delimiter_empty(header_name)
+ return function(task)
+ for _,rh in ipairs(task:get_header_full(header_name)) do
+ if rh['empty_separator'] then return true end
+ end
+ return false
+ end
end
reconf['HEADER_FROM_EMPTY_DELIMITER'] = {
- re = string.format('(%s)', 'check_header_delimiter_empty(From)'),
+ re = string.format('(%s)', 'lua:check_from_delim_empty'),
score = 1.0,
description = 'Header From has no delimiter between header name and header value',
- group = 'headers'
+ group = 'headers',
+ functions = {
+ check_from_delim_empty = gen_check_header_delimiter_empty('From')
+ }
}
reconf['HEADER_TO_EMPTY_DELIMITER'] = {
- re = string.format('(%s)', 'check_header_delimiter_empty(To)'),
+ re = string.format('(%s)', 'lua:check_to_delim_empty'),
score = 1.0,
description = 'Header To has no delimiter between header name and header value',
- group = 'headers'
+ group = 'headers',
+ functions = {
+ check_to_delim_empty = gen_check_header_delimiter_empty('To')
+ }
}
reconf['HEADER_CC_EMPTY_DELIMITER'] = {
- re = string.format('(%s)', 'check_header_delimiter_empty(Cc)'),
+ re = string.format('(%s)', 'lua:check_cc_delim_empty'),
score = 1.0,
description = 'Header Cc has no delimiter between header name and header value',
- group = 'headers'
+ group = 'headers',
+ functions = {
+ check_cc_delim_empty = gen_check_header_delimiter_empty('Cc')
+ }
}
reconf['HEADER_REPLYTO_EMPTY_DELIMITER'] = {
- re = string.format('(%s)', 'check_header_delimiter_empty(Reply-To)'),
+ re = string.format('(%s)', 'lua:check_repto_delim_empty'),
score = 1.0,
description = 'Header Reply-To has no delimiter between header name and header value',
- group = 'headers'
+ group = 'headers',
+ functions = {
+ check_repto_delim_empty = gen_check_header_delimiter_empty('Reply-To')
+ }
}
reconf['HEADER_DATE_EMPTY_DELIMITER'] = {
- re = string.format('(%s)', 'check_header_delimiter_empty(Date)'),
+ re = string.format('(%s)', 'lua:check_date_delim_empty'),
score = 1.0,
description = 'Header Date has no delimiter between header name and header value',
- group = 'headers'
+ group = 'headers',
+ functions = {
+ check_date_delim_empty = gen_check_header_delimiter_empty('Date')
+ }
}
-- Definitions of received headers regexp
@@ -740,7 +758,8 @@ local MAIL_RU_From = 'From=/\\@mail\\.ru>?$/iX'
local MAIL_RU_Received = 'Received=/from mail\\.ru \\(/mH'
reconf['FAKE_RECEIVED_mail_ru'] = {
- re = string.format('(%s) & !(((%s) | (%s)) & (%s))', MAIL_RU_Received, MAIL_RU_Return_Path, MAIL_RU_X_Envelope_From, MAIL_RU_From),
+ re = string.format('(%s) & !(((%s) | (%s)) & (%s))',
+ MAIL_RU_Received, MAIL_RU_Return_Path, MAIL_RU_X_Envelope_From, MAIL_RU_From),
score = 4.0,
description = 'Fake helo mail.ru in header Received from non mail.ru sender address',
group = 'headers'
@@ -765,7 +784,14 @@ local RECEIVED_smtp_yandex_ru_8 = 'Received=/from \\S+ \\(HELO smtp\\.yandex\\.r
local RECEIVED_smtp_yandex_ru_9 = 'Received=/from \\S+ \\(\\[\\d+\\.\\d+\\.\\d+\\.\\d+\\] helo=smtp\\.yandex\\.ru\\)/iX'
reconf['FAKE_RECEIVED_smtp_yandex_ru'] = {
- re = string.format('(((%s) & ((%s) | (%s))) | ((%s) & ((%s) | (%s))) | ((%s) & ((%s) | (%s)))) & (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s)', MAIL_RU_From, MAIL_RU_Return_Path, MAIL_RU_X_Envelope_From, GMAIL_COM_From, GMAIL_COM_Return_Path, GMAIL_COM_X_Envelope_From, UKR_NET_From, UKR_NET_Return_Path, UKR_NET_X_Envelope_From, RECEIVED_smtp_yandex_ru_1, RECEIVED_smtp_yandex_ru_2, RECEIVED_smtp_yandex_ru_3, RECEIVED_smtp_yandex_ru_4, RECEIVED_smtp_yandex_ru_5, RECEIVED_smtp_yandex_ru_6, RECEIVED_smtp_yandex_ru_7, RECEIVED_smtp_yandex_ru_8, RECEIVED_smtp_yandex_ru_9),
+ re = string.format('(((%s) & ((%s) | (%s))) | ((%s) & ((%s) | (%s))) '..
+ ' | ((%s) & ((%s) | (%s)))) & (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s)',
+ MAIL_RU_From, MAIL_RU_Return_Path, MAIL_RU_X_Envelope_From, GMAIL_COM_From,
+ GMAIL_COM_Return_Path, GMAIL_COM_X_Envelope_From, UKR_NET_From, UKR_NET_Return_Path,
+ UKR_NET_X_Envelope_From, RECEIVED_smtp_yandex_ru_1, RECEIVED_smtp_yandex_ru_2,
+ RECEIVED_smtp_yandex_ru_3, RECEIVED_smtp_yandex_ru_4, RECEIVED_smtp_yandex_ru_5,
+ RECEIVED_smtp_yandex_ru_6, RECEIVED_smtp_yandex_ru_7, RECEIVED_smtp_yandex_ru_8,
+ RECEIVED_smtp_yandex_ru_9),
score = 4.0,
description = 'Fake smtp.yandex.ru Received',
group = 'headers'
@@ -836,11 +862,11 @@ reconf['CTE_CASE'] = {
reconf['HAS_INTERSPIRE_SIG'] = {
re = string.format('((%s) & (%s) & (%s) & (%s)) | (%s)',
- 'header_exists(X-Mailer-LID)',
- 'header_exists(X-Mailer-RecptId)',
- 'header_exists(X-Mailer-SID)',
- 'header_exists(X-Mailer-Sent-By)',
- 'List-Unsubscribe=/\\/unsubscribe\\.php\\?M=[^&]+&C=[^&]+&L=[^&]+&N=[^>]+>$/Xi'),
+ 'header_exists(X-Mailer-LID)',
+ 'header_exists(X-Mailer-RecptId)',
+ 'header_exists(X-Mailer-SID)',
+ 'header_exists(X-Mailer-Sent-By)',
+ 'List-Unsubscribe=/\\/unsubscribe\\.php\\?M=[^&]+&C=[^&]+&L=[^&]+&N=[^>]+>$/Xi'),
description = "Has Interspire fingerprint",
score = 1.0,
group = 'headers'
@@ -924,10 +950,10 @@ reconf['HAS_LIST_UNSUB'] = {
}
reconf['HAS_GUC_PROXY_URI'] = {
- re = '/\\.googleusercontent\\.com\\/proxy/{url}i',
- description = 'Has googleusercontent.com proxy URI',
- score = 0.01,
- group = 'experimental'
+ re = '/\\.googleusercontent\\.com\\/proxy/{url}i',
+ description = 'Has googleusercontent.com proxy URI',
+ score = 0.01,
+ group = 'experimental'
}
reconf['HAS_GOOGLE_REDIR'] = {
@@ -939,10 +965,10 @@ reconf['HAS_GOOGLE_REDIR'] = {
reconf['XM_UA_NO_VERSION'] = {
re = string.format('(!%s && !%s) && (%s || %s)',
- 'X-Mailer=/https?:/H',
- 'User-Agent=/https?:/H',
- 'X-Mailer=/^[^0-9]+$/H',
- 'User-Agent=/^[^0-9]+$/H'),
+ 'X-Mailer=/https?:/H',
+ 'User-Agent=/https?:/H',
+ 'X-Mailer=/^[^0-9]+$/H',
+ 'User-Agent=/^[^0-9]+$/H'),
description = 'X-Mailer/User-Agent has no version',
score = 0.01,
group = 'experimental'
@@ -997,7 +1023,7 @@ local apple_ios_x_mailer = [[i(?:Phone|Pad) Mail \((?:1[AC]|[34][AB]|5[ABCFGH]|7
reconf['FORGED_X_MAILER'] = {
description = 'Forged X-Mailer header',
re = string.format('X-Mailer=/^(?:%s)/{header} && !X-Mailer=/^%s/{header}',
- table.concat(bad_x_mailers, '|'), apple_ios_x_mailer),
+ table.concat(bad_x_mailers, '|'), apple_ios_x_mailer),
score = 4.5,
group = 'headers',
}