diff options
Diffstat (limited to 'rules/regexp')
-rw-r--r-- | rules/regexp/compromised_hosts.lua | 50 | ||||
-rw-r--r-- | rules/regexp/headers.lua | 91 | ||||
-rw-r--r-- | rules/regexp/misc.lua | 10 | ||||
-rw-r--r-- | rules/regexp/upstream_spam_filters.lua | 4 |
4 files changed, 88 insertions, 67 deletions
diff --git a/rules/regexp/compromised_hosts.lua b/rules/regexp/compromised_hosts.lua index cfd560bc2..e120b181b 100644 --- a/rules/regexp/compromised_hosts.lua +++ b/rules/regexp/compromised_hosts.lua @@ -44,10 +44,12 @@ reconf['HAS_X_SOURCE'] = { -- X-Authenticated-Sender: accord.host-care.com: sales@cortaflex.si rspamd_config.HAS_X_AS = { - callback = function (task) + callback = function(task) local xas = task:get_header('X-Authenticated-Sender') - if not xas then return false end - local _,_,auth = xas:find('[^:]+:%s(.+)$') + if not xas then + return false + end + local _, _, auth = xas:find('[^:]+:%s(.+)$') if auth then -- TODO: see if we can parse an e-mail address from auth -- and see if it matches the from address or not @@ -63,10 +65,12 @@ rspamd_config.HAS_X_AS = { -- X-Get-Message-Sender-Via: accord.host-care.com: authenticated_id: sales@cortaflex.si rspamd_config.HAS_X_GMSV = { - callback = function (task) + callback = function(task) local xgmsv = task:get_header('X-Get-Message-Sender-Via') - if not xgmsv then return false end - local _,_,auth = xgmsv:find('authenticated_id: (.+)$') + if not xgmsv then + return false + end + local _, _, auth = xgmsv:find('authenticated_id: (.+)$') if auth then -- TODO: see if we can parse an e-mail address from auth -- and see if it matches the from address or not. @@ -146,21 +150,21 @@ reconf['HIDDEN_SOURCE_OBJ'] = { group = "compromised_hosts" } -local hidden_uri_re = rspamd_regexp.create_cached('/(?!\\/\\.well[-_]known\\/)(?:^\\.[A-Za-z0-9]|\\/'.. +local hidden_uri_re = rspamd_regexp.create_cached('/(?!\\/\\.well[-_]known\\/)(?:^\\.[A-Za-z0-9]|\\/' .. '\\.[A-Za-z0-9]|\\/\\.\\.\\/)/i') rspamd_config.URI_HIDDEN_PATH = { - callback = function (task) + callback = function(task) local urls = task:get_urls(false) if (urls) then - for _, url in ipairs(urls) do - if (not (url:is_subject() and url:is_html_displayed())) then - local path = url:get_path() - if (hidden_uri_re:match(path)) then - -- TODO: need url:is_schemeless() to improve this - return true, 1.0, url:get_text() - end - end + for _, url in ipairs(urls) do + if (not (url:is_subject() and url:is_html_displayed())) then + local path = url:get_path() + if (hidden_uri_re:match(path)) then + -- TODO: need url:is_schemeless() to improve this + return true, 1.0, url:get_text() + end end + end end end, description = 'Message contains URI with a hidden path', @@ -176,19 +180,23 @@ reconf['MID_RHS_WWW'] = { } rspamd_config.FROM_SERVICE_ACCT = { - callback = function (task) + callback = function(task) local re = rspamd_regexp.create_cached('/^(?:www-data|anonymous|ftp|apache|nobody|guest|nginx|web|www)@/i'); -- From local from = task:get_from(2) if (from and from[1]) then - if (re:match(from[1].addr)) then return true end + if (re:match(from[1].addr)) then + return true + end end -- Sender local sender = task:get_header('Sender') if sender then local s = util.parse_mail_address(sender, task:get_mempool()) if (s and s[1]) then - if (re:match(s[1].addr)) then return true end + if (re:match(s[1].addr)) then + return true + end end end -- Reply-To @@ -196,7 +204,9 @@ rspamd_config.FROM_SERVICE_ACCT = { if replyto then local rt = util.parse_mail_address(replyto, task:get_mempool()) if (rt and rt[1]) then - if (re:match(rt[1].addr)) then return true end + if (re:match(rt[1].addr)) then + return true + end end end end, diff --git a/rules/regexp/headers.lua b/rules/regexp/headers.lua index 42c08ca3f..b634dd909 100644 --- a/rules/regexp/headers.lua +++ b/rules/regexp/headers.lua @@ -380,8 +380,8 @@ reconf['SUSPICIOUS_BOUNDARY3'] = { group = 'mua' } -- Forged OE/MSO boundary -local suspicious_boundary_01C4 = 'Content-Type=/^\\s*multipart.+boundary="----=_NextPart_000_[A-Z\\d]{4}_01C4[\\dA-F]{4}\\.[A-Z\\d]{8}"[\\r\\n]*$/siX' -local suspicious_boundary_01C4_date = 'Date=/^\\s*\\w\\w\\w,\\s+\\d+\\s+\\w\\w\\w 20(0[56789]|1\\d)/' +local suspicious_boundary_01C4 = 'Content-Type=/^\\s*multipart.+boundary="----=_NextPart_000_[A-Z\\d]{4}_01C4[\\dA-F]{4}\\.[A-Z\\d]{8}"[\\r\\n]*$/siX' +local suspicious_boundary_01C4_date = 'Date=/^\\s*\\w\\w\\w,\\s+\\d+\\s+\\w\\w\\w 20(0[56789]|1\\d)/' reconf['SUSPICIOUS_BOUNDARY4'] = { re = string.format('(%s) & (%s)', suspicious_boundary_01C4, suspicious_boundary_01C4_date), score = 4.0, @@ -439,24 +439,27 @@ reconf['FORGED_MUA_OPERA_MSGID'] = { -- Detect forged Mozilla Mail/Thunderbird/Seamonkey/Postbox headers -- Mozilla based X-Mailer -local user_agent_mozilla5 = 'User-Agent=/^\\s*Mozilla\\/5\\.0/H' -local user_agent_thunderbird = 'User-Agent=/^\\s*(Thunderbird|Mozilla Thunderbird|Mozilla\\/.*Gecko\\/.*(Thunderbird|Betterbird|Icedove)\\/)/H' -local user_agent_seamonkey = 'User-Agent=/^\\s*Mozilla\\/5\\.0\\s.+\\sSeaMonkey\\/\\d+\\.\\d+/H' -local user_agent_postbox = [[User-Agent=/^\s*Mozilla\/5\.0\s\([^)]+\)\sGecko\/\d+\sPostboxApp\/\d+(?:\.\d+){2,3}$/H]] -local user_agent_mozilla = string.format('(%s) & !(%s) & !(%s) & !(%s)', user_agent_mozilla5, user_agent_thunderbird, user_agent_seamonkey, user_agent_postbox) +local user_agent_mozilla5 = 'User-Agent=/^\\s*Mozilla\\/5\\.0/H' +local user_agent_thunderbird = 'User-Agent=/^\\s*(Thunderbird|Mozilla Thunderbird|Mozilla\\/.*Gecko\\/.*(Thunderbird|Betterbird|Icedove)\\/)/H' +local user_agent_seamonkey = 'User-Agent=/^\\s*Mozilla\\/5\\.0\\s.+\\sSeaMonkey\\/\\d+\\.\\d+/H' +local user_agent_postbox = [[User-Agent=/^\s*Mozilla\/5\.0\s\([^)]+\)\sGecko\/\d+\sPostboxApp\/\d+(?:\.\d+){2,3}$/H]] +local user_agent_mozilla = string.format('(%s) & !(%s) & !(%s) & !(%s)', user_agent_mozilla5, user_agent_thunderbird, + user_agent_seamonkey, user_agent_postbox) -- Mozilla based common Message-ID template -local mozilla_msgid_common = 'Message-ID=/^\\s*<[\\dA-F]{8}\\.\\d{1,7}\\@([^>\\.]+\\.)+[^>\\.]+>$/H' -local mozilla_msgid_common_sec = 'Message-ID=/^\\s*<[\\da-f]{8}-([\\da-f]{4}-){3}[\\da-f]{12}\\@([^>\\.]+\\.)+[^>\\.]+>$/H' -local mozilla_msgid = 'Message-ID=/^\\s*<(3[3-9A-F]|[4-9A-F][\\dA-F])[\\dA-F]{6}\\.(\\d0){1,4}\\d\\@([^>\\.]+\\.)+[^>\\.]+>$/H' +local mozilla_msgid_common = 'Message-ID=/^\\s*<[\\dA-F]{8}\\.\\d{1,7}\\@([^>\\.]+\\.)+[^>\\.]+>$/H' +local mozilla_msgid_common_sec = 'Message-ID=/^\\s*<[\\da-f]{8}-([\\da-f]{4}-){3}[\\da-f]{12}\\@([^>\\.]+\\.)+[^>\\.]+>$/H' +local mozilla_msgid = 'Message-ID=/^\\s*<(3[3-9A-F]|[4-9A-F][\\dA-F])[\\dA-F]{6}\\.(\\d0){1,4}\\d\\@([^>\\.]+\\.)+[^>\\.]+>$/H' -- Summary rule for forged Mozilla Mail Message-ID header reconf['FORGED_MUA_MOZILLA_MAIL_MSGID'] = { - re = string.format('(%s) & (%s) & !(%s) & !(%s)', user_agent_mozilla, mozilla_msgid_common, mozilla_msgid, unusable_msgid), + re = string.format('(%s) & (%s) & !(%s) & !(%s)', user_agent_mozilla, mozilla_msgid_common, mozilla_msgid, + unusable_msgid), score = 4.0, description = 'Message pretends to be send from Mozilla Mail but has forged Message-ID', group = 'mua' } reconf['FORGED_MUA_MOZILLA_MAIL_MSGID_UNKNOWN'] = { - re = string.format('(%s) & !(%s) & !(%s) & !(%s)', user_agent_mozilla, mozilla_msgid_common, mozilla_msgid, unusable_msgid), + re = string.format('(%s) & !(%s) & !(%s) & !(%s)', user_agent_mozilla, mozilla_msgid_common, mozilla_msgid, + unusable_msgid), score = 2.5, description = 'Message pretends to be send from Mozilla Mail but has forged Message-ID', group = 'mua' @@ -464,39 +467,45 @@ reconf['FORGED_MUA_MOZILLA_MAIL_MSGID_UNKNOWN'] = { -- Summary rule for forged Thunderbird Message-ID header reconf['FORGED_MUA_THUNDERBIRD_MSGID'] = { - re = string.format('(%s) & (%s) & !(%s) & !(%s)', user_agent_thunderbird, mozilla_msgid_common, mozilla_msgid, unusable_msgid), + re = string.format('(%s) & (%s) & !(%s) & !(%s)', user_agent_thunderbird, mozilla_msgid_common, mozilla_msgid, + unusable_msgid), score = 4.0, description = 'Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID', group = 'mua' } reconf['FORGED_MUA_THUNDERBIRD_MSGID_UNKNOWN'] = { - re = string.format('(%s) & !((%s) | (%s)) & !(%s) & !(%s)', user_agent_thunderbird, mozilla_msgid_common, mozilla_msgid_common_sec, mozilla_msgid, unusable_msgid), + re = string.format('(%s) & !((%s) | (%s)) & !(%s) & !(%s)', user_agent_thunderbird, mozilla_msgid_common, + mozilla_msgid_common_sec, mozilla_msgid, unusable_msgid), score = 2.5, description = 'Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID', group = 'mua' } -- Summary rule for forged Seamonkey Message-ID header reconf['FORGED_MUA_SEAMONKEY_MSGID'] = { - re = string.format('(%s) & (%s) & !(%s) & !(%s)', user_agent_seamonkey, mozilla_msgid_common, mozilla_msgid, unusable_msgid), + re = string.format('(%s) & (%s) & !(%s) & !(%s)', user_agent_seamonkey, mozilla_msgid_common, mozilla_msgid, + unusable_msgid), score = 4.0, description = 'Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID', group = 'mua' } reconf['FORGED_MUA_SEAMONKEY_MSGID_UNKNOWN'] = { - re = string.format('(%s) & !((%s) | (%s)) & !(%s) & !(%s)', user_agent_seamonkey, mozilla_msgid_common, mozilla_msgid_common_sec, mozilla_msgid, unusable_msgid), + re = string.format('(%s) & !((%s) | (%s)) & !(%s) & !(%s)', user_agent_seamonkey, mozilla_msgid_common, + mozilla_msgid_common_sec, mozilla_msgid, unusable_msgid), score = 2.5, description = 'Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID', group = 'mua' } -- Summary rule for forged Postbox Message-ID header reconf['FORGED_MUA_POSTBOX_MSGID'] = { - re = string.format('(%s) & (%s) & !(%s) & !(%s)', user_agent_postbox, mozilla_msgid_common, mozilla_msgid, unusable_msgid), + re = string.format('(%s) & (%s) & !(%s) & !(%s)', user_agent_postbox, mozilla_msgid_common, mozilla_msgid, + unusable_msgid), score = 4.0, description = 'Forged mail pretending to be from Postbox but has forged Message-ID', group = 'mua' } reconf['FORGED_MUA_POSTBOX_MSGID_UNKNOWN'] = { - re = string.format('(%s) & !((%s) | (%s)) & !(%s) & !(%s)', user_agent_postbox, mozilla_msgid_common, mozilla_msgid_common_sec, mozilla_msgid, unusable_msgid), + re = string.format('(%s) & !((%s) | (%s)) & !(%s) & !(%s)', user_agent_postbox, mozilla_msgid_common, + mozilla_msgid_common_sec, mozilla_msgid, unusable_msgid), score = 2.5, description = 'Forged mail pretending to be from Postbox but has forged Message-ID', group = 'mua' @@ -647,8 +656,10 @@ reconf['MISSING_MIMEOLE'] = { -- Empty delimiters between header names and header values local function gen_check_header_delimiter_empty(header_name) return function(task) - for _,rh in ipairs(task:get_header_full(header_name) or {}) do - if rh['empty_separator'] then return true end + for _, rh in ipairs(task:get_header_full(header_name) or {}) do + if rh['empty_separator'] then + return true + end end return false end @@ -707,10 +718,10 @@ reconf['RCVD_ILLEGAL_CHARS'] = { group = 'headers' } -local MAIL_RU_Return_Path = 'Return-path=/^\\s*<.+\\@mail\\.ru>$/iX' -local MAIL_RU_X_Envelope_From = 'X-Envelope-From=/^\\s*<.+\\@mail\\.ru>$/iX' -local MAIL_RU_From = 'From=/\\@mail\\.ru>?$/iX' -local MAIL_RU_Received = 'Received=/from mail\\.ru \\(/mH' +local MAIL_RU_Return_Path = 'Return-path=/^\\s*<.+\\@mail\\.ru>$/iX' +local MAIL_RU_X_Envelope_From = 'X-Envelope-From=/^\\s*<.+\\@mail\\.ru>$/iX' +local MAIL_RU_From = 'From=/\\@mail\\.ru>?$/iX' +local MAIL_RU_Received = 'Received=/from mail\\.ru \\(/mH' reconf['FAKE_RECEIVED_mail_ru'] = { re = string.format('(%s) & !(((%s) | (%s)) & (%s))', @@ -720,26 +731,26 @@ reconf['FAKE_RECEIVED_mail_ru'] = { group = 'headers' } -local GMAIL_COM_Return_Path = 'Return-path=/^\\s*<.+\\@gmail\\.com>$/iX' -local GMAIL_COM_X_Envelope_From = 'X-Envelope-From=/^\\s*<.+\\@gmail\\.com>$/iX' -local GMAIL_COM_From = 'From=/\\@gmail\\.com>?$/iX' +local GMAIL_COM_Return_Path = 'Return-path=/^\\s*<.+\\@gmail\\.com>$/iX' +local GMAIL_COM_X_Envelope_From = 'X-Envelope-From=/^\\s*<.+\\@gmail\\.com>$/iX' +local GMAIL_COM_From = 'From=/\\@gmail\\.com>?$/iX' -local UKR_NET_Return_Path = 'Return-path=/^\\s*<.+\\@ukr\\.net>$/iX' -local UKR_NET_X_Envelope_From = 'X-Envelope-From=/^\\s*<.+\\@ukr\\.net>$/iX' -local UKR_NET_From = 'From=/\\@ukr\\.net>?$/iX' +local UKR_NET_Return_Path = 'Return-path=/^\\s*<.+\\@ukr\\.net>$/iX' +local UKR_NET_X_Envelope_From = 'X-Envelope-From=/^\\s*<.+\\@ukr\\.net>$/iX' +local UKR_NET_From = 'From=/\\@ukr\\.net>?$/iX' -local RECEIVED_smtp_yandex_ru_1 = 'Received=/from \\[\\d+\\.\\d+\\.\\d+\\.\\d+\\] \\((port=\\d+ )?helo=smtp\\.yandex\\.ru\\)/iX' -local RECEIVED_smtp_yandex_ru_2 = 'Received=/from \\[UNAVAILABLE\\] \\(\\[\\d+\\.\\d+\\.\\d+\\.\\d+\\]:\\d+ helo=smtp\\.yandex\\.ru\\)/iX' -local RECEIVED_smtp_yandex_ru_3 = 'Received=/from \\S+ \\(\\[\\d+\\.\\d+\\.\\d+\\.\\d+\\]:\\d+ helo=smtp\\.yandex\\.ru\\)/iX' -local RECEIVED_smtp_yandex_ru_4 = 'Received=/from \\[\\d+\\.\\d+\\.\\d+\\.\\d+\\] \\(account \\S+ HELO smtp\\.yandex\\.ru\\)/iX' -local RECEIVED_smtp_yandex_ru_5 = 'Received=/from smtp\\.yandex\\.ru \\(\\[\\d+\\.\\d+\\.\\d+\\.\\d+\\]\\)/iX' -local RECEIVED_smtp_yandex_ru_6 = 'Received=/from smtp\\.yandex\\.ru \\(\\S+ \\[\\d+\\.\\d+\\.\\d+\\.\\d+\\]\\)/iX' -local RECEIVED_smtp_yandex_ru_7 = 'Received=/from \\S+ \\(HELO smtp\\.yandex\\.ru\\) \\(\\S+\\@\\d+\\.\\d+\\.\\d+\\.\\d+\\)/iX' -local RECEIVED_smtp_yandex_ru_8 = 'Received=/from \\S+ \\(HELO smtp\\.yandex\\.ru\\) \\(\\d+\\.\\d+\\.\\d+\\.\\d+\\)/iX' -local RECEIVED_smtp_yandex_ru_9 = 'Received=/from \\S+ \\(\\[\\d+\\.\\d+\\.\\d+\\.\\d+\\] helo=smtp\\.yandex\\.ru\\)/iX' +local RECEIVED_smtp_yandex_ru_1 = 'Received=/from \\[\\d+\\.\\d+\\.\\d+\\.\\d+\\] \\((port=\\d+ )?helo=smtp\\.yandex\\.ru\\)/iX' +local RECEIVED_smtp_yandex_ru_2 = 'Received=/from \\[UNAVAILABLE\\] \\(\\[\\d+\\.\\d+\\.\\d+\\.\\d+\\]:\\d+ helo=smtp\\.yandex\\.ru\\)/iX' +local RECEIVED_smtp_yandex_ru_3 = 'Received=/from \\S+ \\(\\[\\d+\\.\\d+\\.\\d+\\.\\d+\\]:\\d+ helo=smtp\\.yandex\\.ru\\)/iX' +local RECEIVED_smtp_yandex_ru_4 = 'Received=/from \\[\\d+\\.\\d+\\.\\d+\\.\\d+\\] \\(account \\S+ HELO smtp\\.yandex\\.ru\\)/iX' +local RECEIVED_smtp_yandex_ru_5 = 'Received=/from smtp\\.yandex\\.ru \\(\\[\\d+\\.\\d+\\.\\d+\\.\\d+\\]\\)/iX' +local RECEIVED_smtp_yandex_ru_6 = 'Received=/from smtp\\.yandex\\.ru \\(\\S+ \\[\\d+\\.\\d+\\.\\d+\\.\\d+\\]\\)/iX' +local RECEIVED_smtp_yandex_ru_7 = 'Received=/from \\S+ \\(HELO smtp\\.yandex\\.ru\\) \\(\\S+\\@\\d+\\.\\d+\\.\\d+\\.\\d+\\)/iX' +local RECEIVED_smtp_yandex_ru_8 = 'Received=/from \\S+ \\(HELO smtp\\.yandex\\.ru\\) \\(\\d+\\.\\d+\\.\\d+\\.\\d+\\)/iX' +local RECEIVED_smtp_yandex_ru_9 = 'Received=/from \\S+ \\(\\[\\d+\\.\\d+\\.\\d+\\.\\d+\\] helo=smtp\\.yandex\\.ru\\)/iX' reconf['FAKE_RECEIVED_smtp_yandex_ru'] = { - re = string.format('(((%s) & ((%s) | (%s))) | ((%s) & ((%s) | (%s))) '.. + re = string.format('(((%s) & ((%s) | (%s))) | ((%s) & ((%s) | (%s))) ' .. ' | ((%s) & ((%s) | (%s)))) & (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s)', MAIL_RU_From, MAIL_RU_Return_Path, MAIL_RU_X_Envelope_From, GMAIL_COM_From, GMAIL_COM_Return_Path, GMAIL_COM_X_Envelope_From, UKR_NET_From, UKR_NET_Return_Path, diff --git a/rules/regexp/misc.lua b/rules/regexp/misc.lua index 4caa5da42..d723f2901 100644 --- a/rules/regexp/misc.lua +++ b/rules/regexp/misc.lua @@ -55,10 +55,10 @@ reconf['INTRODUCTION'] = { local onion_uri_v2 = '/[a-z0-9]{16}\\.onion?/{url}i' local onion_uri_v3 = '/[a-z0-9]{56}\\.onion?/{url}i' reconf['HAS_ONION_URI'] = { - re = string.format('(%s | %s)', onion_uri_v2, onion_uri_v3), - description = 'Contains .onion hidden service URI', - score = 0.0, - group = 'url' + re = string.format('(%s | %s)', onion_uri_v2, onion_uri_v3), + description = 'Contains .onion hidden service URI', + score = 0.0, + group = 'url' } local my_victim = [[/(?:victim|prey)/{words}]] @@ -82,7 +82,7 @@ reconf['LEAKED_PASSWORD_SCAM_RE'] = { check_data_images = function(task) local tp = task:get_text_parts() or {} - for _,p in ipairs(tp) do + for _, p in ipairs(tp) do if p:is_html() then local hc = p:get_html() diff --git a/rules/regexp/upstream_spam_filters.lua b/rules/regexp/upstream_spam_filters.lua index b88e85709..b92f473b5 100644 --- a/rules/regexp/upstream_spam_filters.lua +++ b/rules/regexp/upstream_spam_filters.lua @@ -52,8 +52,8 @@ reconf['SPAM_FLAG'] = { reconf['UNITEDINTERNET_SPAM'] = { re = string.format('%s || %s', - 'X-UI-Filterresults=/^junk:/H', - 'X-UI-Out-Filterresults=/^junk:/H'), + 'X-UI-Filterresults=/^junk:/H', + 'X-UI-Out-Filterresults=/^junk:/H'), score = 5.0, description = "United Internet says this message is spam", group = 'upstream_spam_filters' |