aboutsummaryrefslogtreecommitdiffstats
path: root/rules/regexp
diff options
context:
space:
mode:
Diffstat (limited to 'rules/regexp')
-rw-r--r--rules/regexp/compromised_hosts.lua50
-rw-r--r--rules/regexp/headers.lua91
-rw-r--r--rules/regexp/misc.lua10
-rw-r--r--rules/regexp/upstream_spam_filters.lua4
4 files changed, 88 insertions, 67 deletions
diff --git a/rules/regexp/compromised_hosts.lua b/rules/regexp/compromised_hosts.lua
index cfd560bc2..e120b181b 100644
--- a/rules/regexp/compromised_hosts.lua
+++ b/rules/regexp/compromised_hosts.lua
@@ -44,10 +44,12 @@ reconf['HAS_X_SOURCE'] = {
-- X-Authenticated-Sender: accord.host-care.com: sales@cortaflex.si
rspamd_config.HAS_X_AS = {
- callback = function (task)
+ callback = function(task)
local xas = task:get_header('X-Authenticated-Sender')
- if not xas then return false end
- local _,_,auth = xas:find('[^:]+:%s(.+)$')
+ if not xas then
+ return false
+ end
+ local _, _, auth = xas:find('[^:]+:%s(.+)$')
if auth then
-- TODO: see if we can parse an e-mail address from auth
-- and see if it matches the from address or not
@@ -63,10 +65,12 @@ rspamd_config.HAS_X_AS = {
-- X-Get-Message-Sender-Via: accord.host-care.com: authenticated_id: sales@cortaflex.si
rspamd_config.HAS_X_GMSV = {
- callback = function (task)
+ callback = function(task)
local xgmsv = task:get_header('X-Get-Message-Sender-Via')
- if not xgmsv then return false end
- local _,_,auth = xgmsv:find('authenticated_id: (.+)$')
+ if not xgmsv then
+ return false
+ end
+ local _, _, auth = xgmsv:find('authenticated_id: (.+)$')
if auth then
-- TODO: see if we can parse an e-mail address from auth
-- and see if it matches the from address or not.
@@ -146,21 +150,21 @@ reconf['HIDDEN_SOURCE_OBJ'] = {
group = "compromised_hosts"
}
-local hidden_uri_re = rspamd_regexp.create_cached('/(?!\\/\\.well[-_]known\\/)(?:^\\.[A-Za-z0-9]|\\/'..
+local hidden_uri_re = rspamd_regexp.create_cached('/(?!\\/\\.well[-_]known\\/)(?:^\\.[A-Za-z0-9]|\\/' ..
'\\.[A-Za-z0-9]|\\/\\.\\.\\/)/i')
rspamd_config.URI_HIDDEN_PATH = {
- callback = function (task)
+ callback = function(task)
local urls = task:get_urls(false)
if (urls) then
- for _, url in ipairs(urls) do
- if (not (url:is_subject() and url:is_html_displayed())) then
- local path = url:get_path()
- if (hidden_uri_re:match(path)) then
- -- TODO: need url:is_schemeless() to improve this
- return true, 1.0, url:get_text()
- end
- end
+ for _, url in ipairs(urls) do
+ if (not (url:is_subject() and url:is_html_displayed())) then
+ local path = url:get_path()
+ if (hidden_uri_re:match(path)) then
+ -- TODO: need url:is_schemeless() to improve this
+ return true, 1.0, url:get_text()
+ end
end
+ end
end
end,
description = 'Message contains URI with a hidden path',
@@ -176,19 +180,23 @@ reconf['MID_RHS_WWW'] = {
}
rspamd_config.FROM_SERVICE_ACCT = {
- callback = function (task)
+ callback = function(task)
local re = rspamd_regexp.create_cached('/^(?:www-data|anonymous|ftp|apache|nobody|guest|nginx|web|www)@/i');
-- From
local from = task:get_from(2)
if (from and from[1]) then
- if (re:match(from[1].addr)) then return true end
+ if (re:match(from[1].addr)) then
+ return true
+ end
end
-- Sender
local sender = task:get_header('Sender')
if sender then
local s = util.parse_mail_address(sender, task:get_mempool())
if (s and s[1]) then
- if (re:match(s[1].addr)) then return true end
+ if (re:match(s[1].addr)) then
+ return true
+ end
end
end
-- Reply-To
@@ -196,7 +204,9 @@ rspamd_config.FROM_SERVICE_ACCT = {
if replyto then
local rt = util.parse_mail_address(replyto, task:get_mempool())
if (rt and rt[1]) then
- if (re:match(rt[1].addr)) then return true end
+ if (re:match(rt[1].addr)) then
+ return true
+ end
end
end
end,
diff --git a/rules/regexp/headers.lua b/rules/regexp/headers.lua
index 42c08ca3f..b634dd909 100644
--- a/rules/regexp/headers.lua
+++ b/rules/regexp/headers.lua
@@ -380,8 +380,8 @@ reconf['SUSPICIOUS_BOUNDARY3'] = {
group = 'mua'
}
-- Forged OE/MSO boundary
-local suspicious_boundary_01C4 = 'Content-Type=/^\\s*multipart.+boundary="----=_NextPart_000_[A-Z\\d]{4}_01C4[\\dA-F]{4}\\.[A-Z\\d]{8}"[\\r\\n]*$/siX'
-local suspicious_boundary_01C4_date = 'Date=/^\\s*\\w\\w\\w,\\s+\\d+\\s+\\w\\w\\w 20(0[56789]|1\\d)/'
+local suspicious_boundary_01C4 = 'Content-Type=/^\\s*multipart.+boundary="----=_NextPart_000_[A-Z\\d]{4}_01C4[\\dA-F]{4}\\.[A-Z\\d]{8}"[\\r\\n]*$/siX'
+local suspicious_boundary_01C4_date = 'Date=/^\\s*\\w\\w\\w,\\s+\\d+\\s+\\w\\w\\w 20(0[56789]|1\\d)/'
reconf['SUSPICIOUS_BOUNDARY4'] = {
re = string.format('(%s) & (%s)', suspicious_boundary_01C4, suspicious_boundary_01C4_date),
score = 4.0,
@@ -439,24 +439,27 @@ reconf['FORGED_MUA_OPERA_MSGID'] = {
-- Detect forged Mozilla Mail/Thunderbird/Seamonkey/Postbox headers
-- Mozilla based X-Mailer
-local user_agent_mozilla5 = 'User-Agent=/^\\s*Mozilla\\/5\\.0/H'
-local user_agent_thunderbird = 'User-Agent=/^\\s*(Thunderbird|Mozilla Thunderbird|Mozilla\\/.*Gecko\\/.*(Thunderbird|Betterbird|Icedove)\\/)/H'
-local user_agent_seamonkey = 'User-Agent=/^\\s*Mozilla\\/5\\.0\\s.+\\sSeaMonkey\\/\\d+\\.\\d+/H'
-local user_agent_postbox = [[User-Agent=/^\s*Mozilla\/5\.0\s\([^)]+\)\sGecko\/\d+\sPostboxApp\/\d+(?:\.\d+){2,3}$/H]]
-local user_agent_mozilla = string.format('(%s) & !(%s) & !(%s) & !(%s)', user_agent_mozilla5, user_agent_thunderbird, user_agent_seamonkey, user_agent_postbox)
+local user_agent_mozilla5 = 'User-Agent=/^\\s*Mozilla\\/5\\.0/H'
+local user_agent_thunderbird = 'User-Agent=/^\\s*(Thunderbird|Mozilla Thunderbird|Mozilla\\/.*Gecko\\/.*(Thunderbird|Betterbird|Icedove)\\/)/H'
+local user_agent_seamonkey = 'User-Agent=/^\\s*Mozilla\\/5\\.0\\s.+\\sSeaMonkey\\/\\d+\\.\\d+/H'
+local user_agent_postbox = [[User-Agent=/^\s*Mozilla\/5\.0\s\([^)]+\)\sGecko\/\d+\sPostboxApp\/\d+(?:\.\d+){2,3}$/H]]
+local user_agent_mozilla = string.format('(%s) & !(%s) & !(%s) & !(%s)', user_agent_mozilla5, user_agent_thunderbird,
+ user_agent_seamonkey, user_agent_postbox)
-- Mozilla based common Message-ID template
-local mozilla_msgid_common = 'Message-ID=/^\\s*<[\\dA-F]{8}\\.\\d{1,7}\\@([^>\\.]+\\.)+[^>\\.]+>$/H'
-local mozilla_msgid_common_sec = 'Message-ID=/^\\s*<[\\da-f]{8}-([\\da-f]{4}-){3}[\\da-f]{12}\\@([^>\\.]+\\.)+[^>\\.]+>$/H'
-local mozilla_msgid = 'Message-ID=/^\\s*<(3[3-9A-F]|[4-9A-F][\\dA-F])[\\dA-F]{6}\\.(\\d0){1,4}\\d\\@([^>\\.]+\\.)+[^>\\.]+>$/H'
+local mozilla_msgid_common = 'Message-ID=/^\\s*<[\\dA-F]{8}\\.\\d{1,7}\\@([^>\\.]+\\.)+[^>\\.]+>$/H'
+local mozilla_msgid_common_sec = 'Message-ID=/^\\s*<[\\da-f]{8}-([\\da-f]{4}-){3}[\\da-f]{12}\\@([^>\\.]+\\.)+[^>\\.]+>$/H'
+local mozilla_msgid = 'Message-ID=/^\\s*<(3[3-9A-F]|[4-9A-F][\\dA-F])[\\dA-F]{6}\\.(\\d0){1,4}\\d\\@([^>\\.]+\\.)+[^>\\.]+>$/H'
-- Summary rule for forged Mozilla Mail Message-ID header
reconf['FORGED_MUA_MOZILLA_MAIL_MSGID'] = {
- re = string.format('(%s) & (%s) & !(%s) & !(%s)', user_agent_mozilla, mozilla_msgid_common, mozilla_msgid, unusable_msgid),
+ re = string.format('(%s) & (%s) & !(%s) & !(%s)', user_agent_mozilla, mozilla_msgid_common, mozilla_msgid,
+ unusable_msgid),
score = 4.0,
description = 'Message pretends to be send from Mozilla Mail but has forged Message-ID',
group = 'mua'
}
reconf['FORGED_MUA_MOZILLA_MAIL_MSGID_UNKNOWN'] = {
- re = string.format('(%s) & !(%s) & !(%s) & !(%s)', user_agent_mozilla, mozilla_msgid_common, mozilla_msgid, unusable_msgid),
+ re = string.format('(%s) & !(%s) & !(%s) & !(%s)', user_agent_mozilla, mozilla_msgid_common, mozilla_msgid,
+ unusable_msgid),
score = 2.5,
description = 'Message pretends to be send from Mozilla Mail but has forged Message-ID',
group = 'mua'
@@ -464,39 +467,45 @@ reconf['FORGED_MUA_MOZILLA_MAIL_MSGID_UNKNOWN'] = {
-- Summary rule for forged Thunderbird Message-ID header
reconf['FORGED_MUA_THUNDERBIRD_MSGID'] = {
- re = string.format('(%s) & (%s) & !(%s) & !(%s)', user_agent_thunderbird, mozilla_msgid_common, mozilla_msgid, unusable_msgid),
+ re = string.format('(%s) & (%s) & !(%s) & !(%s)', user_agent_thunderbird, mozilla_msgid_common, mozilla_msgid,
+ unusable_msgid),
score = 4.0,
description = 'Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID',
group = 'mua'
}
reconf['FORGED_MUA_THUNDERBIRD_MSGID_UNKNOWN'] = {
- re = string.format('(%s) & !((%s) | (%s)) & !(%s) & !(%s)', user_agent_thunderbird, mozilla_msgid_common, mozilla_msgid_common_sec, mozilla_msgid, unusable_msgid),
+ re = string.format('(%s) & !((%s) | (%s)) & !(%s) & !(%s)', user_agent_thunderbird, mozilla_msgid_common,
+ mozilla_msgid_common_sec, mozilla_msgid, unusable_msgid),
score = 2.5,
description = 'Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID',
group = 'mua'
}
-- Summary rule for forged Seamonkey Message-ID header
reconf['FORGED_MUA_SEAMONKEY_MSGID'] = {
- re = string.format('(%s) & (%s) & !(%s) & !(%s)', user_agent_seamonkey, mozilla_msgid_common, mozilla_msgid, unusable_msgid),
+ re = string.format('(%s) & (%s) & !(%s) & !(%s)', user_agent_seamonkey, mozilla_msgid_common, mozilla_msgid,
+ unusable_msgid),
score = 4.0,
description = 'Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID',
group = 'mua'
}
reconf['FORGED_MUA_SEAMONKEY_MSGID_UNKNOWN'] = {
- re = string.format('(%s) & !((%s) | (%s)) & !(%s) & !(%s)', user_agent_seamonkey, mozilla_msgid_common, mozilla_msgid_common_sec, mozilla_msgid, unusable_msgid),
+ re = string.format('(%s) & !((%s) | (%s)) & !(%s) & !(%s)', user_agent_seamonkey, mozilla_msgid_common,
+ mozilla_msgid_common_sec, mozilla_msgid, unusable_msgid),
score = 2.5,
description = 'Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID',
group = 'mua'
}
-- Summary rule for forged Postbox Message-ID header
reconf['FORGED_MUA_POSTBOX_MSGID'] = {
- re = string.format('(%s) & (%s) & !(%s) & !(%s)', user_agent_postbox, mozilla_msgid_common, mozilla_msgid, unusable_msgid),
+ re = string.format('(%s) & (%s) & !(%s) & !(%s)', user_agent_postbox, mozilla_msgid_common, mozilla_msgid,
+ unusable_msgid),
score = 4.0,
description = 'Forged mail pretending to be from Postbox but has forged Message-ID',
group = 'mua'
}
reconf['FORGED_MUA_POSTBOX_MSGID_UNKNOWN'] = {
- re = string.format('(%s) & !((%s) | (%s)) & !(%s) & !(%s)', user_agent_postbox, mozilla_msgid_common, mozilla_msgid_common_sec, mozilla_msgid, unusable_msgid),
+ re = string.format('(%s) & !((%s) | (%s)) & !(%s) & !(%s)', user_agent_postbox, mozilla_msgid_common,
+ mozilla_msgid_common_sec, mozilla_msgid, unusable_msgid),
score = 2.5,
description = 'Forged mail pretending to be from Postbox but has forged Message-ID',
group = 'mua'
@@ -647,8 +656,10 @@ reconf['MISSING_MIMEOLE'] = {
-- Empty delimiters between header names and header values
local function gen_check_header_delimiter_empty(header_name)
return function(task)
- for _,rh in ipairs(task:get_header_full(header_name) or {}) do
- if rh['empty_separator'] then return true end
+ for _, rh in ipairs(task:get_header_full(header_name) or {}) do
+ if rh['empty_separator'] then
+ return true
+ end
end
return false
end
@@ -707,10 +718,10 @@ reconf['RCVD_ILLEGAL_CHARS'] = {
group = 'headers'
}
-local MAIL_RU_Return_Path = 'Return-path=/^\\s*<.+\\@mail\\.ru>$/iX'
-local MAIL_RU_X_Envelope_From = 'X-Envelope-From=/^\\s*<.+\\@mail\\.ru>$/iX'
-local MAIL_RU_From = 'From=/\\@mail\\.ru>?$/iX'
-local MAIL_RU_Received = 'Received=/from mail\\.ru \\(/mH'
+local MAIL_RU_Return_Path = 'Return-path=/^\\s*<.+\\@mail\\.ru>$/iX'
+local MAIL_RU_X_Envelope_From = 'X-Envelope-From=/^\\s*<.+\\@mail\\.ru>$/iX'
+local MAIL_RU_From = 'From=/\\@mail\\.ru>?$/iX'
+local MAIL_RU_Received = 'Received=/from mail\\.ru \\(/mH'
reconf['FAKE_RECEIVED_mail_ru'] = {
re = string.format('(%s) & !(((%s) | (%s)) & (%s))',
@@ -720,26 +731,26 @@ reconf['FAKE_RECEIVED_mail_ru'] = {
group = 'headers'
}
-local GMAIL_COM_Return_Path = 'Return-path=/^\\s*<.+\\@gmail\\.com>$/iX'
-local GMAIL_COM_X_Envelope_From = 'X-Envelope-From=/^\\s*<.+\\@gmail\\.com>$/iX'
-local GMAIL_COM_From = 'From=/\\@gmail\\.com>?$/iX'
+local GMAIL_COM_Return_Path = 'Return-path=/^\\s*<.+\\@gmail\\.com>$/iX'
+local GMAIL_COM_X_Envelope_From = 'X-Envelope-From=/^\\s*<.+\\@gmail\\.com>$/iX'
+local GMAIL_COM_From = 'From=/\\@gmail\\.com>?$/iX'
-local UKR_NET_Return_Path = 'Return-path=/^\\s*<.+\\@ukr\\.net>$/iX'
-local UKR_NET_X_Envelope_From = 'X-Envelope-From=/^\\s*<.+\\@ukr\\.net>$/iX'
-local UKR_NET_From = 'From=/\\@ukr\\.net>?$/iX'
+local UKR_NET_Return_Path = 'Return-path=/^\\s*<.+\\@ukr\\.net>$/iX'
+local UKR_NET_X_Envelope_From = 'X-Envelope-From=/^\\s*<.+\\@ukr\\.net>$/iX'
+local UKR_NET_From = 'From=/\\@ukr\\.net>?$/iX'
-local RECEIVED_smtp_yandex_ru_1 = 'Received=/from \\[\\d+\\.\\d+\\.\\d+\\.\\d+\\] \\((port=\\d+ )?helo=smtp\\.yandex\\.ru\\)/iX'
-local RECEIVED_smtp_yandex_ru_2 = 'Received=/from \\[UNAVAILABLE\\] \\(\\[\\d+\\.\\d+\\.\\d+\\.\\d+\\]:\\d+ helo=smtp\\.yandex\\.ru\\)/iX'
-local RECEIVED_smtp_yandex_ru_3 = 'Received=/from \\S+ \\(\\[\\d+\\.\\d+\\.\\d+\\.\\d+\\]:\\d+ helo=smtp\\.yandex\\.ru\\)/iX'
-local RECEIVED_smtp_yandex_ru_4 = 'Received=/from \\[\\d+\\.\\d+\\.\\d+\\.\\d+\\] \\(account \\S+ HELO smtp\\.yandex\\.ru\\)/iX'
-local RECEIVED_smtp_yandex_ru_5 = 'Received=/from smtp\\.yandex\\.ru \\(\\[\\d+\\.\\d+\\.\\d+\\.\\d+\\]\\)/iX'
-local RECEIVED_smtp_yandex_ru_6 = 'Received=/from smtp\\.yandex\\.ru \\(\\S+ \\[\\d+\\.\\d+\\.\\d+\\.\\d+\\]\\)/iX'
-local RECEIVED_smtp_yandex_ru_7 = 'Received=/from \\S+ \\(HELO smtp\\.yandex\\.ru\\) \\(\\S+\\@\\d+\\.\\d+\\.\\d+\\.\\d+\\)/iX'
-local RECEIVED_smtp_yandex_ru_8 = 'Received=/from \\S+ \\(HELO smtp\\.yandex\\.ru\\) \\(\\d+\\.\\d+\\.\\d+\\.\\d+\\)/iX'
-local RECEIVED_smtp_yandex_ru_9 = 'Received=/from \\S+ \\(\\[\\d+\\.\\d+\\.\\d+\\.\\d+\\] helo=smtp\\.yandex\\.ru\\)/iX'
+local RECEIVED_smtp_yandex_ru_1 = 'Received=/from \\[\\d+\\.\\d+\\.\\d+\\.\\d+\\] \\((port=\\d+ )?helo=smtp\\.yandex\\.ru\\)/iX'
+local RECEIVED_smtp_yandex_ru_2 = 'Received=/from \\[UNAVAILABLE\\] \\(\\[\\d+\\.\\d+\\.\\d+\\.\\d+\\]:\\d+ helo=smtp\\.yandex\\.ru\\)/iX'
+local RECEIVED_smtp_yandex_ru_3 = 'Received=/from \\S+ \\(\\[\\d+\\.\\d+\\.\\d+\\.\\d+\\]:\\d+ helo=smtp\\.yandex\\.ru\\)/iX'
+local RECEIVED_smtp_yandex_ru_4 = 'Received=/from \\[\\d+\\.\\d+\\.\\d+\\.\\d+\\] \\(account \\S+ HELO smtp\\.yandex\\.ru\\)/iX'
+local RECEIVED_smtp_yandex_ru_5 = 'Received=/from smtp\\.yandex\\.ru \\(\\[\\d+\\.\\d+\\.\\d+\\.\\d+\\]\\)/iX'
+local RECEIVED_smtp_yandex_ru_6 = 'Received=/from smtp\\.yandex\\.ru \\(\\S+ \\[\\d+\\.\\d+\\.\\d+\\.\\d+\\]\\)/iX'
+local RECEIVED_smtp_yandex_ru_7 = 'Received=/from \\S+ \\(HELO smtp\\.yandex\\.ru\\) \\(\\S+\\@\\d+\\.\\d+\\.\\d+\\.\\d+\\)/iX'
+local RECEIVED_smtp_yandex_ru_8 = 'Received=/from \\S+ \\(HELO smtp\\.yandex\\.ru\\) \\(\\d+\\.\\d+\\.\\d+\\.\\d+\\)/iX'
+local RECEIVED_smtp_yandex_ru_9 = 'Received=/from \\S+ \\(\\[\\d+\\.\\d+\\.\\d+\\.\\d+\\] helo=smtp\\.yandex\\.ru\\)/iX'
reconf['FAKE_RECEIVED_smtp_yandex_ru'] = {
- re = string.format('(((%s) & ((%s) | (%s))) | ((%s) & ((%s) | (%s))) '..
+ re = string.format('(((%s) & ((%s) | (%s))) | ((%s) & ((%s) | (%s))) ' ..
' | ((%s) & ((%s) | (%s)))) & (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s)',
MAIL_RU_From, MAIL_RU_Return_Path, MAIL_RU_X_Envelope_From, GMAIL_COM_From,
GMAIL_COM_Return_Path, GMAIL_COM_X_Envelope_From, UKR_NET_From, UKR_NET_Return_Path,
diff --git a/rules/regexp/misc.lua b/rules/regexp/misc.lua
index 4caa5da42..d723f2901 100644
--- a/rules/regexp/misc.lua
+++ b/rules/regexp/misc.lua
@@ -55,10 +55,10 @@ reconf['INTRODUCTION'] = {
local onion_uri_v2 = '/[a-z0-9]{16}\\.onion?/{url}i'
local onion_uri_v3 = '/[a-z0-9]{56}\\.onion?/{url}i'
reconf['HAS_ONION_URI'] = {
- re = string.format('(%s | %s)', onion_uri_v2, onion_uri_v3),
- description = 'Contains .onion hidden service URI',
- score = 0.0,
- group = 'url'
+ re = string.format('(%s | %s)', onion_uri_v2, onion_uri_v3),
+ description = 'Contains .onion hidden service URI',
+ score = 0.0,
+ group = 'url'
}
local my_victim = [[/(?:victim|prey)/{words}]]
@@ -82,7 +82,7 @@ reconf['LEAKED_PASSWORD_SCAM_RE'] = {
check_data_images = function(task)
local tp = task:get_text_parts() or {}
- for _,p in ipairs(tp) do
+ for _, p in ipairs(tp) do
if p:is_html() then
local hc = p:get_html()
diff --git a/rules/regexp/upstream_spam_filters.lua b/rules/regexp/upstream_spam_filters.lua
index b88e85709..b92f473b5 100644
--- a/rules/regexp/upstream_spam_filters.lua
+++ b/rules/regexp/upstream_spam_filters.lua
@@ -52,8 +52,8 @@ reconf['SPAM_FLAG'] = {
reconf['UNITEDINTERNET_SPAM'] = {
re = string.format('%s || %s',
- 'X-UI-Filterresults=/^junk:/H',
- 'X-UI-Out-Filterresults=/^junk:/H'),
+ 'X-UI-Filterresults=/^junk:/H',
+ 'X-UI-Out-Filterresults=/^junk:/H'),
score = 5.0,
description = "United Internet says this message is spam",
group = 'upstream_spam_filters'