Diffstat (limited to 'rules/regexp')
-rw-r--r-- | rules/regexp/headers.lua | 40 | ||||
-rw-r--r-- | rules/regexp/urls.lua | 31 |
2 files changed, 41 insertions, 30 deletions
diff --git a/rules/regexp/headers.lua b/rules/regexp/headers.lua
index 44fa964e3..1b5f55db1 100644
--- a/rules/regexp/headers.lua
+++ b/rules/regexp/headers.lua
@@ -69,6 +69,14 @@ if rspamd_config:is_mime_utf8() then
 end
 end
+reconf['R_HTTP_URL_IN_FROM'] = {
+ re = [[From=/(^|"|'|\s)[hH][tT][tT][pP][sS]?(:|=3A)\/\/\S/H]],
+ score = 5.0,
+ mime_only = true,
+ description = 'HTTP URL preceded by the start of a line, quote, or whitespace, with normal or URL-encoded colons in From header',
+ group = 'headers'
+}
+
 -- Detects that there is no space in From header (e.g. Some Name<some@host>)
 reconf['R_NO_SPACE_IN_FROM'] = {
 re = 'From=/\\S<[-\\w\\.]+\\@[-\\w\\.]+>/X',
@@ -460,7 +468,7 @@ local user_agent_mozilla = string.format('(%s) & !(%s) & !(%s) & !(%s)', user_ag
 user_agent_seamonkey, user_agent_postbox)
 -- Mozilla based common Message-ID template
 local mozilla_msgid_common = 'Message-ID=/^\\s*<[\\dA-F]{8}\\.\\d{1,7}\\@([^>\\.]+\\.)+[^>\\.]+>$/H'
-local mozilla_msgid_common_sec = 'Message-ID=/^\\s*<[\\da-f]{8}-([\\da-f]{4}-){3}[\\da-f]{12}\\@([^>\\.]+\\.)+[^>\\.]+>$/H'
+local mozilla_msgid_common_sec = 'Message-ID=/^\\s*<[\\da-f]{8}-([\\da-f]{4}-){3}[\\da-f]{12}\\@([^>\\.]+\\.)+[^>\\.]+>$/Hi'
 local mozilla_msgid = 'Message-ID=/^\\s*<(3[3-9A-F]|[4-9A-F][\\dA-F])[\\dA-F]{6}\\.(\\d0){1,4}\\d\\@([^>\\.]+\\.)+[^>\\.]+>$/H'
 -- Summary rule for forged Mozilla Mail Message-ID header
 reconf['FORGED_MUA_MOZILLA_MAIL_MSGID'] = {
@@ -644,7 +652,7 @@ reconf['REPTO_QUOTE_YAHOO'] = {
 }
 reconf['FAKE_REPLY'] = {
- re = [[Subject=/^re:/i{header} & !(header_exists(In-Reply-To) | header_exists(References))]],
+ re = [[Subject=/^(antw|atb|aw|bls|odp|res?|rif|sv|ynt)[. ]*:/i{header} & !(header_exists(In-Reply-To) | header_exists(References))]],
 description = 'Fake reply',
 score = 1.0,
 group = 'headers'
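Review bot: In `R_HTTP_URL_IN_FROM` the alternative `=3A` is the quoted-printable spelling of a colon, not URL encoding as the description states, and it is matched case-sensitively, so `=3a` and the percent form `%3A` fall outside the rule. If those spellings are meant to be covered the group could read `(:|[=%]3[Aa])`; otherwise the description should say "quoted-printable colon". The scheme is spelled out as `[hH][tT][tT][pP][sS]?` where the `i` flag used by other rules in this file would express the same thing more readably. With a score of 5.0 on a single header match, a short comment above the rule recording what kind of mail motivated it would help later score tuning.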
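Review bot: The prefix list in the new `FAKE_REPLY` pattern is unexplained, so a maintainer cannot tell which locales are covered or why `res?` is written as it is. A comment above the rule such as `-- Localised reply prefixes (e.g. AW = German, ODP = Polish, SV = Scandinavian), optionally followed by dots or spaces before the colon` would make later additions reviewable. Numbered forms such as `Re[2]:` and a subject with leading whitespace are still not matched by the `^`-anchored pattern; worth confirming that is intended.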
@@ -945,34 +953,6 @@ reconf['HAS_LIST_UNSUB'] = {
 group = 'headers'
 }
-reconf['HAS_GUC_PROXY_URI'] = {
- re = '/\\.googleusercontent\\.com\\/proxy/{url}i',
- description = 'Has googleusercontent.com proxy URL',
- score = 1.0,
- group = 'url'
-}
-
-reconf['HAS_GOOGLE_REDIR'] = {
- re = '/\\.google\\.([a-z]{2,3}(|\\.[a-z]{2,3})|info|jobs)\\/(amp\\/s\\/|url\\?)/{url}i',
- description = 'Has google.com/url or alike Google redirection URL',
- score = 1.0,
- group = 'url'
-}
-
-reconf['HAS_GOOGLE_FIREBASE_URL'] = {
- re = '/\\.firebasestorage\\.googleapis\\.com\\//{url}i',
- description = 'Contains firebasestorage.googleapis.com URL',
- score = 2.0,
- group = 'url'
-}
-
-reconf['HAS_FILE_URL'] = {
- re = '/^file:\\/\\//{url}i',
- description = 'Contains file:// URL',
- score = 2.0,
- group = 'url'
-}
-
 reconf['XM_UA_NO_VERSION'] = {
 re = string.format('(!%s && !%s) && (%s || %s) && !%s',
 'X-Mailer=/https?:/H',
diff --git a/rules/regexp/urls.lua b/rules/regexp/urls.lua
new file mode 100644
index 000000000..6dc99f008
--- /dev/null
+++ b/rules/regexp/urls.lua
@@ -0,0 +1,31 @@
+
+local reconf = config['regexp']
+
+reconf['HAS_GUC_PROXY_URI'] = {
+ re = '/[\\.\\/]googleusercontent\\.com\\/proxy/{url}i',
+ description = 'Has googleusercontent.com proxy URL',
+ score = 1.0,
+ group = 'url'
+}
+
+reconf['HAS_GOOGLE_REDIR'] = {
+ re = '/[\\.\\/]google\\.([a-z]{2,3}(|\\.[a-z]{2,3})|info|jobs)\\/(amp\\/s\\/|url\\?)/{url}i',
+ description = 'Has google.com/url or alike Google redirection URL',
+ score = 1.0,
+ group = 'url'
+}
+
+reconf['HAS_GOOGLE_FIREBASE_URL'] = {
+ re = '/[\\.\\/]firebasestorage\\.googleapis\\.com\\//{url}i',
+ description = 'Contains firebasestorage.googleapis.com URL',
+ score = 2.0,
+ group = 'url'
+}
+
+reconf['HAS_FILE_URL'] = {
+ re = '/^file:\\/\\//{url}i',
+ description = 'Contains file:// URL',
+ score = 2.0,
+ group = 'url'
+}
+
|
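Review bot: The three Google patterns in the new `urls.lua` are unanchored, so with the widened `[\\.\\/]` prefix they also match when the host name appears in the path or query of an unrelated URL (for example `/google.com/url?` after some other host), which would add score to mail that carries no Google redirector at all. If `{url}` always presents the full URL including its scheme (not visible in this diff), anchoring on the host keeps the new bare-domain coverage without that, e.g. `re = '/^[a-z]+:\\/\\/([^\\/]*\\.)?googleusercontent\\.com\\/proxy/{url}i'`, and likewise for `HAS_GOOGLE_REDIR` and `HAS_GOOGLE_FIREBASE_URL`. The file would also benefit from a one-line header comment saying it holds the URL-class regexp rules moved out of `headers.lua`.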