From 8b0c9d52554909656b8db2d8c93d8d680776de0b Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov <vsevolod@highsecure.ru>
Date: Tue, 14 Jun 2016 09:15:36 +0100
Subject: [Feature] Add openphish support to rspamd phishing module

---
 conf/metrics.conf            |  6 +++++-
 conf/modules.d/phishing.conf |  1 +
 src/plugins/lua/phishing.lua | 43 ++++++++++++++++++++++++++++++++++++++++---
 3 files changed, 46 insertions(+), 4 deletions(-)

diff --git a/conf/metrics.conf b/conf/metrics.conf
index a3c8b27c8..aa4dab022 100644
--- a/conf/metrics.conf
+++ b/conf/metrics.conf
@@ -834,9 +834,13 @@ metric {
     group "phishing" {
         symbol "PHISHING" {
             weight = 4.0;
-            description = "Phished mail";
+            description = "Phished URL";
             one_shot = true;
         }
+        symbol "PHISHED_OPENPHISH" {
+            weight = 7.0;
+            description = "Phished URL found in openphish.com";
+        }
     }
 
     group "date" {
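Review bot: The new `PHISHED_OPENPHISH` symbol carries weight 7.0 but, unlike `PHISHING` directly above it, has no `one_shot = true;`. The callback in src/plugins/lua/phishing.lua calls `task:insert_result(openphish_symbol, 1.0, ...)` once for every URL that matches the feed. If repeated insertions of one symbol accumulate (worth confirming against the metric code), a message carrying several listed URLs would score a multiple of 7.0 from a single third-party feed. Adding `one_shot = true;` to this block would cap the contribution and keep the two phishing symbols consistent.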
diff --git a/conf/modules.d/phishing.conf b/conf/modules.d/phishing.conf
index c1b63909a..392708cde 100644
--- a/conf/modules.d/phishing.conf
+++ b/conf/modules.d/phishing.conf
@@ -18,6 +18,7 @@ phishing {
     .include(try=true,priority=1) "$LOCAL_CONFDIR/local.d/phishing.conf"
     .include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/phishing.conf"
     symbol = "PHISHING";
+    openphish_map = "https://www.openphish.com/feed.txt";
 
     # Make exclusions for known redirectors
     redirector_domains = [
diff --git a/src/plugins/lua/phishing.lua b/src/plugins/lua/phishing.lua
index ecf88679f..22a792223 100644
--- a/src/plugins/lua/phishing.lua
+++ b/src/plugins/lua/phishing.lua
@@ -18,9 +18,12 @@ limitations under the License.
 --
 --
 local symbol = 'PHISHED_URL'
+local openphish_symbol = 'PHISHED_OPENPHISH'
 local domains = nil
 local strict_domains = {}
 local redirector_domains = {}
+local openphish_map = 'https://www.openphish.com/feed.txt'
+local openphish_hash
 local rspamd_logger = require "rspamd_logger"
 local util = require "rspamd_util"
 local opts = rspamd_config:get_all_opt('phishing')
@@ -30,6 +33,14 @@ local function phishing_cb(task)
 
   if urls then
     for _,url in ipairs(urls) do
+      if openphish_hash then
+        local t = url:get_text()
+
+        if openphish_hash:get_key(t) then
+          task:insert_result(openphish_symbol, 1.0, url:get_tld())
+        end
+      end
+
       if url:is_phished() and not url:is_redirected() then
         local found = false
         local purl = url:get_phished()
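Review bot: The feed check `openphish_hash:get_key(t)` is an exact lookup of `url:get_text()` in a set map, so a feed entry presumably only hits when the URL in the message equals it character for character. That limits detection coverage to verbatim copies of listed URLs, and nothing in the code or configuration tells an operator so. A comment above the lookup would make the limit visible, for example `-- exact match only: the feed entry must equal url:get_text() verbatim`. The lookup also runs for every URL before the existing `is_phished()` test, so each listed URL inserts the symbol again. The body of `phishing_cb` starts and ends outside this hunk.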
@@ -94,7 +105,11 @@ local function phishing_map(mapname, phishmap)
         local sym = string.sub(d, s + 1, -1)
         local map = string.sub(d, 1, s - 1)
         rspamd_config:register_virtual_symbol(sym, 1, id)
-        local rmap = rspamd_config:add_hash_map (map, 'Phishing ' .. mapname .. ' map')
+        local rmap = rspamd_config:add_map ({
+          type = 'set',
+          url = map,
+          description = 'Phishing ' .. mapname .. ' map',
+        })
         if rmap then
           local rule = {symbol = sym, map = rmap}
           table.insert(phishmap, rule)
@@ -113,13 +128,35 @@ if opts then
   if opts['symbol'] then
     symbol = opts['symbol']
     -- Register symbol's callback
-    rspamd_config:register_symbol({
+    local id = rspamd_config:register_symbol({
       name = symbol,
       callback = phishing_cb
     })
+
+    if opts['openphish_map'] then
+      openphish_map = opts['openphish_map']
+    end
+
+    openphish_hash = rspamd_config:add_map({
+      type = 'set',
+      url = openphish_map,
+      description = 'Open phishing feed map (see https://www.openphish.com for details)'
+    })
+
+    if openphish_hash then
+      rspamd_config:register_symbol({
+        type = 'virtual',
+        parent = id,
+        name = openphish_symbol,
+      })
+    end
   end
   if opts['domains'] and type(opt['domains']) == 'string' then
-    domains = rspamd_config:add_hash_map (opts['domains'])
+    domains = rspamd_config:add_map({
+      url = opts['domains'],
+      type = 'set',
+      description = 'Phishing domains'
+    })
   end
   phishing_map('strict_domains', strict_domains)
   phishing_map('redirector_domains', redirector_domains)
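Review bot: The guard above the rewritten `domains` map reads `type(opt['domains'])`, and no `opt` is defined in the visible lines (the table is `opts`). Indexing the nil global would raise an error whenever `opts['domains']` is set, so the new `add_map` call would never be reached. The line should read `if opts['domains'] and type(opts['domains']) == 'string' then`. Separately, the openphish map is created whenever `opts['symbol']` is set and falls back to the URL hard-coded in this file, so an operator can redirect the feed but has no visible way to turn off the outbound fetch. An explicit opt-out, documented next to `openphish_map` in conf/modules.d/phishing.conf, would help. The enclosing `if opts then` block extends beyond this hunk.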
-- 
cgit v1.2.3