From 5c669479a0e0630f822929714332b615f11210a6 Mon Sep 17 00:00:00 2001
From: Steve Freegard
Date: Mon, 21 Nov 2016 12:55:14 +0000
Subject: Rules updates
---
 rules/regexp/headers.lua | 91 ++++++++++++++++++++++++++++++++++++++++++++++++
 rules/regexp/misc.lua | 39 +++++++++++++++++++++
 2 files changed, 130 insertions(+)
 create mode 100644 rules/regexp/misc.lua
(limited to 'rules/regexp')
diff --git a/rules/regexp/headers.lua b/rules/regexp/headers.lua
index ef0adc6b1..e5bce8cea 100644
--- a/rules/regexp/headers.lua
+++ b/rules/regexp/headers.lua
@@ -255,6 +255,22 @@ reconf['CC_EXCESS_QP'] = {
 group = 'excessqp'
 }
 
+local subj_encoded_b64 = 'Subject=/\\=\\?\\S+\\?B\\?/iX'
+local subj_needs_mime = 'Subject=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/Hr'
+reconf['SUBJ_EXCESS_BASE64'] = {
+ re = string.format('%s & !%s', subj_encoded_b64, subj_needs_mime),
+ score = 1.5,
+ description = 'Subject is unnecessarily encoded in base64',
+ group = 'excessb64'
+}
+
+local subj_encoded_qp = 'Subject=/\\=\\?\\S+\\?Q\\?/iX'
+reconf['SUBJ_EXCESS_QP'] = {
+ re = string.format('%s & !%s', subj_encoded_qp, subj_needs_mime),
+ score = 1.2,
+ description = 'Subect is unnecessarily encoded in quoted-printable',
+ group = 'excessqp'
+}
 
 -- Detect forged outlook headers
 -- OE X-Mailer header
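Review bot: The description of the new `SUBJ_EXCESS_QP` rule misspells the header name, `'Subect is unnecessarily encoded in quoted-printable'`; this string is what operators see next to the symbol, so it should read `'Subject is unnecessarily encoded in quoted-printable'`. The two rules otherwise share `subj_needs_mime` consistently and follow the existing `CC_EXCESS_QP` group names. Note that the table for `CC_EXCESS_QP` itself begins before this hunk.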
@@ -803,3 +819,78 @@ reconf['GOOGLE_FORWARDING_MID_BROKEN'] = {
 description = "Message had invalid Message-ID pre-forwarding",
 group = 'header'
 }
+
+reconf['CTE_CASE'] = {
+ re = 'Content-Transfer-Encoding=/^[78]BsX',
+ description = '[78]Bit .vs. [78]bit',
+ score = 0.5,
+ group = header'
+}
+
+reconf['HAS_INTERSPIRE_SIG'] = {
+ re = string.format('((%s) & (%s) & (%s) & (%s)) | (%s)',
+ 'header_exists(X-Mailer-LID)',
+ 'header_exists(X-Mailer-RecptId)',
+ 'header_exists(X-Mailer-SID)',
+ 'header_exists(X-Mailer-Sent-By)',
+ 'List-Unsubscribe=/\\/unsubscribe\\.php\\?M=[^&]+&C=[^&]+&L=[^&]+&N=[^>]+>$/Xi'),
+ description = "Has Interspire fingerprint",
+ score = 3.0,
+ group = 'header'
+}
+
+reconf['CT_EXTRA_SEMI'] = {
+ re = 'Content-Type=/;$/X',
+ description = 'Content-Type ends with a semi-colon',
+ score = 1.0,
+ group = 'header'
+}
+
+reconf['SUBJECT_ENDS_EXCLAIM'] = {
+ re = 'Subject=/!\\s*$/H',
+ description = 'Subject ends with an exclaimation',
+ score = 1.0,
+ group = 'headers'
+}
+
+reconf['SUBJECT_HAS_EXCLAIM'] = {
+ re = string.format('%s & !%s', 'Subject=/!/H', 'Subject=/!\\s*$/H'),
+ description = 'Subject contains an exclaimation',
+ score = 0.0,
+ group = 'headers'
+}
+
+reconf['SUBJECT_ENDS_QUESTION'] = {
+ re = 'Subject=/\\?\\s*$/H',
+ description = 'Subject ends with a question',
+ score = 1.0,
+ group = 'headers'
+}
+
+reconf['SUBJECT_HAS_QUESTION'] = {
+ re = string.format('%s & !%s', 'Subject=/\\?/H', 'Subject=/\\?\\s*$/H'),
+ description = 'Subject contains a question',
+ score = 0.0,
+ group = 'headers'
+}
+
+reconf['SUBJECT_HAS_CURRENCY'] = {
+ re = 'Subject=/$€$¢¥₽/H',
+ description = 'Subject contains currency',
+ score = 1.0,
+ group = 'headers'
+}
+
+reconf['SUBJECT_ENDS_SPACES'] = {
+ re = 'Subject=/\\s+$/H',
+ description = 'Subject ends with space characters',
+ score = 0.5,
+ group = 'headers'
+}
+
+reconf['HAS_ORG_HEADER'] = {
+ re = string.format('%s || %s', 'header_exists(Organization)', 'header_exists(Organisation)'),
+ description = 'Has Organization header',
+ score = 0.0,
+ group = 'headers'
+}
diff --git a/rules/regexp/misc.lua b/rules/regexp/misc.lua
new file mode 100644
index 000000000..a819ec729
--- /dev/null
+++ b/rules/regexp/misc.lua
@@ -0,0 +1,39 @@
+--[[
+Copyright (c) 2011-2016, Vsevolod Stakhov
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+]]--
+
+
+local reconf = config['regexp']
+
+reconf['HTML_META_REFRESH_URL'] = {
+ -- Requires options { check_attachements = true; }
+ re = '/
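Review bot: `group = header'` in the new `CTE_CASE` rule is missing its opening quote, which is a Lua syntax error — headers.lua then fails to load and every rule in the file is lost, not just this one; it should read `group = 'header'`. The same rule's pattern `'Content-Transfer-Encoding=/^[78]BsX'` has no closing `/` before its flags, so it cannot compile as a regexp either; presumably `'Content-Transfer-Encoding=/^[78]B/sX'` was intended. In `SUBJECT_HAS_CURRENCY`, `/$€$¢¥₽/` is not a character class and uses `$` as an end anchor, so it will not match a dollar sign or any one of the other symbols on its own; a bracket expression such as `/[\\$€¢¥₽]/H` looks intended, and the second `$` may be a mis-encoded `£`. Two descriptions spell "exclaimation" for "exclamation", the new rules split between `group = 'header'` and `group = 'headers'` while the surrounding context uses `'header'`, and `HAS_ORG_HEADER` joins its terms with `||` where every other expression in the hunk uses `|`.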