commit 17d100a: [Rules] Add PDF related rules
Vsevolod Stakhov
vsevolod at highsecure.ru
Wed Nov 27 14:56:06 UTC 2019
Author: Vsevolod Stakhov
Date: 2019-11-27 14:53:27 +0000
URL: https://github.com/rspamd/rspamd/commit/17d100afebda176346bb7f929507a9eab49b6678 (HEAD -> master)
[Rules] Add PDF related rules
---
conf/groups.conf | 6 ++
.../{phishing_group.conf => content_group.conf} | 31 ++++----
rules/content.lua | 88 ++++++++++++++++++++++
rules/rspamd.lua | 1 +
4 files changed, 109 insertions(+), 17 deletions(-)
diff --git a/conf/groups.conf b/conf/groups.conf
index bf783cc2f..dcea1bcd0 100644
--- a/conf/groups.conf
+++ b/conf/groups.conf
@@ -116,5 +116,11 @@ group "external_services" {
.include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/external_services_group.conf"
}
+group "content" {
+ .include "$CONFDIR/scores.d/content_group.conf"
+ .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/content_group.conf"
+ .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/content_group.conf"
+}
+
.include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/groups.conf"
.include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/groups.conf"
diff --git a/conf/scores.d/phishing_group.conf b/conf/scores.d/content_group.conf
similarity index 58%
copy from conf/scores.d/phishing_group.conf
copy to conf/scores.d/content_group.conf
index c1e9255e4..b53ec31d0 100644
--- a/conf/scores.d/phishing_group.conf
+++ b/conf/scores.d/content_group.conf
@@ -1,4 +1,4 @@
-# Phishing rules scores
+# Content matching rules
#
# Please don't modify this file as your changes might be overwritten with
# the next update.
@@ -15,26 +15,23 @@
#
# See https://rspamd.com/doc/tutorials/writing_rules.html for details
-description = "Phishing in emails";
-
-max_score = 10.0;
+description = "Content rules";
symbols = {
- "PHISHING" {
- weight = 4.0;
- description = "Phished URL";
+ "PDF_ENCRYPTED" {
+ weight = 0.3;
+ description = "There is an encrypted PDF in the message";
one_shot = true;
}
- "PHISHED_OPENPHISH" {
- weight = 7.0;
- description = "Phished URL found in openphish.com";
- }
- "PHISHED_PHISHTANK" {
- weight = 7.0;
- description = "Phished URL found in phishtank.com";
+ "PDF_JAVASCRIPT" {
+ weight = 0.1;
+ description = "There is an PDF with JavaScript in the message";
+ one_shot = true;
}
- HACKED_WP_PHISHING {
+ "PDF_SUSPICIOUS" {
weight = 4.5;
- description = "Phishing message from hacked wordpress";
+ description = "There is an PDF with suspicious properties in the message";
+ one_shot = true;
}
-}
\ No newline at end of file
+}
+
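Review bot: The two new description strings read "There is an PDF with JavaScript in the message" and "There is an PDF with suspicious properties in the message"; since these are shown to operators in reports and the web UI, they should be `description = "There is a PDF with JavaScript in the message";` and `description = "There is a PDF with suspicious properties in the message";`. It is also worth mentioning in the PDF_SUSPICIOUS description that content.lua inserts the symbol with a dynamic weight (0.6 to 1.0 from what the hunk in rules/content.lua shows), so the effective score is a fraction of the 4.5 declared here rather than a fixed value.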
diff --git a/rules/content.lua b/rules/content.lua
new file mode 100644
index 000000000..718fd22c1
--- /dev/null
+++ b/rules/content.lua
@@ -0,0 +1,88 @@
+--[[
+Copyright (c) 2019, Vsevolod Stakhov <vsevolod at highsecure.ru>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+]]--
+
+local function process_pdf_specific(task, part, specific)
+ local suspicious_factor = 0
+ if specific.encrypted then
+ task:insert_result('PDF_ENCRYPTED', 1.0, part:get_filename())
+ suspicious_factor = suspicious_factor + 0.1
+ if specific.openaction then
+ suspicious_factor = suspicious_factor + 0.5
+ end
+ end
+
+ if specific.javascript then
+ task:insert_result('PDF_JAVASCRIPT', 1.0, part:get_filename())
+ suspicious_factor = suspicious_factor + 0.1
+ if specific.openaction then
+ suspicious_factor = suspicious_factor + 0.5
+ end
+ end
+
+ if specific.suspicious then
+ suspicious_factor = suspicious_factor + 0.7
+ end
+
+ if suspicious_factor > 0.5 then
+ if suspicious_factor > 1.0 then suspicious_factor = 1.0 end
+ task:insert_result('PDF_SUSPICIOUS', suspicious_factor, part:get_filename())
+ end
+end
+
+local tags_processors = {
+ pdf = process_pdf_specific
+}
+
+local function process_specific_cb(task)
+ local parts = task:get_parts() or {}
+
+ for _,p in ipairs(parts) do
+ if p:is_specific() then
+ local data = p:get_specific()
+
+ if data and type(data) == 'table' and data.tag then
+ if tags_processors[data.tag] then
+ tags_processors[data.tag](task, p, data)
+ end
+ end
+ end
+ end
+end
+
+local id = rspamd_config:register_symbol{
+ type = 'callback',
+ name = 'SPECIFIC_CONTENT_CHECK',
+ callback = process_specific_cb
+}
+
+rspamd_config:register_symbol{
+ type = 'virtual',
+ name = 'PDF_ENCRYPTED',
+ parent = id,
+ groups = {"content", "pdf"},
+}
+rspamd_config:register_symbol{
+ type = 'virtual',
+ name = 'PDF_JAVASCRIPT',
+ parent = id,
+ groups = {"content", "pdf"},
+}
+rspamd_config:register_symbol{
+ type = 'virtual',
+ name = 'PDF_SUSPICIOUS',
+ parent = id,
+ groups = {"content", "pdf"},
+}
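Review bot: The weights in process_pdf_specific are undocumented magic numbers and the resulting thresholds are not obvious from the code: an encrypted PDF that also carries JavaScript totals 0.2 and never reaches PDF_SUSPICIOUS (threshold `> 0.5`), an OpenAction on its own contributes nothing, and an OpenAction that accompanies both encryption and JavaScript is credited twice (1.2, clamped to 1.0). If that is the intended model, a header comment above the function such as `-- PDF_SUSPICIOUS fires only when the factor exceeds 0.5: an OpenAction paired with encryption or JS (0.6), or a PDF the parser itself flagged as suspicious (0.7); encryption or JS alone stay informational` would save the next reader from re-deriving it, and hoisting `local has_openaction = specific.openaction` once would make the duplicated branch easier to follow. Separately, `part:get_filename()` is passed straight to insert_result as the symbol option on three lines; for an inline or unnamed part it presumably returns nil, so it may be worth confirming insert_result tolerates a nil option or falling back with `part:get_filename() or 'unnamed'`.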
diff --git a/rules/rspamd.lua b/rules/rspamd.lua
index e82eee4fa..8ce90b0d0 100644
--- a/rules/rspamd.lua
+++ b/rules/rspamd.lua
@@ -37,6 +37,7 @@ dofile(local_rules .. '/http_headers.lua')
dofile(local_rules .. '/forwarding.lua')
dofile(local_rules .. '/mid.lua')
dofile(local_rules .. '/bitcoin.lua')
+dofile(local_rules .. '/content.lua')
if rspamd_util.file_exists(local_conf .. '/rspamd.local.lua') then
dofile(local_conf .. '/rspamd.local.lua')