commit 17d100a: [Rules] Add PDF related rules

Vsevolod Stakhov vsevolod at highsecure.ru
Wed Nov 27 14:56:06 UTC 2019


Author: Vsevolod Stakhov
Date: 2019-11-27 14:53:27 +0000
URL: https://github.com/rspamd/rspamd/commit/17d100afebda176346bb7f929507a9eab49b6678 (HEAD -> master)

[Rules] Add PDF related rules

---
 conf/groups.conf                                   |  6 ++
 .../{phishing_group.conf => content_group.conf}    | 31 ++++----
 rules/content.lua                                  | 88 ++++++++++++++++++++++
 rules/rspamd.lua                                   |  1 +
 4 files changed, 109 insertions(+), 17 deletions(-)

diff --git a/conf/groups.conf b/conf/groups.conf
index bf783cc2f..dcea1bcd0 100644
--- a/conf/groups.conf
+++ b/conf/groups.conf
@@ -116,5 +116,11 @@ group "external_services" {
     .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/external_services_group.conf"
 }
 
+group "content" {
+    .include "$CONFDIR/scores.d/content_group.conf"
+    .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/content_group.conf"
+    .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/content_group.conf"
+}
+
 .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/groups.conf"
 .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/groups.conf"
diff --git a/conf/scores.d/phishing_group.conf b/conf/scores.d/content_group.conf
similarity index 58%
copy from conf/scores.d/phishing_group.conf
copy to conf/scores.d/content_group.conf
index c1e9255e4..b53ec31d0 100644
--- a/conf/scores.d/phishing_group.conf
+++ b/conf/scores.d/content_group.conf
@@ -1,4 +1,4 @@
-# Phishing rules scores
+# Content matching rules
 #
 # Please don't modify this file as your changes might be overwritten with
 # the next update.
@@ -15,26 +15,23 @@
 #
 # See https://rspamd.com/doc/tutorials/writing_rules.html for details
 
-description = "Phishing in emails";
-
-max_score = 10.0;
+description = "Content rules";
 
 symbols = {
-    "PHISHING" {
-        weight = 4.0;
-        description = "Phished URL";
+    "PDF_ENCRYPTED" {
+        weight = 0.3;
+        description = "There is an encrypted PDF in the message";
         one_shot = true;
     }
-    "PHISHED_OPENPHISH" {
-        weight = 7.0;
-        description = "Phished URL found in openphish.com";
-    }
-    "PHISHED_PHISHTANK" {
-        weight = 7.0;
-        description = "Phished URL found in phishtank.com";
+    "PDF_JAVASCRIPT" {
+        weight = 0.1;
+        description = "There is an PDF with JavaScript in the message";
+        one_shot = true;
     }
-    HACKED_WP_PHISHING {
+    "PDF_SUSPICIOUS" {
         weight = 4.5;
-        description = "Phishing message from hacked wordpress";
+        description = "There is an PDF with suspicious properties in the message";
+        one_shot = true;
     }
-}
\ No newline at end of file
+}
+
diff --git a/rules/content.lua b/rules/content.lua
new file mode 100644
index 000000000..718fd22c1
--- /dev/null
+++ b/rules/content.lua
@@ -0,0 +1,88 @@
+--[[
+Copyright (c) 2019, Vsevolod Stakhov <vsevolod at highsecure.ru>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+]]--
+
+local function process_pdf_specific(task, part, specific)
+  local suspicious_factor = 0
+  if specific.encrypted then
+    task:insert_result('PDF_ENCRYPTED', 1.0, part:get_filename())
+    suspicious_factor = suspicious_factor + 0.1
+    if specific.openaction then
+      suspicious_factor = suspicious_factor + 0.5
+    end
+  end
+
+  if specific.javascript then
+    task:insert_result('PDF_JAVASCRIPT', 1.0, part:get_filename())
+    suspicious_factor = suspicious_factor + 0.1
+    if specific.openaction then
+      suspicious_factor = suspicious_factor + 0.5
+    end
+  end
+
+  if specific.suspicious then
+    suspicious_factor = suspicious_factor + 0.7
+  end
+
+  if suspicious_factor > 0.5 then
+    if suspicious_factor > 1.0 then suspicious_factor = 1.0 end
+    task:insert_result('PDF_SUSPICIOUS', suspicious_factor, part:get_filename())
+  end
+end
+
+local tags_processors = {
+  pdf = process_pdf_specific
+}
+
+local function process_specific_cb(task)
+  local parts = task:get_parts() or {}
+
+  for _,p in ipairs(parts) do
+    if p:is_specific() then
+      local data = p:get_specific()
+
+      if data and type(data) == 'table' and data.tag then
+        if tags_processors[data.tag] then
+          tags_processors[data.tag](task, p, data)
+        end
+      end
+    end
+  end
+end
+
+local id = rspamd_config:register_symbol{
+  type = 'callback',
+  name = 'SPECIFIC_CONTENT_CHECK',
+  callback = process_specific_cb
+}
+
+rspamd_config:register_symbol{
+  type = 'virtual',
+  name = 'PDF_ENCRYPTED',
+  parent = id,
+  groups = {"content", "pdf"},
+}
+rspamd_config:register_symbol{
+  type = 'virtual',
+  name = 'PDF_JAVASCRIPT',
+  parent = id,
+  groups = {"content", "pdf"},
+}
+rspamd_config:register_symbol{
+  type = 'virtual',
+  name = 'PDF_SUSPICIOUS',
+  parent = id,
+  groups = {"content", "pdf"},
+}
diff --git a/rules/rspamd.lua b/rules/rspamd.lua
index e82eee4fa..8ce90b0d0 100644
--- a/rules/rspamd.lua
+++ b/rules/rspamd.lua
@@ -37,6 +37,7 @@ dofile(local_rules .. '/http_headers.lua')
 dofile(local_rules .. '/forwarding.lua')
 dofile(local_rules .. '/mid.lua')
 dofile(local_rules .. '/bitcoin.lua')
+dofile(local_rules .. '/content.lua')
 
 if rspamd_util.file_exists(local_conf .. '/rspamd.local.lua') then
   dofile(local_conf .. '/rspamd.local.lua')


More information about the Commits mailing list