commit 2fa0319: [Minor] Add rules that observes limits in pdf files
Vsevolod Stakhov
vsevolod at highsecure.ru
Fri May 22 13:07:08 UTC 2020
Author: Vsevolod Stakhov
Date: 2020-05-22 13:02:32 +0100
URL: https://github.com/rspamd/rspamd/commit/2fa03199e4bcf3d323d5c94ec7a16bb2890e0354
[Minor] Add rules that observes limits in pdf files
---
conf/scores.d/content_group.conf | 40 +++++++++++++++++++++++++---------------
rules/content.lua | 27 ++++++++++++++++++++++++---
2 files changed, 49 insertions(+), 18 deletions(-)
diff --git a/conf/scores.d/content_group.conf b/conf/scores.d/content_group.conf
index b53ec31d0..6a011b938 100644
--- a/conf/scores.d/content_group.conf
+++ b/conf/scores.d/content_group.conf
@@ -18,20 +18,30 @@
description = "Content rules";
symbols = {
- "PDF_ENCRYPTED" {
- weight = 0.3;
- description = "There is an encrypted PDF in the message";
- one_shot = true;
- }
- "PDF_JAVASCRIPT" {
- weight = 0.1;
- description = "There is an PDF with JavaScript in the message";
- one_shot = true;
- }
- "PDF_SUSPICIOUS" {
- weight = 4.5;
- description = "There is an PDF with suspicious properties in the message";
- one_shot = true;
- }
+ "PDF_ENCRYPTED" {
+ weight = 0.3;
+ description = "There is an encrypted PDF in the message";
+ one_shot = true;
+ }
+ "PDF_JAVASCRIPT" {
+ weight = 0.1;
+ description = "There is an PDF with JavaScript in the message";
+ one_shot = true;
+ }
+ "PDF_SUSPICIOUS" {
+ weight = 4.5;
+ description = "There is an PDF with suspicious properties in the message";
+ one_shot = true;
+ }
+ "PDF_LONG_TRAILER" {
+ weight = 0.2;
+ description = "There is an PDF with a long trailer";
+ one_shot = true;
+ }
+ "PDF_MANY_OBJECTS" {
+ weight = 0;
+ description = "There is a PDF file with too many objects";
+ one_shot = true;
+ }
}
diff --git a/rules/content.lua b/rules/content.lua
index 1f591c2d7..5bdc46c25 100644
--- a/rules/content.lua
+++ b/rules/content.lua
@@ -17,7 +17,7 @@ limitations under the License.
local function process_pdf_specific(task, part, specific)
local suspicious_factor = 0
if specific.encrypted then
- task:insert_result('PDF_ENCRYPTED', 1.0, part:get_filename())
+ task:insert_result('PDF_ENCRYPTED', 1.0, part:get_filename() or 'unknown')
suspicious_factor = suspicious_factor + 0.1
if specific.openaction then
suspicious_factor = suspicious_factor + 0.5
@@ -25,7 +25,7 @@ local function process_pdf_specific(task, part, specific)
end
if specific.scripts then
- task:insert_result('PDF_JAVASCRIPT', 1.0, part:get_filename())
+ task:insert_result('PDF_JAVASCRIPT', 1.0, part:get_filename() or 'unknown')
suspicious_factor = suspicious_factor + 0.1
end
@@ -35,7 +35,16 @@ local function process_pdf_specific(task, part, specific)
if suspicious_factor > 0.5 then
if suspicious_factor > 1.0 then suspicious_factor = 1.0 end
- task:insert_result('PDF_SUSPICIOUS', suspicious_factor, part:get_filename())
+ task:insert_result('PDF_SUSPICIOUS', suspicious_factor, part:get_filename() or 'unknown')
+ end
+
+ if specific.long_trailer then
+ task:insert_result('PDF_LONG_TRAILER', 1.0, string.format('%s:%d',
+ part:get_filename() or 'unknown', specific.long_trailer))
+ end
+ if specific.many_objects then
+ task:insert_result('PDF_MANY_OBJECTS', 1.0, string.format('%s:%d',
+ part:get_filename() or 'unknown', specific.many_objects))
end
end
@@ -83,3 +92,15 @@ rspamd_config:register_symbol{
parent = id,
groups = {"content", "pdf"},
}
+rspamd_config:register_symbol{
+ type = 'virtual',
+ name = 'PDF_LONG_TRAILER',
+ parent = id,
+ groups = {"content", "pdf"},
+}
+rspamd_config:register_symbol{
+ type = 'virtual',
+ name = 'PDF_MANY_OBJECTS',
+ parent = id,
+ groups = {"content", "pdf"},
+}
More information about the Commits
mailing list