commit d353d54: [Minor] Penalize EXE files in RAR archives

moisseev moiseev at mezonplus.ru
Thu May 28 14:14:10 UTC 2020


Author: moisseev
Date: 2020-05-28 13:26:07 +0300
URL: https://github.com/rspamd/rspamd/commit/d353d54ae593a2a7e047c0d2d3a3ce476c8ec528 (refs/pull/3383/head)

[Minor] Penalize EXE files in RAR archives
that have generic split file extensions (e.g. .001)

---
 conf/scores.d/mime_types_group.conf |  5 +++++
 src/plugins/lua/mime_types.lua      | 21 +++++++++++++++++++--
 2 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/conf/scores.d/mime_types_group.conf b/conf/scores.d/mime_types_group.conf
index 3a13cde79..b9e373600 100644
--- a/conf/scores.d/mime_types_group.conf
+++ b/conf/scores.d/mime_types_group.conf
@@ -43,6 +43,11 @@ symbols = {
         description = "Encrypted archive in a message";
         one_shot = true;
     }
+    "MIME_EXE_IN_GEN_SPLIT_RAR" {
+        weight = 5.0;
+        description = "EXE file in RAR archive with generic split extension (e.g. .001)";
+        one_shot = true;
+    }
     "MIME_ARCHIVE_IN_ARCHIVE" {
         weight = 5.0;
         description = "Archive within another archive";
diff --git a/src/plugins/lua/mime_types.lua b/src/plugins/lua/mime_types.lua
index 564241cc1..29470e4ea 100644
--- a/src/plugins/lua/mime_types.lua
+++ b/src/plugins/lua/mime_types.lua
@@ -35,6 +35,7 @@ local settings = {
   symbol_good = 'MIME_GOOD',
   symbol_attachment = 'MIME_BAD_ATTACHMENT',
   symbol_encrypted_archive = 'MIME_ENCRYPTED_ARCHIVE',
+  symbol_exe_in_gen_split_rar = 'MIME_EXE_IN_GEN_SPLIT_RAR',
   symbol_archive_in_archive = 'MIME_ARCHIVE_IN_ARCHIVE',
   symbol_double_extension = 'MIME_DOUBLE_BAD_EXTENSION',
   symbol_bad_extension = 'MIME_BAD_EXTENSION',
@@ -434,6 +435,12 @@ local function check_mime_type(task)
           end
 
           if check then
+            local is_gen_split_rar = false
+            if filename then
+              local ext = gen_extension(filename)
+              is_gen_split_rar = string.match(ext, '^%d%d%d$') and arch:get_type() == 'rar'
+            end
+
             local fl = arch:get_files_full(1000)
 
             local nfiles = #fl
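Review bot: `string.match(ext, '^%d%d%d$')` in the added block raises a Lua error if `gen_extension(filename)` returns nil, which looks possible for an attachment name with no extension (gen_extension is defined outside this hunk, so this needs confirming). An error at this point would presumably stop the remaining archive checks for that message, so a part with an unusual name would go unscored instead of being penalized. Guard the value, for example `is_gen_split_rar = ext ~= nil and string.match(ext, '^%d%d%d$') ~= nil and arch:get_type() == 'rar'`, which also leaves a real boolean in the flag rather than the matched string. check_mime_type starts and ends outside the hunk.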
@@ -447,8 +454,12 @@ local function check_mime_type(task)
               end
 
               if f['name'] then
-                check_filename(f['name'], nil,
-                    true, p, nil, nfiles)
+                if is_gen_split_rar and gen_extension(f['name']) == 'exe' then
+                  task:insert_result(settings['symbol_exe_in_gen_split_rar'], 1.0, f['name'])
+                else
+                  check_filename(f['name'], nil,
+                      true, p, nil, nfiles)
+                end
               end
             end
 
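Review bot: The new `if`/`else` makes the split-RAR symbol replace `check_filename` for the matching entry instead of adding to it. Whatever check_filename reports for that name (it is defined outside the hunk; presumably the bad-extension and double-extension symbols) is therefore no longer evaluated for a name like `invoice.pdf.exe` inside a `.001` RAR. If this is meant to avoid double scoring, state it in a comment such as `-- split-RAR EXE gets its own symbol; generic extension checks are skipped to avoid double scoring`; otherwise insert the result and call check_filename unconditionally. The `== 'exe'` comparison also depends on gen_extension lower-casing its result, which is not visible here, so `.EXE` coverage should be confirmed. check_mime_type continues outside the hunk.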
@@ -609,6 +620,12 @@ if opts then
       parent = id,
       group = 'mime_types',
     })
+    rspamd_config:register_symbol({
+      type = 'virtual',
+      name = settings['symbol_exe_in_gen_split_rar'],
+      parent = id,
+      group = 'mime_types',
+    })
     rspamd_config:register_symbol({
       type = 'virtual',
       name = settings['symbol_archive_in_archive'],

