commit 59b8463: [Minor] Try to find some obfuscation attemtps
Vsevolod Stakhov
vsevolod at highsecure.ru
Fri Mar 5 17:21:08 UTC 2021
Author: Vsevolod Stakhov
Date: 2021-03-05 17:13:45 +0000
URL: https://github.com/rspamd/rspamd/commit/59b8463ff07efba952baa3bd3ccb663e1f477c36 (HEAD -> master)
[Minor] Try to find some obfuscation attemtps
Issue: #3637
---
src/libserver/html.c | 24 ++++++++++++++++++++++--
1 file changed, 22 insertions(+), 2 deletions(-)
diff --git a/src/libserver/html.c b/src/libserver/html.c
index 401c55f31..974b59129 100644
--- a/src/libserver/html.c
+++ b/src/libserver/html.c
@@ -719,6 +719,7 @@ rspamd_html_url_is_phished (rspamd_mempool_t *pool,
p++;
}
}
+
text_url = rspamd_mempool_alloc0 (pool, sizeof (struct rspamd_url));
rc = rspamd_url_parse (text_url, url_str, strlen (url_str), pool,
RSPAMD_URL_PARSE_TEXT);
@@ -827,9 +828,28 @@ rspamd_html_url_is_phished (rspamd_mempool_t *pool,
*url_found = TRUE;
}
else {
- msg_info_pool ("extract of url '%s' failed: %s",
+ /*
+ * We have found something that looks like an url but it was
+ * not parsed correctly.
+ * Sometimes it means an obfuscation attempt, so we have to check
+ * what's inside of the text
+ */
+ gboolean obfuscation_found = FALSE;
+
+ if (g_ascii_strncasecmp (url_str, "http", 4) == 0 &&
+ strstr (url_str, "://") != NULL) {
+ /* Clearly an obfuscation attempt */
+ obfuscation_found = TRUE;
+ }
+
+ msg_info_pool ("extract of url '%s' failed: %s; obfuscation detected: %s",
url_str,
- rspamd_url_strerror (rc));
+ rspamd_url_strerror (rc),
+ obfuscation_found ? "yes" : "no");
+
+ if (obfuscation_found) {
+ href_url->flags |= RSPAMD_URL_FLAG_PHISHED|RSPAMD_URL_FLAG_OBSCURED;
+ }
}
}
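Review bot: The test `g_ascii_strncasecmp (url_str, "http", 4) == 0 && strstr (url_str, "://") != NULL` matches any display text that begins with "http" and has "://" anywhere later in it, so anchor text that failed to parse for an unrelated reason would be marked RSPAMD_URL_FLAG_PHISHED as well as RSPAMD_URL_FLAG_OBSCURED. The comment `/* Clearly an obfuscation attempt */` overstates this; I would word it as `/* Heuristic: starts with "http" and contains "://" but did not parse as a URL */` and, if the looseness is not intended, bound how far from the scheme the `strstr` match may be. PHISHED is also set on href_url in a branch where the text URL did not parse, so it is worth confirming that consumers of that flag do not assume a parsed displayed URL exists (not visible in this hunk). The body of rspamd_html_url_is_phished starts and ends outside the hunk.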