[Rspamd-Users] Questions regarding how to increase rspamd's coverage on abused legitimate services/"living off trusted services" (LOTS)

jose.celestino at gmail.com jose.celestino at gmail.com
Sat Mar 23 12:24:49 UTC 2024


On Sat, Mar 23, 2024 at 12:08 PM Tobias Westerhever via Users
<users at lists.rspamd.com> wrote:
>
> Hello fellow rspamd users,
>
...
>
> - As attachment policies are increasingly tightened, PDF abuse has increased. Sometimes,
>   PDFs disseminated in spam campaigns include a blurred image of the lure, overlayed
>   by an IPFS gateway link. Sometimes, they directly contain JavaScript exploits, and
>   so on.
>
>   I wonder if rspamd could extract URLs from PDF attachments, and check these against
>   local rules, such as regexp patterns looking for IPFS gateway URLs. Checking all
>   these links against DNSBLs, however, is probably way out of the question, given that there
>   can be hundreds in a single PDF file.

Hi,

The big issue that I'm seeing with PDFs is those encrypted with an
empty password, which rspamd skips altogether but which are opened
seemingly by the clients. You can increase the PDF_ENCRYPTED score, but
there are legitimate cases for the use.

That being said, rspamd can extract the URLs from PDFs and you can match
them against a list (regex) with the multimap module. If I'm not
mistaken, the type = "url" doesn't return the flag = content URLs, so
you should use a selector like:

selector = "specific_urls({need_images = true, need_content = true, ignore_redirected = false, limit = 50})"
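As an added illustration (not from the reply above, nor shipped with rspamd), here is how the suggested selector could be wired into a multimap rule so that URLs extracted from attachment content, including PDFs, are matched against a local regexp list of IPFS gateway patterns. The symbol name, score, map path and the patterns in the map are all constructed for this example; the selector string is the one from the reply, and `limit = 50` caps how many URLs per message are examined, which addresses the concern about PDFs carrying hundreds of links.

```ucl
# local.d/multimap.conf (example rule, constructed for this illustration)
PDF_IPFS_GATEWAY_URL {
  # "selector" maps run an rspamd selector and match its output against the map
  type = "selector";
  # selector from the reply: include image and attachment-content URLs,
  # keep redirect-wrapped originals, look at most at 50 URLs per message
  selector = "specific_urls({need_images = true, need_content = true, ignore_redirected = false, limit = 50})";
  # path is an assumption; the map file is maintained locally
  map = "${LOCAL_CONFDIR}/local.d/ipfs_gateway_urls.map";
  # treat map lines as /regex/flags entries instead of literal strings
  regexp = true;
  # score is a placeholder; tune it against your own traffic
  score = 4.0;
  description = "URL in message or attachment content points at an IPFS gateway";
}

# local.d/ipfs_gateway_urls.map (constructed sample patterns, one per line;
# each line is a regexp in /pattern/flags form)
# /\/ipfs\/[A-Za-z0-9]{46,}/i
# /^https?:\/\/[a-z0-9-]+\.ipfs\.[^\/]+\//i
# /^https?:\/\/ipfs\.[^\/]+\/ipfs\//i
```

After adding the rule, `rspamadm configtest` checks the syntax, and `rspamc symbols` on a sample message with an embedded PDF shows whether the symbol fires; a false positive on a legitimate IPFS link can then be handled by lowering the score rather than by dropping the rule, matching the reply's point that some uses are legitimate.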

