[Enhancement] Add IPFS URL heuristic

diff --git a/rules/regexp/misc.lua b/rules/regexp/misc.lua
index a5e5cfc443b30c41fe0e7885d4a7bd50e21bbf7a..c7876567f14f033938fb2404e8a6f5c96552b66f 100644 (file)
--- a/rules/regexp/misc.lua
+++ b/rules/regexp/misc.lua
@@ -99,4 +99,19 @@ reconf['LEAKED_PASSWORD_SCAM_RE'] = {
   group = 'scams'
 }
 
-rspamd_config:register_dependency('LEAKED_PASSWORD_SCAM', 'BITCOIN_ADDR')
\ No newline at end of file
+rspamd_config:register_dependency('LEAKED_PASSWORD_SCAM', 'BITCOIN_ADDR')
+
+-- Heurististic for detecting InterPlanetary File System (IPFS) gateway URLs:
+-- These contain "ipfs" somewhere (either in the FQDN or the URL path) and a
+-- content identifier (CID), comprising of either "qm", followed by 46 alphanumerical
+-- characters (CIDv0), or a CIDv1 of an alphanumerical string of unspecified length,
+-- depending on the hash algorithm used.
+local ipfs_cid = '/(qm[a-z0-9]{44}|[a-z0-9]{45,256})/{url}i'
+local ipfs_string = '/ipfs(\\.|-|_|\\/|\\?)/{url}i'
+reconf['HAS_IPFS_URL'] = {
+  description = 'Message contains InterPlanetary File System (IPFS) URL, likely malicious',
+  re = string.format('(%s & %s)', ipfs_cid, ipfs_string),
+  score = 6.0,
+  one_shot = true,
+  group = 'url',
+}