From: Vsevolod Stakhov Date: Mon, 21 Feb 2011 13:38:14 +0000 (+0300) Subject: New rules. X-Git-Tag: 0.3.7~17 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a2c20743269451ee481b595ca1bf5aacfad906cc;p=thirdparty%2Frspamd.git New rules. Submitted by: Victor Ustugov
---
diff --git a/conf/lua/regexp/headers.lua b/conf/lua/regexp/headers.lua
index e68067d5b5..69b239d859 100644
--- a/conf/lua/regexp/headers.lua
+++ b/conf/lua/regexp/headers.lua
@@ -203,6 +203,46 @@ reconf['FORGED_MUA_THEBAT_MSGID'] = string.format('(%s) & !(%s) & (%s) & !(%s)',
 reconf['FORGED_MUA_THEBAT_MSGID_UNKNOWN'] = string.format('(%s) & !(%s) & !(%s) & !(%s)', thebat_mua_any, thebat_msgid, thebat_msgid_common, unusable_msgid)
+-- Detect forged KMail headers
+-- KMail User-Agent header
+local kmail_mua = 'User-Agent=/^\\s*KMail\\/1\\.\\d+\\.\\d+/H'
+-- KMail common Message-ID template
+local kmail_msgid_common = 'Message-Id=/^\\s*\\d+\\.\\d+\\.\\S+\\@\\S+$/mH'
+-- local kmail_msgid = function (task)
+-- rspamd_logger.info("test kmail_msgid")
+-- local msg = task:get_message()
+-- local regexp_text = '<(\\S+)>\\|<(19[789]\\d|20\\d\\d)(0\\d|1[012])([012]\\d|3[01])([0-5]\\d)([0-5]\\d)\\.\\d+\\.\\1>$'
+-- local re = regexp.get_cached(regexp_text)
+-- if not re then re = regexp.create(regexp_text, '') end
+-- local header_msgid = msg:get_header('Message-Id')
+-- for _,header_from in ipairs(msg:get_header('From')) do
+-- if re:match(header_from.."|"..header_msgid) then
+-- return true
+-- end
+-- end
+-- return false
+-- end
+local kmail_msgid = 'Message-Id=/^(19[789]\\d|20\\d\\d)(0\\d|1[012])([012]\\d|3[01])([0-5]\\d)([0-5]\\d)\\.\\d+\\.\\S+\\@\\S+$/mH'
+-- Summary rule for forged KMail Message-ID header
+reconf['FORGED_MUA_KMAIL_MSGID'] = string.format('(%s) & (%s) & !(%s) & !(%s)', kmail_mua, kmail_msgid_common, kmail_msgid, unusable_msgid)
+-- Summary rule for forged KMail Message-ID header with unknown template
+reconf['FORGED_MUA_KMAIL_MSGID_UNKNOWN'] = string.format('(%s) & !(%s) & !(%s)', kmail_mua, kmail_msgid_common, unusable_msgid)
+
+-- Detect forged Opera Mail headers
+-- Opera Mail User-Agent header
+local opera1x_mua = 'User-Agent=/^\\s*Opera Mail\\/1[01]\\.\\d+ /H'
+-- Opera Mail Message-ID template
+local opera1x_msgid = 'Message-ID=/^op\\.[a-z\\d]{14}\\@\\S+$/mHS'
+-- Suspicious Opera Mail User-Agent header
+local suspicious_opera10w_mua = 'User-Agent=/^\\s*Opera Mail\\/10\\.\\d+ \\(Windows\\)$/H'
+-- Suspicious Opera Mail Message-ID, apparently from KMail
+local suspicious_opera10w_msgid = 'Message-Id=/^2009\\d{8}\\.\\d+\\.\\S+\\@\\S+$/mHS'
+-- Summary rule for forged Opera Mail User-Agent header and Message-ID header from KMail
+reconf['SUSPICIOUS_OPERA_10W_MSGID'] = string.format('(%s) & (%s)', suspicious_opera10w_mua, suspicious_opera10w_msgid)
+-- Summary rule for forged Opera Mail Message-ID header
+reconf['FORGED_MUA_OPERA_MSGID'] = string.format('(%s) & !(%s) & !(%s) & !(%s)', opera1x_mua, opera1x_msgid, reconf['SUSPICIOUS_OPERA_10W_MSGID'], unusable_msgid)
+
+
 -- Detect forged Mozilla Mail/Thunderbird/Seamonkey headers
 -- Mozilla based X-Mailer
 local user_agent_mozilla5 = 'User-Agent=/^\\s*Mozilla\\/5\\.0/'
diff --git a/rspamd.xml.sample b/rspamd.xml.sample
index 8464a080ab..610e60b8c2 100644
--- a/rspamd.xml.sample
+++ b/rspamd.xml.sample
@@ -84,6 +84,16 @@
 FORGED_MUA_THEBAT_MSGID_UNKNOWN + + FORGED_MUA_KMIL_MSGID + + FORGED_MUA_KMAIL_MSGID_UNKNOWN + + + FORGED_MUA_OPERA_MSGID + + SUSPICIOUS_OPERA_10W_MSGID + FORGED_MUA_MOZILLA_MAIL_MSGID
@@ -233,8 +243,8 @@
-FORGED_RECIPIENTS & ~MAILLIST
-FORGED_MUA_OUTLOOK & ~MAILLIST
+FORGED_RECIPIENTS & -MAILLIST
+FORGED_MUA_OUTLOOK & -MAILLIST
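Review bot: `suspicious_opera10w_msgid` hard-codes the year `2009` in the Message-ID timestamp, so a KMail-template ID stamped 2010 or later under an `Opera Mail/10.x (Windows)` User-Agent never reaches `SUSPICIOUS_OPERA_10W_MSGID` and instead falls through to the less specific `FORGED_MUA_OPERA_MSGID`, which is defined as `opera1x_mua & !opera1x_msgid & !SUSPICIOUS_OPERA_10W_MSGID & !unusable_msgid`. If the fixed year is deliberate (a known campaign signature) state that in the comment above it; otherwise match the date prefix the way `kmail_msgid` already does, e.g. `local suspicious_opera10w_msgid = 'Message-Id=/^(19[789]\\d|20\\d\\d)\\d{8}\\.\\d+\\.\\S+\\@\\S+$/mHS'`. The new `opera1x_msgid` also spells the header `Message-ID` while every other new pattern in this hunk uses `Message-Id`; if the header lookup is case-sensitive the Opera template can never match and `FORGED_MUA_OPERA_MSGID` fires on legitimate Opera mail, so one spelling should be used throughout (or confirm the lookup is case-insensitive in a comment). Finally, the commented-out `kmail_msgid` function is dead code committed into the rule file and is superseded by the `kmail_msgid` regexp directly below it; drop it or add a one-line comment saying why it is kept.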
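Review bot: The entry added as `FORGED_MUA_KMIL_MSGID` in the first rspamd.xml.sample hunk does not match `FORGED_MUA_KMAIL_MSGID`, the rule name this same commit defines in headers.lua, so whatever weight is configured here is attached to a symbol no rule emits while the real symbol runs with no configured weight. Change the entry to `FORGED_MUA_KMAIL_MSGID`. The element markup around these names appears to have been stripped in this rendering, so the surrounding lines of the hunk cannot be checked from here.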