${MESSAGE2} ${RSPAMD_TESTDIR}/messages/sa_header_body_raw.eml
${FULLMSG} ${RSPAMD_TESTDIR}/messages/sa_full_boundary.eml
${URL1} ${RSPAMD_TESTDIR}/messages/url1.eml
+${SPOOFMSG} ${RSPAMD_TESTDIR}/messages/sa_display_name_spoof.eml
${RSPAMD_SCOPE} Suite
${RSPAMD_URL_TLD} ${RSPAMD_TESTDIR}/../lua/unit/test_tld.dat
[Documentation] Complex meta combining negation and rawbody
Scan File ${MESSAGE2}
Expect Symbol SA_META_COMPLEX
+
+SA-Like: Display Name Match
+ [Documentation] Selector =~ on from:name matches Bank of America display name
+ Scan File ${SPOOFMSG}
+ Expect Symbol SA_SEL_BOFA_DISPLAY
+
+SA-Like: Display Name Match Miss
+ [Documentation] SA_SEL_BOFA_DISPLAY must not fire when display name differs
+ Scan File ${MESSAGE2}
+ Do Not Expect Symbol SA_SEL_BOFA_DISPLAY
+
+SA-Like: Domain Negation Match
+ [Documentation] Selector !~ on from:domain fires when domain is not the legit one
+ Scan File ${SPOOFMSG}
+ Expect Symbol SA_SEL_BOFA_NOT_DOMAIN
+
+SA-Like: BOFA Spoof Meta
+ [Documentation] Meta of display-match AND domain-mismatch fires on spoofed message
+ Scan File ${SPOOFMSG}
+ Expect Symbol With Score SA_META_BOFA_SPOOF 6.0
+
+SA-Like: BOFA Spoof Meta Miss
+ [Documentation] BOFA meta does not fire on a non-spoofed message
+ Scan File ${MESSAGE2}
+ Do Not Expect Symbol SA_META_BOFA_SPOOF
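Review bot: Both miss cases (`Display Name Match Miss` and `BOFA Spoof Meta Miss`) scan `${MESSAGE2}`, which, judging by the documentation line, already fails on the display name, so the domain half of the rule is never tested in the negative direction. Nothing here checks that `SA_SEL_BOFA_NOT_DOMAIN` and `SA_META_BOFA_SPOOF` stay silent when the display name matches and the From domain really is bankofamerica.com, which is the false-positive case the meta exists to separate. Consider adding a fixture with the matching display name and the legitimate domain (placeholder variable `${LEGITMSG}`), with a case that runs `Scan File ${LEGITMSG}` followed by `Do Not Expect Symbol SA_META_BOFA_SPOOF`. A second fixture whose domain only ends in the brand string would also pin the anchoring of the domain regex.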
# Selector negation (use domain to avoid addr formatting quirks)
selector SA_SEL_NOT_CORP from:domain !~ /^corp\.example$/i
+# Brand-impersonation pattern: display name matches but domain does not.
+selector SA_SEL_BOFA_DISPLAY from:name =~ /bank\s+of\s+america/i
+selector SA_SEL_BOFA_NOT_DOMAIN from:domain !~ /bankofamerica\.com$/i
+
# Meta rules combining atoms and selectors
meta SA_META_AND SA_HDR_SUBJ & SA_BODY_SIMPLE & SA_SEL_FROM_DOM
meta SA_META_OR SA_URI_SHORT | SA_SEL_URL_TLD
meta SA_META_COMPLEX (SA_BODY_SIMPLE & SA_SEL_NOT_CORP) | SA_RAW_SIMPLE
+meta SA_META_BOFA_SPOOF SA_SEL_BOFA_DISPLAY & SA_SEL_BOFA_NOT_DOMAIN
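Review bot: The pattern in `SA_SEL_BOFA_NOT_DOMAIN` is anchored only at the end, so any From domain that merely ends in the brand string (a constructed example: `notbankofamerica.com`) matches the regex, which makes `!~` false and keeps `SA_META_BOFA_SPOOF` from firing on a lookalike domain. Anchoring on a label boundary avoids this while still accepting subdomains: `selector SA_SEL_BOFA_NOT_DOMAIN from:domain !~ /(?:^|\.)bankofamerica\.com$/i`, assuming the selector regex engine accepts a non-capturing group. The existing `SA_SEL_NOT_CORP` line above already anchors both ends. A short comment such as `# anchored on a label boundary so lookalike suffix domains still count as mismatches` would record the intent.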
# Scores
score SA_HDR_SUBJ 1.0
score SA_SEL_FROM_DOM 1.0
score SA_SEL_URL_TLD 1.0
score SA_SEL_NOT_CORP 0.5
+score SA_SEL_BOFA_DISPLAY 1.0
+score SA_SEL_BOFA_NOT_DOMAIN 0.5
score SA_META_AND 2.5
score SA_META_OR 2.0
score SA_META_COMPLEX 2.0
+score SA_META_BOFA_SPOOF 6.0
# Descriptions
describe SA_HDR_SUBJ Subject matches test subject
describe SA_SEL_FROM_DOM From domain equals example.com
describe SA_SEL_URL_TLD URL tld equals example.com
describe SA_SEL_NOT_CORP From address is not corp.example
+describe SA_SEL_BOFA_DISPLAY From display name matches Bank of America
+describe SA_SEL_BOFA_NOT_DOMAIN From domain is not bankofamerica.com
describe SA_META_AND Header+Body+Selector combo
describe SA_META_OR URI or URL TLD selector
describe SA_META_COMPLEX Complex combination with negation
+describe SA_META_BOFA_SPOOF Bank of America display name with mismatched domain
--- /dev/null
+From: "Bank of America Alerts" <alerts@evil-spoof.example.org>
+To: test@example.com
+Subject: Important account notice
+Date: Fri, 01 Jan 2021 00:00:00 +0000
+Message-ID: <sa-spoof-1@example.org>
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 7bit
+
+This message has a Bank of America display name but the From domain
+does not belong to Bank of America. Used to validate the SA-style
+selector =~ / !~ atoms and meta combination.