Rspamd_rule_compromised_hosts.lua自己的理解

        以下是我对Rspamd系统中的规则compromised.lua一些理解。

HAS_PHPMAILER_SIG：description = "PHPMailer signature”,用于检测PHPMailer。 re = "X-Mailer=/^PHPMailer/Hi || Content-Type=/boundary=\”b[123]_/Hi",正则表达式：用于匹配消息的头部信息X-Mailer或Content-Type，则正则表达式格式应该为：Header-Name=/regexp/flags。 group = “compromised_hosts"PHP_SCRIPT_ROOT：description = "PHP Script executed by root UID”,用于检测被Root UID执行的PHP Script。re = “X-PHP-Originating-Script=/^0:/Hi",正则表达式：用于匹配消息的头部信息X-PHP-Originating-Script，则正则表达式格式应该为：Header-Name=/regexp/flags。score = 1.0, group = “compromised_hosts"HAS_X_POS：description = "Has X-PHP-Originating-Script header",re = "header_exists('X-PHP-Originating-Script')",正则表达式：使用Rspamd的内部函数header_exists，来判读头部X-PHP-Originating-Script是否存在，如果存在的话就Add symbol。group = “compromised_hosts"HAS_X_PHP_SCRIPT：description = "Has X-PHP-Script header", re = “header_exists('X-PHP-Script')",正则表达式：使用Rspamd的内部函数header_exists，来判读头部X-PHP-Script是否存在，如果存在的话就Add symbol。group = “compromised_hosts"HAS_X_SOURCE：description = "Has X-Source headers",re = "header_exists('X-Source') || header_exists('X-Source-Args') || header_exists(‘X-Source-Dir')",正则表达式：使用Rspamd的内部函数header_exists，来判读头部X-Source或X-Source-Args'或X-Source-Dir头部是否存在，如果存在的话就Add symbol。三种头部的实例：-- X-Source:-- X-Source-Args: /usr/sbin/proxyexec -q -d -s /var/run/proxyexec/cagefs.sock/socket /bin/cagefs.server-- X-Source-Dir: silvianimberg.com:/public_html/wp-content/themes/ultimatumgroup = “compromised_hosts"HAS_X_AS ：description = 'Has X-Authenticated-Sender header’,实例：X-Authenticated-Sender: accord.host-care.com: sales@cortaflex.si得到X-Authenticated-Sender头部信息，然后通过find函数捕获auth = sales@cortaflex.si，并且return true，auth。group = “compromised_hosts"HAS_X_GMSV：description = 'Has X-Get-Message-Sender-Via: header’,实例：X-Get-Message-Sender-Via: accord.host-care.com: authenticated_id: sales@cortaflex.si得到X-Get-Message-Sender-Via头部信息，然后通过find函数捕获auth = sales@cortaflex.si，并且return true，auth。group = “compromised_hosts"HAS_X_ANTIABUSE：description = "Has X-AntiAbuse headers",re = "header_exists('X-AntiAbuse')",group = “compromised_hosts"X-AntiAbuse对应原始址的实例：-- X-AntiAbuse: This header was added to track abuse, please include it with any abuse report-- X-AntiAbuse: Primary Hostname - accord.host-care.com-- X-AntiAbuse: Original Domain - swaney.com-- X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]-- X-AntiAbuse: Sender Address Domain - dropbox.comX_PHP_EVAL：用eval’d PHP发送消息，根据头部是否含有X-PHP-Script或X-PHP-Originating-Script判断。HAS_WP_URI：通过正则表达式判断RUL是否包含WordPress URI。WP_COMPROMISED：通过正则表达式判断URL中是否指向WordPress installation。PHP_XPS_PATTERN：通过正则表达式判断消息是否包含X-PHP-Script 匹配模式。HAS_XAW：使用Rspamd的内部函数header_exists，来判读头部X-Authentication-Warning是否存在，如果存在的话就Add symbol。XAW_SERVICE_ACCT：判断消息起源由某个服务发送过来的，这些服务包括：www-data、anonymous、ftp、apache、nobody、guest、nginx、web、www。score = 1.0,ENVFROM_SERVICE_ACCT：判断消息来自于某个服务发送过来的，这些服务包括：www-data、anonymous、ftp、apache、nobody、guest、nginx、web、www。score = 1.0,HIDDEN_SOURCE_OBJ：判断UNIX hidden file/directory in path。score = 2.0。URI_HIDDEN_PATH：通过正则表达式判断URL包含一个UNIX隐藏文件夹目录。score = 1.0,MID_RHS_WWW：通过正则表达式判断Message-ID表头的值为www,进而断定消息来自www主机。score = 0.5,FROM_SERVICE_ACCT：判断邮件的Sender、From、Reply-To头部信息是一个服务账号，服务包括：www-data、anonymous、ftp、apache、nobody、guest、nginx、web、www。score = 1.0,WWW_DOT_DOMAIN：判断From、Sender、Reply-To or Envelope is @www.domain.com。score = 0.5