File Coverage

blib/lib/Mail/SpamAssassin/Plugin/WLBLEval.pm

Criterion	Covered	Total	%
statement	108	289	37.3
branch	26	148	17.5
condition	2	24	8.3
subroutine	19	30	63.3
pod	1	18	5.5
total	156	509	30.6

line	stmt	bran	cond	sub	pod	time	code
1							# <@LICENSE>
2							# Licensed to the Apache Software Foundation (ASF) under one or more
3							# contributor license agreements. See the NOTICE file distributed with
4							# this work for additional information regarding copyright ownership.
5							# The ASF licenses this file to you under the Apache License, Version 2.0
6							# (the "License"); you may not use this file except in compliance with
7							# the License. You may obtain a copy of the License at:
8							#
9							# http://www.apache.org/licenses/LICENSE-2.0
10							#
11							# Unless required by applicable law or agreed to in writing, software
12							# distributed under the License is distributed on an "AS IS" BASIS,
13							# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14							# See the License for the specific language governing permissions and
15							# limitations under the License.
16							# </@LICENSE>
17
18							package Mail::SpamAssassin::Plugin::WLBLEval;
19
20	21			21		163	use strict;
	21					55
	21					716
21	21			21		127	use warnings;
	21					58
	21					738
22							# use bytes;
23	21			21		143	use re 'taint';
	21					6787
	21					951
24
25	21			21		153	use NetAddr::IP 4.000;
	21					888
	21					359
26
27	21			21		5399	use Mail::SpamAssassin::Plugin;
	21					7019
	21					7397
28	21			21		159	use Mail::SpamAssassin::Logger;
	21					58
	21					79347
29
30							our @ISA = qw(Mail::SpamAssassin::Plugin);
31
32							# constructor: register the eval rule
33							sub new {
34	62			62	1	286	my $class = shift;
35	62					165	my $mailsaobject = shift;
36
37							# some boilerplate...
38	62		33			643	$class = ref($class) \|\| $class;
39	62					363	my $self = $class->SUPER::new($mailsaobject);
40	62					193	bless ($self, $class);
41
42							# the important bit!
43	62					331	$self->register_eval_rule("check_from_in_blacklist");
44	62					261	$self->register_eval_rule("check_to_in_blacklist");
45	62					233	$self->register_eval_rule("check_to_in_whitelist");
46	62					219	$self->register_eval_rule("check_to_in_more_spam");
47	62					208	$self->register_eval_rule("check_to_in_all_spam");
48	62					6019	$self->register_eval_rule("check_from_in_list");
49	62					228	$self->register_eval_rule("check_replyto_in_list");
50	62					259	$self->register_eval_rule("check_to_in_list");
51	62					245	$self->register_eval_rule("check_from_in_whitelist");
52	62					221	$self->register_eval_rule("check_forged_in_whitelist");
53	62					218	$self->register_eval_rule("check_from_in_default_whitelist");
54	62					253	$self->register_eval_rule("check_forged_in_default_whitelist");
55	62					211	$self->register_eval_rule("check_mailfrom_matches_rcvd");
56	62					236	$self->register_eval_rule("check_uri_host_listed");
57							# same as: eval:check_uri_host_listed('BLACK') :
58	62					211	$self->register_eval_rule("check_uri_host_in_blacklist");
59							# same as: eval:check_uri_host_listed('WHITE') :
60	62					191	$self->register_eval_rule("check_uri_host_in_whitelist");
61
62	62					585	return $self;
63							}
64
65							sub check_from_in_blacklist {
66	81			81	0	240	my ($self, $pms) = @_;
67	81					324	foreach ($pms->all_from_addrs()) {
68	42	50				257	if ($self->_check_whitelist ($self->{main}->{conf}->{blacklist_from}, $_)) {
69	0					0	return 1;
70							}
71							}
72							}
73
74							sub check_to_in_blacklist {
75	81			81	0	280	my ($self, $pms) = @_;
76	81					357	foreach ($pms->all_to_addrs()) {
77	57	50				118	if ($self->_check_whitelist ($self->{main}->{conf}->{blacklist_to}, $_)) {
78	0					0	return 1;
79							}
80							}
81							}
82
83							sub check_to_in_whitelist {
84	81			81	0	207	my ($self, $pms) = @_;
85	81					380	foreach ($pms->all_to_addrs()) {
86	57	50				124	if ($self->_check_whitelist ($self->{main}->{conf}->{whitelist_to}, $_)) {
87	0					0	return 1;
88							}
89							}
90							}
91
92							sub check_to_in_more_spam {
93	0			0	0	0	my ($self, $pms) = @_;
94	0					0	foreach ($pms->all_to_addrs()) {
95	0	0				0	if ($self->_check_whitelist ($self->{main}->{conf}->{more_spam_to}, $_)) {
96	0					0	return 1;
97							}
98							}
99							}
100
101							sub check_to_in_all_spam {
102	0			0	0	0	my ($self, $pms) = @_;
103	0					0	foreach ($pms->all_to_addrs()) {
104	0	0				0	if ($self->_check_whitelist ($self->{main}->{conf}->{all_spam_to}, $_)) {
105	0					0	return 1;
106							}
107							}
108							}
109
110							sub check_from_in_list {
111	14			14	0	50	my ($self, $pms, $list) = @_;
112	14					52	my $list_ref = $self->{main}{conf}{$list};
113	14	50				47	unless (defined $list_ref) {
114	0					0	warn "eval: could not find list $list";
115	0					0	return;
116							}
117
118	14					97	foreach my $addr ($pms->all_from_addrs()) {
119	22	50				101	if ($self->_check_whitelist ($list_ref, $addr)) {
120	0					0	return 1;
121							}
122							}
123
124	14					71	return 0;
125							}
126
127							sub check_replyto_in_list {
128	0			0	0	0	my ($self, $pms, $list) = @_;
129	0					0	my $list_ref = $self->{main}{conf}{$list};
130	0	0				0	unless (defined $list_ref) {
131	0					0	warn "eval: could not find list $list";
132	0					0	return;
133							}
134
135	0					0	my $replyto = $pms->get("Reply-To:addr");
136	0	0				0	return 0 if $replyto eq '';
137
138	0	0				0	if ($self->_check_whitelist ($list_ref, $replyto)) {
139	0					0	return 1;
140							}
141
142	0					0	return 0;
143							}
144
145							# TODO: this should be moved to a utility module off PerMsgStatus,
146							# rather than a plugin API; it's used in Bayes.pm as a utility
147							sub check_wb_list {
148	28			28	0	78	my ($self, $params) = @_;
149
150	28	50				117	return unless (defined $params->{permsgstatus});
151	28	50				100	return unless (defined $params->{type});
152	28	50				72	return unless (defined $params->{list});
153
154	28	100				126	if (lc $params->{type} eq "to") {
		50
155	14					119	return $self->check_to_in_list($params->{permsgstatus}, $params->{list});
156							}
157							elsif (lc $params->{type} eq "from") {
158	14					78	return $self->check_from_in_list($params->{permsgstatus}, $params->{list});
159							}
160
161	0					0	return;
162							}
163
164							sub check_to_in_list {
165	14			14	0	41	my ($self,$pms,$list) = @_;
166	14					56	my $list_ref = $self->{main}{conf}{$list};
167	14	50				58	unless (defined $list_ref) {
168	0					0	warn "eval: could not find list $list";
169	0					0	return;
170							}
171
172	14					108	foreach my $addr ($pms->all_to_addrs()) {
173	24	50				68	if ($self->_check_whitelist ($list_ref, $addr)) {
174	0					0	return 1;
175							}
176							}
177
178	14					71	return 0;
179							}
180
181							###########################################################################
182
183							sub check_from_in_whitelist {
184	81			81	0	251	my ($self, $pms) = @_;
185	81	50				549	$self->_check_from_in_whitelist($pms) unless exists $pms->{from_in_whitelist};
186	81					1634	return ($pms->{from_in_whitelist} > 0);
187							}
188
189							sub check_forged_in_whitelist {
190	0			0	0	0	my ($self, $pms) = @_;
191	0	0				0	$self->_check_from_in_whitelist($pms) unless exists $pms->{from_in_whitelist};
192	0	0				0	$self->_check_from_in_default_whitelist($pms) unless exists $pms->{from_in_default_whitelist};
193	0		0			0	return ($pms->{from_in_whitelist} < 0) && ($pms->{from_in_default_whitelist} == 0);
194							}
195
196							sub check_from_in_default_whitelist {
197	81			81	0	252	my ($self, $pms) = @_;
198	81	50				602	$self->_check_from_in_default_whitelist($pms) unless exists $pms->{from_in_default_whitelist};
199	81					1569	return ($pms->{from_in_default_whitelist} > 0);
200							}
201
202							sub check_forged_in_default_whitelist {
203	0			0	0	0	my ($self, $pms) = @_;
204	0	0				0	$self->_check_from_in_default_whitelist($pms) unless exists $pms->{from_in_default_whitelist};
205	0	0				0	$self->_check_from_in_whitelist($pms) unless exists $pms->{from_in_whitelist};
206	0		0			0	return ($pms->{from_in_default_whitelist} < 0) && ($pms->{from_in_whitelist} == 0);
207							}
208
209							###########################################################################
210
211							sub _check_from_in_whitelist {
212	81			81		237	my ($self, $pms) = @_;
213	81					178	my $found_match = 0;
214	81					309	foreach ($pms->all_from_addrs()) {
215	42	50				261	if ($self->_check_whitelist ($self->{main}->{conf}->{whitelist_from}, $_)) {
216	0					0	$pms->{from_in_whitelist} = 1;
217	0					0	return;
218							}
219	42					309	my $wh = $self->_check_whitelist_rcvd ($pms, $self->{main}->{conf}->{whitelist_from_rcvd}, $_);
220	42	50				281	if ($wh == 1) {
		50
221	0					0	$pms->{from_in_whitelist} = 1;
222	0					0	return;
223							}
224							elsif ($wh == -1) {
225	0					0	$found_match = -1;
226							}
227							}
228
229	81					219	$pms->{from_in_whitelist} = $found_match;
230	81					209	return;
231							}
232
233							###########################################################################
234
235							sub _check_from_in_default_whitelist {
236	81			81		243	my ($self, $pms) = @_;
237	81					167	my $found_match = 0;
238	81					382	foreach ($pms->all_from_addrs()) {
239	42					257	my $wh = $self->_check_whitelist_rcvd ($pms, $self->{main}->{conf}->{def_whitelist_from_rcvd}, $_);
240	42	50				271	if ($wh == 1) {
		50
241	0					0	$pms->{from_in_default_whitelist} = 1;
242	0					0	return;
243							}
244							elsif ($wh == -1) {
245	0					0	$found_match = -1;
246							}
247							}
248
249	81					624	$pms->{from_in_default_whitelist} = $found_match;
250	81					156	return;
251							}
252
253							###########################################################################
254
255							# check if domain name of an envelope sender address matches a domain name
256							# of the first untrusted relay (if any), or any trusted relay otherwise
257							sub check_mailfrom_matches_rcvd {
258	0			0	0	0	my ($self, $pms) = @_;
259	0					0	my $sender = $pms->get("EnvelopeFrom:addr");
260	0	0				0	return 0 if $sender eq '';
261	0					0	return $self->_check_addr_matches_rcvd($pms,$sender);
262							}
263
264							# check if domain name of a supplied e-mail address matches a domain name
265							# of the first untrusted relay (if any), or any trusted relay otherwise
266							sub _check_addr_matches_rcvd {
267	0			0		0	my ($self, $pms, $addr) = @_;
268
269	0					0	local $1;
270	0	0				0	return 0 if $addr !~ / \@ ( [^\@]+ \. [^\@]+ ) \z/x;
271	0					0	my $addr_domain = lc $1;
272
273	0					0	my @relays;
274	0	0				0	if ($pms->{num_relays_untrusted} > 0) {
		0
275							# check against the first untrusted, if present
276	0					0	@relays = $pms->{relays_untrusted}->[0];
277							} elsif ($pms->{num_relays_trusted} > 0) {
278							# otherwise try all trusted ones, but only do so
279							# if there are no untrusted relays to avoid forgery
280	0					0	push(@relays, @{$pms->{relays_trusted}});
	0					0
281							}
282	0	0				0	return 0 if !@relays;
283
284							my($adrh,$adrd) =
285	0					0	$self->{main}->{registryboundaries}->split_domain($addr_domain);
286	0					0	my $match = 0;
287	0					0	my $any_tried = 0;
288	0					0	foreach my $rly (@relays) {
289	0					0	my $relay_rdns = $rly->{lc_rdns};
290	0	0	0			0	next if !defined $relay_rdns \|\| $relay_rdns eq '';
291							my($rlyh,$rlyd) =
292	0					0	$self->{main}->{registryboundaries}->split_domain($relay_rdns);
293	0					0	$any_tried = 1;
294	0	0				0	if ($adrd eq $rlyd) {
295	0					0	dbg("rules: $addr MATCHES relay $relay_rdns ($adrd)");
296	0					0	$match = 1; last;
	0					0
297							}
298							}
299	0	0	0			0	if ($any_tried && !$match) {
300							dbg("rules: %s does NOT match relay(s) %s",
301	0					0	$addr, join(', ', map { $_->{lc_rdns} } @relays));
	0					0
302							}
303	0					0	return $match;
304							}
305
306							###########################################################################
307
308							# look up $addr and trusted relays in a whitelist with rcvd
309							# note if it appears to be a forgery and $addr is not in any-relay list
310							sub _check_whitelist_rcvd {
311	84			84		252	my ($self, $pms, $list, $addr) = @_;
312
313							# we can only match this if we have at least 1 trusted or untrusted header
314	84	100				396	return 0 unless ($pms->{num_relays_untrusted}+$pms->{num_relays_trusted} > 0);
315
316	2					3	my @relays;
317							# try the untrusted one first
318	2	50				7	if ($pms->{num_relays_untrusted} > 0) {
319	2					6	@relays = $pms->{relays_untrusted}->[0];
320							}
321							# then try the trusted ones; the user could have whitelisted a trusted
322							# relay, totally permitted
323							# but do not do this if any untrusted relays, to avoid forgery -- bug 4425
324	2	50	33			8	if ($pms->{num_relays_trusted} > 0 && !$pms->{num_relays_untrusted} ) {
325	0					0	push (@relays, @{$pms->{relays_trusted}});
	0					0
326							}
327
328	2					4	$addr = lc $addr;
329	2					3	my $found_forged = 0;
330	2					3	foreach my $white_addr (keys %{$list}) {
	2					6
331	0					0	my $regexp = qr/$list->{$white_addr}{re}/i;
332	0					0	foreach my $domain (@{$list->{$white_addr}{domain}}) {
	0					0
333							# $domain is a second param in whitelist_from_rcvd: a domain name or an IP address
334
335	0	0				0	if ($addr =~ $regexp) {
336							# From or sender address matching the first param in whitelist_from_rcvd
337	0					0	my $match;
338	0					0	foreach my $lastunt (@relays) {
339	0					0	local($1,$2);
340	0	0				0	if ($domain =~ m{^ \[ (.*) \] ( / \d{1,3} )? \z}sx) {
341							# matching by IP address
342	0					0	my($wl_ip, $rly_ip) = ($1, $lastunt->{ip});
343	0	0				0	$wl_ip .= $2 if defined $2; # allow prefix len even after bracket
344
345	0	0	0			0	if (!defined $rly_ip \|\| $rly_ip eq '') {
		0
		0
346							# relay's IP address not provided or unparseable
347
348							} elsif ($wl_ip =~ /^\d+\.\d+\.\d+\.\d+\z/s) {
349							# an IPv4 whitelist entry can only be matched by an IPv4 relay
350	0	0				0	if ($wl_ip eq $rly_ip) { $match = 1; last } # exact match
	0					0
	0					0
351
352							} elsif ($wl_ip =~ /^[\d\.]+\z/s) { # an IPv4 classful subnet?
353	0					0	$wl_ip =~ s/\.*\z/./; # enforce trailing dot
354	0	0				0	if ($rly_ip =~ /^\Q$wl_ip\E/) { $match = 1; last } # subnet
	0					0
	0					0
355
356							} else { # either an wl entry is an IPv6 addr, or has a prefix len
357	0					0	my $rly_ip_obj = NetAddr::IP->new($rly_ip); # TCP-info field
358	0	0				0	if (!defined $rly_ip_obj) {
359	0					0	dbg("rules: bad IP address in relay: %s, sender: %s",
360							$rly_ip, $addr);
361							} else {
362	0					0	my $wl_ip_obj = NetAddr::IP->new($wl_ip); # whitelist 2nd param
363	0	0				0	if (!defined $wl_ip_obj) {
		0
364	0					0	info("rules: bad IP address in whitelist: %s", $wl_ip);
365							} elsif ($wl_ip_obj->contains($rly_ip_obj)) {
366							# note: an IPv4-compatible IPv6 address can match an IPv4 addr
367	0					0	dbg("rules: relay addr %s matches whitelist %s, sender: %s",
368							$rly_ip, $wl_ip_obj, $addr);
369	0					0	$match = 1; last;
	0					0
370							} else {
371	0					0	dbg("rules: relay addr %s does not match wl %s, sender %s",
372							$rly_ip, $wl_ip_obj, $addr);
373							}
374							}
375							}
376
377							} else { # match by an rdns name
378	0					0	my $rdns = $lastunt->{lc_rdns};
379	0	0				0	if ($rdns =~ /(?:^\|\.)\Q${domain}\E$/i) { $match=1; last }
	0					0
	0					0
380							}
381							}
382	0	0				0	if ($match) {
383							dbg("rules: address %s matches (def_)whitelist_from_rcvd %s %s",
384	0					0	$addr, $list->{$white_addr}{re}, $domain);
385	0					0	return 1;
386							}
387							# found address match but no relay match. note as possible forgery
388	0					0	$found_forged = -1;
389							}
390							}
391							}
392	2	50				5	if ($found_forged) { # might be forgery. check if in list of exempted
393	0					0	my $wlist = $self->{main}->{conf}->{whitelist_allows_relays};
394	0					0	foreach my $fuzzy_addr (values %{$wlist}) {
	0					0
395	0	0				0	if ($addr =~ /$fuzzy_addr/i) {
396	0					0	$found_forged = 0;
397	0					0	last;
398							}
399							}
400							}
401	2					4	return $found_forged;
402							}
403
404							###########################################################################
405
406							sub _check_whitelist {
407	244			244		642	my ($self, $list, $addr) = @_;
408	244					572	$addr = lc $addr;
409	244	50				721	if (defined ($list->{$addr})) { return 1; }
	0					0
410	244					415	study $addr; # study is a no-op since perl 5.16.0, eliminating related bugs
411	244					330	foreach my $regexp (values %{$list}) {
	244					613
412	0	0				0	if ($addr =~ qr/$regexp/i) {
413	0					0	dbg("rules: address $addr matches whitelist or blacklist regexp: $regexp");
414	0					0	return 1;
415							}
416							}
417
418	244					1971	return 0;
419							}
420
421							###########################################################################
422
423							sub check_uri_host_in_blacklist {
424	0			0	0		my ($self, $pms) = @_;
425	0						$self->check_uri_host_listed($pms, 'BLACK');
426							}
427
428							sub check_uri_host_in_whitelist {
429	0			0	0		my ($self, $pms) = @_;
430	0						$self->check_uri_host_listed($pms, 'WHITE');
431							}
432
433							sub check_uri_host_listed {
434	0			0	0		my ($self, $pms, $subname) = @_;
435	0						my $host_enlisted_ref = $self->_check_uri_host_listed($pms);
436	0	0					if ($host_enlisted_ref) {
437	0						my $matched_host = $host_enlisted_ref->{$subname};
438	0	0					if ($matched_host) {
439	0						dbg("rules: uri host enlisted (%s): %s", $subname, $matched_host);
440	0						$pms->test_log("URI: $matched_host");
441	0						return 1;
442							}
443							}
444	0						return 0;
445							}
446
447							sub _check_uri_host_listed {
448	0			0			my ($self, $pms) = @_;
449
450	0	0					if ($pms->{'uri_host_enlisted'}) {
451	0						return $pms->{'uri_host_enlisted'}; # just provide a cached result
452							}
453
454	0						my $uri_lists_href = $self->{main}{conf}{uri_host_lists};
455	0	0	0				if (!$uri_lists_href \|\| !%$uri_lists_href) {
456	0						$pms->{'uri_host_enlisted'} = {}; # no URI host lists
457	0						return $pms->{'uri_host_enlisted'};
458							}
459
460	0						my %host_enlisted;
461	0						my @uri_listnames = sort keys %$uri_lists_href;
462	0	0					if (would_log("dbg","rules")) {
463	0						foreach my $nm (@uri_listnames) {
464							dbg("rules: check_uri_host_listed: (%s) %s",
465	0	0					$nm, join(', ', map { $uri_lists_href->{$nm}{$_} ? $_ : '!'.$_ }
466	0						sort keys %{$uri_lists_href->{$nm}}));
	0
467							}
468							}
469							# obtain a complete list of html-parsed domains
470	0						my $uris = $pms->get_uri_detail_list();
471	0						my %seen;
472	0						while (my($uri,$info) = each %$uris) {
473	0	0					next if $uri =~ /^mailto:/i; # we may want to skip mailto: uris (?)
474	0						while (my($host,$domain) = each( %{$info->{hosts}} )) { # typically one
	0
475	0	0					next if $seen{$host};
476	0						$seen{$host} = 1;
477	0						local($1,$2);
478	0						my @query_keys;
479	0	0					if ($host =~ /^\[(.*)\]\z/) { # looks like an address literal
		0
		0
480	0						@query_keys = ( $1 );
481							} elsif ($host =~ /^\d+\.\d+\.\d+\.\d+\z/) { # IPv4 address
482	0						@query_keys = ( $host );
483							} elsif ($host ne '') {
484	0						my($h) = $host;
485	0						for (;;) {
486	0	0					shift @query_keys if @query_keys > 10; # sanity limit, keep tail
487	0						push(@query_keys, $h); # sub.example.com, example.com, com
488	0	0					last if $h !~ s{^([^.])\.(.)\z}{$2}s;
489							}
490							}
491	0						foreach my $nm (@uri_listnames) {
492	0						my $match;
493							my $verdict;
494	0						my $hash_nm_ref = $uri_lists_href->{$nm};
495	0						foreach my $q (@query_keys) {
496	0						$verdict = $hash_nm_ref->{$q};
497	0	0					if (defined $verdict) {
498	0	0					$match = $q eq $host ? $host : "$host ($q)";
499	0	0					$match = '!' if !$verdict;
500	0						last;
501							}
502							}
503	0	0					if (defined $verdict) {
504	0	0					$host_enlisted{$nm} = $match if $verdict;
505	0						dbg("rules: check_uri_host_listed %s, (%s): %s, search: %s",
506							$uri, $nm, $match, join(', ',@query_keys));
507							}
508							}
509							}
510							}
511	0						$pms->{'uri_host_enlisted'} = \%host_enlisted;
512	0						return $pms->{'uri_host_enlisted'};
513							}
514
515							1;