# # SpamAssassin SNF4SA Plugin for SNFServer. # # This plugin implements a SpamAssassin rule to use SNFServer to test # whether an email is spam. # # Copyright (C) 2009 ARM Research Labs, LLC. # # snf4sa.pm # # The plugin implements a single evaluation rule, which passes the # email message through SNFServer. The communication with SNFServer # is through XCI and a temporary file on disk which contains the email # message truncated to the frist 64K bytes. # package Snf4sa; use strict; use Mail::SpamAssassin; use Mail::SpamAssassin::Plugin; use Mail::SpamAssassin::PerMsgStatus; use Mail::SpamAssassin::Logger; use IO::Socket; use IO::File; use File::Temp qw/ tempfile tempdir /; our @ISA = qw(Mail::SpamAssassin::Plugin); # Convenience variables and pseudo-constants my $CRLF = "\x0d\x0a"; # translation table for SNF rule codes my $rule_code_xlat = { 0 => 'Standard White Rules', 20 => 'GBUdb Truncate (superblack)', 40 => 'GBUdb Caution (suspicious)', 47 => 'Travel', 48 => 'Insurance', 49 => 'Antivirus Push', 50 => 'Media Theft', 51 => 'Spamware', 52 => 'Snake Oil', 53 => 'Scam Patterns', 54 => 'Porn/Adult', 55 => 'Malware & Scumware Greetings', 56 => 'Ink & Toner', 57 => 'Get Rich', 58 => 'Debt & Credit', 59 => 'Casinos & Gambling', 60 => 'Ungrouped Black Rules', 61 => 'Experimental Abstract', 62 => 'Obfuscation Techniques', 63 => 'Experimental Received [ip]', }; sub new { my ($class, $mailsa) = @_; $class = ref($class) || $class; my $self = $class->SUPER::new($mailsa); bless ($self, $class); # Name of evaluation rule. $self->register_eval_rule ("snf4sa_sacheck"); # Use localhost. $self->{SNF_Host} = "localhost"; # Use default port. $self->{SNF_Port} = 9001; # Timeout. $self->{SNF_Timeout} = 1; # Directory for files containing emails read by SNFServer. $self->{Temp_Dir} = 'C:\\TEMP\\SNF4SA'; # Maximum email message size (including headers). $self->{SNF_MaxTempFileSize} = 64 * 1024; # Key for confidence in mail header inserted by SNFServer. $self->{GBUdb_ConfidenceKey} = "c="; # Key for probability in mail header inserted by SNFServer. $self->{GBUdb_ProbabilityKey} = "p="; # Key for GBUdb maximum weight in the configuration file. $self->{GBUdb_MaxWeightKey} = "gbudb_max_weight"; # Key for SNFServer code in configuration file. $self->{SNF_CodeKey} = "snf_result"; # Key for SA score increment in configuration file. $self->{SA_DeltaScoreKey} = "sa_score"; # Key for short circuit in configuration file. $self->{SA_ShortCircuitYesKey} = "short_circuit_yes"; # Key for no short circuit in configuration file. $self->{SA_ShortCircuitNoKey} = "short_circuit_no"; # Key for plugin score threshold in the configuration file. $self->{Plugin_score_thresholdKey} = "pre_3.2_plugin_score_threshold"; return $self; } # DEBUG/TEST. #sub extract_metadata { # # my ($self, $opts) = @_; # # print "***********************\n"; # print "extract_metadata called\n"; # print "***********************\n"; # # $opts->{msg}->put_metadata("X-Extract-Metadata:", "Test header"); # #} # END OF DEBUG/TEST. sub have_shortcircuited { my ($self, $options) = @_; if (defined($options->{permsgstatus}->{shortCircuit})) { return $options->{permsgstatus}->{shortCircuit}; } return 0; } sub parse_config { my ($self, $options) = @_; # DEBUG. #print "parse_confg. key: $options->{key}\n"; #print "parse_config. line: $options->{line}\n"; #print "parse_config. value: $options->{value}\n"; #END OF DEBUG. # Process GBUdb_max_weight. if (lc($options->{key}) eq $self->{GBUdb_MaxWeightKey}) { # GBUdb maximum weight. my $tempValue = $options->{value}; # Test that the value was a number. #$self->log_debug("Found $self->{GBUdb_MaxWeightKey} . " value: $options->{value}, tempValue: $tempValue\n"; # DEBUG. if ($tempValue =~ /^([+-]?)(?=\d|\.\d)\d*(\.\d*)?([Ee]([+-]?\d+))?$/) { # Value was a number. Load and return success. $options->{conf}->{gbuDbMaxWeight} = $tempValue; $self->inhibit_further_callbacks(); return 1; } else { $self->log_debug("Invalid value for $self->{GBUdb_MaxWeightKey} " . $tempValue); } } elsif (lc($options->{key}) eq $self->{Plugin_score_thresholdKey}) { # Plugin score threshold. my $tempValue = $options->{value}; # Test that the value was a number. #print "Found $self->{Plugin_score_thresholdKey} value: $options->{value}\n"; # DEBUG. if ($tempValue =~ /^([+-]?)(?=\d|\.\d)\d*(\.\d*)?([Ee]([+-]?\d+))?$/) { # Value was a number. Load and return success. $options->{conf}->{pluginScoreThreshold} = $tempValue; $self->inhibit_further_callbacks(); return 1; } else { $self->log_debug("Invalid value for $self->{Plugin_score_thresholdKey} " . $tempValue); } } elsif (lc($options->{key}) eq $self->{SNF_CodeKey}) { # Relationship between SNFServer code and SA score delta. my $snf = $self->parse_snf_sa_mapping($options); if (defined($snf)) { my @snfCode = @{$snf->{snfCode}}; #print "snf->{snfCode}: @snfCode\n"; # DEBUG. #print "snf->{deltaScore}: $snf->{deltaScore}\n"; # DEBUG. #print "snf->{shortCircuit}: $snf->{shortCircuit}\n"; # DEBUG. # Save configuration. foreach my $i (@{$snf->{snfCode}}) { # Create (or update) an element in the mapping array # that snfSaMapping is a reference to. $options->{conf}->{snfSaMapping}->[$i] = { deltaScore => $snf->{deltaScore}, shortCircuit => $snf->{shortCircuit} }; } # DEBUG. #for (my $i = 0; $i < @{$options->{conf}->{snfSaMapping}}; $i++) { # if (! defined($options->{conf}->{snfSaMapping}->[$i])) { # print "No configuration for SNFServer code $i\n"; # next; # } # print "SNFServer code: $i, " . # "deltaScore: " . # "$options->{conf}->{snfSaMapping}->[$i]->{deltaScore}, " . # "shortCircuit: " . # "$options->{conf}->{snfSaMapping}->[$i]->{shortCircuit}\n"; #} # END OF DEBUG. # Successfully parsed. $self->inhibit_further_callbacks(); return 1; } } # Wasn't handled. return 0; } # Parse a snf_result configuration line. # # Input-- # # $line--String containing the snf_result line without the first word. # # Returns a reference with the following fields (if no error)-- # # snfCode--Array of SNFServer result codes that this configuration # line specifies. # # deltaScore--SA score increment for the codes in @snfCode. # # shortCircuit--True if a SNFServer code in @snfCode is to # short-circuit the message scan, false otherwise. # # If the line cannot be parsed, the return value is undef. # sub parse_snf_sa_mapping { my ($self, $options) = @_; my $value = $options->{value}; my $ret_hash = { snfCode => undef, deltaScore => undef, shortCircuit => undef }; # SNFServer codes found. my @snfCode = (); # Remove leading and trailing whitespace. $value =~ s/^\s+//; $value =~ s/\s+$//; # Convert to lower case. $value = lc($value); # Split up by white space. my @specVal = split(/\s+/, $value); if (0 == @specVal) { # No separate words. $self->log_debug("No separate words found in configuration line '" . $options->{line} . "'"); return undef; } # Convert each SNFServer result specification into an integer. my $lastSpec; for ($lastSpec = 0; $lastSpec < @specVal; $lastSpec++) { # Check for next keyword. if ($specVal[$lastSpec] eq $self->{SA_DeltaScoreKey}) { # We've completed the processing of the SNFServer result # codes. last; } # Get the code values. my @codeVal = $self->get_code_values($specVal[$lastSpec]); if (0 == @codeVal) { # No code values were obtained. $self->log_debug("Couldn't parse all the SNFServer code values " . "in configuration line '" . $options->{line} . "'"); return undef; } # Add to the list of codes. @snfCode = (@snfCode, @codeVal); } # Sort the SNFServer result codes and remove duplicates. @snfCode = sort { $a <=> $b } @snfCode; my $prev = -1; my @temp = grep($_ != $prev && (($prev) = $_), @snfCode); $ret_hash->{snfCode} = \@temp; # The $specVal[$lastSpec] is $self->{SA_DeltaScoreKey}. Return if # there aren't enough parameters. $lastSpec++; if ($lastSpec >= @specVal) { # Not enough parameters. $self->log_debug("Not enough parameters in configuration line '" . $options->{line} . "'"); return undef; } # Extract the SA delta score. $ret_hash->{deltaScore} = $specVal[$lastSpec]; if (!($ret_hash->{deltaScore} =~ /^([+-]?)(?=\d|\.\d)\d*(\.\d*)?([Ee]([+-]?\d+))?$/)) { # SA delta score isn't a number. $self->log_debug("Value after '" . $self->{SA_DeltaScoreKey} . "' ($specVal[$lastSpec]) must be a number " . "in configuration line '" . $options->{line} . "'"); return undef; } # Get short circuit spec. $lastSpec++; $ret_hash->{shortCircuit} = 0; if ( ($lastSpec + 1) == @specVal) { # A parameter was specified. my $shortCircuitSpec = $specVal[$lastSpec]; if ($self->{SA_ShortCircuitYesKey} eq $shortCircuitSpec) { # Specified short-circuit evaluation. $ret_hash->{shortCircuit} = 1; } elsif ($self->{SA_ShortCircuitNoKey} ne $shortCircuitSpec) { # Invalid short-circuit specification. $self->log_debug("Invalid short-circuit specification: '" . $specVal[$lastSpec] . "' in configuration line '" . $options->{line} . "'. Must be '$self->{SA_ShortCircuitYesKey}' " . " or '$self->{SA_ShortCircuitNoKey}'."); return undef; } } elsif ($lastSpec != @specVal) { # Too many parameters were specified. $self->log_debug("Too many parameters were specified in " . "configuration line '" . $options->{line} . "'"); return undef; } return $ret_hash; } sub get_code_values { my ($self, $specElement) = @_; my @snfCode = (); # Split the specification. my @codeVal = split(/-/, $specElement); if (1 == @codeVal) { if ($specElement =~ /^\d+$/) { # Found a single code. $snfCode[0] = 1 * $specElement; } } elsif (2 == @codeVal) { # Check range. if ( ($codeVal[0] =~ /^\d+$/) && ($codeVal[1] =~ /^\d+$/) ) { # Found a range of codes. $codeVal[0] = 1 * $codeVal[0]; $codeVal[1] = 1 * $codeVal[1]; if ($codeVal[0] <= $codeVal[1]) { # Add these SNF codes. for (my $i = $codeVal[0]; $i <= $codeVal[1]; $i++) { push(@snfCode, $i); } } } } return @snfCode; } # Output a debug message. # # Input-- # # $message--String containing the message to output. # sub log_debug { my ($self, $message) = @_; dbg("snf4sa: $message"); } # Check the message with SNFServer. sub snf4sa_sacheck { my ($self, $permsgstatus, $fulltext) = @_; my $response =''; my $exitvalue; # Make sure we have a temp dir unless(-d $self->{Temp_Dir}) { mkdir($self->{Temp_Dir}); chmod(0777, $self->{Temp_Dir}); }; # Truncate the message. my $mailtext = substr( ${$fulltext}, 0, $self->{SNF_MaxTempFileSize}); # create our temp file, $filename will contain the full path my ($fh, $filename) = tempfile( DIR => $self->{Temp_Dir} ); # spew our mail into the temp file my $SNF_fh = IO::File->new( $filename, "w" ) || die(__PACKAGE__ . ": Unable to create temporary file '" . $filename . "'"); $SNF_fh->print($mailtext) || $self->cleanup_die($filename, __PACKAGE__ . ": Unable to write to temporary file '" . $filename . "'"); $SNF_fh->close || $self->cleanup_die($filename, __PACKAGE__ . ": Unable to close temporary file '" . $filename . "'"); # Change permissions. my $cnt = chmod(0666, $filename) || $self->cleanup_die($filename, __PACKAGE__ . ": Unable to change permissions of temporary file '" . $filename . "'"); # xci_scan connects to SNFServer with XCI to scan the message my $SNF_XCI_Return = $self->xci_scan( $filename ); #print "header:\n\n$SNF_XCI_Return->{header}\n\n"; # DEBUG # Remove the temp file, we are done with it. unlink($filename); # Check response from SNFServer. if (! $SNF_XCI_Return ) { die(__PACKAGE__ . ": Internal error"); } # Check for success. if (! $SNF_XCI_Return->{"success"}) { die(__PACKAGE__ . ": Error from SNFServer: " . $SNF_XCI_Return->{"message"}); } # get the return code and translation my ( $rc, $rcx ) = ( $SNF_XCI_Return->{"code"}, $rule_code_xlat->{ $SNF_XCI_Return->{"code"} } ); $rc = -1 unless defined $rc; # default values $rcx = 'Unknown' unless $rcx; my $rch = $SNF_XCI_Return->{"header"}; # the SNF header(s) # DEBUG. # for (my $i = 0; $i < @{$permsgstatus->{main}->{conf}->{snfSaMapping}}; $i++) { # if (! defined($permsgstatus->{main}->{conf}->{snfSaMapping}->[$i])) { # print "No configuration for SNFServer code $i\n"; # next; # } # print "SNFServer code: $i, " . # "deltaScore: " . # "$permsgstatus->{main}->{conf}->{snfSaMapping}->[$i]->{deltaScore}, " . # "shortCircuit: " . # "$permsgstatus->{main}->{conf}->{snfSaMapping}->[$i]->{shortCircuit}\n"; # } # END OF DEBUG. # Initialize the change in the SA score. my $deltaScore = 0.0; # Add the score from the SNFServer return. if (defined($permsgstatus->{main}->{conf}->{snfSaMapping}->[$rc])) { $deltaScore += $permsgstatus->{main}->{conf}->{snfSaMapping}->[$rc]->{deltaScore}; $permsgstatus->{shortCircuit} = $permsgstatus->{main}->{conf}->{snfSaMapping}->[$rc]->{shortCircuit}; } # Perform GBUdb processing. if (defined($permsgstatus->{main}->{conf}->{gbuDbMaxWeight})) { #print "gbudbMaxWeight: $permsgstatus->{main}->{conf}->{gbuDbMaxWeight}\n\n"; # DEBUG. # Calculate the contribution to the scrore from the GBUdb results. $deltaScore += $self->calc_GBUdb($SNF_XCI_Return->{header}, $permsgstatus->{main}->{conf}->{gbuDbMaxWeight}); } # Add the headers. $permsgstatus->set_tag("SNFRESULTTAG", "$rc ($rcx)"); $permsgstatus->set_tag("SNFMESSAGESNIFFERSCANRESULT", $self->extract_header_body($SNF_XCI_Return->{header}, "X-MessageSniffer-Scan-Result")); $permsgstatus->set_tag("SNFMESSAGESNIFFERRULES", $self->extract_header_body($SNF_XCI_Return->{header}, "X-MessageSniffer-Rules")); $permsgstatus->set_tag("SNFGBUDBANALYSIS", $self->extract_header_body($SNF_XCI_Return->{header}, "X-GBUdb-Analysis")); # If dynamic scoring isn't supported, this rule fires if the score is # above the threshold. if (Mail::SpamAssassin::Version() le "3.2.0") { my $pluginScoreThreshold = 2.5; # Default value. if (defined($permsgstatus->{main}->{conf}->{pluginScoreThreshold})) { $pluginScoreThreshold = $permsgstatus->{main}->{conf}->{pluginScoreThreshold}; } #print "Before comparison. pluginScoreThreshold: $pluginScoreThreshold deltaScore: $deltaScore\n"; # DEBUG if ($deltaScore < $pluginScoreThreshold) { $deltaScore = 0.0; } } # print "After comparison. deltaScore: $deltaScore\n"; # DEBUG # Submit the score. if ($deltaScore) { $permsgstatus->got_hit("SNF4SA", "", score => $deltaScore); for my $set (0..3) { $permsgstatus->{conf}->{scoreset}->[$set]->{"SNF4SA"} = sprintf("%0.3f", $deltaScore); } } # Always return zero, since the score was submitted via got_hit() # above. return 0; } # Calculate the contribution of the GBUdb scan to the SA score. # # Input-- # # $headers--String containing the headers. # # $weight--Weight used to calculate the contribution. # # Returns the contribution to the SA score (float). # sub calc_GBUdb { my ( $self, $headers, $weight ) = @_; # Split the header into lines. my @headerLine = split(/\n/, $headers); # Find the line containing the GBUdb results. my $line; foreach $line (@headerLine) { # Search for the tag. if ($line =~ /^X-GBUdb-Analysis:/) { # GBUdb analysis was done. Extract the values. my $ind0 = index($line, $self->{GBUdb_ConfidenceKey}); my $ind1 = index($line, " ", $ind0 + 2); if (-1 == $ind0) { return 0.0; } my $c = 1.0 * substr($line, $ind0 + 2, $ind1 - $ind0 - 2); #print "calc_GBUdb. line: $line\n"; # DEBUG #print "calc_GBUdb. c: $c, ind0: $ind0, ind1: $ind1\n"; # DEBUG $ind0 = index($line, $self->{GBUdb_ProbabilityKey}); $ind1 = index($line, " ", $ind0 + 2); if (-1 == $ind0) { return 0.0; } my $p = 1.0 * substr($line, $ind0 + 2, $ind1 - $ind0 - 2); #print "calc_GBUdb. p: $p, ind0: $ind0, ind1: $ind1\n"; # DEBUG # Calculate and return the score. my $score = abs($p * $c) ** 0.5; $score *= $weight; if ($p < 0.0) { $score *= -1.0; } # DEBUG. #print "calc_GBUdb. p: $p, c: $c, weight: $weight\n"; #print "calc_GBUdb. score: $score\n"; # END OF DEBUG. return $score; } } } # Extract the specified header body from a string containing all the # headers. # # Input-- # # $headers--String containing the headers. # # $head--String containing the head of the header to extract. # # Returns the body of the header. # sub extract_header_body { my ( $self, $headers, $head ) = @_; my $body = ""; if ($headers =~ /$head:(.*)/s) { my $temp = $1; $temp =~ /(.*)\nX-(.*)/s; $body = $1; } return $body; } # xci_scan( $file ) # returns hashref: # success : true/false # code : response code from SNF # message : scalar message (if any) sub xci_scan { my ( $self, $file ) = @_; return undef unless $self and $file; my $ret_hash = { success => undef, code => undef, message => undef, header => undef, xml => undef }; my $xci = $self->connect_socket( $self->{SNF_Host}, $self->{SNF_Port} ) or return $self->err_hash("cannot connect to socket ($!)"); $xci->print("\n"); my $rc = $ret_hash->{xml} = $self->socket_response($xci, $file); $xci->close; if ( $rc =~ /^/ ) { $ret_hash->{success} = 1; $ret_hash->{code} = $1; $rc =~ /(.*)<\/xhdr>/s and $ret_hash->{header} = $1; } elsif ( $rc =~ /^{message} = $1; } else { $ret_hash->{message} = "unknown XCI response: $rc"; } return $ret_hash; } # connect_socket( $host, $port ) # returns IO::Socket handle sub connect_socket { my ( $self, $host, $port ) = @_; return undef unless $self and $host and $port; my $protoname = 'tcp'; # Proto should default to tcp but it's not expensive to specify $self->{XCI_Socket} = IO::Socket::INET->new( PeerAddr => $host, PeerPort => $port, Proto => $protoname, Timeout => $self->{SNF_Timeout} ) or return undef; $self->{XCI_Socket}->autoflush(1); # make sure autoflush is on -- legacy return $self->{XCI_Socket}; # return the socket handle } # socket_response( $socket_handle ) # returns scalar string sub socket_response { my ( $self, $rs, $file ) = @_; my $buf = ''; # buffer for response # blocking timeout for servers who accept but don't answer eval { local $SIG{ALRM} = sub { die "timeout\n" }; # set up the interrupt alarm $self->{SNF_Timeout}; # set up the alarm while (<$rs>) { # read the socket $buf .= $_; } alarm 0; # reset the alarm }; # report a blocking timeout if ( $@ eq "timeout\n" ) { $self->cleanup_die($file, __PACKAGE__ . ": Timeout waiting for response from SNFServer"); } elsif ( $@ =~ /alarm.*unimplemented/ ) { # no signals on Win32 while (<$rs>) { # get whatever's left # in the socket. $buf .= $_; } } return $buf; } # return an error message for xci_scan sub err_hash { my ( $self, $message ) = @_; return { success => undef, code => undef, message => $message }; } sub cleanup_die { my ( $self, $file, $message ) = @_; unlink($file); die($message); } 1;