
[Rules] Added rules for detecting likely malware

Open fatalbanana opened this issue 1 year ago • 3 comments

  • Punish exe-laden archives in general
  • Harsh punishment for exe-laden archives with suspicious filenames or subjects
  • Harsh punishment for fantastically well compressed UDF images
  • Punish misidentified RARs & misidentified RARs bearing executables

fatalbanana avatar May 23 '24 10:05 fatalbanana
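The four heuristics in the description, expressed in plain Python over constructed attachments. This is an added illustration and not code from the PR or from rspamd (whose rules are Lua and use its own archive parser); the magic bytes are real, but the extension lists, keyword list, the 50:1 compression threshold and the flag names are assumptions for the demo.

```python
"""Added illustration of the PR's heuristics, not the PR's own rules."""
import io
import zipfile

# Container signatures (real): RAR 4 and RAR 5 both begin with this prefix.
RAR_MAGIC = b"Rar!\x1a\x07"
ZIP_MAGIC = b"PK\x03\x04"

EXEC_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd"}   # assumed list
IMAGE_EXTENSIONS = {"img", "iso", "udf"}                         # assumed list
SUSPICIOUS_WORDS = {"invoice", "payment", "urgent"}              # constructed list
HIGH_RATIO = 50.0                                                 # assumed threshold


def sniff_container(data: bytes):
    """Identify the container by magic bytes, ignoring the filename."""
    if data.startswith(RAR_MAGIC):
        return "rar"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return None


def extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def zip_members(data: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.infolist()


def score_attachment(filename: str, data: bytes, subject: str = "") -> set:
    """Return the set of heuristic flags that fire for one attachment."""
    flags = set()
    kind = sniff_container(data)
    if kind == "rar":
        # "Misidentified RAR": real RAR content under a non-.rar name.
        if extension(filename) != "rar":
            flags.add("MISIDENTIFIED_RAR")
        # Member listing for RAR is omitted: the stdlib has no RAR reader.
        return flags
    if kind != "zip":
        return flags
    members = zip_members(data)
    exes = [m.filename for m in members if extension(m.filename) in EXEC_EXTENSIONS]
    if exes:
        flags.add("ARCHIVE_WITH_EXE")
        # Harsher flag when the attachment name, subject or member name looks like a lure.
        text = " ".join([filename, subject] + exes).lower()
        if any(w in text for w in SUSPICIOUS_WORDS):
            flags.add("ARCHIVE_WITH_EXE_SUSPICIOUS")
    for m in members:
        # "Fantastically well compressed" image: uncompressed/compressed ratio above threshold.
        if extension(m.filename) in IMAGE_EXTENSIONS and m.compress_size > 0:
            if m.file_size / m.compress_size > HIGH_RATIO:
                flags.add("HIGHLY_COMPRESSED_IMAGE")
    return flags


def build_zip(entries: dict) -> bytes:
    """Build an in-memory DEFLATE zip from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: an exe-laden zip, a zip holding an all-zero disk image,
# and a RAR5 signature with padding sitting under a .zip filename.
SAMPLE_EXE_ZIP = build_zip({"readme.txt": b"hello", "Invoice_2024.exe": bytes(range(256)) * 8})
SAMPLE_IMAGE_ZIP = build_zip({"disk.img": b"\x00" * 1_000_000})
SAMPLE_FAKE_RAR = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16

if __name__ == "__main__":
    print(score_attachment("order.zip", SAMPLE_EXE_ZIP, subject="Urgent payment"))
    print(score_attachment("backup.zip", SAMPLE_IMAGE_ZIP))
    print(score_attachment("report.zip", SAMPLE_FAKE_RAR))
```

The flags are kept separate so that, as the thread suggests, a policy layer can combine them (for example only escalating an exe-in-archive hit when a name or subject keyword also matches) rather than punishing every archive that carries an executable.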

@moisseev @dragoangel I would appreciate it if you took a quick look at this.

vstakhov avatar May 23 '24 10:05 vstakhov

I wouldn't punish *.exe files in archives as they are supposed to be there unless they (or the email containing them) have suspicious signs.

moisseev avatar May 23 '24 11:05 moisseev

Hi @vstakhov @fatalbanana , my view on this:

  1. I join @moisseev in saying that we should not punish .exe and other things, as I assume most administrators already ban such files via mime_types.lua or multimaps with a prefilter. Maybe this module will be okay for people who want to accept exes or img, but I am not sure if naming is enough to ban an exe; this is too dynamic a thing. Compressed img - the same: isn't it better to just block it and that's all? Usually "valid" img files take more than 100mb, which is not a valid file to be transferred over email, correct me if I'm wrong? Malware can skip compressing the img at all, but greatly obfuscate and compress the malware itself. Plus there are more extensions that are used for the same thing: dmg & iso at minimum. I saw them in spam campaigns and blocked them at mime_types.lua.
  2. About misidentified RARs - a nice thing, but if we can detect in Rspamd mime_types.lua the extensions inside such archives, I think it is better to still punish exec (or other extensions listed in mime_types.lua) by creating a composite based on symbols from this module & the mime_types.lua one. Maybe I missed something and this is not possible, but it looks more optimal.

dragoangel avatar May 23 '24 19:05 dragoangel