[Feature] Rule to detect some obvious X-PHP-Originating-Script forgeries

author Andrew Lewis <nerf@judo.za.org>

Wed, 9 Nov 2016 13:20:34 +0000 (15:20 +0200)

committer Andrew Lewis <nerf@judo.za.org>

Wed, 9 Nov 2016 13:29:04 +0000 (15:29 +0200)
author Andrew Lewis <nerf@judo.za.org>
Wed, 9 Nov 2016 13:20:34 +0000 (15:20 +0200)
committer Andrew Lewis <nerf@judo.za.org>
Wed, 9 Nov 2016 13:29:04 +0000 (15:29 +0200)
diff --git a/rules/regexp/headers.lua b/rules/regexp/headers.lua

index 6b43c2f05903ce43cf148e30f36ff00017335346..56f71065003376312e26a3319683d7935b64b9e5 100644 (file)
--- a/rules/regexp/headers.lua
+++ b/rules/regexp/headers.lua
@@ -790,6 +790,13 @@ reconf['X_PHP_EVAL'] = {
    group = 'header'
  }
  
+reconf['X_PHP_FORGED_0X'] = {
+  re = "X-PHP-Originating-Script=/^0\\d/X",
+  score = 4.0,
+  description = "X-PHP-Originating-Script header appears forged",
+  group = 'header'
+}
+
  reconf['GOOGLE_FORWARDING_MID_MISSING'] = {
    re = "Message-ID=/SMTPIN_ADDED_MISSING\\@mx\\.google\\.com>$/X",
    score = 2.5,
author	Andrew Lewis <nerf@judo.za.org>
	Wed, 9 Nov 2016 13:20:34 +0000 (15:20 +0200)
committer	Andrew Lewis <nerf@judo.za.org>
	Wed, 9 Nov 2016 13:29:04 +0000 (15:29 +0200)