Adjust scores and add new rules
authorSteve Freegard <steve@stevefreegard.com>
Tue, 29 Nov 2016 16:26:45 +0000 (16:26 +0000)
committerSteve Freegard <steve@stevefreegard.com>
Tue, 29 Nov 2016 16:26:45 +0000 (16:26 +0000)
rules/mid.lua
rules/misc.lua
rules/regexp/compromised_hosts.lua
rules/regexp/headers.lua

index 6037ccf1299bfb40d7ec7396c025115f878891cf..08ccaf04abf8815f8bf85012fbfb4974966f7d04 100644 (file)
@@ -63,4 +63,4 @@ rspamd_config:set_metric_symbol('MID_RHS_IP_LITERAL', 0.5, 'Message-ID RHS is an
 rspamd_config:register_virtual_symbol('MID_CONTAINS_FROM', 1.0, check_mid_id)
 rspamd_config:set_metric_symbol('MID_CONTAINS_FROM', 1.0, 'Message-ID contains From address', 'default', 'Message ID')
 rspamd_config:register_virtual_symbol('MID_RHS_MATCH_FROM', 1.0, check_mid_id)
-rspamd_config:set_metric_symbol('MID_RHS_MATCH_FROM', 1.0, 'Message-ID RHS matches From domain', 'default', 'Message ID')
\ No newline at end of file
+rspamd_config:set_metric_symbol('MID_RHS_MATCH_FROM', 0.0, 'Message-ID RHS matches From domain', 'default', 'Message ID')
index f7b63d3c81b400d40d146c376f148bc48426a32d..1b1aee1afd4353b955a376f143e460527377f41c 100644 (file)
@@ -739,3 +739,25 @@ rspamd_config.PREVIOUSLY_DELIVERED = {
   score = 0.0
 }
 
+-- Requires freemail maps loaded in multimap
+local function freemail_reply_neq_from(task)
+  local frt = task:get_symbol('FREEMAIL_REPLYTO')
+  local ff  = task:get_symbol('FREEMAIL_FROM')
+  if (frt and ff and frt['options'] and ff['options'] and
+      frt['options'][1] ~= ff['options'][1])
+  then
+    return true
+  end
+  return false
+end
+
+local freemail_reply_neq_from_id = rspamd_config:register_symbol({
+  name = 'FREEMAIL_REPLYTO_NEQ_FROM_DOM',
+  type = 'callback',
+  callback = freemail_reply_neq_from,
+  description = 'Freemail From and Reply-To, but to different Freemail services',
+  score = 3.0
+})
+rspamd_config:register_dependency(freemail_reply_neq_from_id, 'FREEMAIL_REPLYTO')
+rspamd_config:register_dependency(freemail_reply_neq_from_id, 'FREEMAIL_FROM')
+
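Review bot: In `freemail_reply_neq_from` the test `frt['options'][1] ~= ff['options'][1]` also succeeds when exactly one side is nil, so a result with an empty `options` table makes the rule fire at score 3.0 although no two domains were compared. The comparison is also byte-exact, so the same freemail domain in different letter case counts as a mismatch unless the map lookup already normalises it, which is not visible in this hunk. Inside the existing guard I would bind and require both values: `local rd, fd = frt['options'][1], ff['options'][1]` followed by `if rd and fd and rd:lower() ~= fd:lower() then return true end`. It is also worth confirming that `task:get_symbol` returns a single result table rather than a list of per-metric tables; if it is a list, `frt['options']` is always nil and the rule never fires.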
index e5e6e6aec52595d003191f572b6fbf7ff46fbcb2..3cf104d23c81aea2ea2ab30be57b0062a99ae387 100644 (file)
@@ -11,7 +11,7 @@ reconf['HAS_PHPMAILER_SIG'] = {
 reconf['PHP_SCRIPT_ROOT'] = {
   re = "X-PHP-Originating-Script=/^0:/Hi",
   description = "PHP Script executed by root UID",
-  score = 2.0,
+  score = 1.0,
   group = "compromised_hosts"
 }
 
@@ -99,14 +99,12 @@ reconf['HAS_WP_URI'] = {
 reconf['WP_COMPROMISED'] = {
   re = '/\\/wp-(?:content|includes)[^\\/]+\\//Ui',
   description = "URL that is pointing to a compromised WordPress installation",
-  score = 5.0,
   group = "compromised_hosts"
 }
 
 reconf['PHP_XPS_PATTERN'] = {
   re = 'X-PHP-Script=/^[^\\. ]+\\.[^\\.\\/ ]+\\/sendmail\\.php\\b/Hi',
   description = "Message contains X-PHP-Script pattern",
-  score = 5.0,
   group = "compromised_hosts"
 }
 
index 5118a5b9b7a70f98bc8d26bbc1f80f67bef4b7bf..fdc2fb0432b407d667381c6bdfb547065b86e3f3 100644 (file)
@@ -828,7 +828,7 @@ reconf['HAS_INTERSPIRE_SIG'] = {
                      'header_exists(X-Mailer-Sent-By)',
                      'List-Unsubscribe=/\\/unsubscribe\\.php\\?M=[^&]+&C=[^&]+&L=[^&]+&N=[^>]+>$/Xi'),
   description = "Has Interspire fingerprint",
-  score = 3.0,
+  score = 1.0,
   group = 'header'
 }
 
@@ -887,3 +887,11 @@ reconf['HAS_ORG_HEADER'] = {
   score = 0.0,
   group = 'headers'
 }
+
+reconf['X_PHPOS_FAKE'] = {
+  re = 'X-PHP-Originating-Script=/^\\d{7}:/Hi',
+  description = 'Fake X-PHP-Originating-Script header',
+  score = 3.0,
+  group = 'headers'
+}
+
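Review bot: The new `X_PHPOS_FAKE` rule scores 3.0, but nothing in the hunk says why a seven-digit prefix in `X-PHP-Originating-Script` marks the header as fake, and hosts that allocate large UIDs could presumably emit seven digits legitimately. A comment above the table would make the rule auditable, for example `-- PHP writes "<uid>:<script>"; <why exactly 7 digits indicates a forged header>`. The `i` flag has no effect on `/^\\d{7}:/` and can be dropped. Since `PHP_SCRIPT_ROOT` in rules/regexp/compromised_hosts.lua matches the same header under group "compromised_hosts", it is worth deciding whether this rule belongs in that file and group rather than in 'headers'.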