[Minor] Make HAS_PHPMAILER_SIG regexps more specific
authorAnton Yuzhaninov <citrin+git@citrin.ru>
Tue, 27 Apr 2021 15:23:44 +0000 (16:23 +0100)
committerAnton Yuzhaninov <citrin+git@citrin.ru>
Tue, 27 Apr 2021 15:53:22 +0000 (16:53 +0100)
Use stricter regexp to avoid false matches.

rules/regexp/compromised_hosts.lua

index 6ad2e6b93a7908c4b59179f3f1a18f7d93052ab4..97d80853e5197ab95bbaf57fb3da412abc76eab5 100644 (file)
@@ -3,7 +3,13 @@ local rspamd_regexp = require 'rspamd_regexp'
 local util = require 'rspamd_util'
 
 reconf['HAS_PHPMAILER_SIG'] = {
-  re = "X-Mailer=/^PHPMailer/Hi || Content-Type=/boundary=\"b[123]_/Hi",
+  -- PHPMailer 6.0.0 and older used hex hash in boundary:
+  -- boundary="b1_2a45d5e29f78d3408e318878b049f474"
+  -- Since 6.0.1 it uses base64 (without =+/):
+  -- boundary="b1_uBN0UPD3n6RU04VPxI54tENiDgaCGoh15l9s73oFnlM"
+  -- boundary="b1_Ez5tmpb4bSqknyUZ1B1hIvLAfR1MlspDEKGioCOXc"
+  -- https://github.com/PHPMailer/PHPMailer/blob/v6.4.0/src/PHPMailer.php#L2660
+  re = [[X-Mailer=/^PHPMailer /H || Content-Type=/boundary="b1_[0-9a-zA-Z]+"/H]],
   description = "PHPMailer signature",
   group = "compromised_hosts"
 }
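Review bot: The boundary branch of the new `re` still accepts a token of any length, because `[0-9a-zA-Z]+` matches a single character, so any other mailer that emits `boundary="b1_x"` would hit HAS_PHPMAILER_SIG. The samples in the added comment are 32 (hex), 43 and 41 (base64) characters long, so a bounded quantifier would tighten the rule further, for example `Content-Type=/boundary="b1_[0-9a-zA-Z]{30,43}"/H`. The exact lower bound should be confirmed against the linked PHPMailer source, since stripping `=+/` can shorten the base64 form. It would also help to note in the comment that dropping the `i` flag and requiring a space after `PHPMailer` in the X-Mailer branch is intentional.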