[Minor] Add rule for forged X-Mailer: Internet Mail Service

author Anton Yuzhaninov <citrin+git@citrin.ru>

Tue, 22 Dec 2020 13:40:40 +0000 (13:40 +0000)

committer Anton Yuzhaninov <citrin+git@citrin.ru>

Tue, 22 Dec 2020 14:16:12 +0000 (14:16 +0000)
author Anton Yuzhaninov <citrin+git@citrin.ru>
Tue, 22 Dec 2020 13:40:40 +0000 (13:40 +0000)
committer Anton Yuzhaninov <citrin+git@citrin.ru>
Tue, 22 Dec 2020 14:16:12 +0000 (14:16 +0000)
diff --git a/rules/regexp/headers.lua b/rules/regexp/headers.lua

index ff16fd886abb682dd95cb14e3d027e95194bc80a..f9d613a14e48f7102564ad02500ffe7ff940800a 100644 (file)
--- a/rules/regexp/headers.lua
+++ b/rules/regexp/headers.lua
@@ -993,3 +993,18 @@ reconf['FORGED_X_MAILER'] = {
    score = 4.0,
    group = 'headers',
  }
+
+-- X-Mailer headers like: 'Internet Mail Service (5.5.2650.21)' are being
+-- forged by spammers, but MS Exachange 5.5 is still being used (in 2020) on
+-- some mail servers.  Example of genuene headers (DC-EXMPL is a hostname which
+-- can be a FQDN):
+-- Received: by DC-EXMPL with Internet Mail Service (5.5.2656.59)
+--     id <HKH4BJQX>; Tue, 8 Dec 2020 07:10:54 -0600
+-- Message-ID: <E7209F9DB64FCC4BB1051420F0E955DD05C9D59F@DC-EXMPL>
+-- X-Mailer: Internet Mail Service (5.5.2656.59)
+reconf['FORGED_IMS'] = {
+  description = 'Forged X-Mailer: Internet Mail Service',
+  re = [[X-Mailer=/^Internet Mail Service \(5\./{header} & !Received=/^by \S+ with Internet Mail Service \(5\./{header}]]
+  score = 3.0,
+  group = 'headers',
+}
author	Anton Yuzhaninov <citrin+git@citrin.ru>
	Tue, 22 Dec 2020 13:40:40 +0000 (13:40 +0000)
committer	Anton Yuzhaninov <citrin+git@citrin.ru>
	Tue, 22 Dec 2020 14:16:12 +0000 (14:16 +0000)