[Feature] Add rule for identifying mail sent by eval()'d PHP code

diff --git a/rules/regexp/headers.lua b/rules/regexp/headers.lua
index afd0633cd90a8e078fce3f1cfd80aa7bb80a5b6c..8f6e47ee9ba1d28df9adf8e37c7fd318a349d99a 100644 (file)
--- a/rules/regexp/headers.lua
+++ b/rules/regexp/headers.lua
@@ -434,3 +434,10 @@ reconf['FORGED_GENERIC_RECEIVED4'] =       'Received=/^\\s*(.+\\n)*from localhost by \
 reconf['FORGED_GENERIC_RECEIVED5'] = 'Received=/\\s*from \\[(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\\].*\\n(.+\\n)*\\s*from \\1 by \\S+;\\s+\\w{3}, \\d+ \\w{3} 20\\d\\d \\d\\d\\:\\d\\d\\:\\d\\d [+-]\\d\\d\\d0$/X'
 
 reconf['INVALID_POSTFIX_RECEIVED'] =   'Received=/ \\(Postfix\\) with ESMTP id [A-Z\\d]+([\\s\\r\\n]+for <\\S+?>)?;[\\s\\r\\n]*[A-Z][a-z]{2}, \\d{1,2} [A-Z][a-z]{2} \\d\\d\\d\\d \\d\\d:\\d\\d:\\d\\d [\\+\\-]\\d\\d\\d\\d$/X'
+
+reconf['X_PHP_EVAL'] = {
+  re = "X-PHP-Originating-Script=/\\s:\\seval\\(\\)'d code$/X",
+  score = 4.0,
+  description = "Message sent by eval()'d php code",
+  group = 'header'
+}