From: Anton Yuzhaninov Date: Tue, 22 Dec 2020 13:40:40 +0000 (+0000) Subject: [Minor] Add rule for forged X-Mailer: Internet Mail Service X-Git-Tag: 2.7~47^2 X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=38d347e23eee471bf19e78804fb0b15382c5a776;p=rspamd.git [Minor] Add rule for forged X-Mailer: Internet Mail Service
---
diff --git a/rules/regexp/headers.lua b/rules/regexp/headers.lua
index ff16fd886..f9d613a14 100644
--- a/rules/regexp/headers.lua
+++ b/rules/regexp/headers.lua
@@ -993,3 +993,18 @@ reconf['FORGED_X_MAILER'] = {
 score = 4.0,
 group = 'headers',
 }
+
+-- X-Mailer headers like: 'Internet Mail Service (5.5.2650.21)' are being
+-- forged by spammers, but MS Exachange 5.5 is still being used (in 2020) on
+-- some mail servers. Example of genuene headers (DC-EXMPL is a hostname which
+-- can be a FQDN):
+-- Received: by DC-EXMPL with Internet Mail Service (5.5.2656.59)
+-- id ; Tue, 8 Dec 2020 07:10:54 -0600
+-- Message-ID:
+-- X-Mailer: Internet Mail Service (5.5.2656.59)
+reconf['FORGED_IMS'] = {
+ description = 'Forged X-Mailer: Internet Mail Service',
+ re = [[X-Mailer=/^Internet Mail Service \(5\./{header} & !Received=/^by \S+ with Internet Mail Service \(5\./{header}]]
+ score = 3.0,
+ group = 'headers',
+}
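Review bot: The `re = [[...]]` field in the new `FORGED_IMS` table has no trailing comma before `score = 3.0,`, so the table constructor is not valid Lua as shown and the rules file would presumably fail to load; the line should end with `{header}]],`. Separately, the exemption is satisfied by any `Received` header that matches the pattern, not only one added by a relay the scanner trusts, so the rule cannot tell a genuine Exchange 5.5 hop from a message whose sender supplied both headers. A one-line comment above the rule stating that limit would help whoever tunes the 3.0 score later, for example `-- Only checks that some Received header mentions IMS 5.x; it is not tied to a trusted hop.` The explanatory comment block also has two typos, 'Exachange' and 'genuene'.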