From: Andrew Lewis Date: Fri, 19 Aug 2016 14:57:58 +0000 (+0200) Subject: [Feature] Add rule for identifying mail sent by eval()'d PHP code X-Git-Tag: 1.3.4~21^2 X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=refs%2Fpull%2F864%2Fhead;p=rspamd.git [Feature] Add rule for identifying mail sent by eval()'d PHP code
---
diff --git a/rules/regexp/headers.lua b/rules/regexp/headers.lua
index afd0633cd..8f6e47ee9 100644
--- a/rules/regexp/headers.lua
+++ b/rules/regexp/headers.lua
@@ -434,3 +434,10 @@ reconf['FORGED_GENERIC_RECEIVED4'] = 'Received=/^\\s*(.+\\n)*from localhost by \
 reconf['FORGED_GENERIC_RECEIVED5'] = 'Received=/\\s*from \\[(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\\].*\\n(.+\\n)*\\s*from \\1 by \\S+;\\s+\\w{3}, \\d+ \\w{3} 20\\d\\d \\d\\d\\:\\d\\d\\:\\d\\d [+-]\\d\\d\\d0$/X'
 reconf['INVALID_POSTFIX_RECEIVED'] = 'Received=/ \\(Postfix\\) with ESMTP id [A-Z\\d]+([\\s\\r\\n]+for <\\S+?>)?;[\\s\\r\\n]*[A-Z][a-z]{2}, \\d{1,2} [A-Z][a-z]{2} \\d\\d\\d\\d \\d\\d:\\d\\d:\\d\\d [\\+\\-]\\d\\d\\d\\d$/X'
+
+reconf['X_PHP_EVAL'] = {
+ re = "X-PHP-Originating-Script=/\\s:\\seval\\(\\)'d code$/X",
+ score = 4.0,
+ description = "Message sent by eval()'d php code",
+ group = 'header'
+}
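Review bot: The new `X_PHP_EVAL` entry puts a 4.0 weight on a single header, with no comment saying where that header comes from or how far its value can be trusted. `X-PHP-Originating-Script` is written by the sending host's PHP `mail()` when `mail.add_x_header` is enabled, so the rule only sees hosts that expose it, and the value is whatever the sending side supplies. I would add a comment above the table such as `-- X-PHP-Originating-Script is added by PHP mail() (mail.add_x_header); a value ending in " : eval()'d code" means mail() was called from eval()'d code, as injected mailer scripts commonly do`. The score may also be worth revisiting if legitimate applications that eval() templates or plugins turn out to trigger it; nothing in the hunk shows it was measured against ham.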