From 137b08a00bf67f186f4903d70fd28fff2c5676e9 Mon Sep 17 00:00:00 2001
From: Andrew Lewis
Date: Wed, 9 Nov 2016 15:20:34 +0200
Subject: [PATCH] [Feature] Rule to detect some obvious X-PHP-Originating-Script forgeries

---
 rules/regexp/headers.lua | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/rules/regexp/headers.lua b/rules/regexp/headers.lua
index 6b43c2f05..56f710650 100644
--- a/rules/regexp/headers.lua
+++ b/rules/regexp/headers.lua
@@ -790,6 +790,13 @@ reconf['X_PHP_EVAL'] = {
 group = 'header'
 }
 
+reconf['X_PHP_FORGED_0X'] = {
+ re = "X-PHP-Originating-Script=/^0\\d/X",
+ score = 4.0,
+ description = "X-PHP-Originating-Script header appears forged",
+ group = 'header'
+}
+
 reconf['GOOGLE_FORWARDING_MID_MISSING'] = {
 re = "Message-ID=/SMTPIN_ADDED_MISSING\\@mx\\.google\\.com>$/X",
 score = 2.5,
-- 
2.39.5
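Review bot: The new `X_PHP_FORGED_0X` table does not record why `^0\\d` indicates a forgery, and the description ("appears forged") gives a maintainer nothing to check the pattern against. As far as I know PHP writes this header as `<uid>:<script name>` with the uid printed unpadded, so a legitimate root value is `0:script.php` and a value starting with `0` followed by another digit should not come from PHP itself. I would put that above the table, e.g. `-- PHP emits "<uid>:<script>" with an unpadded uid; "0" followed by a digit is not a value PHP generates`. Separately, `score = 4.0` is well above the 2.5 of the neighbouring rule visible in this hunk, for a match on two characters of a sender-controlled header. It is worth confirming the false-positive rate against a ham corpus, or stating the basis for the weight in the same comment.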