From 7c00342f851748426b799493e9f0f310d7ec2515 Mon Sep 17 00:00:00 2001 From: Anton Yuzhaninov Date: Sat, 22 May 2021 15:13:08 +0100 Subject: [PATCH] [Rules] Extend FORGED_X_MAILER Match in FORGED_X_MAILER fake iPhone Mail header with a random string in place of iOS build number, e. g. iPhone Mail (WKN0M) --- rules/regexp/headers.lua | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/rules/regexp/headers.lua b/rules/regexp/headers.lua index a9ab6c975..26762b06e 100644 --- a/rules/regexp/headers.lua +++ b/rules/regexp/headers.lua @@ -983,14 +983,21 @@ local bad_x_mailers = { -- Mozilla Thunderbird 1.0.2 (Windows/20050317) -- Thunderbird 2.0.0.23 (X11/20090812) [[(?:Mozilla )?Thunderbird \d]], - -- Was used by Yahoo Groups in 2000s + -- Was used by Yahoo Groups in 2000s, no one expected to use this in 2020s [[eGroups Message Poster]], + -- Regexp for genuene iOS X-Mailer is below, anything which doesn't match it, + -- but starts with 'iPhone Mail' or 'iPad Mail' is likely fake + [[i(?:Phone|Pad) Mail]], } +-- Apple iPhone/iPad Mail X-Mailer contains iOS build number, e. g. 9B206, 16H5, 18G5023c +-- https://en.wikipedia.org/wiki/IOS_version_history +local apple_ios_x_mailer = [[i(?:Phone|Pad) Mail \((?:1[AC]|[34][AB]|5[ABCFGH]|7[A-E]|8[ABCEFGHJKL]|9[AB]|\d{2}[A-Z])\d+[a-z]?\)]] reconf['FORGED_X_MAILER'] = { description = 'Forged X-Mailer header', - re = string.format('X-Mailer=/^(?:%s)/{header}', table.concat(bad_x_mailers, '|')), - score = 4.0, + re = string.format('X-Mailer=/^(?:%s)/{header} && !X-Mailer=/^%s/{header}', + table.concat(bad_x_mailers, '|'), apple_ios_x_mailer), + score = 4.5, group = 'headers', } -- 2.39.5
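Review bot: The genuine-iOS exclusion `!X-Mailer=/^%s/{header}` is only prefix-anchored, so a value such as `iPhone Mail (16H5) WKN0M` or `iPhone Mail (16H5)(junk)` is still treated as genuine and escapes the rule, even though the commit's own comment says the header ends at the build number's closing parenthesis. Anchoring the allow-pattern at both ends, `'X-Mailer=/^(?:%s)/{header} && !X-Mailer=/^%s$/{header}'`, closes that gap; whether rspamd trims trailing whitespace from the header value before matching is not visible here, so confirm that a trailing space does not then flag real iPhones. The pattern also only checks that a build number looks plausible (`\d{2}[A-Z]\d+` accepts any two digits followed by any letter), so it is a shape check rather than proof of authenticity and the comment above `apple_ios_x_mailer` should say so, e.g. `-- Only checks that the build number is well-formed; a forger can still mimic it`. Small typo in the added comment: `genuene` → `genuine`. The `bad_x_mailers` table starts before line 983, outside this hunk.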