From e5dc36444ba6559c2efa5a58ab873b5961baf6a4 Mon Sep 17 00:00:00 2001
From: Andrew Lewis
Date: Mon, 3 Oct 2016 12:53:51 +0200
Subject: [PATCH] [Feature] Rule to identify some X-PHP-Script forgeries
---
 rules/misc.lua | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/rules/misc.lua b/rules/misc.lua
index 2a14a1493..fa06e142e 100644
--- a/rules/misc.lua
+++ b/rules/misc.lua
@@ -397,3 +397,21 @@ rspamd_config.MISSING_FROM = {
 group = 'header',
 description = 'Missing From: header'
 }
+
+rspamd_config.FORGED_X_PHP_SCRIPT1 = {
+ callback = function (task)
+ local hdr = task:get_header('X-PHP-Script', true)
+ if not hdr then return end
+ local re_txt = ' for (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}), (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})'
+ local re = rspamd_regexp.get_cached(re_txt)
+ if not re then
+ re = rspamd_regexp.create_cached(re_txt)
+ end
+ local m = re:search(hdr, true, true)
+ if not m and m[2] and m[3] then return end
+ return m[2] == m[3]
+ end,
+ score = 4.0,
+ description = 'X-PHP-Script header appears forged',
+ group = 'header'
+}
--
2.39.5
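Review bot: The guard `if not m and m[2] and m[3] then return end` in the callback is inverted by operator precedence: it parses as `(not m) and m[2] and m[3]`, so when `re:search` finds nothing, `m` is nil and `m[2]` raises an index error instead of returning. Any message whose X-PHP-Script header (sender-controlled) lacks the ` for ip, ip` form would then error in the rule rather than be skipped. The line should read `if not (m and m[2] and m[3]) then return end`. Separately, when `m` is a table without those entries the guard never fires and `m[2] == m[3]` compares nil with nil, which is true, so the 4.0 score could be applied with no two addresses actually compared. If `search` with capture enabled returns one table per match, the captures would sit at `m[1][2]` and `m[1][3]`; that return shape is not visible in this hunk and is worth confirming against the rspamd_regexp documentation.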