mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 159 Wiki Activity
Browse Source

Merge pull request #4538 from dragoangel/patch-2 

[Feature] Detect Apple Mail and remove scores for their known common behavior
tags/3.6
Vsevolod Stakhov 10 months ago
parent
1cc0095310 7ff31bdb95
commit
14d450b192
No account linked to committer's email address
2 changed files with 28 additions and 1 deletions
Split View Show Diff Stats
  1. 8
    0
      conf/composites.conf
  2. 20
    1
      rules/regexp/headers.lua

+ 8
- 0
conf/composites.conf View File

@@ -65,6 +65,14 @@ composites {
expression = "-R_DKIM_ALLOW & (R_DKIM_TEMPFAIL | R_DKIM_PERMFAIL | R_DKIM_REJECT)"
policy = "remove_weight";
}
APPLE_MAILER_COMMON {
description = "Message was sent by 'Apple Mail' and has common symbols in place";
expression = "APPLE_MAILER & MV_CASE";
}
APPLE_IOS_MAILER_COMMON {
description = "Message was sent by 'Apple iOS Mail' and has common symbols in place";
expression = "APPLE_IOS_MAILER & (MV_CASE | MIME_MA_MISSING_TEXT)";
}
HACKED_WP_PHISHING {
expression = "(HAS_X_POS | HAS_PHPMAILER_SIG) & HAS_WP_URI & (PHISHING | CRACKED_SURBL | PH_SURBL_MULTI | DBL_PHISH | DBL_ABUSE_PHISH | URIBL_BLACK | PHISHED_OPENPHISH | PHISHED_PHISHTANK)";
description = "Phish message sent by hacked Wordpress instance";

+ 20
- 1
rules/regexp/headers.lua View File

@@ -963,6 +963,26 @@ reconf['OLD_X_MAILER'] = {
group = 'headers',
}

-- Detect Apple Mail
local apple_x_mailer = [[Apple Mail \(((Version )?[1-9]\.[0-9]*|[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*)\)]]
reconf['APPLE_MAILER'] = {
description = 'Sent with Apple Mail',
re = string.format('X-Mailer=/^%s/{header}', apple_x_mailer),
score = 0.0,
group = 'headers',
}

-- Detect Apple iPhone/iPad Mail
-- Apple iPhone/iPad Mail X-Mailer contains iOS build number, e. g. 9B206, 16H5, 18G5023c
-- https://en.wikipedia.org/wiki/IOS_version_history
local apple_ios_x_mailer = [[i(?:Phone|Pad) Mail \(\d{1,2}[A-Z]\d{1,4}[a-z]?\)]]
reconf['APPLE_IOS_MAILER'] = {
description = 'Sent with Apple iPhone/iPad Mail',
re = string.format('X-Mailer=/^%s/{header}', apple_ios_x_mailer),
score = 0.0,
group = 'headers',
}

-- X-Mailer header values which should not occur (in the modern mail) at all
local bad_x_mailers = {
-- header name repeated in the header value
@@ -978,9 +998,6 @@ local bad_x_mailers = {
-- but starts with 'iPhone Mail' or 'iPad Mail' is likely fake
[[i(?:Phone|Pad) Mail]],
}
local apple_ios_x_mailer = [[i(?:Phone|Pad) Mail \((?:1[AC]|[34][AB]|5[ABCFGH]|7[A-E]|8[ABCEFGHJKL]|9[AB]|\d{2}[A-Z])\d+[a-z]?\)]]

reconf['FORGED_X_MAILER'] = {
description = 'Forged X-Mailer header',

Write Preview
Loading…
Cancel
Save