@@ -63,4 +63,4 @@ rspamd_config:set_metric_symbol('MID_RHS_IP_LITERAL', 0.5, 'Message-ID RHS is an | |||
rspamd_config:register_virtual_symbol('MID_CONTAINS_FROM', 1.0, check_mid_id) | |||
rspamd_config:set_metric_symbol('MID_CONTAINS_FROM', 1.0, 'Message-ID contains From address', 'default', 'Message ID') | |||
rspamd_config:register_virtual_symbol('MID_RHS_MATCH_FROM', 1.0, check_mid_id) | |||
rspamd_config:set_metric_symbol('MID_RHS_MATCH_FROM', 1.0, 'Message-ID RHS matches From domain', 'default', 'Message ID') | |||
rspamd_config:set_metric_symbol('MID_RHS_MATCH_FROM', 0.0, 'Message-ID RHS matches From domain', 'default', 'Message ID') |
@@ -739,3 +739,25 @@ rspamd_config.PREVIOUSLY_DELIVERED = { | |||
score = 0.0 | |||
} | |||
-- Requires freemail maps loaded in multimap | |||
local function freemail_reply_neq_from(task) | |||
local frt = task:get_symbol('FREEMAIL_REPLYTO') | |||
local ff = task:get_symbol('FREEMAIL_FROM') | |||
if (frt and ff and frt['options'] and ff['options'] and | |||
frt['options'][1] ~= ff['options'][1]) | |||
then | |||
return true | |||
end | |||
return false | |||
end | |||
local freemail_reply_neq_from_id = rspamd_config:register_symbol({ | |||
name = 'FREEMAIL_REPLYTO_NEQ_FROM_DOM', | |||
type = 'callback', | |||
callback = freemail_reply_neq_from, | |||
description = 'Freemail From and Reply-To, but to different Freemail services', | |||
score = 3.0 | |||
}) | |||
rspamd_config:register_dependency(freemail_reply_neq_from_id, 'FREEMAIL_REPLYTO') | |||
rspamd_config:register_dependency(freemail_reply_neq_from_id, 'FREEMAIL_FROM') | |||
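Review bot: The comparison `frt['options'][1] ~= ff['options'][1]` in freemail_reply_neq_from is also true when one of the two option lists is empty, because nil differs from any string, so the 3.0-point symbol can fire with only one domain to compare. The test is case-sensitive and reads only the first option; whether the multimap options are already lower-cased domains is not visible in this hunk, so a guarded form is safer: `local r, f = frt.options[1], ff.options[1]` followed by `return r ~= nil and f ~= nil and r:lower() ~= f:lower()`. The description promises "different Freemail services", but the check compares strings, so two domains of the same provider would presumably count as different; a comment stating that limit would help. The register_symbol table also sets no `group`, unlike the reconf rules shown elsewhere on this page.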
@@ -11,7 +11,7 @@ reconf['HAS_PHPMAILER_SIG'] = { | |||
reconf['PHP_SCRIPT_ROOT'] = { | |||
re = "X-PHP-Originating-Script=/^0:/Hi", | |||
description = "PHP Script executed by root UID", | |||
score = 2.0, | |||
score = 1.0, | |||
group = "compromised_hosts" | |||
} | |||
@@ -99,14 +99,12 @@ reconf['HAS_WP_URI'] = { | |||
reconf['WP_COMPROMISED'] = { | |||
re = '/\\/wp-(?:content|includes)[^\\/]+\\//Ui', | |||
description = "URL that is pointing to a compromised WordPress installation", | |||
score = 5.0, | |||
group = "compromised_hosts" | |||
} | |||
reconf['PHP_XPS_PATTERN'] = { | |||
re = 'X-PHP-Script=/^[^\\. ]+\\.[^\\.\\/ ]+\\/sendmail\\.php\\b/Hi', | |||
description = "Message contains X-PHP-Script pattern", | |||
score = 5.0, | |||
group = "compromised_hosts" | |||
} | |||
@@ -828,7 +828,7 @@ reconf['HAS_INTERSPIRE_SIG'] = { | |||
'header_exists(X-Mailer-Sent-By)', | |||
'List-Unsubscribe=/\\/unsubscribe\\.php\\?M=[^&]+&C=[^&]+&L=[^&]+&N=[^>]+>$/Xi'), | |||
description = "Has Interspire fingerprint", | |||
score = 3.0, | |||
score = 1.0, | |||
group = 'header' | |||
} | |||
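Review bot: The context line `group = 'header'` in the HAS_INTERSPIRE_SIG block does not match the `group = 'headers'` used by HAS_ORG_HEADER and the new X_PHPOS_FAKE rule in the next hunk, which appears to belong to the same file. If the singular name is not a deliberately separate group, this symbol presumably falls outside the group-level settings applied to the other header rules. Since the block is being edited for the score anyway, `group = 'headers'` could go in with it.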
@@ -887,3 +887,11 @@ reconf['HAS_ORG_HEADER'] = { | |||
score = 0.0, | |||
group = 'headers' | |||
} | |||
reconf['X_PHPOS_FAKE'] = { | |||
re = 'X-PHP-Originating-Script=/^\\d{7}:/Hi', | |||
description = 'Fake X-PHP-Originating-Script header', | |||
score = 3.0, | |||
group = 'headers' | |||
} | |||
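Review bot: X_PHPOS_FAKE gives 3.0 points to any X-PHP-Originating-Script value that starts with exactly seven digits and a colon, and nothing in the block says why that shape is fake. The sibling rule PHP_SCRIPT_ROOT reads the same leading field as a UID (`^0:`), and hosts that allocate UIDs from a high range could legitimately produce seven-digit values, so the assumption deserves a comment such as `-- uid field of exactly 7 digits: seen only in forged headers (<reference to samples>)`. `\\d{7}:` also leaves out longer digit runs; if those are equally suspect the quantifier should be `{7,}`, and if not the comment should say so. The rule is filed under `headers` while PHP_SCRIPT_ROOT uses `compromised_hosts`, which may be intended but is worth confirming.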