diff options
| author | Vsevolod Stakhov <vsevolod@highsecure.ru> | 2018-09-29 14:51:29 +0100 |
|---|---|---|
| committer | Vsevolod Stakhov <vsevolod@highsecure.ru> | 2018-09-29 14:51:29 +0100 |
| commit | d31f486d55ea8827c5e540ce74dba7fdd68e8c1a (patch) | |
| tree | 74ea08a7ce0fc941c921ee4a94273ce5dea19a5a | |
| parent | d2811768ed72130425eac4d42bb30f8e8cde4d6e (diff) | |
| download | rspamd-d31f486d55ea8827c5e540ce74dba7fdd68e8c1a.tar.gz rspamd-d31f486d55ea8827c5e540ce74dba7fdd68e8c1a.zip | |
[Fix] Fix groups mess
| -rw-r--r-- | rules/headers_checks.lua | 47 | ||||
| -rw-r--r-- | rules/html.lua | 1 | ||||
| -rw-r--r-- | rules/mid.lua | 9 | ||||
| -rw-r--r-- | rules/misc.lua | 2 | ||||
| -rw-r--r-- | rules/regexp/compromised_hosts.lua | 6 | ||||
| -rw-r--r-- | rules/regexp/headers.lua | 112 |
6 files changed, 103 insertions, 74 deletions
diff --git a/rules/headers_checks.lua b/rules/headers_checks.lua index d1f972a46..5dc78063a 100644 --- a/rules/headers_checks.lua +++ b/rules/headers_checks.lua @@ -26,6 +26,8 @@ local E = {} local rcvd_cb_id = rspamd_config:register_symbol{ name = 'CHECK_RECEIVED', type = 'callback', + score = 0.0, + group = 'headers', callback = function(task) local cnts = { [1] = 'ONE', @@ -113,6 +115,8 @@ rspamd_config:register_symbol{ local prio_cb_id = rspamd_config:register_symbol { name = 'HAS_X_PRIO', type = 'callback', + score = 0.0, + group = 'headers', callback = function (task) local cnts = { [1] = 'ONE', @@ -180,10 +184,16 @@ local function get_raw_header(task, name) return ((task:get_header_full(name) or {})[1] or {})['value'] end -local check_replyto_id = rspamd_config:register_callback_symbol('CHECK_REPLYTO', 1.0, - function (task) +local check_replyto_id = rspamd_config:register_symbol({ + type = 'callback', + name = 'CHECK_REPLYTO', + score = 0.0, + group = 'headers', + callback = function(task) local replyto = get_raw_header(task, 'Reply-To') - if not replyto then return false end + if not replyto then + return false + end local rt = util.parse_mail_address(replyto, task:get_mempool()) if not (rt and rt[1] and (string.len(rt[1].addr) > 0)) then task:insert_result('REPLYTO_UNPARSEABLE', 1.0) @@ -205,7 +215,9 @@ local check_replyto_id = rspamd_config:register_callback_symbol('CHECK_REPLYTO', -- See if Reply-To matches From in some way local from = task:get_from(2) local from_h = get_raw_header(task, 'From') - if not (from and from[1]) then return false end + if not (from and from[1]) then + return false + end if (from_h and from_h == replyto) then -- From and Reply-To are identical task:insert_result('REPLYTO_EQ_FROM', 1.0) @@ -221,17 +233,17 @@ local check_replyto_id = rspamd_config:register_callback_symbol('CHECK_REPLYTO', -- See if Reply-To matches the To address local to = task:get_recipients(2) if (to and to[1] and to[1].addr:lower() == rt[1].addr:lower()) then - -- Ignore this for mailing-lists and automatic submissions - if (not (task:get_header('List-Unsubscribe') or - task:get_header('X-To-Get-Off-This-List') or - task:get_header('X-List') or - task:get_header('Auto-Submitted'))) - then - task:insert_result('REPLYTO_EQ_TO_ADDR', 1.0) - end + -- Ignore this for mailing-lists and automatic submissions + if (not (task:get_header('List-Unsubscribe') or + task:get_header('X-To-Get-Off-This-List') or + task:get_header('X-List') or + task:get_header('Auto-Submitted'))) + then + task:insert_result('REPLYTO_EQ_TO_ADDR', 1.0) + end else task:insert_result('REPLYTO_DOM_NEQ_FROM_DOM', 1.0) - end + end end end -- See if the Display Names match @@ -242,7 +254,7 @@ local check_replyto_id = rspamd_config:register_callback_symbol('CHECK_REPLYTO', end end end -) +}) rspamd_config:register_symbol{ name = 'REPLYTO_UNPARSEABLE', @@ -322,6 +334,8 @@ rspamd_config:register_dependency('CHECK_REPLYTO', 'CHECK_FROM') local check_mime_id = rspamd_config:register_symbol{ name = 'CHECK_MIME', type = 'callback', + group = 'headers', + score = 0.0, callback = function(task) local parts = task:get_parts() if not parts then return false end @@ -420,6 +434,7 @@ rspamd_config.PREVIOUSLY_DELIVERED = { end end, description = 'Message either to a list or was forwarded', + group = 'headers', score = 0.0 } rspamd_config.BROKEN_HEADERS = { @@ -612,6 +627,8 @@ rspamd_config.FAKE_REPLY = { local check_from_id = rspamd_config:register_symbol{ name = 'CHECK_FROM', type = 'callback', + score = 0.0, + group = 'headers', callback = function(task) local envfrom = task:get_from(1) local from = task:get_from(2) @@ -735,6 +752,8 @@ rspamd_config:register_symbol{ local check_to_cc_id = rspamd_config:register_symbol{ name = 'CHECK_TO_CC', type = 'callback', + score = 0.0, + group = 'headers', callback = function(task) local rcpts = task:get_recipients(1) local to = task:get_recipients(2) diff --git a/rules/html.lua b/rules/html.lua index c324b9de1..da4ef1d13 100644 --- a/rules/html.lua +++ b/rules/html.lua @@ -171,6 +171,7 @@ rspamd_config.R_SUSPICIOUS_IMAGES = { local vis_check_id = rspamd_config:register_symbol{ name = 'HTML_VISIBLE_CHECKS', type = 'callback', + group = 'html', callback = function(task) --local logger = require "rspamd_logger" local tp = task:get_text_parts() -- get text parts in a message diff --git a/rules/mid.lua b/rules/mid.lua index d89f217da..60df4bd1f 100644 --- a/rules/mid.lua +++ b/rules/mid.lua @@ -67,8 +67,13 @@ local function mid_check_func(task) end -- MID checks from Steve Freegard -local check_mid_id = rspamd_config:register_callback_symbol('CHECK_MID', 1.0, - mid_check_func) +local check_mid_id = rspamd_config:register_symbol({ + name = 'CHECK_MID', + score = 0.0, + group = 'mid', + type = 'callback', + callback = mid_check_func +}) rspamd_config:register_virtual_symbol('MID_BARE_IP', 1.0, check_mid_id) rspamd_config:set_metric_symbol('MID_BARE_IP', 2.0, 'Message-ID RHS is a bare IP address', 'default', 'Message ID') rspamd_config:register_virtual_symbol('MID_RHS_NOT_FQDN', 1.0, check_mid_id) diff --git a/rules/misc.lua b/rules/misc.lua index fe5325d46..3494d26ca 100644 --- a/rules/misc.lua +++ b/rules/misc.lua @@ -190,6 +190,7 @@ rspamd_config.ENVFROM_VERP = { local check_rcvd = rspamd_config:register_symbol{ name = 'CHECK_RCVD', + group = 'headers', callback = function (task) local rcvds = task:get_received_headers() if not rcvds then return false end @@ -521,6 +522,7 @@ local check_from_display_name = rspamd_config:register_symbol{ end return false end, + group = 'headers', } rspamd_config:register_symbol{ diff --git a/rules/regexp/compromised_hosts.lua b/rules/regexp/compromised_hosts.lua index 46a192978..47af04eec 100644 --- a/rules/regexp/compromised_hosts.lua +++ b/rules/regexp/compromised_hosts.lua @@ -51,7 +51,8 @@ rspamd_config.HAS_X_AS = { end end, description = 'Has X-Authenticated-Sender header', - group = "compromised_hosts" + group = "compromised_hosts", + score = 0.0 } -- X-Get-Message-Sender-Via: accord.host-care.com: authenticated_id: sales@cortaflex.si @@ -69,7 +70,8 @@ rspamd_config.HAS_X_GMSV = { end end, description = 'Has X-Get-Message-Sender-Via: header', - group = "compromised_hosts" + group = "compromised_hosts", + score = 0.0, } -- X-AntiAbuse: This header was added to track abuse, please include it with any abuse report diff --git a/rules/regexp/headers.lua b/rules/regexp/headers.lua index 4889c0e7f..bd286b764 100644 --- a/rules/regexp/headers.lua +++ b/rules/regexp/headers.lua @@ -31,7 +31,7 @@ reconf['SUBJECT_NEEDS_ENCODING'] = { re = string.format('!(%s) & !(%s) & (%s)', subject_encoded_b64, subject_encoded_qp, subject_needs_mime), score = 1.0, description = 'Subject needs encoding', - group = 'header' + group = 'headers' } local from_encoded_b64 = 'From=/=\\?\\S+\\?B\\?/iX' @@ -41,7 +41,7 @@ reconf['FROM_NEEDS_ENCODING'] = { re = string.format('!(%s) & !(%s) & (%s)', from_encoded_b64, from_encoded_qp, raw_from_needs_mime), score = 1.0, description = 'From header needs encoding', - group = 'header' + group = 'headers' } local to_encoded_b64 = 'To=/=\\?\\S+\\?B\\?/iX' @@ -51,7 +51,7 @@ reconf['TO_NEEDS_ENCODING'] = { re = string.format('!(%s) & !(%s) & (%s)', to_encoded_b64, to_encoded_qp, raw_to_needs_mime), score = 1.0, description = 'To header needs encoding', - group = 'header' + group = 'headers' } -- Detects that there is no space in From header (e.g. Some Name<some@host>) @@ -59,14 +59,14 @@ reconf['R_NO_SPACE_IN_FROM'] = { re = 'From=/\\S<[-\\w\\.]+\\@[-\\w\\.]+>/X', score = 1.0, description = 'No space in from header', - group = 'header' + group = 'headers' } reconf['TO_WRAPPED_IN_SPACES'] = { re = [[To=/<\s[-.\w]+\@[-.\w]+\s>/X]], score = 2.0, description = 'To address is wrapped in spaces inside angle brackets (e.g. display-name < local-part@domain >)', - group = 'header' + group = 'headers' } -- Detects missing Subject header @@ -74,13 +74,13 @@ reconf['MISSING_SUBJECT'] = { re = '!raw_header_exists(Subject)', score = 2.0, description = 'Subject header is missing', - group = 'header' + group = 'headers' } rspamd_config.EMPTY_SUBJECT = { score = 1.0, description = 'Subject header is empty', - group = 'header', + group = 'headers', callback = function(task) local hdr = task:get_header('Subject') if hdr and #hdr == 0 then @@ -95,7 +95,7 @@ reconf['MISSING_TO'] = { re = '!raw_header_exists(To)', score = 2.0, description = 'To header is missing', - group = 'header' + group = 'headers' } -- Detects undisclosed recipients @@ -104,7 +104,7 @@ reconf['R_UNDISC_RCPT'] = { re = string.format('(%s)', undisc_rcpt), score = 3.0, description = 'Recipients are absent or undisclosed', - group = 'header' + group = 'headers' } -- Detects missing Message-Id @@ -113,7 +113,7 @@ reconf['MISSING_MID'] = { re = '!header_exists(Message-Id)', score = 2.5, description = 'Message id is missing', - group = 'header' + group = 'headers' } -- Received seems to be fake @@ -121,7 +121,7 @@ reconf['R_RCVD_SPAMBOTS'] = { re = 'Received=/^from \\[\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\] by [-.\\w+]{5,255}; [SMTWF][a-z][a-z], [\\s\\d]?\\d [JFMAJSOND][a-z][a-z] \\d{4} \\d{2}:\\d{2}:\\d{2} [-+]\\d{4}$/mH', score = 3.0, description = 'Spambots signatures in received headers', - group = 'header' + group = 'headers' } -- Charset is missing in message @@ -130,7 +130,7 @@ reconf['R_MISSING_CHARSET'] = { 'compare_transfer_encoding(7bit)'), score = 2.5, description = 'Charset is missing in a message', - group = 'header' + group = 'headers' } -- Subject seems to be spam @@ -138,7 +138,7 @@ reconf['R_SAJDING'] = { re = 'Subject=/\\bsajding(?:om|a)?\\b/iH', score = 8.0, description = 'Subject seems to be spam', - group = 'header' + group = 'headers' } -- Find forged Outlook MUA @@ -151,7 +151,7 @@ reconf['FORGED_OUTLOOK_HTML'] = { re = string.format('!%s & %s & %s', yahoo_bulk, outlook_mua, 'has_only_html_part()'), score = 5.0, description = 'Forged outlook HTML signature', - group = 'header' + group = 'headers' } -- Recipients seems to be likely with each other (only works when recipients count is more than 5 recipients) @@ -159,7 +159,7 @@ reconf['SUSPICIOUS_RECIPS'] = { re = 'compare_recipients_distance(0.65)', score = 1.5, description = 'Recipients seems to be autogenerated (works if recipients count is more than 5)', - group = 'header' + group = 'headers' } -- Recipients list seems to be sorted @@ -167,7 +167,7 @@ reconf['SORTED_RECIPS'] = { re = 'is_recipients_sorted()', score = 3.5, description = 'Recipients list seems to be sorted', - group = 'header' + group = 'headers' } -- Spam string at the end of message to make statistics faults @@ -175,7 +175,7 @@ reconf['TRACKER_ID'] = { re = '/^[a-z0-9]{6,24}[-_a-z0-9]{12,36}[a-z0-9]{6,24}\\s*\\z/isPr', score = 3.84, description = 'Spam string at the end of message to make statistics fault', - group = 'header' + group = 'headers' } -- From contains only 7bit characters (parsed headers are used) @@ -335,7 +335,7 @@ reconf['FORGED_OUTLOOK_TAGS'] = { tag_exists_meta, tag_exists_body), score = 2.1, description = "Message pretends to be send from Outlook but has 'strange' tags", - group = 'header' + group = 'headers' } -- Forged OE/MSO boundary @@ -504,7 +504,7 @@ reconf['INVALID_MSGID'] = { re = string.format('(%s) & !((%s) | (%s))', has_mid, sane_msgid, msgid_comment), score = 1.7, description = 'Message id is incorrect', - group = 'header' + group = 'headers' } @@ -518,7 +518,7 @@ reconf['MIME_HEADER_CTYPE_ONLY'] = { re = string.format('!(%s) & !(%s) & (%s) & !(%s) & !(%s)', cd, cte, ct, mime_version, ct_text_plain), score = 2.0, description = 'Only Content-Type header without other MIME headers', - group = 'header' + group = 'headers' } @@ -530,7 +530,7 @@ reconf['RATWARE_MS_HASH'] = { re = string.format('(%s) & !(%s) & !(%s)', msgid_dollars_ok, mimeole_ms, rcvd_with_exchange), score = 2.0, description = 'Forged Exchange messages', - group = 'header' + group = 'headers' } -- Reply-type in content-type @@ -538,7 +538,7 @@ reconf['STOX_REPLY_TYPE'] = { re = 'Content-Type=/text\\/plain; .* reply-type=original/H', score = 1.0, description = 'Reply-type in content-type', - group = 'header' + group = 'headers' } -- Fake Verizon headers @@ -548,7 +548,7 @@ reconf['FM_FAKE_HELO_VERIZON'] = { re = string.format('(%s) & !(%s)', fhelo_verizon, fhost_verizon), score = 2.0, description = 'Fake helo for verizon provider', - group = 'header' + group = 'headers' } -- Forged yahoo msgid @@ -558,7 +558,7 @@ reconf['FORGED_MSGID_YAHOO'] = { re = string.format('(%s) & !(%s)', at_yahoo_msgid, from_yahoo_com), score = 2.0, description = 'Forged yahoo msgid', - group = 'header' + group = 'headers' } -- Forged The Bat! MUA headers @@ -570,7 +570,7 @@ reconf['FORGED_MUA_THEBAT_BOUN'] = { re = string.format('(%s) & (%s) & !(%s) & !(%s)', thebat_mua_v1, ctype_has_boundary, bat_boundary, mailman_21), score = 2.0, description = 'Forged The Bat! MUA headers', - group = 'header' + group = 'headers' } -- Detect Mail.Ru web-mail @@ -580,7 +580,7 @@ reconf['MAIL_RU_MAILER'] = { re = string.format('(%s) & (%s)', xm_mail_ru_mailer_1_0, rcvd_e_mail_ru), score = 0.0, description = 'Sent with Mail.Ru web-mail', - group = 'header' + group = 'headers' } -- Detect yandex.ru web-mail @@ -590,7 +590,7 @@ reconf['YANDEX_RU_MAILER'] = { re = string.format('(%s) & (%s)', xm_yandex_ru_mailer_5_0, rcvd_web_yandex_ru), score = 0.0, description = 'Sent with yandex.ru web-mail', - group = 'header' + group = 'headers' } -- Detect 1C v8.2 and v8.3 mailers @@ -598,7 +598,7 @@ reconf['MAILER_1C_8'] = { re = 'X-Mailer=/^1C:Enterprise 8\\.[23]$/H', score = 0.0, description = 'Sent with 1C:Enterprise 8', - group = 'header' + group = 'headers' } -- Detect rogue 'strongmail' MTA with IPv4 and '(-)' in Received line @@ -606,7 +606,7 @@ reconf['STRONGMAIL'] = { re = [[Received=/^from\s+strongmail\s+\(\[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\) by \S+ \(-\); /mH]], score = 6.0, description = 'Sent via rogue "strongmail" MTA', - group = 'header' + group = 'headers' } -- Two received headers with ip addresses @@ -616,7 +616,7 @@ reconf['RCVD_DOUBLE_IP_SPAM'] = { re = string.format('(%s) | (%s)', double_ip_spam_1, double_ip_spam_2), score = 2.0, description = 'Two received headers with ip addresses', - group = 'header' + group = 'headers' } -- Quoted reply-to from yahoo (seems to be forged) @@ -625,7 +625,7 @@ reconf['REPTO_QUOTE_YAHOO'] = { re = string.format('(%s) & ((%s) | (%s))', repto_quote, from_yahoo_com, at_yahoo_msgid), score = 2.0, description = 'Quoted reply-to from yahoo (seems to be forged)', - group = 'header' + group = 'headers' } -- MUA definitions @@ -665,7 +665,7 @@ reconf['MISSING_MIMEOLE'] = { has_office_version_in_mailer), score = 2.0, description = 'Mime-OLE is needed but absent (e.g. fake Outlook or fake Exchange)', - group = 'header' + group = 'headers' } -- Header delimiters @@ -685,31 +685,31 @@ reconf['HEADER_FROM_DELIMITER_TAB'] = { re = string.format('(%s) & !(%s)', 'check_header_delimiter_tab(From)', yandex), score = 1.0, description = 'Header From begins with tab', - group = 'header' + group = 'headers' } reconf['HEADER_TO_DELIMITER_TAB'] = { re = string.format('(%s) & !(%s)', 'check_header_delimiter_tab(To)', yandex), score = 1.0, description = 'Header To begins with tab', - group = 'header' + group = 'headers' } reconf['HEADER_CC_DELIMITER_TAB'] = { re = string.format('(%s) & !(%s)', 'check_header_delimiter_tab(Cc)', yandex), score = 1.0, description = 'Header To begins with tab', - group = 'header' + group = 'headers' } reconf['HEADER_REPLYTO_DELIMITER_TAB'] = { re = string.format('(%s) & !(%s)', 'check_header_delimiter_tab(Reply-To)', yandex), score = 1.0, description = 'Header Reply-To begins with tab', - group = 'header' + group = 'headers' } reconf['HEADER_DATE_DELIMITER_TAB'] = { re = string.format('(%s) & !(%s)', 'check_header_delimiter_tab(Date)', yandex), score = 1.0, description = 'Header Date begins with tab', - group = 'header' + group = 'headers' } -- Empty delimiters between header names and header values function check_header_delimiter_empty(task, header_name) @@ -722,31 +722,31 @@ reconf['HEADER_FROM_EMPTY_DELIMITER'] = { re = string.format('(%s)', 'check_header_delimiter_empty(From)'), score = 1.0, description = 'Header From has no delimiter between header name and header value', - group = 'header' + group = 'headers' } reconf['HEADER_TO_EMPTY_DELIMITER'] = { re = string.format('(%s)', 'check_header_delimiter_empty(To)'), score = 1.0, description = 'Header To has no delimiter between header name and header value', - group = 'header' + group = 'headers' } reconf['HEADER_CC_EMPTY_DELIMITER'] = { re = string.format('(%s)', 'check_header_delimiter_empty(Cc)'), score = 1.0, description = 'Header Cc has no delimiter between header name and header value', - group = 'header' + group = 'headers' } reconf['HEADER_REPLYTO_EMPTY_DELIMITER'] = { re = string.format('(%s)', 'check_header_delimiter_empty(Reply-To)'), score = 1.0, description = 'Header Reply-To has no delimiter between header name and header value', - group = 'header' + group = 'headers' } reconf['HEADER_DATE_EMPTY_DELIMITER'] = { re = string.format('(%s)', 'check_header_delimiter_empty(Date)'), score = 1.0, description = 'Header Date has no delimiter between header name and header value', - group = 'header' + group = 'headers' } -- Definitions of received headers regexp @@ -754,7 +754,7 @@ reconf['RCVD_ILLEGAL_CHARS'] = { re = 'Received=/[\\x80-\\xff]/X', score = 4.0, description = 'Header Received has raw illegal character', - group = 'header' + group = 'headers' } local MAIL_RU_Return_Path = 'Return-path=/^\\s*<.+\\@mail\\.ru>$/iX' @@ -766,7 +766,7 @@ reconf['FAKE_RECEIVED_mail_ru'] = { re = string.format('(%s) & !(((%s) | (%s)) & (%s))', MAIL_RU_Received, MAIL_RU_Return_Path, MAIL_RU_X_Envelope_From, MAIL_RU_From), score = 4.0, description = 'Fake helo mail.ru in header Received from non mail.ru sender address', - group = 'header' + group = 'headers' } local GMAIL_COM_Return_Path = 'Return-path=/^\\s*<.+\\@gmail\\.com>$/iX' @@ -791,70 +791,70 @@ reconf['FAKE_RECEIVED_smtp_yandex_ru'] = { re = string.format('(((%s) & ((%s) | (%s))) | ((%s) & ((%s) | (%s))) | ((%s) & ((%s) | (%s)))) & (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s)', MAIL_RU_From, MAIL_RU_Return_Path, MAIL_RU_X_Envelope_From, GMAIL_COM_From, GMAIL_COM_Return_Path, GMAIL_COM_X_Envelope_From, UKR_NET_From, UKR_NET_Return_Path, UKR_NET_X_Envelope_From, RECEIVED_smtp_yandex_ru_1, RECEIVED_smtp_yandex_ru_2, RECEIVED_smtp_yandex_ru_3, RECEIVED_smtp_yandex_ru_4, RECEIVED_smtp_yandex_ru_5, RECEIVED_smtp_yandex_ru_6, RECEIVED_smtp_yandex_ru_7, RECEIVED_smtp_yandex_ru_8, RECEIVED_smtp_yandex_ru_9), score = 4.0, description = 'Fake smtp.yandex.ru Received', - group = 'header' + group = 'headers' } reconf['FORGED_GENERIC_RECEIVED'] = { re = 'Received=/^\\s*(.+\\n)*from \\[\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\] by (([\\w\\d-]+\\.)+[a-zA-Z]{2,6}|\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}); \\w{3}, \\d+ \\w{3} 20\\d\\d \\d\\d\\:\\d\\d\\:\\d\\d [+-]\\d\\d\\d0/X', score = 3.6, description = 'Forged generic Received', - group = 'header' + group = 'headers' } reconf['FORGED_GENERIC_RECEIVED2'] = { re = 'Received=/^\\s*(.+\\n)*from \\[\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\] by ([\\w\\d-]+\\.)+[a-z]{2,6} id [\\w\\d]{12}; \\w{3}, \\d+ \\w{3} 20\\d\\d \\d\\d\\:\\d\\d\\:\\d\\d [+-]\\d\\d\\d0/X', score = 3.6, description = 'Forged generic Received', - group = 'header' + group = 'headers' } reconf['FORGED_GENERIC_RECEIVED3'] = { re = 'Received=/^\\s*(.+\\n)*by \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} with SMTP id [a-zA-Z]{14}\\.\\d{13};[\\r\\n\\s]*\\w{3}, \\d+ \\w{3} 20\\d\\d \\d\\d\\:\\d\\d\\:\\d\\d [+-]\\d\\d\\d0 \\(GMT\\)/X', score = 3.6, description = 'Forged generic Received', - group = 'header' + group = 'headers' } reconf['FORGED_GENERIC_RECEIVED4'] = { re = 'Received=/^\\s*(.+\\n)*from localhost by \\S+;\\s+\\w{3}, \\d+ \\w{3} 20\\d\\d \\d\\d\\:\\d\\d\\:\\d\\d [+-]\\d\\d\\d0[\\s\\r\\n]*$/X', score = 3.6, description = 'Forged generic Received', - group = 'header' + group = 'headers' } reconf['INVALID_POSTFIX_RECEIVED'] = { re = 'Received=/ \\(Postfix\\) with ESMTP id [A-Z\\d]+([\\s\\r\\n]+for <\\S+?>)?;[\\s\\r\\n]*[A-Z][a-z]{2}, \\d{1,2} [A-Z][a-z]{2} \\d\\d\\d\\d \\d\\d:\\d\\d:\\d\\d [\\+\\-]\\d\\d\\d\\d$/X', score = 3.0, description = 'Invalid Postfix Received', - group = 'header' + group = 'headers' } reconf['X_PHP_FORGED_0X'] = { re = "X-PHP-Originating-Script=/^0\\d/X", score = 4.0, description = "X-PHP-Originating-Script header appears forged", - group = 'header' + group = 'headers' } reconf['GOOGLE_FORWARDING_MID_MISSING'] = { re = "Message-ID=/SMTPIN_ADDED_MISSING\\@mx\\.google\\.com>$/X", score = 2.5, description = "Message was missing Message-ID pre-forwarding", - group = 'header' + group = 'headers' } reconf['GOOGLE_FORWARDING_MID_BROKEN'] = { re = "Message-ID=/SMTPIN_ADDED_BROKEN\\@mx\\.google\\.com>$/X", score = 1.7, description = "Message had invalid Message-ID pre-forwarding", - group = 'header' + group = 'headers' } reconf['CTE_CASE'] = { re = 'Content-Transfer-Encoding=/^[78]B/X', description = '[78]Bit .vs. [78]bit', score = 0.5, - group = 'header' + group = 'headers' } reconf['HAS_INTERSPIRE_SIG'] = { @@ -866,14 +866,14 @@ reconf['HAS_INTERSPIRE_SIG'] = { 'List-Unsubscribe=/\\/unsubscribe\\.php\\?M=[^&]+&C=[^&]+&L=[^&]+&N=[^>]+>$/Xi'), description = "Has Interspire fingerprint", score = 1.0, - group = 'header' + group = 'headers' } reconf['CT_EXTRA_SEMI'] = { re = 'Content-Type=/;$/X', description = 'Content-Type ends with a semi-colon', score = 1.0, - group = 'header' + group = 'headers' } reconf['SUBJECT_ENDS_EXCLAIM'] = { |