authorAnton Yuzhaninov <citrin+git@citrin.ru>2020-12-22 13:40:40 +0000
committerAnton Yuzhaninov <citrin+git@citrin.ru>2020-12-22 14:16:12 +0000
commit38d347e23eee471bf19e78804fb0b15382c5a776 (patch)
tree62b4d7b6f763a061945d0650ff9dd2332c53362a /rules/regexp/headers.lua
parentbadadf505179068165d4bae6c0892b5eeee1a23b (diff)
[Minor] Add rule for forged X-Mailer: Internet Mail Service
Diffstat (limited to 'rules/regexp/headers.lua')
-rw-r--r--rules/regexp/headers.lua15
1 files changed, 15 insertions, 0 deletions
diff --git a/rules/regexp/headers.lua b/rules/regexp/headers.lua
index ff16fd886..f9d613a14 100644
--- a/rules/regexp/headers.lua
+++ b/rules/regexp/headers.lua
@@ -993,3 +993,18 @@ reconf['FORGED_X_MAILER'] = {
score = 4.0,
group = 'headers',
}
+
+-- X-Mailer headers like: 'Internet Mail Service (5.5.2650.21)' are being
+-- forged by spammers, but MS Exachange 5.5 is still being used (in 2020) on
+-- some mail servers. Example of genuene headers (DC-EXMPL is a hostname which
+-- can be a FQDN):
+-- Received: by DC-EXMPL with Internet Mail Service (5.5.2656.59)
+-- id <HKH4BJQX>; Tue, 8 Dec 2020 07:10:54 -0600
+-- Message-ID: <E7209F9DB64FCC4BB1051420F0E955DD05C9D59F@DC-EXMPL>
+-- X-Mailer: Internet Mail Service (5.5.2656.59)
+reconf['FORGED_IMS'] = {
+ description = 'Forged X-Mailer: Internet Mail Service',
+ re = [[X-Mailer=/^Internet Mail Service \(5\./{header} & !Received=/^by \S+ with Internet Mail Service \(5\./{header}]]
+ score = 3.0,
+ group = 'headers',
+}
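Review bot: The `re = [[...]]` field of the new `reconf['FORGED_IMS']` table has no trailing comma before `score = 3.0,`, which is a Lua syntax error in a table constructor; the line should end `... \(5\./{header}]],`. Because this file is presumably loaded as a single chunk, the error would likely keep every rule in headers.lua from loading rather than just the new one, so it is worth catching before merge. The comment block above the table has two typos that could be fixed in the same commit: `MS Exachange` → `MS Exchange` and `genuene headers` → `genuine headers`. The negated Received clause appears intended to suppress the rule when any Received header shows the message actually passed through an IMS 5.x host; a short comment stating that intent, e.g. `-- skip when a Received header shows a real IMS 5.x hop`, would make the rule easier to maintain.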