[Feature] Add rule for identifying mail sent by eval()'d PHP code

author: Andrew Lewis <nerf@judo.za.org> 2016-08-19 16:57:58 +0200
committer: Andrew Lewis <nerf@judo.za.org> 2016-08-19 16:57:58 +0200
commit: c450ebf40ca4c87c592ca02856af6050f26c6dc9 (patch)
tree: 5e4cb18a5f2d20a4cad7d7c8389d39300840ea77 /rules/regexp
parent: 6d59a0c87c8b75195c996b5b2dc580c5abb84561 (diff)
download: rspamd-c450ebf40ca4c87c592ca02856af6050f26c6dc9.tar.gz
rspamd-c450ebf40ca4c87c592ca02856af6050f26c6dc9.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/rules/regexp/headers.lua b/rules/regexp/headers.lua
index afd0633cd..8f6e47ee9 100644
--- a/rules/regexp/headers.lua
+++ b/rules/regexp/headers.lua
@@ -434,3 +434,10 @@ reconf['FORGED_GENERIC_RECEIVED4'] =	'Received=/^\\s*(.+\\n)*from localhost by \
 reconf['FORGED_GENERIC_RECEIVED5'] = 'Received=/\\s*from \\[(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\\].*\\n(.+\\n)*\\s*from \\1 by \\S+;\\s+\\w{3}, \\d+ \\w{3} 20\\d\\d \\d\\d\\:\\d\\d\\:\\d\\d [+-]\\d\\d\\d0$/X'
 
 reconf['INVALID_POSTFIX_RECEIVED'] =	'Received=/ \\(Postfix\\) with ESMTP id [A-Z\\d]+([\\s\\r\\n]+for <\\S+?>)?;[\\s\\r\\n]*[A-Z][a-z]{2}, \\d{1,2} [A-Z][a-z]{2} \\d\\d\\d\\d \\d\\d:\\d\\d:\\d\\d [\\+\\-]\\d\\d\\d\\d$/X'
+
+reconf['X_PHP_EVAL'] = {
+  re = "X-PHP-Originating-Script=/\\s:\\seval\\(\\)'d code$/X",
+  score = 4.0,
+  description = "Message sent by eval()'d php code",
+  group = 'header'
+}
author	Andrew Lewis <nerf@judo.za.org>	2016-08-19 16:57:58 +0200
committer	Andrew Lewis <nerf@judo.za.org>	2016-08-19 16:57:58 +0200
commit	c450ebf40ca4c87c592ca02856af6050f26c6dc9 (patch)
tree	5e4cb18a5f2d20a4cad7d7c8389d39300840ea77 /rules/regexp
parent	6d59a0c87c8b75195c996b5b2dc580c5abb84561 (diff)
download	rspamd-c450ebf40ca4c87c592ca02856af6050f26c6dc9.tar.gz rspamd-c450ebf40ca4c87c592ca02856af6050f26c6dc9.zip