author | Vsevolod Stakhov <vsevolod@highsecure.ru> | 2020-12-22 10:33:15 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-12-22 10:33:15 +0000 |
commit | 9419ba3b7aaea1387cadeb782309782c10b7c08b (patch) | |
tree | 116421670bc46a219a0492c59a82feeb518fe9d6 /rules/regexp | |
parent | 3f7587fc5812c66f66bb1574507ba077e26e814c (diff) | |
parent | 027453fe4a8c02b7af1bb05da5d373b19c0c0700 (diff) | |
download | rspamd-9419ba3b7aaea1387cadeb782309782c10b7c08b.tar.gz rspamd-9419ba3b7aaea1387cadeb782309782c10b7c08b.zip |
Merge pull request #3580 from citrin/x-mailer-rules
[Rules] X-Mailer header rules
Diffstat (limited to 'rules/regexp')
-rw-r--r-- | rules/regexp/headers.lua | 44 |
1 files changed, 22 insertions, 22 deletions
diff --git a/rules/regexp/headers.lua b/rules/regexp/headers.lua
index c47205fea..516fc1232 100644
--- a/rules/regexp/headers.lua
+++ b/rules/regexp/headers.lua
@@ -153,15 +153,6 @@ reconf['R_MISSING_CHARSET'] = {
   mime_only = true,
 }
 
--- Subject seems to be spam
-reconf['R_SAJDING'] = {
-  re = 'Subject=/\\bsajding(?:om|a)?\\b/iH',
-  score = 8.0,
-  description = 'Subject seems to be spam',
-  group = 'headers',
-  mime_only = true,
-}
-
 -- Find forged Outlook MUA
 -- Yahoo groups messages
 local yahoo_bulk = 'Received=/from \\[\\S+\\] by \\S+\\.(?:groups|scd|dcn)\\.yahoo\\.com with NNFMP/H'
@@ -436,20 +427,9 @@ reconf['FORGED_MUA_KMAIL_MSGID_UNKNOWN'] = {
 local opera1x_mua = 'User-Agent=/^\\s*Opera Mail\\/1[01]\\.\\d+ /H'
 -- Opera Mail Message-ID template
 local opera1x_msgid = 'Message-ID=/^<?op\\.[a-z\\d]{14}\\@\\S+>?$/H'
--- Suspicious Opera Mail User-Agent header
-local suspicious_opera10w_mua = 'User-Agent=/^\\s*Opera Mail\\/10\\.\\d+ \\(Windows\\)$/H'
--- Suspicious Opera Mail Message-ID, apparently from KMail
-local suspicious_opera10w_msgid = 'Message-Id=/^<?2009\\d{8}\\.\\d+\\.\\S+\\@\\S+?>$/H'
--- Summary rule for forged Opera Mail User-Agent header and Message-ID header from KMail
-reconf['SUSPICIOUS_OPERA_10W_MSGID'] = {
-  re = string.format('(%s) & (%s)', suspicious_opera10w_mua, suspicious_opera10w_msgid),
-  score = 4.0,
-  description = 'Message pretends to be send from suspicious Opera Mail/10.x (Windows) but has forged Message-ID, apparently from KMail',
-  group = 'mua'
-}
--- Summary rule for forged Opera Mail Message-ID header
+-- Rule for forged Opera Mail Message-ID header
 reconf['FORGED_MUA_OPERA_MSGID'] = {
-  re = string.format('(%s) & !(%s) & !(%s) & !(%s)', opera1x_mua, opera1x_msgid, reconf['SUSPICIOUS_OPERA_10W_MSGID']['re'], unusable_msgid),
+  re = string.format('(%s) & !(%s) & !(%s)', opera1x_mua, opera1x_msgid, unusable_msgid),
   score = 4.0,
   description = 'Message pretends to be send from Opera Mail but has forged Message-ID',
   group = 'mua'
@@ -993,3 +973,23 @@ reconf['OLD_X_MAILER'] = {
   score = 2.0,
   group = 'headers',
 }
+
+-- X-Mailer header values which should not occur (in the modern mail) at all
+local bad_x_mailers = {
+  -- header name repeated in the header value
+  [[X-Mailer: ]],
+  -- Mozilla Thunderbird uses User-Agnet header, not X-Mailer
+  -- Early Thunderbird had U-A like:
+  -- Mozilla Thunderbird 1.0.2 (Windows/20050317)
+  -- Thunderbird 2.0.0.23 (X11/20090812)
+  [[(?:Mozilla )?Thunderbird \d]],
+  -- Was used by Yahoo Groups in 2000s
+  [[eGroups Message Poster]],
+}
+
+reconf['FORGED_X_MAILER'] = {
+  description = 'Forged X-Mailer header',
+  re = string.format('X-Mailer=/^(?:%s)/', table.concat(bad_x_mailers, '|')),
+  score = 4.0,
+  group = 'headers',
+}
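Review bot: The new `FORGED_X_MAILER` regexp is written without the `/H` flag that the other header rules in this file carry (the `yahoo_bulk`, `opera1x_mua` and `opera1x_msgid` lines in the earlier hunks all end in `/H`), so, as far as I can tell, the `bad_x_mailers` patterns are applied to a differently processed X-Mailer value than its neighbours; if that is deliberate, a one-line comment saying so would save the next reader a question, otherwise the line would be `re = string.format('X-Mailer=/^(?:%s)/H', table.concat(bad_x_mailers, '|')),`. The comment above the Thunderbird entry has a typo, `User-Agnet` should be `User-Agent`, and the table's heading comment reads better as `-- X-Mailer header values which should not occur (in modern mail) at all`. Since each entry is spliced verbatim into one alternation, a short comment on the table noting that entries are regexp fragments rather than literal strings, and must escape `/`, `|` and other metacharacters, would keep a later addition from silently breaking the whole rule.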