[Minor] Make HAS_PHPMAILER_SIG regexps more specific

Use stricter regexp to avoid false matches.
author: Anton Yuzhaninov <citrin+git@citrin.ru> 2021-04-27 16:23:44 +0100
committer: Anton Yuzhaninov <citrin+git@citrin.ru> 2021-04-27 16:53:22 +0100
commit: b3d5173446073c34730db64360ca7454f42810a3 (patch)
tree: 7211471eb31f9dfe4b3ad984bc2689f76a02d5fc /rules
parent: 755077b555ee224a1655308cc2b3fa8aa9741bfb (diff)
download: rspamd-b3d5173446073c34730db64360ca7454f42810a3.tar.gz
rspamd-b3d5173446073c34730db64360ca7454f42810a3.zip
1 files changed, 7 insertions, 1 deletions
diff --git a/rules/regexp/compromised_hosts.lua b/rules/regexp/compromised_hosts.lua
index 6ad2e6b93..97d80853e 100644
--- a/rules/regexp/compromised_hosts.lua
+++ b/rules/regexp/compromised_hosts.lua
@@ -3,7 +3,13 @@ local rspamd_regexp = require 'rspamd_regexp'
 local util = require 'rspamd_util'
 
 reconf['HAS_PHPMAILER_SIG'] = {
-  re = "X-Mailer=/^PHPMailer/Hi || Content-Type=/boundary=\"b[123]_/Hi",
+  -- PHPMailer 6.0.0 and older used hex hash in boundary:
+  -- boundary="b1_2a45d5e29f78d3408e318878b049f474"
+  -- Since 6.0.1 it uses base64 (without =+/):
+  -- boundary="b1_uBN0UPD3n6RU04VPxI54tENiDgaCGoh15l9s73oFnlM"
+  -- boundary="b1_Ez5tmpb4bSqknyUZ1B1hIvLAfR1MlspDEKGioCOXc"
+  -- https://github.com/PHPMailer/PHPMailer/blob/v6.4.0/src/PHPMailer.php#L2660
+  re = [[X-Mailer=/^PHPMailer /H || Content-Type=/boundary="b1_[0-9a-zA-Z]+"/H]],
   description = "PHPMailer signature",
   group = "compromised_hosts"
 }
author	Anton Yuzhaninov <citrin+git@citrin.ru>	2021-04-27 16:23:44 +0100
committer	Anton Yuzhaninov <citrin+git@citrin.ru>	2021-04-27 16:53:22 +0100
commit	b3d5173446073c34730db64360ca7454f42810a3 (patch)
tree	7211471eb31f9dfe4b3ad984bc2689f76a02d5fc /rules
parent	755077b555ee224a1655308cc2b3fa8aa9741bfb (diff)
download	rspamd-b3d5173446073c34730db64360ca7454f42810a3.tar.gz rspamd-b3d5173446073c34730db64360ca7454f42810a3.zip