diff options
author | twesterhever <40121680+twesterhever@users.noreply.github.com> | 2024-04-28 09:44:07 +0000 |
---|---|---|
committer | twesterhever <40121680+twesterhever@users.noreply.github.com> | 2024-04-28 09:44:07 +0000 |
commit | ce23345c5de784d0ebc9bdbbcc497f34ba3af065 (patch) | |
tree | fe983d1a0039e2e2ac9a7396ff1c0db28cb87628 /rules | |
parent | 3e1c8da3e97ae1eaf2bb37ad9ef7c96c318baae7 (diff) | |
download | rspamd-ce23345c5de784d0ebc9bdbbcc497f34ba3af065.tar.gz rspamd-ce23345c5de784d0ebc9bdbbcc497f34ba3af065.zip |
[Enhancement] Catch "Mail message body" Content-Description
This header frequently surfaces in spam, mostly advance fee fraud.
Diffstat (limited to 'rules')
-rw-r--r-- | rules/regexp/headers.lua | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/rules/regexp/headers.lua b/rules/regexp/headers.lua index f7e23501c..7397ed84b 100644 --- a/rules/regexp/headers.lua +++ b/rules/regexp/headers.lua @@ -910,6 +910,13 @@ reconf['HAS_CD_HEADER'] = { group = 'headers' } +reconf['CD_MM_BODY'] = { + re = 'Content-Description=/Mail message body/Hi', + description = 'Content-Description header reads "Mail message body", commonly seen in spam', + score = 2.0, + group = 'headers' +} + reconf['X_PHPOS_FAKE'] = { re = 'X-PHP-Originating-Script=/^\\d{7}:/Hi', description = 'Fake X-PHP-Originating-Script header', |