authortwesterhever <40121680+twesterhever@users.noreply.github.com>2024-04-28 09:44:07 +0000
committertwesterhever <40121680+twesterhever@users.noreply.github.com>2024-04-28 09:44:07 +0000
commitce23345c5de784d0ebc9bdbbcc497f34ba3af065 (patch)
treefe983d1a0039e2e2ac9a7396ff1c0db28cb87628 /rules
parent3e1c8da3e97ae1eaf2bb37ad9ef7c96c318baae7 (diff)
[Enhancement] Catch "Mail message body" Content-Description
This header frequently surfaces in spam, mostly advance fee fraud.
Diffstat (limited to 'rules')
-rw-r--r--rules/regexp/headers.lua7
1 files changed, 7 insertions, 0 deletions
diff --git a/rules/regexp/headers.lua b/rules/regexp/headers.lua
index f7e23501c..7397ed84b 100644
--- a/rules/regexp/headers.lua
+++ b/rules/regexp/headers.lua
@@ -910,6 +910,13 @@ reconf['HAS_CD_HEADER'] = {
group = 'headers'
}
+reconf['CD_MM_BODY'] = {
+ re = 'Content-Description=/Mail message body/Hi',
+ description = 'Content-Description header reads "Mail message body", commonly seen in spam',
+ score = 2.0,
+ group = 'headers'
+}
+
reconf['X_PHPOS_FAKE'] = {
re = 'X-PHP-Originating-Script=/^\\d{7}:/Hi',
description = 'Fake X-PHP-Originating-Script header',
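Review bot: The pattern in `CD_MM_BODY` is unanchored, so it fires on any Content-Description that merely contains "Mail message body", while the description string says the header reads exactly that. At a score of 2.0, a substring hit on a longer legitimate description would be a costly false positive. Anchoring it the way the neighbouring `X_PHPOS_FAKE` rule does would make the match agree with the description: `re = 'Content-Description=/^Mail message body$/Hi',`. If trailing whitespace or folded values turn up in real samples, the anchored form needs checking against a ham and spam corpus before the score is kept at 2.0. The added table is complete within the hunk; only the surrounding `HAS_CD_HEADER` and `X_PHPOS_FAKE` tables are cut off.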