authorAndrew Lewis <nerf@judo.za.org>2016-10-03 12:53:51 +0200
committerAndrew Lewis <nerf@judo.za.org>2016-10-03 12:53:51 +0200
commite5dc36444ba6559c2efa5a58ab873b5961baf6a4 (patch)
tree500d0acfa1496ac2522c8b0a9f2982752a6205d1 /rules
parent7ef036b635bc528eee42eebb201242e526822e95 (diff)
downloadrspamd-e5dc36444ba6559c2efa5a58ab873b5961baf6a4.tar.gz
rspamd-e5dc36444ba6559c2efa5a58ab873b5961baf6a4.zip
[Feature] Rule to identify some X-PHP-Script forgeries
Diffstat (limited to 'rules')
-rw-r--r--rules/misc.lua18
1 files changed, 18 insertions, 0 deletions
diff --git a/rules/misc.lua b/rules/misc.lua
index 2a14a1493..fa06e142e 100644
--- a/rules/misc.lua
+++ b/rules/misc.lua
@@ -397,3 +397,21 @@ rspamd_config.MISSING_FROM = {
group = 'header',
description = 'Missing From: header'
}
+
+rspamd_config.FORGED_X_PHP_SCRIPT1 = {
+ callback = function (task)
+ local hdr = task:get_header('X-PHP-Script', true)
+ if not hdr then return end
+ local re_txt = ' for (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}), (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})'
+ local re = rspamd_regexp.get_cached(re_txt)
+ if not re then
+ re = rspamd_regexp.create_cached(re_txt)
+ end
+ local m = re:search(hdr, true, true)
+ if not m and m[2] and m[3] then return end
+ return m[2] == m[3]
+ end,
+ score = 4.0,
+ description = 'X-PHP-Script header appears forged',
+ group = 'header'
+}
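Review bot: The guard `if not m and m[2] and m[3] then return end` in the FORGED_X_PHP_SCRIPT1 callback does not protect the comparison that follows. `not m` binds tighter than `and`, so a nil result from `re:search` goes on to index `m[2]` on nil and raises an error, while a table result makes the condition always false and nothing is checked. X-PHP-Script is sender-controlled, so any message carrying that header without the ` for ip, ip` pattern would take the error path instead of returning cleanly; the guard should read `if not (m and m[2] and m[3]) then return end`. Separately, with the third `capture` argument set, `re:search` appears to return a list of matches that each hold their own captures, in which case the groups would be `m[1][2]` and `m[1][3]`; this is worth confirming against the rspamd_regexp documentation. A one-line comment above the callback would also help the next reader, e.g. `-- fires when both addresses listed after ' for ' are identical`.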