Merge pull request #3733 from citrin/rules-updates

Rules updates

2 files changed, 9 insertions, 10 deletions

diff --git a/rules/headers_checks.lua b/rules/headers_checks.lua
index 79b8e5c2f..f0f64daff 100644
--- a/rules/headers_checks.lua
+++ b/rules/headers_checks.lua
@@ -576,15 +576,8 @@ rspamd_config.MISSING_FROM = {
 rspamd_config.MULTIPLE_FROM = {
   callback = function(task)
     local from = task:get_from('mime')
-    if from and from[1] then
-      if #from > 1 then
-        return true,1.0,table.concat(
-            fun.totable(
-                fun.map(function(a) return a.addr end,
-                    fun.filter(function(a) return a.addr and a.addr ~= '' end,
-                        from))),
-            ',')
-      end
+    if from and from[2] then
+      return true, 1.0, fun.totable(fun.map(function(a) return a.raw end, from))
     end
     return false
   end,
diff --git a/rules/regexp/compromised_hosts.lua b/rules/regexp/compromised_hosts.lua
index 6ad2e6b93..97d80853e 100644
--- a/rules/regexp/compromised_hosts.lua
+++ b/rules/regexp/compromised_hosts.lua
@@ -3,7 +3,13 @@ local rspamd_regexp = require 'rspamd_regexp'
 local util = require 'rspamd_util'
 
 reconf['HAS_PHPMAILER_SIG'] = {
-  re = "X-Mailer=/^PHPMailer/Hi || Content-Type=/boundary=\"b[123]_/Hi",
+  -- PHPMailer 6.0.0 and older used hex hash in boundary:
+  -- boundary="b1_2a45d5e29f78d3408e318878b049f474"
+  -- Since 6.0.1 it uses base64 (without =+/):
+  -- boundary="b1_uBN0UPD3n6RU04VPxI54tENiDgaCGoh15l9s73oFnlM"
+  -- boundary="b1_Ez5tmpb4bSqknyUZ1B1hIvLAfR1MlspDEKGioCOXc"
+  -- https://github.com/PHPMailer/PHPMailer/blob/v6.4.0/src/PHPMailer.php#L2660
+  re = [[X-Mailer=/^PHPMailer /H || Content-Type=/boundary="b1_[0-9a-zA-Z]+"/H]],
   description = "PHPMailer signature",
   group = "compromised_hosts"
 }