YANDEX_RU_MAILER_CTYPE_MIXED_BOGUS {
expression = "YANDEX_RU_MAILER & -HAS_ATTACHMENT & CTYPE_MIXED_BOGUS";
}
+ MAILER_1C_8_BASE64 {
+ expression = "MAILER_1C_8 & (FROM_EXCESS_BASE64 | MIME_BASE64_TEXT | SUBJ_EXCESS_BASE64 | TO_EXCESS_BASE64)";
+ }
HACKED_WP_PHISHING {
expression = "HAS_X_POS & HAS_WP_URI & PHISHING";
policy = "leave";
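Review bot: The new MAILER_1C_8_BASE64 composite depends on MAILER_1C_8, which the Lua hunk on this page matches from the X-Mailer header alone, and that header is whatever the sender chooses to write. No `policy` is set, so the composite presumably falls back to rspamd's default of removing the matched symbols and their weights, which means a forged X-Mailer value would be enough to drop the four base64 signals. If the aim is only to avoid penalising genuine 1C:Enterprise mail, state the intended `policy` explicitly, add a `description`, and consider also requiring a condition the sender cannot simply assert, such as a passing authentication symbol. At minimum add a comment such as `# X-Mailer is sender-controlled; keep this composite's score no lower than the base64 symbols it replaces`. The composite's score is not visible in this hunk, so the net effect on the total should be confirmed where it is defined.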
group = 'header'
}
+-- Detect 1C v8.2 and v8.3 mailers
+reconf['MAILER_1C_8'] = {
+ re = 'X-Mailer=/^1C:Enterprise 8\\.[23]$/H',
+ score = 0,
+ description = 'Sent with 1C:Enterprise 8',
+ group = 'header'
+}
+
-- Two received headers with ip addresses
local double_ip_spam_1 = 'Received=/from \\[\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\] by \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} with/H'
local double_ip_spam_2 = 'Received=/from\\s+\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\s+by\\s+\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3};/H'
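Review bot: The comment above `reconf['MAILER_1C_8']` says what is matched but not why the symbol has `score = 0`; it appears to exist only as an input to the MAILER_1C_8_BASE64 composite. I would record that at the definition, for example `-- Marker only (score 0): input to the MAILER_1C_8_BASE64 composite; X-Mailer is sender-supplied, so never give this symbol a negative score`. The pattern is anchored with `^` and `$`, so an X-Mailer value with any text after `8.2` or `8.3` will not match; if that strictness is deliberate, say so in the same comment.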