[Feature] Rule to identify some X-PHP-Script forgeries 999/head
authorAndrew Lewis <nerf@judo.za.org>
Mon, 3 Oct 2016 10:53:51 +0000 (12:53 +0200)
committerAndrew Lewis <nerf@judo.za.org>
Mon, 3 Oct 2016 10:53:51 +0000 (12:53 +0200)
rules/misc.lua

index 2a14a14938e258e7a1f1c366b015fe0fb529ede5..fa06e142e27578c73c681cc30829840113fc262e 100644 (file)
@@ -397,3 +397,21 @@ rspamd_config.MISSING_FROM = {
     group = 'header',
     description = 'Missing From: header'
 }
+
+rspamd_config.FORGED_X_PHP_SCRIPT1 = {
+  callback = function (task)
+    local hdr = task:get_header('X-PHP-Script', true)
+    if not hdr then return end
+    local re_txt = ' for (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}), (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})'
+    local re = rspamd_regexp.get_cached(re_txt)
+    if not re then
+      re = rspamd_regexp.create_cached(re_txt)
+    end
+    local m = re:search(hdr, true, true)
+    if not m and m[2] and m[3] then return end
+    return m[2] == m[3]
+  end,
+  score = 4.0,
+  description = 'X-PHP-Script header appears forged',
+  group = 'header'
+}
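Review bot: The guard `if not m and m[2] and m[3] then return end` in the FORGED_X_PHP_SCRIPT1 callback parses as `(not m) and m[2] and m[3]`. When `re:search` finds nothing, `m` is nil and `m[2]` raises an error instead of returning. When it does match, the guard is skipped entirely. The X-PHP-Script value is sender-controlled, so any message carrying that header without the ` for IP, IP` pattern would hit the error path. The intended check looks like `if not (m and m[2] and m[3]) then return end`. Separately, with the capture flag set I believe `re:search` returns a list of matches, each holding its own capture table, so the comparison may need to be `m[1][2] == m[1][3]`; please confirm this against the rspamd_regexp documentation.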