From: Andrew Lewis <nerf@judo.za.org>
Date: Wed, 9 Nov 2016 13:20:34 +0000 (+0200)
Subject: [Feature] Rule to detect some obvious X-PHP-Originating-Script forgeries
X-Git-Tag: 1.4.0~97^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F1114%2Fhead;p=thirdparty%2Frspamd.git

[Feature] Rule to detect some obvious X-PHP-Originating-Script forgeries
---

diff --git a/rules/regexp/headers.lua b/rules/regexp/headers.lua
index 6b43c2f059..56f7106500 100644
--- a/rules/regexp/headers.lua
+++ b/rules/regexp/headers.lua
@@ -790,6 +790,13 @@ reconf['X_PHP_EVAL'] = {
   group = 'header'
 }
 
+reconf['X_PHP_FORGED_0X'] = {
+  re = "X-PHP-Originating-Script=/^0\\d/X",
+  score = 4.0,
+  description = "X-PHP-Originating-Script header appears forged",
+  group = 'header'
+}
+
 reconf['GOOGLE_FORWARDING_MID_MISSING'] = {
   re = "Message-ID=/SMTPIN_ADDED_MISSING\\@mx\\.google\\.com>$/X",
   score = 2.5,