From: Andrew Lewis
Date: Mon, 3 Oct 2016 10:53:51 +0000 (+0200)
Subject: [Feature] Rule to identify some X-PHP-Script forgeries
X-Git-Tag: 1.4.0~331^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F999%2Fhead;p=thirdparty%2Frspamd.git
[Feature] Rule to identify some X-PHP-Script forgeries
---
diff --git a/rules/misc.lua b/rules/misc.lua
index 2a14a14938..fa06e142e2 100644
--- a/rules/misc.lua
+++ b/rules/misc.lua
@@ -397,3 +397,21 @@ rspamd_config.MISSING_FROM = {
 group = 'header',
 description = 'Missing From: header'
 }
+
+rspamd_config.FORGED_X_PHP_SCRIPT1 = {
+ callback = function (task)
+ local hdr = task:get_header('X-PHP-Script', true)
+ if not hdr then return end
+ local re_txt = ' for (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}), (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})'
+ local re = rspamd_regexp.get_cached(re_txt)
+ if not re then
+ re = rspamd_regexp.create_cached(re_txt)
+ end
+ local m = re:search(hdr, true, true)
+ if not m and m[2] and m[3] then return end
+ return m[2] == m[3]
+ end,
+ score = 4.0,
+ description = 'X-PHP-Script header appears forged',
+ group = 'header'
+}
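Review bot: The guard `if not m and m[2] and m[3] then return end` indexes `m` exactly when it is nil, because `not` binds tighter than `and`; a header that does not match the pattern raises an index-nil error instead of returning, and a successful match never takes the early return. X-PHP-Script is sender-controlled, so any message carrying the header without the ` for ip, ip` form would land on that error path rather than a clean "no match"; the intended check is presumably `if not (m and m[2] and m[3]) then return end`. It is also worth confirming what `re:search(hdr, true, true)` returns: if capture mode yields one table per match, the groups would sit at `m[1][2]` and `m[1][3]`, and `m[2] == m[3]` would compare two nils as equal and fire on every single match.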