From: Vsevolod Stakhov <vsevolod@highsecure.ru>
Date: Mon, 17 Jun 2019 16:57:21 +0000 (+0100)
Subject: [Rules] Add more detection to LEAKED_PASSWORD_SCAM
X-Git-Tag: 2.0~765
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=74889ceafbb4756dc331577db7864279f23fa64f;p=thirdparty%2Frspamd.git

[Rules] Add more detection to LEAKED_PASSWORD_SCAM
---

diff --git a/rules/regexp/misc.lua b/rules/regexp/misc.lua
index ece856c963..6b1f58a4b0 100644
--- a/rules/regexp/misc.lua
+++ b/rules/regexp/misc.lua
@@ -69,11 +69,13 @@ local btc_wallet_address = [[/^[13][1-9A-Za-z]{25,34}$/]]
 local wallet_word = [[/^wallet$/{words}]]
 local broken_unicode = [[has_flag(bad_unicode)]]
 local list_unsub = [[header_exists(List-Unsubscribe)]]
+local x_php_origin = [[header_exists(X-PHP-Originating-Script)]]
 
 reconf['LEAKED_PASSWORD_SCAM'] = {
-  re = string.format('%s{words} & (%s | %s | %s | %s | %s | %s | %s | lua:check_data_images)',
+  re = string.format('%s{words} & (%s | %s | %s | %s | %s | %s | %s | %s | %s)',
       btc_wallet_address, password_in_words, wallet_word,
-      my_victim, your_webcam, your_onan, broken_unicode, list_unsub),
+      my_victim, your_webcam, your_onan, broken_unicode, 'lua:check_data_images',
+      list_unsub, x_php_origin),
   description = 'Contains password word and BTC wallet address',
   functions = {
     check_data_images = function(task)