commit b3d5173: [Minor] Make HAS_PHPMAILER_SIG regexps more specific
Anton Yuzhaninov
citrin+git at citrin.ru
Wed Apr 28 11:35:03 UTC 2021
Author: Anton Yuzhaninov
Date: 2021-04-27 16:23:44 +0100
URL: https://github.com/rspamd/rspamd/commit/b3d5173446073c34730db64360ca7454f42810a3
[Minor] Make HAS_PHPMAILER_SIG regexps more specific
Use stricter regexp to avoid false matches.
---
rules/regexp/compromised_hosts.lua | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/rules/regexp/compromised_hosts.lua b/rules/regexp/compromised_hosts.lua
index 6ad2e6b93..97d80853e 100644
--- a/rules/regexp/compromised_hosts.lua
+++ b/rules/regexp/compromised_hosts.lua
@@ -3,7 +3,13 @@ local rspamd_regexp = require 'rspamd_regexp'
local util = require 'rspamd_util'
reconf['HAS_PHPMAILER_SIG'] = {
- re = "X-Mailer=/^PHPMailer/Hi || Content-Type=/boundary=\"b[123]_/Hi",
+ -- PHPMailer 6.0.0 and older used hex hash in boundary:
+ -- boundary="b1_2a45d5e29f78d3408e318878b049f474"
+ -- Since 6.0.1 it uses base64 (without =+/):
+ -- boundary="b1_uBN0UPD3n6RU04VPxI54tENiDgaCGoh15l9s73oFnlM"
+ -- boundary="b1_Ez5tmpb4bSqknyUZ1B1hIvLAfR1MlspDEKGioCOXc"
+ -- https://github.com/PHPMailer/PHPMailer/blob/v6.4.0/src/PHPMailer.php#L2660
+ re = [[X-Mailer=/^PHPMailer /H || Content-Type=/boundary="b1_[0-9a-zA-Z]+"/H]],
description = "PHPMailer signature",
group = "compromised_hosts"
}
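Review bot: The boundary class `[0-9a-zA-Z]+` in the new `re` line has no length bound, so a token as short as `boundary="b1_a"` still sets HAS_PHPMAILER_SIG. The samples in the added comment are 32 hex characters and 41–43 base64 characters, so a bounded repeat would match the stated goal of fewer false matches more closely: `re = [[X-Mailer=/^PHPMailer /H || Content-Type=/boundary="b1_[0-9a-zA-Z]{32,43}"/H]],`. The range is inferred from those samples and should be checked against a corpus of real PHPMailer mail before it is tightened. Dropping the `i` flag and requiring the quoted form also assume that relays never re-case or unquote the parameter, which would be worth a one-line comment next to the pattern.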