commit 7c00342: [Rules] Extend FORGED_X_MAILER
Anton Yuzhaninov
citrin+git at citrin.ru
Sun May 23 20:56:03 UTC 2021
Author: Anton Yuzhaninov
Date: 2021-05-22 15:13:08 +0100
URL: https://github.com/rspamd/rspamd/commit/7c00342f851748426b799493e9f0f310d7ec2515
[Rules] Extend FORGED_X_MAILER
Match in FORGED_X_MAILER a fake iPhone Mail header that has a random string in
place of the iOS build number, e.g. iPhone Mail (WKN0M)
---
rules/regexp/headers.lua | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/rules/regexp/headers.lua b/rules/regexp/headers.lua
index a9ab6c975..26762b06e 100644
--- a/rules/regexp/headers.lua
+++ b/rules/regexp/headers.lua
@@ -983,14 +983,21 @@ local bad_x_mailers = {
-- Mozilla Thunderbird 1.0.2 (Windows/20050317)
-- Thunderbird 2.0.0.23 (X11/20090812)
[[(?:Mozilla )?Thunderbird \d]],
- -- Was used by Yahoo Groups in 2000s
+ -- Was used by Yahoo Groups in 2000s, no one expected to use this in 2020s
[[eGroups Message Poster]],
+ -- Regexp for genuene iOS X-Mailer is below, anything which doesn't match it,
+ -- but starts with 'iPhone Mail' or 'iPad Mail' is likely fake
+ [[i(?:Phone|Pad) Mail]],
}
+-- Apple iPhone/iPad Mail X-Mailer contains iOS build number, e. g. 9B206, 16H5, 18G5023c
+-- https://en.wikipedia.org/wiki/IOS_version_history
+local apple_ios_x_mailer = [[i(?:Phone|Pad) Mail \((?:1[AC]|[34][AB]|5[ABCFGH]|7[A-E]|8[ABCEFGHJKL]|9[AB]|\d{2}[A-Z])\d+[a-z]?\)]]
reconf['FORGED_X_MAILER'] = {
description = 'Forged X-Mailer header',
- re = string.format('X-Mailer=/^(?:%s)/{header}', table.concat(bad_x_mailers, '|')),
- score = 4.0,
+ re = string.format('X-Mailer=/^(?:%s)/{header} && !X-Mailer=/^%s/{header}',
+ table.concat(bad_x_mailers, '|'), apple_ios_x_mailer),
+ score = 4.5,
group = 'headers',
}
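Review bot: The exemption added to `re` anchors the genuine-build pattern only at the start (`!X-Mailer=/^%s/{header}`), so a value that opens with a well-formed build number and continues with arbitrary text is still treated as genuine and escapes FORGED_X_MAILER. If real iOS clients never emit anything after the closing parenthesis (not visible here, worth checking against mail samples), closing the anchor as `!X-Mailer=/^%s$/{header}` would tighten the rule. The generic `\d{2}[A-Z]\d+[a-z]?` branch accepts any two-digit prefix and any letter, so the rule only catches strings that do not look like a build number at all. Since the score also rises to 4.5, a comment beside `apple_ios_x_mailer` such as `-- Shape check only: any NNX123-style value passes, not just real builds` would record that limit. The new comment inside `bad_x_mailers` (a table that starts outside this hunk) misspells "genuine" as "genuene".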