improve composite rules for phish messages

diff --git a/conf/composites.conf b/conf/composites.conf
index 24f198aacb2ccdf4f22ef55a2d5b5b5e1c0b2099..12f44599054ba2f888cdc274b97066143fba4c7f 100644 (file)
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -68,7 +68,7 @@ composites {
         expression = "MAILER_1C_8 & (FROM_EXCESS_BASE64 | MIME_BASE64_TEXT | SUBJ_EXCESS_BASE64 | TO_EXCESS_BASE64)";
     }
     HACKED_WP_PHISHING {
-        expression = "HAS_X_POS & HAS_WP_URI & PHISHING";
+        expression = "(HAS_X_POS | HAS_PHPMAILER_SIG) & HAS_WP_URI & (PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK)";
         description = "Phish message sent by hacked Wordpress instance";
         policy = "leave";
     }
@@ -105,7 +105,7 @@ composites {
         score = 1.0;
     }
     PHISH_EMOTION {
-        expression = "(HACKED_WP_PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM)";
+        expression = "(PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM)";
         description = "Phish message with subject trying to address users emotion";
         score = 2.0;
     }