policy = "leave";
}
COMPROMISED_ACCT_BULK {
- expression = "HAS_XOIP & DCC_BULK";
- description = "Likely to be from a compromised webmail account";
+ expression = "(HAS_XOIP | RCVD_FROM_SMTP_AUTH) & DCC_BULK";
+ description = "Likely to be from a compromised account";
score = 3.0;
+ policy = "leave";
}
UNDISC_RCPTS_BULK {
expression = "DCC_BULK & (MISSING_TO | R_UNDISC_RCPT)";
description = "Missing or undisclosed recipients with a bulk signature";
score = 3.0;
+ policy = "leave";
}
.include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/composites.conf"
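Review bot: The new expression on the `+ expression` line references `RCVD_FROM_SMTP_AUTH`, but the regexp rule added further down in this commit is registered as `RCVD_VIA_SMTP_AUTH`; unless a symbol with the former name is defined somewhere not shown here, the SMTP-AUTH half of the composite can never fire and COMPROMISED_ACCT_BULK silently keeps its old HAS_XOIP-only behaviour. The rule definition hunk below has the same naming mismatch from the other side. The one-line fix is `expression = "(HAS_XOIP | RCVD_VIA_SMTP_AUTH) & DCC_BULK";` (or renaming the regexp rule to match).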
local parsed = util.parse_mail_address(from[1].name)
if not parsed then return false end
if not (parsed[1] and parsed[1]['addr']) then return false end
+ if parsed[1]['domain'] == nil or parsed[1]['domain'] == '' then return false end
-- See if the parsed domains differ
if not util.strequal_caseless(from[1]['domain'], parsed[1]['domain']) then
-- See if the destination domain is the same as the spoof
local to = task:get_recipients(2)
- -- Be careful with undisclosed-recipients:; as domain will be an empty string
- if not (to and to[1] and to[1]['domain'] and to[1]['domain'] ~= '') then
+ if not (to and to[1] and to[1]['domain']) then
+ -- Be careful with undisclosed-recipients:; as domain will be an empty string
+ if to[1]['domain'] == nil or to[1]['domain'] == '' then return false end
task:insert_result('FROM_NEQ_DISPLAY_NAME', 1.0, from[1]['domain'], parsed[1]['domain'])
return false
end
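Review bot: The rewritten guard at `if not (to and to[1] and to[1]['domain']) then` enters its body when `to` or `to[1]` is nil, and the next added line then evaluates `to[1]['domain']`, which raises "attempt to index a nil value" for a message with no recipients. The empty-string case the moved comment talks about is also no longer handled: `''` is truthy in Lua, so an undisclosed-recipients message skips the outer `if` entirely and the inner `== ''` test is unreachable, while the `insert_result` on the following line is only reached when the domain is nil, which the inner check already returned on. If, as the added `return false` suggests, the intent is to not score when no usable recipient domain is available, the whole branch reduces to the original guard with a bare return: `if not (to and to[1] and to[1]['domain'] and to[1]['domain'] ~= '') then return false end`. The enclosing callback starts before and ends after this hunk, so the later use of `to[1]['domain']` that this guard protects is not visible here.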
score = 0.0,
group = 'headers'
}
+
+reconf['RCVD_VIA_SMTP_AUTH'] = {
+ re = "Received=/\\bE?SMTPS?A\\b/ || Received=/\\bauthenticated\\b/i",
+ description = "Recieved using SMTP AUTH",
+ score = 0,
+ group = 'headers'
+}
+
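Review bot: The `description` of the new `RCVD_VIA_SMTP_AUTH` rule misspells the header name; it should read `description = "Received using SMTP AUTH",`. Note also that the composite in composites.conf spells the symbol `RCVD_FROM_SMTP_AUTH`, so one of the two names needs to change for the composite to see this rule. Since Received headers below the local MTA's own are written by the sending side, a match here is only a hint rather than proof of authentication, which makes the `score = 0` and use-via-composite approach the right shape for this signal.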