expression = "RECEIVED_PBL & -RCVD_VIA_SMTP_AUTH";
description = "Relayed through ZEN PBL IP without sufficient authentication (possible indicating an open relay)";
score = 2.0;
+ policy = "leave";
}
RCVD_DKIM_ARC_DNSWL_MED {
- expression = "(R_DKIM_ALLOW | ARC_ALLOW ) & RCVD_IN_DNSWL_MED";
+ expression = "(R_DKIM_ALLOW | ARC_ALLOW) & RCVD_IN_DNSWL_MED";
description = "Sufficiently DKIM/ARC signed and received from IP with medium trust at DNSWL";
- score = -1.5;
+ score = -0.5;
+ policy = "leave";
}
RCVD_DKIM_ARC_DNSWL_HI {
- expression = "(R_DKIM_ALLOW | ARC_ALLOW ) & RCVD_IN_DNSWL_HI";
+ expression = "(R_DKIM_ALLOW | ARC_ALLOW) & RCVD_IN_DNSWL_HI";
description = "Sufficiently DKIM/ARC signed and received from IP with high trust at DNSWL";
- score = -3.5;
+ score = -1.0;
+ policy = "leave";
}
+ AUTOGEN_PHP_SPAMMY {
+ expression = "(HAS_X_POS | HAS_PHPMAILER_SIG | HAS_X_PHP_SCRIPT) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM | MANY_INVISIBLE_PARTS)";
+ description = "Message was generated by PHP script and contains some spam indicators";
+ score = 1.0;
+ }
+ PHISH_EMOTION {
+ expression = "(PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM)";
+ description = "Phish message with subject trying to address users emotion";
+ score = 2.0;
+ }
+ HAS_ANON_DOMAIN {
+ expression = "HAS_GUC_PROXY_URI | URIBL_RED | DBL_ABUSE_REDIR";
+ description = "Contains one or more domains trying to disguise owner/destination";
+ score = 0.5;
+ }
.include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/composites.conf"
.include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/composites.conf"