[Minor] Add some missing groups to existing composite rules

author twesterhever <40121680+twesterhever@users.noreply.github.com>

Tue, 9 Apr 2024 10:57:00 +0000 (10:57 +0000)

committer twesterhever <40121680+twesterhever@users.noreply.github.com>

Tue, 9 Apr 2024 10:57:00 +0000 (10:57 +0000)
author twesterhever <40121680+twesterhever@users.noreply.github.com>
Tue, 9 Apr 2024 10:57:00 +0000 (10:57 +0000)
committer twesterhever <40121680+twesterhever@users.noreply.github.com>
Tue, 9 Apr 2024 10:57:00 +0000 (10:57 +0000)
diff --git a/conf/composites.conf b/conf/composites.conf

index 41cd7749f5528ba2bfa9bfd5df038eb07380fe9e..2526e701bdb218683411ee47796d6343b81a72df 100644 (file)
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -83,12 +83,14 @@ composites {
      expression = "(HAS_X_POS | HAS_PHPMAILER_SIG) & HAS_WP_URI & (PHISHING | CRACKED_SURBL | PH_SURBL_MULTI | DBL_PHISH | DBL_ABUSE_PHISH | URIBL_BLACK | PHISHED_OPENPHISH | PHISHED_PHISHTANK)";
      description = "Phish message sent by hacked Wordpress instance";
      policy = "leave";
+    group = "compromised_hosts";
    }
    COMPROMISED_ACCT_BULK {
      expression = "(HAS_XOIP | RCVD_FROM_SMTP_AUTH) & DCC_BULK";
      description = "Likely to be from a compromised account";
      score = 3.0;
      policy = "leave";
+    group = "compromised_hosts";
    }
    UNDISC_RCPTS_BULK {
      expression = "DCC_BULK & (MISSING_TO | R_UNDISC_RCPT)";
@@ -167,6 +169,7 @@ composites {
      score = 4.0;
      policy = "leave";
      description = "Message exhibits strong characteristics of advance fee fraud (AFF a/k/a '419' spam) involving freemail addresses";
+    group = "scams";
    }
    REDIRECTOR_URL_ONLY {
      expression = "HFILTER_URL_ONLY & REDIRECTOR_URL";
author	twesterhever <40121680+twesterhever@users.noreply.github.com>
	Tue, 9 Apr 2024 10:57:00 +0000 (10:57 +0000)
committer	twesterhever <40121680+twesterhever@users.noreply.github.com>
	Tue, 9 Apr 2024 10:57:00 +0000 (10:57 +0000)