New rules
authorSteve Freegard <steve@stevefreegard.com>
Thu, 23 Mar 2017 21:27:02 +0000 (21:27 +0000)
committerSteve Freegard <steve@stevefreegard.com>
Thu, 23 Mar 2017 21:27:02 +0000 (21:27 +0000)
conf/composites.conf
rules/misc.lua
rules/regexp/headers.lua
rules/regexp/misc.lua

index 9565ae4894054848662b43dda23410b77983b1b0..947fa7fbbee11e347ba200d9acfb12b802a9c7bc 100644 (file)
@@ -61,6 +61,16 @@ composites {
         expression = "HAS_X_POS & HAS_WP_URI & PHISHING";
         policy = "leave";
     }
+    COMPROMISED_ACCT_BULK {
+        expression = "HAS_XOIP & DCC_BULK";
+        description = "Likely to be from a compromised webmail account";
+        score = 3.0;
+    }
+    UNDISC_RCPTS_BULK {
+        expression = "DCC_BULK & (MISSING_TO | R_UNDISC_RCPT)";
+        description = "Missing or undisclosed recipients with a bulk signature";
+        score = 3.0;
+    }
 
     .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/composites.conf"
     .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/composites.conf"
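Review bot: COMPROMISED_ACCT_BULK at the top of the hunk treats the presence of X-Originating-IP as evidence of a webmail account, but HAS_XOIP (added in rules/regexp/headers.lua in this commit) only tests that the header exists, and that header is inserted by the sending side and can be added or copied by any sender, so the composite is only as strong as DCC_BULK on its own. A short comment above the composite would help whoever tunes the score later, e.g. `# HAS_XOIP is presence-only; X-Originating-IP is sender-controlled and forgeable`. Both new composites also omit the `policy` option that the preceding composite sets explicitly, so they fall back to the default composite policy for their constituent symbols; if DCC_BULK's own score is meant to stay visible when these fire, that should be stated with an explicit `policy`.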
index e289215c97f3ed9fd66887a518abbdb126ad3274..db754a98ef6e111613c6d2b6f0dfabb3052012de 100644 (file)
@@ -406,7 +406,8 @@ rspamd_config:register_symbol{
   score = 0,
 }
 
-rspamd_config.SPOOF_DISPLAY_NAME = {
+local check_from_display_name = rspamd_config:register_symbol{
+  name = 'CHECK_FROM_SPOOF',
   callback = function (task)
     local from = task:get_from(2)
     if not (from and from[1] and from[1].name) then return false end
@@ -420,16 +421,32 @@ rspamd_config.SPOOF_DISPLAY_NAME = {
       local to = task:get_recipients(2)
       -- Be careful with undisclosed-recipients:; as domain will be an empty string
       if not (to and to[1] and to[1]['domain'] and to[1]['domain'] ~= '') then
+        task:insert_result('FROM_NEQ_DISPLAY_NAME', 1.0, from[1]['domain'], parsed[1]['domain'])
         return false
       end
       if util.strequal_caseless(to[1]['domain'], parsed[1]['domain']) then
-          return true,from[1]['domain'],parsed[1]['domain']
+        task:insert_result('SPOOF_DISPLAY_NAME', 1.0, from[1]['domain'], parsed[1]['domain'])
+        return false
       end
     end
     return false
   end,
+}
+
+rspamd_config:register_symbol{
+  type = 'virtual',
+  parent = check_from_display_name,
+  name = 'SPOOF_DISPLAY_NAME',
   description = 'Display name is being used to spoof and trick the recipient',
-  score = 8.0
+  score = 8,
+}
+
+rspamd_config:register_symbol{
+  type = 'virtual',
+  parent = check_from_display_name,
+  name = 'FROM_NEQ_DISPLAY_NAME',
+  description = 'Display name contains an email address different to the From address',
+  score = 4,
 }
 
 rspamd_config.SPOOF_REPLYTO = {
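Review bot: FROM_NEQ_DISPLAY_NAME is inserted only in the missing-recipient branch (the new line after `if not (to and to[1] ...`), so when the message has a recipient whose domain does not match the address found in the display name, control falls through to the final `return false` and neither symbol fires, which contradicts the symbol's description "Display name contains an email address different to the From address". If the symbol is meant to cover every mismatch, the `strequal_caseless` block needs an else branch: `else` / `task:insert_result('FROM_NEQ_DISPLAY_NAME', 1.0, from[1]['domain'], parsed[1]['domain'])` before its `end`. The callback starts in the previous hunk and the lines that derive `parsed` lie outside both hunks, so I cannot confirm whether an earlier exit already guarantees the domains differ. Also, the parent symbol CHECK_FROM_SPOOF is registered without a `description` or `group`; a one-line comment above it such as `-- Never scores itself; only drives the SPOOF_DISPLAY_NAME / FROM_NEQ_DISPLAY_NAME virtual symbols` would make the split obvious to the next reader.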
index f58feeaf848f1b7e358d4a49310043e99bfcccfa..af63d7131ad6231e0fed6cfddb596f4bf1f5b489 100644 (file)
@@ -899,3 +899,9 @@ reconf['X_PHPOS_FAKE'] = {
   group = 'headers'
 }
 
+reconf['HAS_XOIP'] = {
+  re = "header_exists('X-Originating-IP')",
+  description = "Has X-Originating-IP header",
+  score = 0.0,
+  group = 'headers'
+}
index 2fc194965da77aca1317a2c0a6502e1616403467..5f5b437b626bbc24abfc2814ae77901506710031 100644 (file)
@@ -40,3 +40,10 @@ reconf['DATA_URI_OBFU'] = {
   score = 2.0
 }
 
+reconf['INTRODUCTION'] = {
+  re = '/\\b(?:my name is\\b|(?:i am|this is)\\s+(?:mr|mrs|ms|miss|master|sir|prof(?:essor)?|d(?:octo)?r|rev(?:erend)?)(\.|\\b))/{sa_body}i',
+  description = "Sender introduces themselves",
+  score = 2.0,
+  group = 'scams'
+}
+
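Review bot: The regexp on the `re =` line contains `\.` inside a single-quoted Lua string while every other backslash on that line is doubled (`\\b`, `\\s`); `\.` is not a valid Lua escape, so on Lua 5.2+ the file fails to load with an "invalid escape sequence" error, and on Lua 5.1/LuaJIT it is silently reduced to a bare `.`, which makes the alternative match any character instead of a literal period and turns `(\.|\\b)` into an effective wildcard. The fix is to double the escape: `(\\.|\\b)`. A brief comment above the rule, e.g. `-- pattern is a Lua string: every regexp backslash must be written as \\`, would prevent the same slip in future rules in this file.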