add rule for spammy mails with detailled sender but generic recipients

diff --git a/conf/composites.conf b/conf/composites.conf
index 83ae88e47f34389746eed084268868be101f7e5e..9c4bb7e12bee0c3d873bcadfc862ee702b4318f9 100644 (file)
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -67,6 +67,7 @@ composites {
     }
     HACKED_WP_PHISHING {
         expression = "HAS_X_POS & HAS_WP_URI & PHISHING";
+        description = "Phish message sent by hacked Wordpress instance";
         policy = "leave";
     }
     COMPROMISED_ACCT_BULK {
@@ -106,6 +107,11 @@ composites {
         description = "Phish message with subject trying to address users emotion";
         score = 2.0;
     }
+    UNPRECISE_RCPT_DETAIL_FROM_SPAMMY {
+        expression = "TO_DN_NONE & FROM_HAS_DN & (REPLYTO_EQ_FROM | FREEMAIL_FROM | HAS_LIST_UNSUB)";
+        description = "Spammy message with detailled sender but generic recipient";
+        score = 0.5;
+    }
 
     .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/composites.conf"
     .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/composites.conf"