[Minor] Improve catch rates of FREEMAIL_AFF

author twesterhever <40121680+twesterhever@users.noreply.github.com>

Wed, 2 Aug 2023 07:40:09 +0000 (07:40 +0000)

committer twesterhever <40121680+twesterhever@users.noreply.github.com>

Wed, 2 Aug 2023 07:40:09 +0000 (07:40 +0000)
author twesterhever <40121680+twesterhever@users.noreply.github.com>
Wed, 2 Aug 2023 07:40:09 +0000 (07:40 +0000)
committer twesterhever <40121680+twesterhever@users.noreply.github.com>
Wed, 2 Aug 2023 07:40:09 +0000 (07:40 +0000)
diff --git a/conf/composites.conf b/conf/composites.conf

index 00f46f96687747d973b100d92a7c8cb129a95041..bbfa7b179f5bf7dbadf19e36cddf5502416b8e2e 100644 (file)
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -149,7 +149,7 @@ composites {
      group = "scams";
    }
    FREEMAIL_AFF {
-    expression = "(FREEMAIL_FROM | FREEMAIL_ENVFROM | FREEMAIL_REPLYTO) & R_UNDISC_RCPT & (INTRODUCTION | FROM_NAME_HAS_TITLE | FREEMAIL_REPLYTO_NEQ_FROM_DOM)";
+    expression = "(FREEMAIL_FROM | FREEMAIL_ENVFROM | FREEMAIL_REPLYTO) & (TO_DN_RECIPIENTS | R_UNDISC_RCPT) & (INTRODUCTION | FROM_NAME_HAS_TITLE | FREEMAIL_REPLYTO_NEQ_FROM_DOM)";
      score = 4.0;
      policy = "leave";
      description = "Message exhibits strong characteristics of advance fee fraud (AFF a/k/a '419' spam) involving freemail addresses";
author	twesterhever <40121680+twesterhever@users.noreply.github.com>
	Wed, 2 Aug 2023 07:40:09 +0000 (07:40 +0000)
committer	twesterhever <40121680+twesterhever@users.noreply.github.com>
	Wed, 2 Aug 2023 07:40:09 +0000 (07:40 +0000)