From: heraklit256 <37872459+heraklit256@users.noreply.github.com#>
Date: Sun, 9 Sep 2018 16:21:12 +0000 (+0200)
Subject: improve composite rules for phish messages
X-Git-Tag: 1.8.0~156^2~1
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=04b52561b0cf2545e40e7a87c330cd2c088063ac;p=rspamd.git

improve composite rules for phish messages
---
diff --git a/conf/composites.conf b/conf/composites.conf
index 24f198aac..12f445990 100644
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -68,7 +68,7 @@ composites {
 expression = "MAILER_1C_8 & (FROM_EXCESS_BASE64 | MIME_BASE64_TEXT | SUBJ_EXCESS_BASE64 | TO_EXCESS_BASE64)";
 }
 HACKED_WP_PHISHING {
- expression = "HAS_X_POS & HAS_WP_URI & PHISHING";
+ expression = "(HAS_X_POS | HAS_PHPMAILER_SIG) & HAS_WP_URI & (PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK)";
 description = "Phish message sent by hacked Wordpress instance";
 policy = "leave";
 }
@@ -105,7 +105,7 @@ composites {
 score = 1.0;
 }
 PHISH_EMOTION {
- expression = "(HACKED_WP_PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM)";
+ expression = "(PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM)";
 description = "Phish message with subject trying to address users emotion";
 score = 2.0;
 }
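Review bot: The alternation `(PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK)` in HACKED_WP_PHISHING is repeated verbatim in PHISH_EMOTION in the second hunk, so a phishing symbol added later has to be edited in two places. A short comment above the expression would help, for example `# keep the phishing-signal list in sync with PHISH_EMOTION`, plus one line on why `HAS_PHPMAILER_SIG` is accepted as an alternative to `HAS_X_POS`. The block shows no `score` key in this hunk; presumably the weight is defined elsewhere, which is worth confirming, because with `policy = "leave"` and no score the composite would only act as a marker.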
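Review bot: The PHISH_EMOTION block, which opens and closes inside this hunk, sets `score = 2.0` but no `policy`, so it appears to fall back to rspamd's default composite policy of removing the matched symbols together with their weights. With `PHISHING` now listed directly, a match could replace that symbol, and the `DBL_PHISH`, `PHISHED_OPENPHISH` and `PHISHED_PHISHTANK` hits, with the composite's 2.0, lowering the total for exactly the messages this rule targets. If the intent is to add weight on top of the phishing hits, add `policy = "leave";` as HACKED_WP_PHISHING does in the first hunk. It is also worth confirming how removal resolves when both composites match the same symbol, since one asks to leave it and the other, by default, does not.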