From: twesterhever <40121680+twesterhever@users.noreply.github.com>
Date: Mon, 4 Nov 2024 11:59:22 +0000 (+0000)
Subject: [Minor] Add "User" HELO in Received headers to ABUSE_FROM_INJECTOR
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=refs%2Fpull%2F5209%2Fhead;p=rspamd.git

[Minor] Add "User" HELO in Received headers to ABUSE_FROM_INJECTOR

This pattern often surfaces in spam (frequently advance fee fraud)
disseminated via compromised accounts, adding it to ABUSE_FROM_INJECTOR
to increase the likelihood of such spam getting rejected.
---

diff --git a/conf/composites.conf b/conf/composites.conf
index 4fb97588f..5a3585e10 100644
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -191,7 +191,7 @@ composites {
     description = "Message authenticated, but from a suspicios origin (potentially an injector)";
   }
   ABUSE_FROM_INJECTOR {
-    expression = "SUSPICIOUS_AUTH_ORIGIN & (FAKE_REPLY | HAS_IPFS_GATEWAY_URL | HTML_SHORT_LINK_IMG_1)";
+    expression = "SUSPICIOUS_AUTH_ORIGIN & (RCVD_HELO_USER | FAKE_REPLY | HAS_IPFS_GATEWAY_URL | HTML_SHORT_LINK_IMG_1)";
     score = 2.0;
     policy = "leave";
     description = "Message is sent from a suspicios origin and showing signs of abuse, likely spam injected in compromised account";