From 5afbc581faa36f8a0640d11d11941c03d1f97393 Mon Sep 17 00:00:00 2001
From: heraklit256 <37872459+heraklit256@users.noreply.github.com#>
Date: Sat, 8 Sep 2018 12:30:05 +0200
Subject: [PATCH] add rule for spammy mails with detailled sender but generic recipients

---
 conf/composites.conf | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/conf/composites.conf b/conf/composites.conf
index 83ae88e47..9c4bb7e12 100644
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -67,6 +67,7 @@ composites {
  }
  HACKED_WP_PHISHING {
  expression = "HAS_X_POS & HAS_WP_URI & PHISHING";
+ description = "Phish message sent by hacked Wordpress instance";
  policy = "leave";
  }
  COMPROMISED_ACCT_BULK {
@@ -106,6 +107,11 @@ composites {
  description = "Phish message with subject trying to address users emotion";
  score = 2.0;
  }
+ UNPRECISE_RCPT_DETAIL_FROM_SPAMMY {
+ expression = "TO_DN_NONE & FROM_HAS_DN & (REPLYTO_EQ_FROM | FREEMAIL_FROM | HAS_LIST_UNSUB)";
+ description = "Spammy message with detailled sender but generic recipient";
+ score = 0.5;
+ }
 
  .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/composites.conf"
  .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/composites.conf"
-- 
2.39.5
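Review bot: The new UNPRECISE_RCPT_DETAIL_FROM_SPAMMY composite in the second hunk sets no `policy`, so when it fires, rspamd's default composite handling should remove the matched atoms (TO_DN_NONE, FROM_HAS_DN and whichever of REPLYTO_EQ_FROM, FREEMAIL_FROM or HAS_LIST_UNSUB matched) and their weights from the result. That hides header evidence an analyst would want in the scan log; adding `policy = "leave";` as HACKED_WP_PHISHING does in the first hunk keeps it visible. The `HAS_LIST_UNSUB` branch also looks likely to match ordinary opted-in newsletters sent to a bare address with no display name, so the 0.5 score is worth checking against a ham corpus before this ships as a default. A smaller point: the description string would read better as `"Spammy message with detailed sender but generic recipient"`.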