From 740443dc929af3e8b2c9612b5358abcdbc206b1c Mon Sep 17 00:00:00 2001
From: twesterhever <40121680+twesterhever@users.noreply.github.com>
Date: Sun, 9 Oct 2022 08:29:21 +0000
Subject: [PATCH] [Enhancement] Add composite rule against AFF involving
 freemailers

---
 conf/composites.conf | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/conf/composites.conf b/conf/composites.conf
index cd03d5fdd..fc5b7922d 100644
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -154,6 +154,13 @@ composites {
     score = 7.0;
     group = "scams";
   }
+  
+  FREEMAIL_AFF {
+	  expression = "(FREEMAIL_FROM | FREEMAIL_ENVFROM | FREEMAIL_REPLYTO) & R_UNDISC_RCPT & (INTRODUCTION | FROM_NAME_HAS_TITLE | FREEMAIL_REPLYTO_NEQ_FROM_DOM)";
+	  score = 4.0;
+	  policy = "leave";
+	  description = "Message exhibits strong characteristics of advance fee fraud (AFF a/k/a '419' spam) involving freemail addresses";
+  }
 
   .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/composites.conf"
   .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/composites.conf"
-- 
2.39.5