From cb3bbb54eadf5e4148ffdad856ba4961c8a78118 Mon Sep 17 00:00:00 2001
From: twesterhever <40121680+twesterhever@users.noreply.github.com>
Date: Mon, 4 Nov 2024 11:59:22 +0000
Subject: [PATCH] [Minor] Add "User" HELO in Received headers to ABUSE_FROM_INJECTOR

This pattern often surfaces in spam (frequently advance fee fraud) disseminated via compromised accounts, adding it to ABUSE_FROM_INJECTOR to increase the likelihood of such spam getting rejected.
---
 conf/composites.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/conf/composites.conf b/conf/composites.conf
index 4fb97588f..5a3585e10 100644
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -191,7 +191,7 @@ composites {
 description = "Message authenticated, but from a suspicios origin (potentially an injector)";
 }
 ABUSE_FROM_INJECTOR {
- expression = "SUSPICIOUS_AUTH_ORIGIN & (FAKE_REPLY | HAS_IPFS_GATEWAY_URL | HTML_SHORT_LINK_IMG_1)";
+ expression = "SUSPICIOUS_AUTH_ORIGIN & (RCVD_HELO_USER | FAKE_REPLY | HAS_IPFS_GATEWAY_URL | HTML_SHORT_LINK_IMG_1)";
 score = 2.0;
 policy = "leave";
 description = "Message is sent from a suspicios origin and showing signs of abuse, likely spam injected in compromised account";
-- 
2.39.5
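Review bot: The added `RCVD_HELO_USER` alternative in the `ABUSE_FROM_INJECTOR` expression is, judging by its name, a trait of the submitting client's Received header rather than of the message itself, and the file gives no hint of why it is trusted as an abuse signal here. Since the composite keeps `policy = "leave"`, a hit presumably retains the symbol's own score and adds 2.0 on top, so a legitimate authenticated client that announces itself as "User" would be scored twice; checking the rule against ham from real submission clients before release would show whether that matters. I would record the rationale above the expression, e.g. `# RCVD_HELO_USER: "User" HELO often seen in spam sent through compromised accounts; its score stacks with this one (policy "leave")`. The diffstat lists only conf/composites.conf, so no test accompanies the change, and the ABUSE_FROM_INJECTOR block closes outside the hunk.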