|
|
@@ -65,6 +65,14 @@ composites { |
|
|
|
expression = "-R_DKIM_ALLOW & (R_DKIM_TEMPFAIL | R_DKIM_PERMFAIL | R_DKIM_REJECT)" |
|
|
|
policy = "remove_weight"; |
|
|
|
} |
|
|
|
APPLE_MAILER_COMMON { |
|
|
|
description = "Message was sent by 'Apple Mail' and has common symbols in place"; |
|
|
|
expression = "APPLE_MAILER & MV_CASE"; |
|
|
|
} |
|
|
|
APPLE_IOS_MAILER_COMMON { |
|
|
|
description = "Message was sent by 'Apple iOS Mail' and has common symbols in place"; |
|
|
|
expression = "APPLE_IOS_MAILER & (MV_CASE | MIME_MA_MISSING_TEXT)"; |
|
|
|
} |
|
|
|
HACKED_WP_PHISHING { |
|
|
|
expression = "(HAS_X_POS | HAS_PHPMAILER_SIG) & HAS_WP_URI & (PHISHING | CRACKED_SURBL | PH_SURBL_MULTI | DBL_PHISH | DBL_ABUSE_PHISH | URIBL_BLACK | PHISHED_OPENPHISH | PHISHED_PHISHTANK)"; |
|
|
|
description = "Phish message sent by hacked Wordpress instance"; |
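Review bot: The new composites APPLE_MAILER_COMMON and APPLE_IOS_MAILER_COMMON set neither `policy` nor `score`, unlike the DKIM composite just above them, which states `policy = "remove_weight";`, so what happens to MV_CASE and MIME_MA_MISSING_TEXT on a match is left to the engine default. If the intent is to cancel those symbols for genuine Apple Mail traffic, state the policy explicitly (for example `policy = "remove_all";`, if that is the intended behaviour) and add a one-line comment saying why these symbols are expected from Apple clients. How APPLE_MAILER and APPLE_IOS_MAILER are derived is not visible in this hunk; if they rest only on sender-supplied headers, any sender can satisfy the composite and shed those symbols, so confirm that the weight removed is small or gate the composite on an authentication result. The enclosing `composites` block starts and ends outside this hunk.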