author | twesterhever <40121680+twesterhever@users.noreply.github.com> | 2023-06-02 10:19:30 +0000 |
---|---|---|
committer | twesterhever <40121680+twesterhever@users.noreply.github.com> | 2023-06-02 10:19:30 +0000 |
commit | 36e5821213fe56de6e8a196b40bf8fb46f0264f7 (patch) | |
tree | 37487262f14633de9f885f9e88db9ec7c408f39a | |
parent | eb001dce519558f4b14c6a0bd044f762ce804b09 (diff) | |
[Rules] Add thread hijacking composite rule
-rw-r--r-- | conf/composites.conf | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/conf/composites.conf b/conf/composites.conf
index 19a2187e6..7fe417668 100644
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -160,6 +160,13 @@ composites {
 policy = "leave";
 description = "Message only contains a redirector URL";
 }
+ THREAD_HIJACKING_FROM_INJECTOR {
+ expression = "FAKE_REPLY & RCVD_VIA_SMTP_AUTH & (!RECEIVED_SPAMHAUS_PBL | RECEIVED_SPAMHAUS_XBL | RECEIVED_SPAMHAUS_SBL)";
+ score = 2.0;
+ policy = "leave";
+ description = "Fake reply exhibiting characteristics of being injected into a compromised mail server, possibly e-mail thread hijacking";
+ group = "compromised_hosts";
+ }
 .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/composites.conf"
 .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/composites.conf" |
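Review bot: The `!RECEIVED_SPAMHAUS_PBL` term in the new `expression` is true whenever that symbol is simply absent, so the parenthesised clause also holds when the Spamhaus lookups were skipped, failed or are disabled, and the rule then reduces to `FAKE_REPLY & RCVD_VIA_SMTP_AUTH` with an extra 2.0 on top of the component scores kept by `policy = "leave"`. Because a negated RBL symbol cannot tell "not listed" from "not checked", it would help to state the intended reading next to the rule, for example `# PBL-only hops are treated as normal authenticated end users; fires when the hop is not on PBL, or is on XBL/SBL`. If the deployment's RBL configuration exposes a symbol for blocked or failed Spamhaus queries, excluding it in the expression would keep the rule from firing on missing data. The enclosing `composites` block starts and ends outside the hunk.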