authorVsevolod Stakhov <vsevolod@highsecure.ru>2018-09-09 18:22:13 +0100
committerGitHub <noreply@github.com>2018-09-09 18:22:13 +0100
commit8128b539535d3c8df974ac2fee7d673f5d3c5502 (patch)
tree1a29c3f7e6e624a1a164ab7c0c4a7e3505c2b8d2
parentdf2b0f02b106497fc1c95669d2f2c6f2d6fccc62 (diff)
parent648c87a9354b4a25052681d7f787f43cc7ef9327 (diff)
Merge pull request #2474 from heraklit256/composites-1
some housekeeping of composite rulesets
-rw-r--r--conf/composites.conf11
1 files changed, 9 insertions, 2 deletions
diff --git a/conf/composites.conf b/conf/composites.conf
index 9c4bb7e12..b2b9f9d5e 100644
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -46,11 +46,13 @@ composites {
}
RBL_SPAMHAUS_XBL_ANY {
expression = "RBL_SPAMHAUS_XBL & RECEIVED_SPAMHAUS_XBL";
+ description = "Message was relayed through at least one hop listed in Spamhaus XBL";
}
AUTH_NA {
expression = "R_DKIM_NA & R_SPF_NA & DMARC_NA";
score = 1.0;
policy = "remove_weight";
+ description = "Authenticating message via SPF/DKIM/DMARC not possible";
}
DKIM_MIXED {
expression = "-R_DKIM_ALLOW & (R_DKIM_DNSFAIL | R_DKIM_PERMFAIL | R_DKIM_REJECT)"
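Review bot: The description added to RBL_SPAMHAUS_XBL_ANY does not match its expression, which is `RBL_SPAMHAUS_XBL & RECEIVED_SPAMHAUS_XBL` and so fires only when both symbols are present, not when "at least one hop" is listed. An operator reading the description in logs or the UI would expect an OR. Going by the symbol names, the rule seems to collapse a sender-IP hit and a Received-header hit into one symbol, so wording such as `description = "Both the sender IP and a Received hop are listed in Spamhaus XBL";` would be closer; please confirm against the RBL module configuration.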
@@ -66,7 +68,7 @@ composites {
expression = "MAILER_1C_8 & (FROM_EXCESS_BASE64 | MIME_BASE64_TEXT | SUBJ_EXCESS_BASE64 | TO_EXCESS_BASE64)";
}
HACKED_WP_PHISHING {
- expression = "HAS_X_POS & HAS_WP_URI & PHISHING";
+ expression = "(HAS_X_POS | HAS_PHPMAILER_SIG) & HAS_WP_URI & (PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK)";
description = "Phish message sent by hacked Wordpress instance";
policy = "leave";
}
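Review bot: HACKED_WP_PHISHING has no `score` in this block, and with `policy = "leave"` the constituent symbols keep their own weights, so unless a weight is assigned in a scores file outside this diff the widened rule only labels the message. A short comment above the expression, for example `# informational: weight comes from the phishing symbols themselves`, would make that intent explicit. The new `HAS_PHPMAILER_SIG` alternative presumably also matches mail from legitimate PHP applications, so the rule depends on the `HAS_WP_URI` and phishing-feed terms to stay specific; they should be kept if the expression is edited again.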
@@ -103,7 +105,7 @@ composites {
score = 1.0;
}
PHISH_EMOTION {
- expression = "(HACKED_WP_PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM)";
+ expression = "(PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM)";
description = "Phish message with subject trying to address users emotion";
score = 2.0;
}
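Review bot: PHISH_EMOTION sets no `policy`, so the default applies; as I understand rspamd's composite handling, the matched `PHISHING`/`DBL_PHISH`/`PHISHED_OPENPHISH`/`PHISHED_PHISHTANK` symbols are then removed with their weights and replaced by this composite's 2.0. If any of those feeds scores above 2.0 on its own (the scores are not visible in this diff), a question mark or exclamation mark in the subject would lower the total and hide which feed hit. Adding `policy = "leave";` here would keep the feed symbols and make the 2.0 additive. It would also match HACKED_WP_PHISHING in the previous hunk, which now uses the same four symbols with `policy = "leave"`. HAS_ANON_DOMAIN in the last hunk has the same issue: it is an OR over `URIBL_RED` and `DBL_ABUSE_REDIR` with `score = 0.5` and no policy.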
@@ -112,6 +114,11 @@ composites {
description = "Spammy message with detailled sender but generic recipient";
score = 0.5;
}
+ HAS_ANON_DOMAIN {
+ expression = "HAS_GUC_PROXY_URI | URIBL_RED | DBL_ABUSE_REDIR";
+ description = "Contains one or more domains trying to disguise owner/destination";
+ score = 0.5;
+ }
.include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/composites.conf"
.include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/composites.conf"