authortwesterhever <40121680+twesterhever@users.noreply.github.com>2024-11-04 11:49:34 +0000
committertwesterhever <40121680+twesterhever@users.noreply.github.com>2024-11-04 11:49:34 +0000
commit8c3f67a747221392680483b53f2bda27b30cb4b2 (patch)
tree0d538b922868520dafefc78466836a338287e359
parent80cb50dea482246656a49e54a915bdc343ffe897 (diff)
[Minor] Improve FREEMAIL_AFF catch rate
This "Mail message body" Content-Description header appears to be a common quirk of advance fee fraud e-mails leveraging freemail services.
-rw-r--r--conf/composites.conf2
1 files changed, 1 insertions, 1 deletions
diff --git a/conf/composites.conf b/conf/composites.conf
index 4fb97588f..c3669a675 100644
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -165,7 +165,7 @@ composites {
group = "scams";
}
FREEMAIL_AFF {
- expression = "(FREEMAIL_FROM | FREEMAIL_ENVFROM | FREEMAIL_REPLYTO | FREEMAIL_MDN) & (TO_DN_RECIPIENTS | R_UNDISC_RCPT) & (INTRODUCTION | FROM_NAME_HAS_TITLE | FREEMAIL_REPLYTO_NEQ_FROM_DOM | SUBJECT_HAS_CURRENCY)";
+ expression = "(FREEMAIL_FROM | FREEMAIL_ENVFROM | FREEMAIL_REPLYTO | FREEMAIL_MDN) & (TO_DN_RECIPIENTS | R_UNDISC_RCPT | CD_MM_BODY) & (INTRODUCTION | FROM_NAME_HAS_TITLE | FREEMAIL_REPLYTO_NEQ_FROM_DOM | SUBJECT_HAS_CURRENCY)";
score = 4.0;
policy = "leave";
description = "Message exhibits strong characteristics of advance fee fraud (AFF a/k/a '419' spam) involving freemail addresses";
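Review bot: `CD_MM_BODY` joins the second group of the expression next to `TO_DN_RECIPIENTS | R_UNDISC_RCPT`, both of which are recipient-header anomalies, so a freemail message with a single third-group hit such as `SUBJECT_HAS_CURRENCY` now reaches the 4.0 composite even when it is addressed to a normal, visible recipient. The commit message calls the header a common quirk of these mails, but nothing here shows how often legitimate freemail traffic carries it; some legitimate mail clients may emit the same Content-Description, so a false-positive check against a ham corpus is worth recording before this ships. Because `policy = "leave"` keeps the component symbols, whatever score `CD_MM_BODY` has on its own (its definition is outside this diff) is presumably added on top of the 4.0. I would at least add a comment above the expression, e.g. `# CD_MM_BODY: Content-Description "Mail message body", seen in AFF mail via freemail; accepted as an alternative to the recipient anomalies`. The `FREEMAIL_AFF` block closes outside the hunk.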