author | Steve Freegard <steve@stevefreegard.com> | 2017-03-23 22:01:19 +0000 |
---|---|---|
committer | Steve Freegard <steve@stevefreegard.com> | 2017-03-23 22:01:19 +0000 |
commit | 1205d530dd568af6c495c2669e86565219cd7195 (patch) | |
tree | f1cf73bb4e998a61d1fd04a4e03f93b817004d7e | |
parent | c53dd6be7203038a0be6e73f1eb4beeeecd65b91 (diff) | |
Updates to previous commit
-rw-r--r-- | conf/composites.conf | 6 | ||||
-rw-r--r-- | rules/misc.lua | 6 | ||||
-rw-r--r-- | rules/regexp/headers.lua | 8 |
3 files changed, 16 insertions, 4 deletions
diff --git a/conf/composites.conf b/conf/composites.conf
index 947fa7fbb..8a00b2fd1 100644
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -62,14 +62,16 @@ composites {
 policy = "leave";
 }
 COMPROMISED_ACCT_BULK {
- expression = "HAS_XOIP & DCC_BULK";
- description = "Likely to be from a compromised webmail account";
+ expression = "(HAS_XOIP | RCVD_FROM_SMTP_AUTH) & DCC_BULK";
+ description = "Likely to be from a compromised account";
 score = 3.0;
+ policy = "leave";
 }
 UNDISC_RCPTS_BULK {
 expression = "DCC_BULK & (MISSING_TO | R_UNDISC_RCPT)";
 description = "Missing or undisclosed recipients with a bulk signature";
 score = 3.0;
+ policy = "leave";
 }

 .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/composites.conf"
diff --git a/rules/misc.lua b/rules/misc.lua
index db754a98e..1e587d093 100644
--- a/rules/misc.lua
+++ b/rules/misc.lua
@@ -415,12 +415,14 @@ local check_from_display_name = rspamd_config:register_symbol{
 local parsed = util.parse_mail_address(from[1].name)
 if not parsed then return false end
 if not (parsed[1] and parsed[1]['addr']) then return false end
+ if parsed[1]['domain'] == nil or parsed[1]['domain'] == '' then return false end
 -- See if the parsed domains differ
 if not util.strequal_caseless(from[1]['domain'], parsed[1]['domain']) then
 -- See if the destination domain is the same as the spoof
 local to = task:get_recipients(2)
- -- Be careful with undisclosed-recipients:; as domain will be an empty string
- if not (to and to[1] and to[1]['domain'] and to[1]['domain'] ~= '') then
+ if not (to and to[1] and to[1]['domain']) then
+ -- Be careful with undisclosed-recipients:; as domain will be an empty string
+ if to[1]['domain'] == nil or to[1]['domain'] == '' then return false end
 task:insert_result('FROM_NEQ_DISPLAY_NAME', 1.0, from[1]['domain'], parsed[1]['domain'])
 return false
 end
diff --git a/rules/regexp/headers.lua b/rules/regexp/headers.lua
index af63d7131..c14dd3500 100644
--- a/rules/regexp/headers.lua
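Review bot: The new COMPROMISED_ACCT_BULK expression references `RCVD_FROM_SMTP_AUTH`, but the symbol this commit registers in rules/regexp/headers.lua is `RCVD_VIA_SMTP_AUTH`. Unless a symbol with the FROM spelling is defined somewhere outside this diff, that side of the OR can never be true, so the composite still fires only on HAS_XOIP and bulk mail sent over authenticated SMTP is not covered. The line should read `expression = "(HAS_XOIP | RCVD_VIA_SMTP_AUTH) & DCC_BULK";`, or the headers.lua symbol should be renamed to match.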
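Review bot: The added inner guard `if to[1]['domain'] == nil or to[1]['domain'] == '' then return false end` sits inside the branch taken when `to`, `to[1]` or `to[1]['domain']` is missing, so a message with no recipients indexes nil there and raises a Lua error instead of returning. When `to[1]` does exist the guard always returns, which leaves the `task:insert_result('FROM_NEQ_DISPLAY_NAME', ...)` call in this branch unreachable. An empty domain from `undisclosed-recipients:;` is a truthy string in Lua, so it no longer enters the branch at all and falls through to whatever comparison follows the hunk. Test the table before the field, e.g. `if not (to and to[1]) then return false end` followed by the nil-or-empty domain check, and decide explicitly whether FROM_NEQ_DISPLAY_NAME should still be inserted in that case. The callback starts and ends outside this hunk, so the code after the branch needs checking against the same inputs.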
+++ b/rules/regexp/headers.lua
@@ -905,3 +905,11 @@ reconf['HAS_XOIP'] = {
 score = 0.0,
 group = 'headers'
 }
+
+reconf['RCVD_VIA_SMTP_AUTH'] = {
+ re = "Received=/\\bE?SMTPS?A\\b/ || Received=/\\bauthenticated\\b/i",
+ description = "Recieved using SMTP AUTH",
+ score = 0,
+ group = 'headers'
+}
+
|
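Review bot: The `re` for RCVD_VIA_SMTP_AUTH has no comment noting that, as written, it is not restricted to the Received line added by a trusted relay. Those headers can be written by any upstream host or by the sender, so the symbol records a claim rather than an authentication the receiving side verified. A comment above the table such as `-- Matches any Received header, including ones added before a trusted relay; informational only (score 0)` would make that clear to anyone reusing the symbol in a composite. The description string also has a typo and should read `description = "Received using SMTP AUTH",`.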