author | twesterhever <40121680+twesterhever@users.noreply.github.com> | 2024-04-09 10:55:24 +0000 |
---|---|---|
committer | twesterhever <40121680+twesterhever@users.noreply.github.com> | 2024-04-09 10:55:24 +0000 |
commit | 285e588f92d05d12d44deb2e664baf354876e60a (patch) | |
tree | e008d5778031aef301975f5766e360eb592adc1f /conf/composites.conf | |
parent | 748f80fdfe4076488442aecf418fa8ac30bce72e (diff) | |
[Minor] Rework composites for spam injected into compromised accounts
Diffstat (limited to 'conf/composites.conf')
-rw-r--r-- | conf/composites.conf | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/conf/composites.conf b/conf/composites.conf
index e38d64e6b..41cd7749f 100644
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -174,11 +174,17 @@ composites {
 policy = "leave";
 description = "Message only contains a redirector URL";
 }
- THREAD_HIJACKING_FROM_INJECTOR {
- expression = "FAKE_REPLY & RCVD_VIA_SMTP_AUTH & (!RECEIVED_SPAMHAUS_PBL | RECEIVED_SPAMHAUS_XBL | RECEIVED_SPAMHAUS_SBL)";
+ SUSPICIOUS_AUTH_ORIGIN {
+ expression = "RCVD_VIA_SMTP_AUTH & (!RECEIVED_SPAMHAUS_PBL | RECEIVED_SPAMHAUS_XBL | RECEIVED_SPAMHAUS_SBL | RECEIVED_BLOCKLISTDE)";
+ score = 0.0;
+ policy = "leave";
+ description = "Message authenticated, but from a suspicios origin (potentially an injector)";
+ }
+ ABUSE_FROM_INJECTOR {
+ expression = "SUSPICIOUS_AUTH_ORIGIN & (FAKE_REPLY | HAS_IPFS_GATEWAY_URL | HTML_SHORT_LINK_IMG_1)";
 score = 2.0;
 policy = "leave";
- description = "Fake reply exhibiting characteristics of being injected into a compromised mail server, possibly e-mail thread hijacking";
+ description = "Message is sent from a suspicios origin and showing signs of abuse, likely spam injected in compromised account";
 group = "compromised_hosts";
 }
 SUSPICIOUS_URL_IN_SUSPICIOUS_MESSAGE { |
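Review bot: In `SUSPICIOUS_AUTH_ORIGIN` the `!RECEIVED_SPAMHAUS_PBL` term is satisfied whenever that symbol is absent, so the composite matches any SMTP-authenticated message without a PBL hit, presumably including messages for which the Spamhaus lookup did not run or returned nothing. Because `ABUSE_FROM_INJECTOR` now also accepts `HAS_IPFS_GATEWAY_URL` and `HTML_SHORT_LINK_IMG_1` besides `FAKE_REPLY`, the 2.0 score applies to a wider set of mail than the rule it replaces, and the description should state the real condition, e.g. `description = "Message authenticated and relayed from a host that is not PBL-listed, or is listed on XBL/SBL/blocklist.de";`. Both new description strings spell "suspicios", which should read "suspicious". Local overrides or score settings keyed on the removed name `THREAD_HIJACKING_FROM_INJECTOR` will presumably stop applying after the rename, which is worth a line in the commit message or changelog.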