aboutsummaryrefslogtreecommitdiffstats
path: root/conf/composites.conf
diff options
context:
space:
mode:
authortwesterhever <40121680+twesterhever@users.noreply.github.com>2024-11-04 11:59:22 +0000
committertwesterhever <40121680+twesterhever@users.noreply.github.com>2024-11-04 11:59:22 +0000
commitcb3bbb54eadf5e4148ffdad856ba4961c8a78118 (patch)
treecebd2f0bdbd5c81d053e31cbf43bc69a0a54a584 /conf/composites.conf
parent80cb50dea482246656a49e54a915bdc343ffe897 (diff)
downloadrspamd-cb3bbb54eadf5e4148ffdad856ba4961c8a78118.tar.gz
rspamd-cb3bbb54eadf5e4148ffdad856ba4961c8a78118.zip
[Minor] Add "User" HELO in Received headers to ABUSE_FROM_INJECTOR
This pattern often surfaces in spam (frequently advance fee fraud) disseminated via compromised accounts, adding it to ABUSE_FROM_INJECTOR to increase the likelihood of such spam getting rejected.
Diffstat (limited to 'conf/composites.conf')
-rw-r--r--conf/composites.conf2
1 files changed, 1 insertions, 1 deletions
diff --git a/conf/composites.conf b/conf/composites.conf
index 4fb97588f..5a3585e10 100644
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -191,7 +191,7 @@ composites {
description = "Message authenticated, but from a suspicios origin (potentially an injector)";
}
ABUSE_FROM_INJECTOR {
- expression = "SUSPICIOUS_AUTH_ORIGIN & (FAKE_REPLY | HAS_IPFS_GATEWAY_URL | HTML_SHORT_LINK_IMG_1)";
+ expression = "SUSPICIOUS_AUTH_ORIGIN & (RCVD_HELO_USER | FAKE_REPLY | HAS_IPFS_GATEWAY_URL | HTML_SHORT_LINK_IMG_1)";
score = 2.0;
policy = "leave";
description = "Message is sent from a suspicios origin and showing signs of abuse, likely spam injected in compromised account";