diff options
author | Vsevolod Stakhov <vsevolod@rspamd.com> | 2023-06-03 21:03:37 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-06-03 21:03:37 +0100 |
commit | 4cfad17e703ed28c48fd64df438f493f141b156e (patch) | |
tree | 26b5816c9388648ca55b957ce24169ec079bdb7a /conf | |
parent | d06125057bebb7857dcdaefae098e86e6093da6f (diff) | |
parent | 31424ff57e34e0110ed9bd266b21728e5988ee57 (diff) | |
download | rspamd-4cfad17e703ed28c48fd64df438f493f141b156e.tar.gz rspamd-4cfad17e703ed28c48fd64df438f493f141b156e.zip |
Merge pull request #4507 from twesterhever/temp-composites-thread-hijacking-injector
[Rules] Add thread hijacking composite rule
Diffstat (limited to 'conf')
-rw-r--r-- | conf/composites.conf | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/conf/composites.conf b/conf/composites.conf index efb287207..00f46f966 100644 --- a/conf/composites.conf +++ b/conf/composites.conf @@ -83,8 +83,8 @@ composites { policy = "leave"; } RCVD_UNAUTH_PBL { - expression = "RECEIVED_PBL & !RCVD_VIA_SMTP_AUTH"; - description = "Relayed through Spamhaus PBL IP without sufficient authentication (possible indicating an open relay)"; + expression = "RECEIVED_SPAMHAUS_PBL & !RCVD_VIA_SMTP_AUTH"; + description = "Relayed through Spamhaus PBL IP without sufficient authentication (possibly indicating an open relay)"; score = 2.0; policy = "leave"; } @@ -160,6 +160,13 @@ composites { policy = "leave"; description = "Message only contains a redirector URL"; } + THREAD_HIJACKING_FROM_INJECTOR { + expression = "FAKE_REPLY & RCVD_VIA_SMTP_AUTH & (!RECEIVED_SPAMHAUS_PBL | RECEIVED_SPAMHAUS_XBL | RECEIVED_SPAMHAUS_SBL)"; + score = 2.0; + policy = "leave"; + description = "Fake reply exhibiting characteristics of being injected into a compromised mail server, possibly e-mail thread hijacking"; + group = "compromised_hosts"; + } .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/composites.conf" .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/composites.conf" |