authorVsevolod Stakhov <vsevolod@rspamd.com>2023-06-03 21:03:37 +0100
committerGitHub <noreply@github.com>2023-06-03 21:03:37 +0100
commit4cfad17e703ed28c48fd64df438f493f141b156e (patch)
tree26b5816c9388648ca55b957ce24169ec079bdb7a /conf
parentd06125057bebb7857dcdaefae098e86e6093da6f (diff)
parent31424ff57e34e0110ed9bd266b21728e5988ee57 (diff)
Merge pull request #4507 from twesterhever/temp-composites-thread-hijacking-injector
[Rules] Add thread hijacking composite rule
Diffstat (limited to 'conf')
-rw-r--r--conf/composites.conf11
1 files changed, 9 insertions, 2 deletions
diff --git a/conf/composites.conf b/conf/composites.conf
index efb287207..00f46f966 100644
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -83,8 +83,8 @@ composites {
policy = "leave";
}
RCVD_UNAUTH_PBL {
- expression = "RECEIVED_PBL & !RCVD_VIA_SMTP_AUTH";
- description = "Relayed through Spamhaus PBL IP without sufficient authentication (possible indicating an open relay)";
+ expression = "RECEIVED_SPAMHAUS_PBL & !RCVD_VIA_SMTP_AUTH";
+ description = "Relayed through Spamhaus PBL IP without sufficient authentication (possibly indicating an open relay)";
score = 2.0;
policy = "leave";
}
@@ -160,6 +160,13 @@ composites {
policy = "leave";
description = "Message only contains a redirector URL";
}
+ THREAD_HIJACKING_FROM_INJECTOR {
+ expression = "FAKE_REPLY & RCVD_VIA_SMTP_AUTH & (!RECEIVED_SPAMHAUS_PBL | RECEIVED_SPAMHAUS_XBL | RECEIVED_SPAMHAUS_SBL)";
+ score = 2.0;
+ policy = "leave";
+ description = "Fake reply exhibiting characteristics of being injected into a compromised mail server, possibly e-mail thread hijacking";
+ group = "compromised_hosts";
+ }
.include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/composites.conf"
.include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/composites.conf"
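Review bot: The `!RECEIVED_SPAMHAUS_PBL` term in the THREAD_HIJACKING_FROM_INJECTOR expression holds whenever that symbol is absent, which presumably includes the case where the Spamhaus lookup never produced a result (RBL checks disabled, DNS timeout, resolver refused by the list operator). In that situation the rule reduces to `FAKE_REPLY & RCVD_VIA_SMTP_AUTH` and adds 2.0 to authenticated mail on the strength of a missing answer rather than a positive indicator. The block also has no comment explaining why a non-PBL relay is treated like an XBL/SBL hit; I would add one above the expression, for example `# Authenticated relay that is either not an end-user (PBL) address or is listed in XBL/SBL; note that !RECEIVED_SPAMHAUS_PBL also matches when Spamhaus lookups are unavailable`. Sites that do not query Spamhaus could then knowingly adjust the score through the local.d/override.d includes below. The enclosing `composites` block opens and closes outside this hunk.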