[Rules] Add VIOLATED_DIRECT_SPF composite

1 files changed, 120 insertions, 113 deletions

diff --git a/conf/composites.conf b/conf/composites.conf
index 09ae5c156..976225db1 100644
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -16,118 +16,125 @@
 
 composites {
 
-    FORGED_RECIPIENTS_MAILLIST {
-        expression = "FORGED_RECIPIENTS & -MAILLIST";
-    }
-    FORGED_SENDER_MAILLIST {
-        expression = "FORGED_SENDER & -MAILLIST";
-    }
-    FORGED_SENDER_FORWARDING {
-        expression = "FORGED_SENDER & g:forwarding";
-        description = "Forged sender, but message is forwarded";
-        policy = "remove_weight";
-    }
-    SPF_FAIL_FORWARDING {
-        expression = "g:forwarding & (R_SPF_SOFTFAIL | R_SPF_FAIL)";
-        policy = "remove_weight";
-    }
-    DMARC_POLICY_ALLOW_WITH_FAILURES {
-        expression = "DMARC_POLICY_ALLOW & (R_SPF_SOFTFAIL | R_SPF_FAIL | R_DKIM_REJECT)";
-        policy = "remove_weight";
-    }
-    FORGED_RECIPIENTS_FORWARDING {
-        expression = "FORGED_RECIPIENTS & g:forwarding";
-        policy = "remove_weight";
-    }
-    FORGED_SENDER_VERP_SRS {
-        expression = "FORGED_SENDER & (ENVFROM_PRVS | ENVFROM_VERP)";
-    }
-    FORGED_MUA_MAILLIST {
-        expression = "g:mua & -MAILLIST";
-    }
-    RBL_SPAMHAUS_XBL_ANY {
-        expression = "RBL_SPAMHAUS_XBL & RECEIVED_SPAMHAUS_XBL";
-        description = "From and Received address are listed in Spamhaus XBL";
-    }
-    AUTH_NA {
-        expression = "R_DKIM_NA & R_SPF_NA & DMARC_NA & ARC_NA";
-        score = 1.0;
-        policy = "remove_weight";
-        description = "Authenticating message via SPF/DKIM/DMARC/ARC not possible";
-    }
-    DKIM_MIXED {
-        expression = "-R_DKIM_ALLOW & (R_DKIM_DNSFAIL | R_DKIM_PERMFAIL | R_DKIM_REJECT)"
-        policy = "remove_weight";
-    }
-    MAIL_RU_MAILER_BASE64 {
-        expression = "MAIL_RU_MAILER & (FROM_EXCESS_BASE64 | MIME_BASE64_TEXT | REPLYTO_EXCESS_BASE64 | SUBJ_EXCESS_BASE64 | TO_EXCESS_BASE64)";
-    }
-    YANDEX_RU_MAILER_CTYPE_MIXED_BOGUS {
-        expression = "YANDEX_RU_MAILER & -HAS_ATTACHMENT & CTYPE_MIXED_BOGUS";
-    }
-    MAILER_1C_8_BASE64 {
-        expression = "MAILER_1C_8 & (FROM_EXCESS_BASE64 | MIME_BASE64_TEXT | SUBJ_EXCESS_BASE64 | TO_EXCESS_BASE64)";
-        description = "Message was sent by '1C:Enterprise 8' and uses base64 encoded data";
-    }
-    HACKED_WP_PHISHING {
-        expression = "(HAS_X_POS | HAS_PHPMAILER_SIG) & HAS_WP_URI & (PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK)";
-        description = "Phish message sent by hacked Wordpress instance";
-        policy = "leave";
-    }
-    COMPROMISED_ACCT_BULK {
-        expression = "(HAS_XOIP | RCVD_FROM_SMTP_AUTH) & DCC_BULK";
-        description = "Likely to be from a compromised account";
-        score = 3.0;
-        policy = "leave";
-    }
-    UNDISC_RCPTS_BULK {
-        expression = "DCC_BULK & (MISSING_TO | R_UNDISC_RCPT)";
-        description = "Missing or undisclosed recipients with a bulk signature";
-        score = 3.0;
-        policy = "leave";
-    }
-    RCVD_UNAUTH_PBL {
-        expression = "RECEIVED_PBL & -RCVD_VIA_SMTP_AUTH";
-        description = "Relayed through ZEN PBL IP without sufficient authentication (possible indicating an open relay)";
-        score = 2.0;
-        policy = "leave";
-    }
-    RCVD_DKIM_ARC_DNSWL_MED {
-        expression = "(R_DKIM_ALLOW | ARC_ALLOW) & RCVD_IN_DNSWL_MED";
-        description = "Sufficiently DKIM/ARC signed and received from IP with medium trust at DNSWL";
-        score = -0.5;
-        policy = "leave";
-    }
-    RCVD_DKIM_ARC_DNSWL_HI {
-        expression = "(R_DKIM_ALLOW | ARC_ALLOW) & RCVD_IN_DNSWL_HI";
-        description = "Sufficiently DKIM/ARC signed and received from IP with high trust at DNSWL";
-        score = -1.0;
-        policy = "leave";
-    }
-    AUTOGEN_PHP_SPAMMY {
-        expression = "(HAS_X_POS | HAS_PHPMAILER_SIG | HAS_X_PHP_SCRIPT) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM | MANY_INVISIBLE_PARTS)";
-        description = "Message was generated by PHP script and contains some spam indicators";
-        score = 1.0;
-        policy = "leave";
-    }
-    PHISH_EMOTION {
-        expression = "(PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM)";
-        description = "Phish message with subject trying to address users emotion";
-        score = 1.0;
-        policy = "leave";
-    }
-    HAS_ANON_DOMAIN {
-        expression = "HAS_GUC_PROXY_URI | URIBL_RED | DBL_ABUSE_REDIR | HAS_ONION_URI";
-        description = "Contains one or more domains trying to disguise owner/destination";
-        score = 0.1;
-        policy = "leave";
-    }
-    BAD_REP_POLICIES {
-      description = "Contains valid policies but are also marked by fuzzy/bayes/surbl/rbl";
-      expression = "(~g-:policies) & (-g+:fuzzy | -g+:bayes | -g+:surbl | -g+:rbl)";
-      score = 0.1;
-    }
+  FORGED_RECIPIENTS_MAILLIST {
+    expression = "FORGED_RECIPIENTS & -MAILLIST";
+  }
+  FORGED_SENDER_MAILLIST {
+    expression = "FORGED_SENDER & -MAILLIST";
+  }
+  FORGED_SENDER_FORWARDING {
+    expression = "FORGED_SENDER & g:forwarding";
+    description = "Forged sender, but message is forwarded";
+    policy = "remove_weight";
+  }
+  SPF_FAIL_FORWARDING {
+    expression = "g:forwarding & (R_SPF_SOFTFAIL | R_SPF_FAIL)";
+    policy = "remove_weight";
+  }
+  DMARC_POLICY_ALLOW_WITH_FAILURES {
+    expression = "DMARC_POLICY_ALLOW & (R_SPF_SOFTFAIL | R_SPF_FAIL | R_DKIM_REJECT)";
+    policy = "remove_weight";
+  }
+  FORGED_RECIPIENTS_FORWARDING {
+    expression = "FORGED_RECIPIENTS & g:forwarding";
+    policy = "remove_weight";
+  }
+  FORGED_SENDER_VERP_SRS {
+    expression = "FORGED_SENDER & (ENVFROM_PRVS | ENVFROM_VERP)";
+  }
+  FORGED_MUA_MAILLIST {
+    expression = "g:mua & -MAILLIST";
+  }
+  RBL_SPAMHAUS_XBL_ANY {
+    expression = "RBL_SPAMHAUS_XBL & RECEIVED_SPAMHAUS_XBL";
+    description = "From and Received address are listed in Spamhaus XBL";
+  }
+  AUTH_NA {
+    expression = "R_DKIM_NA & R_SPF_NA & DMARC_NA & ARC_NA";
+    score = 1.0;
+    policy = "remove_weight";
+    description = "Authenticating message via SPF/DKIM/DMARC/ARC not possible";
+  }
+  DKIM_MIXED {
+    expression = "-R_DKIM_ALLOW & (R_DKIM_DNSFAIL | R_DKIM_PERMFAIL | R_DKIM_REJECT)"
+    policy = "remove_weight";
+  }
+  MAIL_RU_MAILER_BASE64 {
+    expression = "MAIL_RU_MAILER & (FROM_EXCESS_BASE64 | MIME_BASE64_TEXT | REPLYTO_EXCESS_BASE64 | SUBJ_EXCESS_BASE64 | TO_EXCESS_BASE64)";
+  }
+  YANDEX_RU_MAILER_CTYPE_MIXED_BOGUS {
+    expression = "YANDEX_RU_MAILER & -HAS_ATTACHMENT & CTYPE_MIXED_BOGUS";
+  }
+  MAILER_1C_8_BASE64 {
+    expression = "MAILER_1C_8 & (FROM_EXCESS_BASE64 | MIME_BASE64_TEXT | SUBJ_EXCESS_BASE64 | TO_EXCESS_BASE64)";
+    description = "Message was sent by '1C:Enterprise 8' and uses base64 encoded data";
+  }
+  HACKED_WP_PHISHING {
+    expression = "(HAS_X_POS | HAS_PHPMAILER_SIG) & HAS_WP_URI & (PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK)";
+    description = "Phish message sent by hacked Wordpress instance";
+    policy = "leave";
+  }
+  COMPROMISED_ACCT_BULK {
+    expression = "(HAS_XOIP | RCVD_FROM_SMTP_AUTH) & DCC_BULK";
+    description = "Likely to be from a compromised account";
+    score = 3.0;
+    policy = "leave";
+  }
+  UNDISC_RCPTS_BULK {
+    expression = "DCC_BULK & (MISSING_TO | R_UNDISC_RCPT)";
+    description = "Missing or undisclosed recipients with a bulk signature";
+    score = 3.0;
+    policy = "leave";
+  }
+  RCVD_UNAUTH_PBL {
+    expression = "RECEIVED_PBL & -RCVD_VIA_SMTP_AUTH";
+    description = "Relayed through ZEN PBL IP without sufficient authentication (possible indicating an open relay)";
+    score = 2.0;
+    policy = "leave";
+  }
+  RCVD_DKIM_ARC_DNSWL_MED {
+    expression = "(R_DKIM_ALLOW | ARC_ALLOW) & RCVD_IN_DNSWL_MED";
+    description = "Sufficiently DKIM/ARC signed and received from IP with medium trust at DNSWL";
+    score = -0.5;
+    policy = "leave";
+  }
+  RCVD_DKIM_ARC_DNSWL_HI {
+    expression = "(R_DKIM_ALLOW | ARC_ALLOW) & RCVD_IN_DNSWL_HI";
+    description = "Sufficiently DKIM/ARC signed and received from IP with high trust at DNSWL";
+    score = -1.0;
+    policy = "leave";
+  }
+  AUTOGEN_PHP_SPAMMY {
+    expression = "(HAS_X_POS | HAS_PHPMAILER_SIG | HAS_X_PHP_SCRIPT) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM | MANY_INVISIBLE_PARTS)";
+    description = "Message was generated by PHP script and contains some spam indicators";
+    score = 1.0;
+    policy = "leave";
+  }
+  PHISH_EMOTION {
+    expression = "(PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM)";
+    description = "Phish message with subject trying to address users emotion";
+    score = 1.0;
+    policy = "leave";
+  }
+  HAS_ANON_DOMAIN {
+    expression = "HAS_GUC_PROXY_URI | URIBL_RED | DBL_ABUSE_REDIR | HAS_ONION_URI";
+    description = "Contains one or more domains trying to disguise owner/destination";
+    score = 0.1;
+    policy = "leave";
+  }
+  BAD_REP_POLICIES {
+    description = "Contains valid policies but are also marked by fuzzy/bayes/surbl/rbl";
+    expression = "(~g-:policies) & (-g+:fuzzy | -g+:bayes | -g+:surbl | -g+:rbl)";
+    score = 0.1;
+  }
 
-    .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/composites.conf"
-    .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/composites.conf"
+  VIOLATED_DIRECT_SPF {
+    description = "Has no Received (or no trusted received relays) and SPF policy fails or soft fails";
+    expression = "(R_SPF_FAIL | R_SPF_SOFTFAIL) & (RCVD_COUNT_ZERO | RCVD_NO_TLS_LAST)";
+    policy = "leave";
+    score = 3.5;
+  }
+
+  .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/composites.conf"
+  .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/composites.conf"
 }