-rw-r--r--conf/composites.conf6
-rw-r--r--rules/misc.lua6
-rw-r--r--rules/regexp/headers.lua8
3 files changed, 16 insertions, 4 deletions
diff --git a/conf/composites.conf b/conf/composites.conf
index 947fa7fbb..8a00b2fd1 100644
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -62,14 +62,16 @@ composites {
policy = "leave";
}
COMPROMISED_ACCT_BULK {
- expression = "HAS_XOIP & DCC_BULK";
- description = "Likely to be from a compromised webmail account";
+ expression = "(HAS_XOIP | RCVD_FROM_SMTP_AUTH) & DCC_BULK";
+ description = "Likely to be from a compromised account";
score = 3.0;
+ policy = "leave";
}
UNDISC_RCPTS_BULK {
expression = "DCC_BULK & (MISSING_TO | R_UNDISC_RCPT)";
description = "Missing or undisclosed recipients with a bulk signature";
score = 3.0;
+ policy = "leave";
}
.include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/composites.conf"
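Review bot: The new expression `expression = "(HAS_XOIP | RCVD_FROM_SMTP_AUTH) & DCC_BULK";` references a symbol named `RCVD_FROM_SMTP_AUTH`, but the symbol this same commit registers in rules/regexp/headers.lua is `RCVD_VIA_SMTP_AUTH`. Unless a symbol of the former name already exists elsewhere in the ruleset, the new leg of the composite can never match and COMPROMISED_ACCT_BULK keeps firing only on HAS_XOIP, which silently defeats the point of the change. One of the two names should be aligned, e.g. `expression = "(HAS_XOIP | RCVD_VIA_SMTP_AUTH) & DCC_BULK";` here, or the symbol in headers.lua renamed to match; the same name is used in the headers.lua hunk below.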
diff --git a/rules/misc.lua b/rules/misc.lua
index db754a98e..1e587d093 100644
--- a/rules/misc.lua
+++ b/rules/misc.lua
@@ -415,12 +415,14 @@ local check_from_display_name = rspamd_config:register_symbol{
local parsed = util.parse_mail_address(from[1].name)
if not parsed then return false end
if not (parsed[1] and parsed[1]['addr']) then return false end
+ if parsed[1]['domain'] == nil or parsed[1]['domain'] == '' then return false end
-- See if the parsed domains differ
if not util.strequal_caseless(from[1]['domain'], parsed[1]['domain']) then
-- See if the destination domain is the same as the spoof
local to = task:get_recipients(2)
- -- Be careful with undisclosed-recipients:; as domain will be an empty string
- if not (to and to[1] and to[1]['domain'] and to[1]['domain'] ~= '') then
+ if not (to and to[1] and to[1]['domain']) then
+ -- Be careful with undisclosed-recipients:; as domain will be an empty string
+ if to[1]['domain'] == nil or to[1]['domain'] == '' then return false end
task:insert_result('FROM_NEQ_DISPLAY_NAME', 1.0, from[1]['domain'], parsed[1]['domain'])
return false
end
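Review bot: The added check `if to[1]['domain'] == nil or to[1]['domain'] == '' then return false end` sits inside the `if not (to and to[1] and to[1]['domain'])` block, where `to` or `to[1]` may themselves be nil, so for a message with no recipients it raises an attempt-to-index error instead of returning. When the block is entered with a non-nil `to[1]`, the outer guard has already established that `to[1]['domain']` is nil, so the inner check always returns and the `task:insert_result('FROM_NEQ_DISPLAY_NAME', ...)` that follows it becomes unreachable. If the intent of the moved comment is to skip the symbol for undisclosed-recipients (empty domain) rather than flag it as the old code did, the empty-string test belongs after the guard, where `to[1]` is known to exist; the enclosing callback continues past the end of the hunk, so the comparison that follows is not visible here.

```lua
local to = task:get_recipients(2)
if not (to and to[1] and to[1]['domain']) then
  task:insert_result('FROM_NEQ_DISPLAY_NAME', 1.0, from[1]['domain'], parsed[1]['domain'])
  return false
end
-- Be careful with undisclosed-recipients:; as domain will be an empty string
if to[1]['domain'] == '' then return false end
-- … unchanged: comparison of the recipient domain with the display-name domain …
```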
diff --git a/rules/regexp/headers.lua b/rules/regexp/headers.lua
index af63d7131..c14dd3500 100644
--- a/rules/regexp/headers.lua
+++ b/rules/regexp/headers.lua
@@ -905,3 +905,11 @@ reconf['HAS_XOIP'] = {
score = 0.0,
group = 'headers'
}
+
+reconf['RCVD_VIA_SMTP_AUTH'] = {
+ re = "Received=/\\bE?SMTPS?A\\b/ || Received=/\\bauthenticated\\b/i",
+ description = "Recieved using SMTP AUTH",
+ score = 0,
+ group = 'headers'
+}
+
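Review bot: The description string of the new symbol has a typo, `description = "Recieved using SMTP AUTH",` should read `description = "Received using SMTP AUTH",`. It is also worth a comment on the `re` line that the pattern matches any Received: header in the chain, not only the one written by the local MTA, so an upstream or forged hop that mentions ESMTPSA or "authenticated" sets the symbol as well; the composite that consumes it additionally requires DCC_BULK, which limits the impact, but a one-line note such as `-- Matches any hop, not only the local MTA's Received: line` would make that explicit. The symbol name here, `RCVD_VIA_SMTP_AUTH`, differs from the `RCVD_FROM_SMTP_AUTH` referenced by the composites.conf hunk in this commit; see the note on that hunk.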