1 files changed, 9 insertions, 2 deletions

diff --git a/conf/composites.conf b/conf/composites.conf
index efb287207..00f46f966 100644
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -83,8 +83,8 @@ composites {
     policy = "leave";
   }
   RCVD_UNAUTH_PBL {
-    expression = "RECEIVED_PBL & !RCVD_VIA_SMTP_AUTH";
-    description = "Relayed through Spamhaus PBL IP without sufficient authentication (possible indicating an open relay)";
+    expression = "RECEIVED_SPAMHAUS_PBL & !RCVD_VIA_SMTP_AUTH";
+    description = "Relayed through Spamhaus PBL IP without sufficient authentication (possibly indicating an open relay)";
     score = 2.0;
     policy = "leave";
   }
@@ -160,6 +160,13 @@ composites {
     policy = "leave";
     description = "Message only contains a redirector URL";
   }
+  THREAD_HIJACKING_FROM_INJECTOR {
+    expression = "FAKE_REPLY & RCVD_VIA_SMTP_AUTH & (!RECEIVED_SPAMHAUS_PBL | RECEIVED_SPAMHAUS_XBL | RECEIVED_SPAMHAUS_SBL)";
+    score = 2.0;
+    policy = "leave";
+    description = "Fake reply exhibiting characteristics of being injected into a compromised mail server, possibly e-mail thread hijacking";
+    group = "compromised_hosts";
+  }
 
   .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/composites.conf"
   .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/composites.conf"