Diffstat (limited to 'conf/composites.conf')
-rw-r--r--conf/composites.conf12
1 files changed, 9 insertions, 3 deletions
diff --git a/conf/composites.conf b/conf/composites.conf
index e38d64e6b..41cd7749f 100644
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -174,11 +174,17 @@ composites {
policy = "leave";
description = "Message only contains a redirector URL";
}
- THREAD_HIJACKING_FROM_INJECTOR {
- expression = "FAKE_REPLY & RCVD_VIA_SMTP_AUTH & (!RECEIVED_SPAMHAUS_PBL | RECEIVED_SPAMHAUS_XBL | RECEIVED_SPAMHAUS_SBL)";
+ SUSPICIOUS_AUTH_ORIGIN {
+ expression = "RCVD_VIA_SMTP_AUTH & (!RECEIVED_SPAMHAUS_PBL | RECEIVED_SPAMHAUS_XBL | RECEIVED_SPAMHAUS_SBL | RECEIVED_BLOCKLISTDE)";
+ score = 0.0;
+ policy = "leave";
+ description = "Message authenticated, but from a suspicios origin (potentially an injector)";
+ }
+ ABUSE_FROM_INJECTOR {
+ expression = "SUSPICIOUS_AUTH_ORIGIN & (FAKE_REPLY | HAS_IPFS_GATEWAY_URL | HTML_SHORT_LINK_IMG_1)";
score = 2.0;
policy = "leave";
- description = "Fake reply exhibiting characteristics of being injected into a compromised mail server, possibly e-mail thread hijacking";
+ description = "Message is sent from a suspicios origin and showing signs of abuse, likely spam injected in compromised account";
group = "compromised_hosts";
}
SUSPICIOUS_URL_IN_SUSPICIOUS_MESSAGE {
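Review bot: In SUSPICIOUS_AUTH_ORIGIN the parenthesised group is true whenever RECEIVED_SPAMHAUS_PBL is absent, so the composite matches nearly every message carrying RCVD_VIA_SMTP_AUTH and the XBL, SBL and RECEIVED_BLOCKLISTDE terms add very little; ABUSE_FROM_INJECTOR then effectively scores 2.0 on authentication plus any one of FAKE_REPLY, HAS_IPFS_GATEWAY_URL or HTML_SHORT_LINK_IMG_1. The negated term is carried over from the removed rule, so it may be deliberate (a non-PBL hop read as server rather than end-user address space); if so, a comment above the expression would help, e.g. `# non-PBL origin = likely server/hosting space, not a residential submitter`. If only listed origins are meant to count, the group would be `(RECEIVED_SPAMHAUS_XBL | RECEIVED_SPAMHAUS_SBL | RECEIVED_BLOCKLISTDE)`. Both new description strings also spell "suspicios" for "suspicious".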