aboutsummaryrefslogtreecommitdiffstats
path: root/conf/composites.conf
diff options
context:
space:
mode:
Diffstat (limited to 'conf/composites.conf')
-rw-r--r--conf/composites.conf4
1 files changed, 2 insertions, 2 deletions
diff --git a/conf/composites.conf b/conf/composites.conf
index 4fb97588f..34a6c170e 100644
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -165,7 +165,7 @@ composites {
group = "scams";
}
FREEMAIL_AFF {
- expression = "(FREEMAIL_FROM | FREEMAIL_ENVFROM | FREEMAIL_REPLYTO | FREEMAIL_MDN) & (TO_DN_RECIPIENTS | R_UNDISC_RCPT) & (INTRODUCTION | FROM_NAME_HAS_TITLE | FREEMAIL_REPLYTO_NEQ_FROM_DOM | SUBJECT_HAS_CURRENCY)";
+ expression = "(FREEMAIL_FROM | FREEMAIL_ENVFROM | FREEMAIL_REPLYTO | FREEMAIL_MDN) & (TO_DN_RECIPIENTS | R_UNDISC_RCPT | CD_MM_BODY) & (INTRODUCTION | FROM_NAME_HAS_TITLE | FREEMAIL_REPLYTO_NEQ_FROM_DOM | SUBJECT_HAS_CURRENCY)";
score = 4.0;
policy = "leave";
description = "Message exhibits strong characteristics of advance fee fraud (AFF a/k/a '419' spam) involving freemail addresses";
@@ -191,7 +191,7 @@ composites {
description = "Message authenticated, but from a suspicios origin (potentially an injector)";
}
ABUSE_FROM_INJECTOR {
- expression = "SUSPICIOUS_AUTH_ORIGIN & (FAKE_REPLY | HAS_IPFS_GATEWAY_URL | HTML_SHORT_LINK_IMG_1)";
+ expression = "SUSPICIOUS_AUTH_ORIGIN & (RCVD_HELO_USER | FAKE_REPLY | HAS_IPFS_GATEWAY_URL | HTML_SHORT_LINK_IMG_1)";
score = 2.0;
policy = "leave";
description = "Message is sent from a suspicios origin and showing signs of abuse, likely spam injected in compromised account";
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-03 06:08:24 +0000