Diffstat (limited to 'conf/composites.conf')
-rw-r--r--conf/composites.conf21
1 files changed, 13 insertions, 8 deletions
diff --git a/conf/composites.conf b/conf/composites.conf
index 431de669d..09ae5c156 100644
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -24,6 +24,7 @@ composites {
}
FORGED_SENDER_FORWARDING {
expression = "FORGED_SENDER & g:forwarding";
+ description = "Forged sender, but message is forwarded";
policy = "remove_weight";
}
SPF_FAIL_FORWARDING {
@@ -42,17 +43,17 @@ composites {
expression = "FORGED_SENDER & (ENVFROM_PRVS | ENVFROM_VERP)";
}
FORGED_MUA_MAILLIST {
- expression = "g:mua and -MAILLIST";
+ expression = "g:mua & -MAILLIST";
}
RBL_SPAMHAUS_XBL_ANY {
expression = "RBL_SPAMHAUS_XBL & RECEIVED_SPAMHAUS_XBL";
description = "From and Received address are listed in Spamhaus XBL";
}
AUTH_NA {
- expression = "R_DKIM_NA & R_SPF_NA & DMARC_NA";
+ expression = "R_DKIM_NA & R_SPF_NA & DMARC_NA & ARC_NA";
score = 1.0;
policy = "remove_weight";
- description = "Authenticating message via SPF/DKIM/DMARC not possible";
+ description = "Authenticating message via SPF/DKIM/DMARC/ARC not possible";
}
DKIM_MIXED {
expression = "-R_DKIM_ALLOW & (R_DKIM_DNSFAIL | R_DKIM_PERMFAIL | R_DKIM_REJECT)"
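Review bot: In `AUTH_NA`, the added `& ARC_NA` term makes the composite depend on a symbol that is presumably only inserted when ARC checking is enabled. If that is the case, a deployment without it would silently stop matching `AUTH_NA` and lose the 1.0 score for mail that carries no sender authentication at all. Nothing in the hunk records this dependency, so I would add a comment above the expression such as `# Needs ARC_NA from the ARC checks; if they are disabled this composite never matches`. The description was updated to mention ARC, but it does not say that all four "not available" results are now required. The enclosing `composites {` block starts and ends outside this hunk.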
@@ -66,6 +67,7 @@ composites {
}
MAILER_1C_8_BASE64 {
expression = "MAILER_1C_8 & (FROM_EXCESS_BASE64 | MIME_BASE64_TEXT | SUBJ_EXCESS_BASE64 | TO_EXCESS_BASE64)";
+ description = "Message was sent by '1C:Enterprise 8' and uses base64 encoded data";
}
HACKED_WP_PHISHING {
expression = "(HAS_X_POS | HAS_PHPMAILER_SIG) & HAS_WP_URI & (PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK)";
@@ -106,20 +108,23 @@ composites {
expression = "(HAS_X_POS | HAS_PHPMAILER_SIG | HAS_X_PHP_SCRIPT) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM | MANY_INVISIBLE_PARTS)";
description = "Message was generated by PHP script and contains some spam indicators";
score = 1.0;
+ policy = "leave";
}
PHISH_EMOTION {
expression = "(PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM)";
description = "Phish message with subject trying to address users emotion";
- score = 2.0;
+ score = 1.0;
+ policy = "leave";
}
HAS_ANON_DOMAIN {
- expression = "HAS_GUC_PROXY_URI | URIBL_RED | DBL_ABUSE_REDIR";
+ expression = "HAS_GUC_PROXY_URI | URIBL_RED | DBL_ABUSE_REDIR | HAS_ONION_URI";
description = "Contains one or more domains trying to disguise owner/destination";
- score = 0.5;
+ score = 0.1;
+ policy = "leave";
}
BAD_REP_POLICIES {
- description = "Contains valid policies but are also marked by fuzzy/bayes";
- expression = "(~g-:policies) & (-g+:fuzzy | -g+:bayes)";
+ description = "Contains valid policies but are also marked by fuzzy/bayes/surbl/rbl";
+ expression = "(~g-:policies) & (-g+:fuzzy | -g+:bayes | -g+:surbl | -g+:rbl)";
score = 0.1;
}