Diffstat (limited to 'conf')
-rw-r--r-- | conf/composites.conf | 15 | ||||
-rw-r--r-- | conf/scores.d/headers_group.conf | 2 |
2 files changed, 13 insertions, 4 deletions
diff --git a/conf/composites.conf b/conf/composites.conf
index d3c4f073b..b1bff1c1a 100644
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -83,12 +83,14 @@ composites {
 expression = "(HAS_X_POS | HAS_PHPMAILER_SIG) & HAS_WP_URI & (PHISHING | CRACKED_SURBL | PH_SURBL_MULTI | DBL_PHISH | DBL_ABUSE_PHISH | URIBL_BLACK | PHISHED_OPENPHISH | PHISHED_PHISHTANK)";
 description = "Phish message sent by hacked Wordpress instance";
 policy = "leave";
+ group = "compromised_hosts";
 }
 COMPROMISED_ACCT_BULK {
 expression = "(HAS_XOIP | RCVD_FROM_SMTP_AUTH) & DCC_BULK";
 description = "Likely to be from a compromised account";
 score = 3.0;
 policy = "leave";
+ group = "compromised_hosts";
 }
 UNDISC_RCPTS_BULK {
 expression = "DCC_BULK & (MISSING_TO | R_UNDISC_RCPT)";
@@ -167,6 +169,7 @@ composites {
 score = 4.0;
 policy = "leave";
 description = "Message exhibits strong characteristics of advance fee fraud (AFF a/k/a '419' spam) involving freemail addresses";
+ group = "scams";
 }
 SUSPICIOUS_MDN {
 expression = "(FREEMAIL_MDN | DISPOSABLE_MDN) & !(FREEMAIL_FROM | FREEMAIL_ENVFROM)";
@@ -181,11 +184,17 @@ composites {
 policy = "leave";
 description = "Message only contains a redirector URL";
 }
- THREAD_HIJACKING_FROM_INJECTOR {
- expression = "FAKE_REPLY & RCVD_VIA_SMTP_AUTH & (!RECEIVED_SPAMHAUS_PBL | RECEIVED_SPAMHAUS_XBL | RECEIVED_SPAMHAUS_SBL)";
+ SUSPICIOUS_AUTH_ORIGIN {
+ expression = "(HAS_XOIP | RCVD_FROM_SMTP_AUTH) & (!RECEIVED_SPAMHAUS_PBL | RECEIVED_SPAMHAUS_XBL | RECEIVED_SPAMHAUS_SBL | RECEIVED_BLOCKLISTDE)";
+ score = 0.0;
+ policy = "leave";
+ description = "Message authenticated, but from a suspicios origin (potentially an injector)";
+ }
+ ABUSE_FROM_INJECTOR {
+ expression = "SUSPICIOUS_AUTH_ORIGIN & (FAKE_REPLY | HAS_IPFS_GATEWAY_URL | HTML_SHORT_LINK_IMG_1)";
 score = 2.0;
 policy = "leave";
- description = "Fake reply exhibiting characteristics of being injected into a compromised mail server, possibly e-mail thread hijacking";
+ description = "Message is sent from a suspicios origin and showing signs of abuse, likely spam injected in compromised account";
 group = "compromised_hosts";
 }
 SUSPICIOUS_URL_IN_SUSPICIOUS_MESSAGE {
diff --git a/conf/scores.d/headers_group.conf b/conf/scores.d/headers_group.conf
index c9b078c5a..1c70ca588 100644
--- a/conf/scores.d/headers_group.conf
+++ b/conf/scores.d/headers_group.conf
@@ -51,7 +51,7 @@ symbols = {
 description = "One received header in a message";
 }
 "RDNS_NONE" {
- weight = 1.0;
+ weight = 2.0;
 description = "Cannot resolve reverse DNS for sender's IP";
 }
 "RDNS_DNSFAIL" { |
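Review bot: Both new description strings in this hunk misspell "suspicious" as "suspicios" (SUSPICIOUS_AUTH_ORIGIN and ABUSE_FROM_INJECTOR); these are user-visible in symbol output and reports, so they should read `description = "Message authenticated, but from a suspicious origin (potentially an injector)";` and `description = "Message is sent from a suspicious origin and shows signs of abuse, likely spam injected via a compromised account";`. Renaming THREAD_HIJACKING_FROM_INJECTOR to ABUSE_FROM_INJECTOR also removes the old symbol name, so any site-local overrides or scoring rules keyed on the old name will presumably stop matching without an error; a changelog note or a temporary alias would make that visible to operators. SUSPICIOUS_AUTH_ORIGIN is the only composite in this hunk without a `group`, so it would not be listed alongside ABUSE_FROM_INJECTOR under compromised_hosts; if that grouping is intended, add `group = "compromised_hosts";` to it as well. Note that the `!RECEIVED_SPAMHAUS_PBL` clause is inherited from the removed expression and will match any message whose sending IP is simply not PBL-listed, so the zero-score informational symbol is likely to fire on a large share of authenticated mail; a short comment stating that this is the intended "authenticated but not from a residential range" heuristic would help the next reader.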
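Review bot: The RDNS_NONE weight is doubled from 1.0 to 2.0 with no comment recording why, and missing reverse DNS is a condition that legitimate but poorly configured senders are also likely to trigger, so the rationale should be written down next to the value. A one-line comment above the weight such as `# Raised from 1.0: missing rDNS on the connecting IP is treated as a stronger indicator of direct-to-MX abuse` would let future tuning be judged against the original intent rather than guessed at. If the increase was driven by measured false-negative rates, a brief reference to that data in the commit message or comment would be even better.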