From 46bb18fa937540fcb19e027dae95d1a54256fab9 Mon Sep 17 00:00:00 2001
From: heraklit256 <37872459+heraklit256@users.noreply.github.com#>
Date: Sat, 8 Sep 2018 12:02:02 +0200
Subject: add rule for spammy PHP generated mails
---
 conf/composites.conf | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
(limited to 'conf/composites.conf')
diff --git a/conf/composites.conf b/conf/composites.conf
index 2b4c57072..89f03790e 100644
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -87,15 +87,20 @@ composites {
 score = 2.0;
 }
 RCVD_DKIM_ARC_DNSWL_MED {
- expression = "(R_DKIM_ALLOW | ARC_ALLOW ) & RCVD_IN_DNSWL_MED";
+ expression = "(R_DKIM_ALLOW | ARC_ALLOW) & RCVD_IN_DNSWL_MED";
 description = "Sufficiently DKIM/ARC signed and received from IP with medium trust at DNSWL";
 score = -1.5;
 }
 RCVD_DKIM_ARC_DNSWL_HI {
- expression = "(R_DKIM_ALLOW | ARC_ALLOW ) & RCVD_IN_DNSWL_HI";
+ expression = "(R_DKIM_ALLOW | ARC_ALLOW) & RCVD_IN_DNSWL_HI";
 description = "Sufficiently DKIM/ARC signed and received from IP with high trust at DNSWL";
 score = -3.5;
 }
+ AUTOGEN_PHP_SPAMMY {
+ expression = "(HAS_X_POS | HAS_PHPMAILER_SIG | HAS_X_PHP_SCRIPT) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM | MANY_INVISIBLE_PARTS)";
+ description = "Message was generated by PHP script and contains some spam indicators";
+ score = 1.0;
+ }
 .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/composites.conf"
 .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/composites.conf"
-- cgit v1.2.3
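Review bot: The new `AUTOGEN_PHP_SPAMMY` expression lists its component symbols without a `~` or `-` prefix, so under rspamd's default composite policy a match removes `HAS_X_PHP_SCRIPT`, `HAS_PHPMAILER_SIG`, `MANY_INVISIBLE_PARTS` and the other matched parts from the result together with their own weights. If any of them carries a score elsewhere (not visible in this hunk), the flat 1.0 can replace a larger contribution, and the header symbols that help trace mail back to a sending PHP script disappear from the logs on exactly the messages of interest. If the intent is to add 1.0 on top, keep the parts: `expression = "(-HAS_X_POS | -HAS_PHPMAILER_SIG | -HAS_X_PHP_SCRIPT) & (-SUBJECT_ENDS_QUESTION | -SUBJECT_ENDS_EXCLAIM | -MANY_INVISIBLE_PARTS)";`. A subject ending in `!` or `?` is also common in legitimate PHP-generated mail such as form and shop notifications, so a comment above the rule naming that expected false-positive source would help. The `composites { }` block opens and closes outside the hunk.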