From baec25184f36cacca647700aad82920c4fbd9f05 Mon Sep 17 00:00:00 2001
From: heraklit256 <37872459+heraklit256@users.noreply.github.com#>
Date: Thu, 4 Oct 2018 17:58:07 +0200
Subject: leave original symbols for composite rules
Removing original symbols if a composite rule triggers is kind of confusing and makes debugging harder.
---
 conf/composites.conf | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'conf')
diff --git a/conf/composites.conf b/conf/composites.conf
index 7197adc8f..bf772be07 100644
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -103,16 +103,19 @@ composites {
 expression = "(HAS_X_POS | HAS_PHPMAILER_SIG | HAS_X_PHP_SCRIPT) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM | MANY_INVISIBLE_PARTS)";
 description = "Message was generated by PHP script and contains some spam indicators";
 score = 1.0;
+ policy = "leave";
 }
 PHISH_EMOTION {
 expression = "(PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM)";
 description = "Phish message with subject trying to address users emotion";
 score = 2.0;
+ policy = "leave";
 }
 HAS_ANON_DOMAIN {
 expression = "HAS_GUC_PROXY_URI | URIBL_RED | DBL_ABUSE_REDIR";
 description = "Contains one or more domains trying to disguise owner/destination";
 score = 0.5;
+ policy = "leave";
 }

 .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/composites.conf"
--
cgit v1.2.3
From a15bd65a86b860d2b7d5dc84791339c95610dbb8 Mon Sep 17 00:00:00 2001
From: heraklit256 <37872459+heraklit256@users.noreply.github.com#>
Date: Thu, 4 Oct 2018 18:03:24 +0200
Subject: Composite rules: Minor cleanups
Added descriptions to some rules and unified AND operator.
---
 conf/composites.conf | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'conf')
diff --git a/conf/composites.conf b/conf/composites.conf
index bf772be07..9f3276fb3 100644
--- a/conf/composites.conf
+++ b/conf/composites.conf
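Review bot: With `policy = "leave"` the symbols these three composites match keep both their names and their weights, so each composite's own score (1.0, 2.0 and 0.5 in this hunk) is now added on top of the atom scores instead of replacing them; the commit message presents the change as a debugging aid, but it is also a scoring change for every message that matches, if I read rspamd's policy semantics correctly. The first composite's name is outside the hunk, so I cannot name it here. A one-line comment next to each policy, e.g. `# leave: matched symbols keep their weights; this score is added on top`, would make the stacking visible to whoever tunes these scores next, and the three score values deserve a second look under the new policy.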
@@ -24,6 +24,7 @@ composites {
 }
 FORGED_SENDER_FORWARDING {
 expression = "FORGED_SENDER & g:forwarding";
+ description = "Forged sender, but message is forwarded";
 policy = "remove_weight";
 }
 SPF_FAIL_FORWARDING {
@@ -42,7 +43,7 @@ composites {
 expression = "FORGED_SENDER & (ENVFROM_PRVS | ENVFROM_VERP)";
 }
 FORGED_MUA_MAILLIST {
- expression = "g:mua and -MAILLIST";
+ expression = "g:mua & -MAILLIST";
 }
 RBL_SPAMHAUS_XBL_ANY {
 expression = "RBL_SPAMHAUS_XBL & RECEIVED_SPAMHAUS_XBL";
@@ -66,6 +67,7 @@ composites {
 }
 MAILER_1C_8_BASE64 {
 expression = "MAILER_1C_8 & (FROM_EXCESS_BASE64 | MIME_BASE64_TEXT | SUBJ_EXCESS_BASE64 | TO_EXCESS_BASE64)";
+ description = "Message was sent by '1C:Enterprise 8' and uses base64 encoded data";
 }
 HACKED_WP_PHISHING {
 expression = "(HAS_X_POS | HAS_PHPMAILER_SIG) & HAS_WP_URI & (PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK)";
--
cgit v1.2.3
From 0455923baf5721005a07c3d9d8daf857ca9e2294 Mon Sep 17 00:00:00 2001
From: heraklit256 <37872459+heraklit256@users.noreply.github.com#>
Date: Thu, 4 Oct 2018 18:04:44 +0200
Subject: Include ARC into AUTH_NA rule
---
 conf/composites.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'conf')
diff --git a/conf/composites.conf b/conf/composites.conf
index 9f3276fb3..588b98829 100644
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -50,10 +50,10 @@ composites {
 description = "From and Received address are listed in Spamhaus XBL";
 }
 AUTH_NA {
- expression = "R_DKIM_NA & R_SPF_NA & DMARC_NA";
+ expression = "R_DKIM_NA & R_SPF_NA & DMARC_NA & ARC_NA";
 score = 1.0;
 policy = "remove_weight";
- description = "Authenticating message via SPF/DKIM/DMARC not possible";
+ description = "Authenticating message via SPF/DKIM/DMARC/ARC not possible";
 }
 DKIM_MIXED {
 expression = "-R_DKIM_ALLOW & (R_DKIM_DNSFAIL | R_DKIM_PERMFAIL | R_DKIM_REJECT)"
--
cgit v1.2.3
From e5fbf6435ab9f41c5a3fae0115c41e8edca7fb4b Mon Sep 17 00:00:00 2001
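Review bot: FORGED_MUA_MAILLIST in the second hunk still has no `description` after its expression is rewritten, while the commit's stated purpose is to add descriptions to rules that lack them and the first and third hunks do exactly that; a `description = "...";` line beside the expression would keep the three hunks consistent (the hunk does not spell out what `g:mua & -MAILLIST` is meant to catch, so I am not proposing a wording). The `and` to `&` rewrite is presumably parse-equivalent, since the word form shipped in this file before, but nothing in the commit confirms it; running `rspamadm configtest` against the patched file before merging would settle that cheaply.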
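Review bot: Adding `& ARC_NA` to the AUTH_NA conjunction ties the composite to a symbol that is only produced when the ARC module is active; on an installation where that module is disabled, or where ARC_NA is otherwise never inserted, the expression can no longer be satisfied and AUTH_NA silently stops firing, which loses a scoring signal without any visible error. I cannot tell from the hunk whether the module is on by default in the configuration this file ships with, so that should be checked before merging. If the dependency is intended, a comment next to the expression such as `# requires the arc module: without ARC_NA this composite never matches` would document it for operators who turn ARC off.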
From: heraklit256
Date: Wed, 17 Oct 2018 21:49:16 +0200
Subject: lower score for HAS_ANON_DOMAIN to 0.1
---
 conf/composites.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'conf')
diff --git a/conf/composites.conf b/conf/composites.conf
index 588b98829..d8be8ca72 100644
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -116,7 +116,7 @@ composites {
 HAS_ANON_DOMAIN {
 expression = "HAS_GUC_PROXY_URI | URIBL_RED | DBL_ABUSE_REDIR";
 description = "Contains one or more domains trying to disguise owner/destination";
- score = 0.5;
+ score = 0.1;
 policy = "leave";
 }

--
cgit v1.2.3
From 574536f825e2ad8c2d4d462c5ab183738eadbdb5 Mon Sep 17 00:00:00 2001
From: heraklit256
Date: Wed, 17 Oct 2018 21:49:38 +0200
Subject: lower score for PHISH_EMOTION to 1.0
---
 conf/composites.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'conf')
diff --git a/conf/composites.conf b/conf/composites.conf
index d8be8ca72..36490d3b7 100644
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -110,7 +110,7 @@ composites {
 PHISH_EMOTION {
 expression = "(PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM)";
 description = "Phish message with subject trying to address users emotion";
- score = 2.0;
+ score = 1.0;
 policy = "leave";
 }
 HAS_ANON_DOMAIN {
--
cgit v1.2.3
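Review bot: Neither this HAS_ANON_DOMAIN hunk nor the PHISH_EMOTION hunk in the following commit records why the score is lowered (0.5 to 0.1 here, 2.0 to 1.0 there), and since both blocks carry `policy = "leave"` the composite's score stacks on top of the weights of the symbols it matched, so a reader cannot tell whether the new values were chosen with that stacking in mind. A short comment beside the score, e.g. `# added on top of the matched symbols' weights (policy = "leave"); kept low as a marker`, would make the intent reviewable, and the commit message would benefit from the same sentence. The same applies to the PHISH_EMOTION hunk below, which I am not repeating separately.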