From c53dd6be7203038a0be6e73f1eb4beeeecd65b91 Mon Sep 17 00:00:00 2001
From: Steve Freegard
Date: Thu, 23 Mar 2017 21:27:02 +0000
Subject: New rules

---
 conf/composites.conf | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'conf')

diff --git a/conf/composites.conf b/conf/composites.conf
index 9565ae489..947fa7fbb 100644
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -61,6 +61,16 @@ composites {
 expression = "HAS_X_POS & HAS_WP_URI & PHISHING";
 policy = "leave";
 }
+ COMPROMISED_ACCT_BULK {
+ expression = "HAS_XOIP & DCC_BULK";
+ description = "Likely to be from a compromised webmail account";
+ score = 3.0;
+ }
+ UNDISC_RCPTS_BULK {
+ expression = "DCC_BULK & (MISSING_TO | R_UNDISC_RCPT)";
+ description = "Missing or undisclosed recipients with a bulk signature";
+ score = 3.0;
+ }
 
 .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/composites.conf"
 .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/composites.conf"
-- 
cgit v1.2.3
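Review bot: Neither `COMPROMISED_ACCT_BULK` nor `UNDISC_RCPTS_BULK` sets `policy`, unlike the `policy = "leave";` in the context line directly above them, so rspamd's default composite policy applies and the matched constituents (`HAS_XOIP`, `DCC_BULK`, `MISSING_TO`, `R_UNDISC_RCPT`) are removed from the result together with their weights when a composite fires. The net effect of `score = 3.0` then depends on the weights it replaces, and the constituent symbols no longer appear in the symbol list an analyst would use to triage the message. Both expressions also share `DCC_BULK`, so a message carrying all of these symbols matches both rules; how the two removals interact should be confirmed. If the score is meant to be additive, add `policy = "leave";` to each block, or state the intended removal policy explicitly. The enclosing `composites { … }` section starts and ends outside this hunk.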