commit e1b653d: Merge pull request #4556 from twesterhever/temp-improve-freemail-aff

[GitHub]

Author: Vsevolod Stakhov
Date: 2023-08-02 13:33:03 +0100
URL: https://github.com/rspamd/rspamd/commit/e1b653d22441860199b7eba5304ecb56afd6fa8d (HEAD -> master)

Merge pull request #4556 from twesterhever/temp-improve-freemail-aff
[Minor] Improve catch rates of FREEMAIL_AFF

 conf/composites.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --combined conf/composites.conf
index a1f18749c,bbfa7b179..e598f73ef
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@@ -65,14 -65,6 +65,14 @@@ composites 
      expression = "-R_DKIM_ALLOW & (R_DKIM_TEMPFAIL | R_DKIM_PERMFAIL | R_DKIM_REJECT)"
      policy = "remove_weight";
    }
 +  APPLE_MAILER_COMMON {
 +    description = "Message was sent by 'Apple Mail' and has common symbols in place";
 +    expression = "APPLE_MAILER & MV_CASE";
 +  }
 +  APPLE_IOS_MAILER_COMMON {
 +    description = "Message was sent by 'Apple iOS Mail' and has common symbols in place";
 +    expression = "APPLE_IOS_MAILER & (MV_CASE | MIME_MA_MISSING_TEXT)";
 +  }
    HACKED_WP_PHISHING {
      expression = "(HAS_X_POS | HAS_PHPMAILER_SIG) & HAS_WP_URI & (PHISHING | CRACKED_SURBL | PH_SURBL_MULTI | DBL_PHISH | DBL_ABUSE_PHISH | URIBL_BLACK | PHISHED_OPENPHISH | PHISHED_PHISHTANK)";
      description = "Phish message sent by hacked Wordpress instance";
@@@ -157,7 -149,7 +157,7 @@@
      group = "scams";
    }
    FREEMAIL_AFF {
-     expression = "(FREEMAIL_FROM | FREEMAIL_ENVFROM | FREEMAIL_REPLYTO) & R_UNDISC_RCPT & (INTRODUCTION | FROM_NAME_HAS_TITLE | FREEMAIL_REPLYTO_NEQ_FROM_DOM)";
+     expression = "(FREEMAIL_FROM | FREEMAIL_ENVFROM | FREEMAIL_REPLYTO) & (TO_DN_RECIPIENTS | R_UNDISC_RCPT) & (INTRODUCTION | FROM_NAME_HAS_TITLE | FREEMAIL_REPLYTO_NEQ_FROM_DOM)";
      score = 4.0;
      policy = "leave";
      description = "Message exhibits strong characteristics of advance fee fraud (AFF a/k/a '419' spam) involving freemail addresses";