commit 4cfad17: Merge pull request #4507 from twesterhever/temp-composites-thread-hijacking-injector

GitHub noreply at github.com
Sat Jun 3 20:07:11 UTC 2023


Author: Vsevolod Stakhov
Date: 2023-06-03 21:03:37 +0100
URL: https://github.com/rspamd/rspamd/commit/4cfad17e703ed28c48fd64df438f493f141b156e (HEAD -> master)

Merge pull request #4507 from twesterhever/temp-composites-thread-hijacking-injector
[Rules] Add thread hijacking composite rule

 conf/composites.conf | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --combined conf/composites.conf
index efb287207,55515d3b6..00f46f966
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@@ -66,7 -66,7 +66,7 @@@ composites 
      policy = "remove_weight";
    }
    HACKED_WP_PHISHING {
 -    expression = "(HAS_X_POS | HAS_PHPMAILER_SIG) & HAS_WP_URI & (PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK)";
 +    expression = "(HAS_X_POS | HAS_PHPMAILER_SIG) & HAS_WP_URI & (PHISHING | CRACKED_SURBL | PH_SURBL_MULTI | DBL_PHISH | DBL_ABUSE_PHISH | URIBL_BLACK | PHISHED_OPENPHISH | PHISHED_PHISHTANK)";
      description = "Phish message sent by hacked Wordpress instance";
      policy = "leave";
    }
@@@ -83,8 -83,8 +83,8 @@@
      policy = "leave";
    }
    RCVD_UNAUTH_PBL {
-     expression = "RECEIVED_PBL & !RCVD_VIA_SMTP_AUTH";
-     description = "Relayed through Spamhaus PBL IP without sufficient authentication (possible indicating an open relay)";
+     expression = "RECEIVED_SPAMHAUS_PBL & !RCVD_VIA_SMTP_AUTH";
+     description = "Relayed through Spamhaus PBL IP without sufficient authentication (possibly indicating an open relay)";
      score = 2.0;
      policy = "leave";
    }
@@@ -160,6 -160,13 +160,13 @@@
      policy = "leave";
      description = "Message only contains a redirector URL";
    }
+   THREAD_HIJACKING_FROM_INJECTOR {
+     expression = "FAKE_REPLY & RCVD_VIA_SMTP_AUTH & (!RECEIVED_SPAMHAUS_PBL | RECEIVED_SPAMHAUS_XBL | RECEIVED_SPAMHAUS_SBL)";
+     score = 2.0;
+     policy = "leave";
+     description = "Fake reply exhibiting characteristics of being injected into a compromised mail server, possibly e-mail thread hijacking";
+     group = "compromised_hosts";
+   }
  
    .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/composites.conf"
    .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/composites.conf"
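Review bot: The `!RECEIVED_SPAMHAUS_PBL` term in THREAD_HIJACKING_FROM_INJECTOR is satisfied by the mere absence of the symbol, not by a confirmed "not listed" answer, so on an installation where the Spamhaus lookups are not performed (RBL section disabled, DNS resolution failing, or a sender IP the RBL module never queries such as a private/local one) the composite collapses to `FAKE_REPLY & RCVD_VIA_SMTP_AUTH` and adds 2.0 to every authenticated submission that looks like a fake reply. That is a false-positive exposure the hunk does not call out, and it is easy to miss because the XBL/SBL alternatives look like positive evidence while the PBL clause is negative evidence. I would at least document it next to the expression, e.g. `# NOTE: "!RECEIVED_SPAMHAUS_PBL" also matches when the Spamhaus RBL is not queried at all; without working Spamhaus lookups this reduces to FAKE_REPLY & RCVD_VIA_SMTP_AUTH.`, so operators who run without Spamhaus know to override the score in local.d/composites.conf. It would also help to state in the description what "characteristics" means concretely: an authenticated submission that did not come from a PBL (end-user) address, or came from an XBL/SBL-listed host.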

