commit 285e588: [Minor] Rework composites for spam injected into compromised accounts

twesterhever 40121680+twesterhever at users.noreply.github.com
Mon Jul 29 17:55:17 UTC 2024


Author: twesterhever
Date: 2024-04-09 10:55:24 +0000
URL: https://github.com/rspamd/rspamd/commit/285e588f92d05d12d44deb2e664baf354876e60a

[Minor] Rework composites for spam injected into compromised accounts

---
 conf/composites.conf | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/conf/composites.conf b/conf/composites.conf
index e38d64e6b..41cd7749f 100644
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -174,11 +174,17 @@ composites {
     policy = "leave";
     description = "Message only contains a redirector URL";
   }
-  THREAD_HIJACKING_FROM_INJECTOR {
-    expression = "FAKE_REPLY & RCVD_VIA_SMTP_AUTH & (!RECEIVED_SPAMHAUS_PBL | RECEIVED_SPAMHAUS_XBL | RECEIVED_SPAMHAUS_SBL)";
+  SUSPICIOUS_AUTH_ORIGIN {
+    expression = "RCVD_VIA_SMTP_AUTH & (!RECEIVED_SPAMHAUS_PBL | RECEIVED_SPAMHAUS_XBL | RECEIVED_SPAMHAUS_SBL | RECEIVED_BLOCKLISTDE)";
+    score = 0.0;
+    policy = "leave";
+    description = "Message authenticated, but from a suspicios origin (potentially an injector)";
+  }
+  ABUSE_FROM_INJECTOR {
+    expression = "SUSPICIOUS_AUTH_ORIGIN & (FAKE_REPLY | HAS_IPFS_GATEWAY_URL | HTML_SHORT_LINK_IMG_1)";
     score = 2.0;
     policy = "leave";
-    description = "Fake reply exhibiting characteristics of being injected into a compromised mail server, possibly e-mail thread hijacking";
+    description = "Message is sent from a suspicios origin and showing signs of abuse, likely spam injected in compromised account";
     group = "compromised_hosts";
   }
   SUSPICIOUS_URL_IN_SUSPICIOUS_MESSAGE {
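Review bot: In SUSPICIOUS_AUTH_ORIGIN the `!RECEIVED_SPAMHAUS_PBL` term is true whenever that symbol is absent, which presumably includes a Spamhaus lookup that failed or was skipped, so during a DNSBL outage every authenticated message would count as a suspicious origin. The term was already in the removed THREAD_HIJACKING_FROM_INJECTOR expression, but ABUSE_FROM_INJECTOR now also fires on HAS_IPFS_GATEWAY_URL and HTML_SHORT_LINK_IMG_1, so the 2.0 score would reach more mail in that case. I would document the intent above the block, e.g. `# PBL space is where end users normally authenticate from; !RECEIVED_SPAMHAUS_PBL also matches when the lookup did not run`. Both new description strings spell "suspicios" where "suspicious" is meant. Because the scored symbol is renamed, any local score or group override keyed on THREAD_HIJACKING_FROM_INJECTOR would stop applying, which is worth a release note.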

