commit a7d2543: Merge pull request #4915 from twesterhever/temp-freemail-mdn

GitHub noreply at github.com
Mon Jul 29 17:56:31 UTC 2024


Author: Vsevolod Stakhov
Date: 2024-04-30 20:07:58 +0600
URL: https://github.com/rspamd/rspamd/commit/a7d2543250b176eff03668eccfa774f2e4bd3bdb

Merge pull request #4915 from twesterhever/temp-freemail-mdn
Add detection for freemail and disposable e-mail usage for message delivery notification

 conf/composites.conf         |  9 ++++++++-
 conf/modules.d/multimap.conf | 20 ++++++++++++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)

diff --combined conf/composites.conf
index c1b603e51,d3c4f073b..b1bff1c1a
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@@ -83,14 -83,12 +83,14 @@@ composites 
      expression = "(HAS_X_POS | HAS_PHPMAILER_SIG) & HAS_WP_URI & (PHISHING | CRACKED_SURBL | PH_SURBL_MULTI | DBL_PHISH | DBL_ABUSE_PHISH | URIBL_BLACK | PHISHED_OPENPHISH | PHISHED_PHISHTANK)";
      description = "Phish message sent by hacked Wordpress instance";
      policy = "leave";
 +    group = "compromised_hosts";
    }
    COMPROMISED_ACCT_BULK {
      expression = "(HAS_XOIP | RCVD_FROM_SMTP_AUTH) & DCC_BULK";
      description = "Likely to be from a compromised account";
      score = 3.0;
      policy = "leave";
 +    group = "compromised_hosts";
    }
    UNDISC_RCPTS_BULK {
      expression = "DCC_BULK & (MISSING_TO | R_UNDISC_RCPT)";
@@@ -165,29 -163,29 +165,36 @@@
      group = "scams";
    }
    FREEMAIL_AFF {
-     expression = "(FREEMAIL_FROM | FREEMAIL_ENVFROM | FREEMAIL_REPLYTO) & (TO_DN_RECIPIENTS | R_UNDISC_RCPT) & (INTRODUCTION | FROM_NAME_HAS_TITLE | FREEMAIL_REPLYTO_NEQ_FROM_DOM | SUBJECT_HAS_CURRENCY)";
+     expression = "(FREEMAIL_FROM | FREEMAIL_ENVFROM | FREEMAIL_REPLYTO | FREEMAIL_MDN) & (TO_DN_RECIPIENTS | R_UNDISC_RCPT) & (INTRODUCTION | FROM_NAME_HAS_TITLE | FREEMAIL_REPLYTO_NEQ_FROM_DOM | SUBJECT_HAS_CURRENCY)";
      score = 4.0;
      policy = "leave";
      description = "Message exhibits strong characteristics of advance fee fraud (AFF a/k/a '419' spam) involving freemail addresses";
 +    group = "scams";
    }
+   SUSPICIOUS_MDN {
+     expression = "(FREEMAIL_MDN | DISPOSABLE_MDN) & !(FREEMAIL_FROM | FREEMAIL_ENVFROM)";
+     score = 2.0;
+     policy = "leave";
+     description = "Message delivery notification should go to freemail or disposable e-mail, but message was not sent from a freemail address";
+     group = "scams";
+   }
    REDIRECTOR_URL_ONLY {
      expression = "HFILTER_URL_ONLY & REDIRECTOR_URL";
      score = 1.0;
      policy = "leave";
      description = "Message only contains a redirector URL";
    }
 -  THREAD_HIJACKING_FROM_INJECTOR {
 -    expression = "FAKE_REPLY & RCVD_VIA_SMTP_AUTH & (!RECEIVED_SPAMHAUS_PBL | RECEIVED_SPAMHAUS_XBL | RECEIVED_SPAMHAUS_SBL)";
 +  SUSPICIOUS_AUTH_ORIGIN {
 +    expression = "(HAS_XOIP | RCVD_FROM_SMTP_AUTH) & (!RECEIVED_SPAMHAUS_PBL | RECEIVED_SPAMHAUS_XBL | RECEIVED_SPAMHAUS_SBL | RECEIVED_BLOCKLISTDE)";
 +    score = 0.0;
 +    policy = "leave";
 +    description = "Message authenticated, but from a suspicios origin (potentially an injector)";
 +  }
 +  ABUSE_FROM_INJECTOR {
 +    expression = "SUSPICIOUS_AUTH_ORIGIN & (FAKE_REPLY | HAS_IPFS_GATEWAY_URL | HTML_SHORT_LINK_IMG_1)";
      score = 2.0;
      policy = "leave";
 -    description = "Fake reply exhibiting characteristics of being injected into a compromised mail server, possibly e-mail thread hijacking";
 +    description = "Message is sent from a suspicios origin and showing signs of abuse, likely spam injected in compromised account";
      group = "compromised_hosts";
    }
    SUSPICIOUS_URL_IN_SUSPICIOUS_MESSAGE {
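Review bot: The SUSPICIOUS_MDN expression suppresses the hit only for freemail senders, `!(FREEMAIL_FROM | FREEMAIL_ENVFROM)`, so a message sent from a disposable-address domain that asks for its delivery notification at a disposable address still scores 2.0 even though sender and notification address are consistent, which is the opposite of how the freemail case is treated. If the conf/modules.d/multimap.conf change listed in the diffstat (its hunk is not part of this mail) defines a disposable-sender symbol, it belongs in the same negation; if it does not, the composite's description should say explicitly that only freemail senders are excluded. The description also reads awkwardly; suggested wording: `description = "Message requests a delivery notification to a freemail or disposable address, but was not sent from a freemail address";`. FREEMAIL_AFF is extended with FREEMAIL_MDN but not DISPOSABLE_MDN, which may be deliberate but deserves a short comment above the composite so the asymmetry is not mistaken for an oversight.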

