committing changes in /etc made by "-bash"

Package changes:
2023-09-04 09:19:01 +03:00
parent dac424ac1f
commit 0ea67db15e
97 changed files with 375 additions and 144 deletions


@@ -65,18 +65,16 @@ composites {
expression = "-R_DKIM_ALLOW & (R_DKIM_TEMPFAIL | R_DKIM_PERMFAIL | R_DKIM_REJECT)"
policy = "remove_weight";
}
MAIL_RU_MAILER_BASE64 {
expression = "MAIL_RU_MAILER & (FROM_EXCESS_BASE64 | MIME_BASE64_TEXT | REPLYTO_EXCESS_BASE64 | SUBJ_EXCESS_BASE64 | TO_EXCESS_BASE64)";
APPLE_MAILER_COMMON {
description = "Message was sent by 'Apple Mail' and has common symbols in place";
expression = "APPLE_MAILER & MV_CASE";
}
YANDEX_RU_MAILER_CTYPE_MIXED_BOGUS {
expression = "YANDEX_RU_MAILER & -HAS_ATTACHMENT & CTYPE_MIXED_BOGUS";
}
MAILER_1C_8_BASE64 {
expression = "MAILER_1C_8 & (FROM_EXCESS_BASE64 | MIME_BASE64_TEXT | SUBJ_EXCESS_BASE64 | TO_EXCESS_BASE64)";
description = "Message was sent by '1C:Enterprise 8' and uses base64 encoded data";
APPLE_IOS_MAILER_COMMON {
description = "Message was sent by 'Apple iOS Mail' and has common symbols in place";
expression = "APPLE_IOS_MAILER & (MV_CASE | MIME_MA_MISSING_TEXT)";
}
HACKED_WP_PHISHING {
expression = "(HAS_X_POS | HAS_PHPMAILER_SIG) & HAS_WP_URI & (PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK)";
expression = "(HAS_X_POS | HAS_PHPMAILER_SIG) & HAS_WP_URI & (PHISHING | CRACKED_SURBL | PH_SURBL_MULTI | DBL_PHISH | DBL_ABUSE_PHISH | URIBL_BLACK | PHISHED_OPENPHISH | PHISHED_PHISHTANK)";
description = "Phish message sent by hacked Wordpress instance";
policy = "leave";
}
@@ -93,8 +91,8 @@ composites {
policy = "leave";
}
RCVD_UNAUTH_PBL {
expression = "RECEIVED_PBL & !RCVD_VIA_SMTP_AUTH";
description = "Relayed through Spamhaus PBL IP without sufficient authentication (possible indicating an open relay)";
expression = "RECEIVED_SPAMHAUS_PBL & !RCVD_VIA_SMTP_AUTH";
description = "Relayed through Spamhaus PBL IP without sufficient authentication (possibly indicating an open relay)";
score = 2.0;
policy = "leave";
}
@@ -159,11 +157,24 @@ composites {
group = "scams";
}
FREEMAIL_AFF {
expression = "(FREEMAIL_FROM | FREEMAIL_ENVFROM | FREEMAIL_REPLYTO) & R_UNDISC_RCPT & (INTRODUCTION | FROM_NAME_HAS_TITLE | FREEMAIL_REPLYTO_NEQ_FROM_DOM)";
expression = "(FREEMAIL_FROM | FREEMAIL_ENVFROM | FREEMAIL_REPLYTO) & (TO_DN_RECIPIENTS | R_UNDISC_RCPT) & (INTRODUCTION | FROM_NAME_HAS_TITLE | FREEMAIL_REPLYTO_NEQ_FROM_DOM)";
score = 4.0;
policy = "leave";
description = "Message exhibits strong characteristics of advance fee fraud (AFF a/k/a '419' spam) involving freemail addresses";
}
REDIRECTOR_URL_ONLY {
expression = "HFILTER_URL_ONLY & REDIRECTOR_URL";
score = 1.0;
policy = "leave";
description = "Message only contains a redirector URL";
}
THREAD_HIJACKING_FROM_INJECTOR {
expression = "FAKE_REPLY & RCVD_VIA_SMTP_AUTH & (!RECEIVED_SPAMHAUS_PBL | RECEIVED_SPAMHAUS_XBL | RECEIVED_SPAMHAUS_SBL)";
score = 2.0;
policy = "leave";
description = "Fake reply exhibiting characteristics of being injected into a compromised mail server, possibly e-mail thread hijacking";
group = "compromised_hosts";
}
.include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/composites.conf"
.include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/composites.conf"
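Review bot: The parenthesised term in the new THREAD_HIJACKING_FROM_INJECTOR expression, `(!RECEIVED_SPAMHAUS_PBL | RECEIVED_SPAMHAUS_XBL | RECEIVED_SPAMHAUS_SBL)`, is true for every message whose relay is not PBL-listed, so the composite effectively scores any `FAKE_REPLY & RCVD_VIA_SMTP_AUTH` hit and exempts only relays that are on PBL alone; nothing in the block states that intent. A comment above the expression would make it reviewable, for example `# PBL-only relays are exempt (presumably end-user ranges expected behind SMTP AUTH); an XBL or SBL listing restores the match`. Because the policy is "leave", the 2.0 is added on top of whatever FAKE_REPLY already contributes, so the symbol's hit rate on legitimate authenticated replies is worth watching after this update. Any local score adjustment belongs in the `local.d/composites.conf` or `override.d/composites.conf` files included at the end of the block rather than in this file.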