Add FREEMAIL_REPLYTO_NEQ_FROM rule

author Dmitriy Alekseev <1865999+dragoangel@users.noreply.github.com>

Sun, 30 Mar 2025 13:33:28 +0000 (15:33 +0200)

committer GitHub <noreply@github.com>

Sun, 30 Mar 2025 13:33:28 +0000 (15:33 +0200)
author Dmitriy Alekseev <1865999+dragoangel@users.noreply.github.com>
Sun, 30 Mar 2025 13:33:28 +0000 (15:33 +0200)
committer GitHub <noreply@github.com>
Sun, 30 Mar 2025 13:33:28 +0000 (15:33 +0200)
diff --git a/conf/composites.conf b/conf/composites.conf

index 34a6c170e5d7b06651a4d92d5f114619317f1201..d6c8e37736f99f51bdfb095f6d608be8ef7494c5 100644 (file)
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -171,6 +171,12 @@ composites {
      description = "Message exhibits strong characteristics of advance fee fraud (AFF a/k/a '419' spam) involving freemail addresses";
      group = "scams";
    }
+  FREEMAIL_REPLYTO_NEQ_FROM {
+    expression = "FREEMAIL_REPLYTO & !REPLYTO_EQ_FROM & !REPLYTO_ADDR_EQ_FROM & !FREEMAIL_REPLYTO_NEQ_FROM_DOM";
+    score = 2.0;
+    policy = "leave";
+    description = "Reply-To is a Freemail address and it not match From header or SMTP From, also From is not another Freemail";
+  }
    SUSPICIOUS_MDN {
      expression = "(FREEMAIL_MDN | DISPOSABLE_MDN) & !(FREEMAIL_FROM | FREEMAIL_ENVFROM)";
      score = 2.0;
author	Dmitriy Alekseev <1865999+dragoangel@users.noreply.github.com>
	Sun, 30 Mar 2025 13:33:28 +0000 (15:33 +0200)
committer	GitHub <noreply@github.com>
	Sun, 30 Mar 2025 13:33:28 +0000 (15:33 +0200)