add rule for spammy PHP generated mails

diff --git a/conf/composites.conf b/conf/composites.conf
index 2b4c57072e70a7da2dd3cb83a6daaa1e7a6beb77..89f03790e7e9c681d329bc9ae880f895c5db6c13 100644 (file)
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -87,15 +87,20 @@ composites {
         score = 2.0;
     }
     RCVD_DKIM_ARC_DNSWL_MED {
-        expression = "(R_DKIM_ALLOW | ARC_ALLOW ) & RCVD_IN_DNSWL_MED";
+        expression = "(R_DKIM_ALLOW | ARC_ALLOW) & RCVD_IN_DNSWL_MED";
         description = "Sufficiently DKIM/ARC signed and received from IP with medium trust at DNSWL";
         score = -1.5;
     }
     RCVD_DKIM_ARC_DNSWL_HI {
-        expression = "(R_DKIM_ALLOW | ARC_ALLOW ) & RCVD_IN_DNSWL_HI";
+        expression = "(R_DKIM_ALLOW | ARC_ALLOW) & RCVD_IN_DNSWL_HI";
         description = "Sufficiently DKIM/ARC signed and received from IP with high trust at DNSWL";
         score = -3.5;
     }
+    AUTOGEN_PHP_SPAMMY {
+        expression = "(HAS_X_POS | HAS_PHPMAILER_SIG | HAS_X_PHP_SCRIPT) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM | MANY_INVISIBLE_PARTS)";
+        description = "Message was generated by PHP script and contains some spam indicators";
+        score = 1.0;
+    }
 
     .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/composites.conf"
     .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/composites.conf"