From: heraklit256 <37872459+heraklit256@users.noreply.github.com#>
Date: Sat, 8 Sep 2018 10:02:02 +0000 (+0200)
Subject: add rule for spammy PHP generated mails
X-Git-Tag: 1.8.0~159^2~2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=46bb18fa937540fcb19e027dae95d1a54256fab9;p=thirdparty%2Frspamd.git

add rule for spammy PHP generated mails
---

diff --git a/conf/composites.conf b/conf/composites.conf
index 2b4c57072e..89f03790e7 100644
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -87,15 +87,20 @@ composites {
         score = 2.0;
     }
     RCVD_DKIM_ARC_DNSWL_MED {
-        expression = "(R_DKIM_ALLOW | ARC_ALLOW ) & RCVD_IN_DNSWL_MED";
+        expression = "(R_DKIM_ALLOW | ARC_ALLOW) & RCVD_IN_DNSWL_MED";
         description = "Sufficiently DKIM/ARC signed and received from IP with medium trust at DNSWL";
         score = -1.5;
     }
     RCVD_DKIM_ARC_DNSWL_HI {
-        expression = "(R_DKIM_ALLOW | ARC_ALLOW ) & RCVD_IN_DNSWL_HI";
+        expression = "(R_DKIM_ALLOW | ARC_ALLOW) & RCVD_IN_DNSWL_HI";
         description = "Sufficiently DKIM/ARC signed and received from IP with high trust at DNSWL";
         score = -3.5;
     }
+    AUTOGEN_PHP_SPAMMY {
+        expression = "(HAS_X_POS | HAS_PHPMAILER_SIG | HAS_X_PHP_SCRIPT) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM | MANY_INVISIBLE_PARTS)";
+        description = "Message was generated by PHP script and contains some spam indicators";
+        score = 1.0;
+    }
 
     .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/composites.conf"
     .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/composites.conf"