From be0ec8efc0b092ec802077a9e10287ec4e700ca0 Mon Sep 17 00:00:00 2001
From: andryyy
Date: Sun, 18 Oct 2020 10:11:27 +0200
Subject: [PATCH] [Rspamd] Composite fixes and adjustments for better filtering
---
 data/conf/rspamd/local.d/composites.conf | 31 ++++++++++++------------
 1 file changed, 15 insertions(+), 16 deletions(-)
diff --git a/data/conf/rspamd/local.d/composites.conf b/data/conf/rspamd/local.d/composites.conf
index 71314b7f..bc3fbcf6 100644
--- a/data/conf/rspamd/local.d/composites.conf
+++ b/data/conf/rspamd/local.d/composites.conf
@@ -6,20 +6,19 @@ VIRUS_FOUND {
 expression = "CLAM_VIRUS & !MAILCOW_WHITE";
 score = 2000;
 }
-SPF_FAIL_NO_DKIM {
- expression = "R_SPF_FAIL & R_DKIM_NA & !MAILCOW_WHITE & !ARC_ALLOW";
+# Bad policy from non-whitelisted senders
+POLICY_FAILURE {
+ expression = "-g+:policies & !MAILCOW_WHITE";
 score = 10;
 }
-SOGO_CONTACT_EXCLUDE_FWD_HOST {
- expression = "-WHITELISTED_FWD_HOST & ~SOGO_CONTACT";
+# Remove SOGO_CONTACT symbol for fwd hosts and senders with broken policy
+SOGO_CONTACT_EXCLUDE {
+ expression = "(-WHITELISTED_FWD_HOST | -g+:policies) & ^SOGO_CONTACT";
 }
-SOGO_CONTACT_SPOOFED {
- expression = "(R_SPF_PERMFAIL | R_SPF_SOFTFAIL | R_SPF_FAIL) & ~SOGO_CONTACT";
-}
-# SPF checks against envelope, so we do not exclude SPF valid mail
+# Spoofed header from and broken policy (excluding sieve host, rspamd host, whitelisted senders, authenticated senders and forward hosts)
 SPOOFED_UNAUTH {
- expression = "!MAILCOW_AUTH & !MAILCOW_WHITE & !RSPAMD_HOST & !SIEVE_HOST & MAILCOW_DOMAIN_HEADER_FROM & !WHITELISTED_FWD_HOST";
- score = 5.0;
+ expression = "!MAILCOW_AUTH & !MAILCOW_WHITE & !RSPAMD_HOST & !SIEVE_HOST & MAILCOW_DOMAIN_HEADER_FROM & !WHITELISTED_FWD_HOST & -g+:policies";
+ score = 50.0;
 }
 # Only apply to inbound unauthed and not whitelisted
 OLEFY_MACRO {
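Review bot: SPOOFED_UNAUTH now requires `-g+:policies`, so a message with a forged local header From that carries no positive-score policy symbol gets nothing from this rule, where it scored 5.0 before. `g+:` matches only symbols with a positive weight; if the `*_NA` symbols (no SPF/DKIM/DMARC result) keep a zero weight in this setup, as they do in stock Rspamd as far as I know, spoofing of a hosted domain that publishes no policy drops out of the rule entirely. FORGED_W_BAD_POLICY in the second hunk already writes `( -g+:policies | -R_SPF_NA)`; either use the same group here or keep a low-score composite without the policy term for that case. The new comment should also state that the 50.0 is reached on any positive policy symbol, soft failures included where they carry a positive weight, and not only on R_SPF_FAIL as the removed SPOOFED_UNAUTH_POLICY_FAILURE required.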
@@ -27,21 +26,21 @@ OLEFY_MACRO {
 score = 20.0;
 policy = "remove_weight";
 }
+# Applies to a content filter map
 BAD_WORD_BAD_TLD {
 expression = "FISHY_TLD & ( BAD_WORDS | BAD_WORDS_DE )"
 score = 10.0;
 }
+# Forged with bad policies and not fwd host, keep bad policy symbols
 FORGED_W_BAD_POLICY {
- expression = "( ~g+:policies | ~R_SPF_NA) & ( ~FROM_NEQ_ENVFROM & ~FORGED_SENDER ) & !WHITELISTED_FWD_HOST"
+ expression = "( -g+:policies | -R_SPF_NA) & ( ~FROM_NEQ_ENVFROM & ~FORGED_SENDER ) & !WHITELISTED_FWD_HOST"
 score = 3.0;
 }
+# Keep negative (good) scores for rbl, policies and hfilter, disable neural group
 WL_FWD_HOST {
- expression = "-WHITELISTED_FWD_HOST & (^g:rbl | ^g+:policies | ^g:hfilter | ^g:neural)"
+ expression = "-WHITELISTED_FWD_HOST & (^g+:rbl | ^g+:policies | ^g+:hfilter | ^g:neural)"
 }
+# Exclude X-Spam like flags from scoring from fwd and sieve hosts
 UPSTREAM_CHECKS_EXCLUDE_FWD_HOST {
 expression = "(-SIEVE_HOST | -WHITELISTED_FWD_HOST) & (^UNITEDINTERNET_SPAM | ^SPAM_FLAG | ^KLMS_SPAM | ^AOL_SPAM | ^MICROSOFT_SPAM)"
 }
-SPOOFED_UNAUTH_POLICY_FAILURE {
- expression = "-SPOOFED_UNAUTH & -R_SPF_FAIL";
- score = 50.0;
-}
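Review bot: WL_FWD_HOST strips the positive rbl, policies and hfilter symbols for whitelisted forward hosts, but POLICY_FAILURE in the first hunk still matches `-g+:policies` on the same message, because its expression has no `!WHITELISTED_FWD_HOST` term, unlike SPOOFED_UNAUTH and FORGED_W_BAD_POLICY. As far as I know Rspamd applies composite removals only after all composites have been evaluated, so forwarded mail that fails SPF would still collect the 10 points; this is worth confirming against a test message. If that is not intended, the POLICY_FAILURE expression could read `expression = "-g+:policies & !MAILCOW_WHITE & !WHITELISTED_FWD_HOST";`. If it is intended, the comment above WL_FWD_HOST should say that the exemption does not cover POLICY_FAILURE.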