metric {
name = "default";
- # If this param is set to non-zero
+ # If this param is set to non-zero
# then a metric would accept all symbols
# unknown_weight = 1.0
- actions {
- reject = 15;
- add_header = 6;
- greylist = 4;
- };
-
- group {
- name = "header";
- symbol {
- weight = 2.0;
- description = "Subject is missing inside message";
- name = "MISSING_SUBJECT";
- }
- symbol {
- weight = 2.100000;
- description = "Message pretends to be send from Outlook but has 'strange' tags ";
- name = "FORGED_OUTLOOK_TAGS";
- }
- symbol {
- weight = 0.30;
- description = "Sender is forged (different From: header and smtp MAIL FROM: addresses)";
- name = "FORGED_SENDER";
- }
- symbol {
- weight = 3.500000;
- description = "Recipients seems to be autogenerated (works if recipients count is more than 5)";
- name = "SUSPICIOUS_RECIPS";
- }
- symbol {
- weight = 6.0;
- description = "Fake reply (has RE in subject, but has not References header)";
- name = "FAKE_REPLY_C";
- }
- symbol {
- weight = 1.0;
- description = "Messages that have only HTML part";
- name = "MIME_HTML_ONLY";
- }
- symbol {
- weight = 2.0;
- description = "Forged yahoo msgid";
- name = "FORGED_MSGID_YAHOO";
- }
- symbol {
- weight = 2.0;
- description = "Forged The Bat! MUA headers";
- name = "FORGED_MUA_THEBAT_BOUN";
- }
- symbol {
- weight = 5.0;
- description = "Charset is missing in a message";
- name = "R_MISSING_CHARSET";
- }
- symbol {
- weight = 2.0;
- description = "Two received headers with ip addresses";
- name = "RCVD_DOUBLE_IP_SPAM";
- }
- symbol {
- weight = 5.0;
- description = "Forged outlook HTML signature";
- name = "FORGED_OUTLOOK_HTML";
- }
- symbol {
- weight = 5.0;
- description = "Recipients are absent or undisclosed";
- name = "R_UNDISC_RCPT";
- }
- symbol {
- weight = 2.0;
- description = "Fake helo for verizon provider";
- name = "FM_FAKE_HELO_VERIZON";
- }
- symbol {
- weight = 2.0;
- description = "Quoted reply-to from yahoo (seems to be forged)";
- name = "REPTO_QUOTE_YAHOO";
- }
- symbol {
- weight = 5.0;
- description = "Mime-OLE is needed but absent (e.g. fake Outlook or fake Exchange)";
- name = "MISSING_MIMEOLE";
- }
- symbol {
- weight = 2.0;
- description = "To header is missing";
- name = "MISSING_TO";
- }
- symbol {
- weight = 1.500000;
- description = "From that contains encoded characters while base 64 is not needed as all symbols are 7bit";
- name = "FROM_EXCESS_BASE64";
- }
- symbol {
- weight = 1.200000;
- description = "From that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";
- name = "FROM_EXCESS_QP";
- }
- symbol {
- weight = 1.500000;
- description = "To that contains encoded characters while base 64 is not needed as all symbols are 7bit";
- name = "TO_EXCESS_BASE64";
- }
- symbol {
- weight = 1.200000;
- description = "To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";
- name = "TO_EXCESS_QP";
- }
- symbol {
- weight = 1.500000;
- description = "Reply-To that contains encoded characters while base 64 is not needed as all symbols are 7bit";
- name = "REPLYTO_EXCESS_BASE64";
- }
- symbol {
- weight = 1.200000;
- description = "Reply-To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";
- name = "REPLYTO_EXCESS_QP";
- }
- symbol {
- weight = 1.500000;
- description = "Cc that contains encoded characters while base 64 is not needed as all symbols are 7bit";
- name = "CC_EXCESS_BASE64";
- }
- symbol {
- weight = 1.200000;
- description = "Cc that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";
- name = "CC_EXCESS_QP";
- }
- symbol {
- weight = 5.0;
- description = "Mixed characters in a message";
- name = "R_MIXED_CHARSET";
- }
- symbol {
- weight = 3.500000;
- description = "Recipients list seems to be sorted";
- name = "SORTED_RECIPS";
- }
- symbol {
- weight = 3.0;
- description = "Spambots signatures in received headers";
- name = "R_RCVD_SPAMBOTS";
- }
- symbol {
- weight = 2.0;
- description = "To header seems to be autogenerated";
- name = "R_TO_SEEMS_AUTO";
- }
- symbol {
- weight = 1.0;
- description = "Subject needs encoding";
- name = "SUBJECT_NEEDS_ENCODING";
- }
- symbol {
- weight = 3.840000;
- description = "Spam string at the end of message to make statistics faults 0";
- name = "TRACKER_ID";
- }
- symbol {
- weight = 1.0;
- description = "No space in from header";
- name = "R_NO_SPACE_IN_FROM";
- }
- symbol {
- weight = 8.0;
- description = "Subject seems to be spam";
- name = "R_SAJDING";
- }
- symbol {
- weight = 3.0;
- description = "Detects bad content-transfer-encoding for text parts";
- name = "R_BAD_CTE_7BIT";
- }
- symbol {
- weight = 10.0;
- description = "Flash redirect on imageshack.us";
- name = "R_FLASH_REDIR_IMGSHACK";
- }
- symbol {
- weight = 5.0;
- description = "Message id is incorrect";
- name = "INVALID_MSGID";
- }
- symbol {
- weight = 3.0;
- description = "Message id is missing ";
- name = "MISSING_MID";
- }
- symbol {
- weight = 1.0;
- description = "Recipients are not the same as RCPT TO: mail command";
- name = "FORGED_RECIPIENTS";
- }
- symbol {
- weight = 0.0;
- description = "Recipients are not the same as RCPT TO: mail command, but a message from a maillist";
- name = "FORGED_RECIPIENTS_MAILLIST";
- }
- symbol {
- weight = 0.0;
- description = "Sender is not the same as MAIL FROM: envelope, but a message is from a maillist";
- name = "FORGED_SENDER_MAILLIST";
- }
- symbol {
- weight = 2.0;
- description = "Forged Exchange messages ";
- name = "RATWARE_MS_HASH";
- }
- symbol {
- weight = 1.0;
- description = "Reply-type in content-type";
- name = "STOX_REPLY_TYPE";
- }
- symbol {
- weight = 1.0;
- description = "One received header in a message ";
- name = "ONCE_RECEIVED";
- }
- symbol {
- weight = 4.0;
- description = "One received header with 'bad' patterns inside";
- name = "ONCE_RECEIVED_STRICT";
- }
- symbol {
- weight = 2.0;
- description = "Only Content-Type header without other MIME headers";
- name = "MIME_HEADER_CTYPE_ONLY";
- }
- symbol {
- weight = -1.0;
- description = "Message seems to be from maillist";
- name = "MAILLIST";
- }
- symbol {
- weight = 1.0;
- description = "Header From begins with tab";
- name = "HEADER_FROM_DELIMITER_TAB";
- }
- symbol {
- weight = 1.0;
- description = "Header To begins with tab";
- name = "HEADER_TO_DELIMITER_TAB";
- }
- symbol {
- weight = 1.0;
- description = "Header Cc begins with tab";
- name = "HEADER_CC_DELIMITER_TAB";
- }
- symbol {
- weight = 1.0;
- description = "Header Reply-To begins with tab";
- name = "HEADER_REPLYTO_DELIMITER_TAB";
- }
- symbol {
- weight = 1.0;
- description = "Header Date begins with tab";
- name = "HEADER_DATE_DELIMITER_TAB";
- }
- symbol {
- weight = 1.0;
- description = "Header From has no delimiter between header name and header value";
- name = "HEADER_FROM_EMPTY_DELIMITER";
- }
- symbol {
- weight = 1.0;
- description = "Header To has no delimiter between header name and header value";
- name = "HEADER_TO_EMPTY_DELIMITER";
- }
- symbol {
- weight = 1.0;
- description = "Header Cc has no delimiter between header name and header value";
- name = "HEADER_CC_EMPTY_DELIMITER";
- }
- symbol {
- weight = 1.0;
- description = "Header Reply-To has no delimiter between header name and header value";
- name = "HEADER_REPLYTO_EMPTY_DELIMITER";
- }
- symbol {
- weight = 1.0;
- description = "Header Date has no delimiter between header name and header value";
- name = "HEADER_DATE_EMPTY_DELIMITER";
- }
- symbol {
- weight = 4.0;
- description = "Header Received has raw illegal character";
- name = "RCVD_ILLEGAL_CHARS";
- }
- symbol {
- weight = 4.0;
- description = "Fake helo mail.ru in header Received from non mail.ru sender address";
- name = "FAKE_RECEIVED_mail_ru";
- }
- symbol {
- weight = 4.0;
- description = "Fake smtp.yandex.ru Received";
- name = "FAKE_RECEIVED_smtp_yandex_ru";
- }
- symbol {
- weight = 3.600000;
- description = "Forged generic Received";
- name = "FORGED_GENERIC_RECEIVED";
- }
- symbol {
- weight = 3.600000;
- description = "Forged generic Received";
- name = "FORGED_GENERIC_RECEIVED2";
- }
- symbol {
- weight = 3.600000;
- description = "Forged generic Received";
- name = "FORGED_GENERIC_RECEIVED3";
- }
- symbol {
- weight = 3.600000;
- description = "Forged generic Received";
- name = "FORGED_GENERIC_RECEIVED4";
- }
- symbol {
- weight = 4.600000;
- description = "Forged generic Received";
- name = "FORGED_GENERIC_RECEIVED5";
- }
- symbol {
- weight = 3.0;
- description = "Invalid Postfix Received";
- name = "INVALID_POSTFIX_RECEIVED";
- }
- symbol {
- weight = 5.0;
- description = "Invalid Exim Received";
- name = "INVALID_EXIM_RECEIVED";
- }
- symbol {
- weight = 3.0;
- description = "Invalid Exim Received";
- name = "INVALID_EXIM_RECEIVED2";
- }
+ actions {
+ reject = 15;
+ add_header = 6;
+ greylist = 4;
+ };
+
+ group {
+ name = "header";
+ symbol {
+ weight = 2.0;
+ description = "Subject is missing inside message";
+ name = "MISSING_SUBJECT";
+ }
+ symbol {
+ weight = 2.100000;
+ description = "Message pretends to be send from Outlook but has 'strange' tags ";
+ name = "FORGED_OUTLOOK_TAGS";
+ }
+ symbol {
+ weight = 0.30;
+ description = "Sender is forged (different From: header and smtp MAIL FROM: addresses)";
+ name = "FORGED_SENDER";
+ }
+ symbol {
+ weight = 3.500000;
+ description = "Recipients seems to be autogenerated (works if recipients count is more than 5)";
+ name = "SUSPICIOUS_RECIPS";
+ }
+ symbol {
+ weight = 6.0;
+ description = "Fake reply (has RE in subject, but has not References header)";
+ name = "FAKE_REPLY_C";
+ }
+ symbol {
+ weight = 1.0;
+ description = "Messages that have only HTML part";
+ name = "MIME_HTML_ONLY";
+ }
+ symbol {
+ weight = 2.0;
+ description = "Forged yahoo msgid";
+ name = "FORGED_MSGID_YAHOO";
+ }
+ symbol {
+ weight = 2.0;
+ description = "Forged The Bat! MUA headers";
+ name = "FORGED_MUA_THEBAT_BOUN";
+ }
+ symbol {
+ weight = 5.0;
+ description = "Charset is missing in a message";
+ name = "R_MISSING_CHARSET";
+ }
+ symbol {
+ weight = 2.0;
+ description = "Two received headers with ip addresses";
+ name = "RCVD_DOUBLE_IP_SPAM";
+ }
+ symbol {
+ weight = 5.0;
+ description = "Forged outlook HTML signature";
+ name = "FORGED_OUTLOOK_HTML";
+ }
+ symbol {
+ weight = 5.0;
+ description = "Recipients are absent or undisclosed";
+ name = "R_UNDISC_RCPT";
+ }
+ symbol {
+ weight = 2.0;
+ description = "Fake helo for verizon provider";
+ name = "FM_FAKE_HELO_VERIZON";
+ }
+ symbol {
+ weight = 2.0;
+ description = "Quoted reply-to from yahoo (seems to be forged)";
+ name = "REPTO_QUOTE_YAHOO";
+ }
+ symbol {
+ weight = 5.0;
+ description = "Mime-OLE is needed but absent (e.g. fake Outlook or fake Exchange)";
+ name = "MISSING_MIMEOLE";
+ }
+ symbol {
+ weight = 2.0;
+ description = "To header is missing";
+ name = "MISSING_TO";
+ }
+ symbol {
+ weight = 1.500000;
+ description = "From that contains encoded characters while base 64 is not needed as all symbols are 7bit";
+ name = "FROM_EXCESS_BASE64";
+ }
+ symbol {
+ weight = 1.200000;
+ description = "From that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";
+ name = "FROM_EXCESS_QP";
+ }
+ symbol {
+ weight = 1.500000;
+ description = "To that contains encoded characters while base 64 is not needed as all symbols are 7bit";
+ name = "TO_EXCESS_BASE64";
+ }
+ symbol {
+ weight = 1.200000;
+ description = "To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";
+ name = "TO_EXCESS_QP";
+ }
+ symbol {
+ weight = 1.500000;
+ description = "Reply-To that contains encoded characters while base 64 is not needed as all symbols are 7bit";
+ name = "REPLYTO_EXCESS_BASE64";
+ }
+ symbol {
+ weight = 1.200000;
+ description = "Reply-To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";
+ name = "REPLYTO_EXCESS_QP";
+ }
+ symbol {
+ weight = 1.500000;
+ description = "Cc that contains encoded characters while base 64 is not needed as all symbols are 7bit";
+ name = "CC_EXCESS_BASE64";
+ }
+ symbol {
+ weight = 1.200000;
+ description = "Cc that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";
+ name = "CC_EXCESS_QP";
+ }
+ symbol {
+ weight = 5.0;
+ description = "Mixed characters in a message";
+ name = "R_MIXED_CHARSET";
+ }
+ symbol {
+ weight = 3.500000;
+ description = "Recipients list seems to be sorted";
+ name = "SORTED_RECIPS";
+ }
+ symbol {
+ weight = 3.0;
+ description = "Spambots signatures in received headers";
+ name = "R_RCVD_SPAMBOTS";
+ }
+ symbol {
+ weight = 2.0;
+ description = "To header seems to be autogenerated";
+ name = "R_TO_SEEMS_AUTO";
+ }
+ symbol {
+ weight = 1.0;
+ description = "Subject needs encoding";
+ name = "SUBJECT_NEEDS_ENCODING";
+ }
+ symbol {
+ weight = 3.840000;
+ description = "Spam string at the end of message to make statistics faults 0";
+ name = "TRACKER_ID";
+ }
+ symbol {
+ weight = 1.0;
+ description = "No space in from header";
+ name = "R_NO_SPACE_IN_FROM";
+ }
+ symbol {
+ weight = 8.0;
+ description = "Subject seems to be spam";
+ name = "R_SAJDING";
+ }
+ symbol {
+ weight = 3.0;
+ description = "Detects bad content-transfer-encoding for text parts";
+ name = "R_BAD_CTE_7BIT";
+ }
+ symbol {
+ weight = 10.0;
+ description = "Flash redirect on imageshack.us";
+ name = "R_FLASH_REDIR_IMGSHACK";
+ }
+ symbol {
+ weight = 5.0;
+ description = "Message id is incorrect";
+ name = "INVALID_MSGID";
+ }
+ symbol {
+ weight = 3.0;
+ description = "Message id is missing ";
+ name = "MISSING_MID";
+ }
+ symbol {
+ weight = 1.0;
+ description = "Recipients are not the same as RCPT TO: mail command";
+ name = "FORGED_RECIPIENTS";
+ }
+ symbol {
+ weight = 0.0;
+ description = "Recipients are not the same as RCPT TO: mail command, but a message from a maillist";
+ name = "FORGED_RECIPIENTS_MAILLIST";
+ }
+ symbol {
+ weight = 0.0;
+ description = "Sender is not the same as MAIL FROM: envelope, but a message is from a maillist";
+ name = "FORGED_SENDER_MAILLIST";
+ }
+ symbol {
+ weight = 2.0;
+ description = "Forged Exchange messages ";
+ name = "RATWARE_MS_HASH";
+ }
+ symbol {
+ weight = 1.0;
+ description = "Reply-type in content-type";
+ name = "STOX_REPLY_TYPE";
+ }
+ symbol {
+ weight = 1.0;
+ description = "One received header in a message ";
+ name = "ONCE_RECEIVED";
+ }
+ symbol {
+ weight = 4.0;
+ description = "One received header with 'bad' patterns inside";
+ name = "ONCE_RECEIVED_STRICT";
+ }
+ symbol {
+ weight = 2.0;
+ description = "Only Content-Type header without other MIME headers";
+ name = "MIME_HEADER_CTYPE_ONLY";
+ }
+ symbol {
+ weight = -1.0;
+ description = "Message seems to be from maillist";
+ name = "MAILLIST";
+ }
+ symbol {
+ weight = 1.0;
+ description = "Header From begins with tab";
+ name = "HEADER_FROM_DELIMITER_TAB";
+ }
+ symbol {
+ weight = 1.0;
+ description = "Header To begins with tab";
+ name = "HEADER_TO_DELIMITER_TAB";
+ }
+ symbol {
+ weight = 1.0;
+ description = "Header Cc begins with tab";
+ name = "HEADER_CC_DELIMITER_TAB";
+ }
+ symbol {
+ weight = 1.0;
+ description = "Header Reply-To begins with tab";
+ name = "HEADER_REPLYTO_DELIMITER_TAB";
+ }
+ symbol {
+ weight = 1.0;
+ description = "Header Date begins with tab";
+ name = "HEADER_DATE_DELIMITER_TAB";
+ }
+ symbol {
+ weight = 1.0;
+ description = "Header From has no delimiter between header name and header value";
+ name = "HEADER_FROM_EMPTY_DELIMITER";
+ }
+ symbol {
+ weight = 1.0;
+ description = "Header To has no delimiter between header name and header value";
+ name = "HEADER_TO_EMPTY_DELIMITER";
+ }
+ symbol {
+ weight = 1.0;
+ description = "Header Cc has no delimiter between header name and header value";
+ name = "HEADER_CC_EMPTY_DELIMITER";
+ }
+ symbol {
+ weight = 1.0;
+ description = "Header Reply-To has no delimiter between header name and header value";
+ name = "HEADER_REPLYTO_EMPTY_DELIMITER";
+ }
+ symbol {
+ weight = 1.0;
+ description = "Header Date has no delimiter between header name and header value";
+ name = "HEADER_DATE_EMPTY_DELIMITER";
+ }
+ symbol {
+ weight = 4.0;
+ description = "Header Received has raw illegal character";
+ name = "RCVD_ILLEGAL_CHARS";
+ }
+ symbol {
+ weight = 4.0;
+ description = "Fake helo mail.ru in header Received from non mail.ru sender address";
+ name = "FAKE_RECEIVED_mail_ru";
+ }
+ symbol {
+ weight = 4.0;
+ description = "Fake smtp.yandex.ru Received";
+ name = "FAKE_RECEIVED_smtp_yandex_ru";
+ }
+ symbol {
+ weight = 3.600000;
+ description = "Forged generic Received";
+ name = "FORGED_GENERIC_RECEIVED";
+ }
+ symbol {
+ weight = 3.600000;
+ description = "Forged generic Received";
+ name = "FORGED_GENERIC_RECEIVED2";
+ }
+ symbol {
+ weight = 3.600000;
+ description = "Forged generic Received";
+ name = "FORGED_GENERIC_RECEIVED3";
+ }
+ symbol {
+ weight = 3.600000;
+ description = "Forged generic Received";
+ name = "FORGED_GENERIC_RECEIVED4";
+ }
+ symbol {
+ weight = 4.600000;
+ description = "Forged generic Received";
+ name = "FORGED_GENERIC_RECEIVED5";
+ }
+ symbol {
+ weight = 3.0;
+ description = "Invalid Postfix Received";
+ name = "INVALID_POSTFIX_RECEIVED";
+ }
+ symbol {
+ weight = 5.0;
+ description = "Invalid Exim Received";
+ name = "INVALID_EXIM_RECEIVED";
+ }
+ symbol {
+ weight = 3.0;
+ description = "Invalid Exim Received";
+ name = "INVALID_EXIM_RECEIVED2";
+ }
+ }
+
+ group {
+ name = "mua";
+ symbol {
+ weight = 4.0;
+ description = "Message pretends to be send from The Bat! but has forged Message-ID";
+ name = "FORGED_MUA_THEBAT_MSGID";
+ }
+ symbol {
+ weight = 3.0;
+ description = "Message pretends to be send from The Bat! but has forged Message-ID";
+ name = "FORGED_MUA_THEBAT_MSGID_UNKNOWN";
+ }
+ symbol {
+ weight = 3.0;
+ description = "Message pretends to be send from KMail but has forged Message-ID";
+ name = "FORGED_MUA_KMAIL_MSGID";
+ }
+ symbol {
+ weight = 2.500000;
+ description = "Message pretends to be send from KMail but has forged Message-ID";
+ name = "FORGED_MUA_KMAIL_MSGID_UNKNOWN";
+ }
+ symbol {
+ weight = 4.0;
+ description = "Message pretends to be send from Opera Mail but has forged Message-ID";
+ name = "FORGED_MUA_OPERA_MSGID";
+ }
+ symbol {
+ weight = 4.0;
+ description = "Message pretends to be send from suspicious Opera Mail/10.x (Windows) but has forged Message-ID, apparently from KMail";
+ name = "SUSPICIOUS_OPERA_10W_MSGID";
+ }
+ symbol {
+ weight = 4.0;
+ description = "Message pretends to be send from Mozilla Mail but has forged Message-ID";
+ name = "FORGED_MUA_MOZILLA_MAIL_MSGID";
+ }
+ symbol {
+ weight = 2.500000;
+ description = "Message pretends to be send from Mozilla Mail but has forged Message-ID";
+ name = "FORGED_MUA_MOZILLA_MAIL_MSGID_UNKNOWN";
+ }
+ symbol {
+ weight = 4.0;
+ description = "Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID";
+ name = "FORGED_MUA_THUNDERBIRD_MSGID";
+ }
+ symbol {
+ weight = 2.500000;
+ description = "Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID";
+ name = "FORGED_MUA_THUNDERBIRD_MSGID_UNKNOWN";
+ }
+ symbol {
+ weight = 4.0;
+ description = "Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID";
+ name = "FORGED_MUA_SEAMONKEY_MSGID";
+ }
+ symbol {
+ weight = 2.500000;
+ description = "Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID";
+ name = "FORGED_MUA_SEAMONKEY_MSGID_UNKNOWN";
+ }
+ symbol {
+ weight = 3.0;
+ description = "Forged outlook MUA";
+ name = "FORGED_MUA_OUTLOOK";
+ }
+ }
+ symbol {
+ weight = 0.0;
+ description = "Avoid false positives for FORGED_MUA_* in maillist";
+ name = "FORGED_MUA_MAILLIST";
+ }
+
+ group {
+ name = "body";
+ symbol {
+ weight = 9.0;
+ description = "White color on white background in HTML messages";
+ name = "R_WHITE_ON_WHITE";
+ }
+ symbol {
+ weight = 3.0;
+ description = "Short html part with a link to an image";
+ name = "HTML_SHORT_LINK_IMG_2";
+ }
+ symbol {
+ weight = 5.0;
+ description = "Suspicious boundary in header Content-Type";
+ name = "SUSPICIOUS_BOUNDARY";
+ }
+ symbol {
+ weight = 4.0;
+ description = "Suspicious boundary in header Content-Type";
+ name = "SUSPICIOUS_BOUNDARY2";
+ }
+ symbol {
+ weight = 3.0;
+ description = "Suspicious boundary in header Content-Type";
+ name = "SUSPICIOUS_BOUNDARY3";
+ }
+ symbol {
+ weight = 4.0;
+ description = "Suspicious boundary in header Content-Type";
+ name = "SUSPICIOUS_BOUNDARY4";
+ }
+ symbol {
+ weight = 3.0;
+ description = "Text and HTML parts differ";
+ name = "R_PARTS_DIFFER";
+ }
+
+ symbol {
+ weight = 2.0;
+ description = "Message contains empty parts and image ";
+ name = "R_EMPTY_IMAGE";
+ }
+ symbol {
+ weight = 2.0;
+ description = "Drugs patterns inside message";
+ name = "DRUGS_MANYKINDS";
+ }
+ symbol {
+ weight = 2.0;
+ description = "";
+ name = "DRUGS_ANXIETY";
+ }
+ symbol {
+ weight = 2.0;
+ description = "";
+ name = "DRUGS_MUSCLE";
+ }
+ symbol {
+ weight = 2.0;
+ description = "";
+ name = "DRUGS_ANXIETY_EREC";
+ }
+ symbol {
+ weight = 2.0;
+ description = "";
+ name = "DRUGS_DIET";
+ }
+ symbol {
+ weight = 2.0;
+ description = "";
+ name = "DRUGS_ERECTILE";
+ }
+ symbol {
+ weight = 3.300000;
+ description = "2 'advance fee' patterns in a message";
+ name = "ADVANCE_FEE_2";
+ }
+ symbol {
+ weight = 2.120000;
+ description = "3 'advance fee' patterns in a message";
+ name = "ADVANCE_FEE_3";
+ }
+ symbol {
+ weight = 8.0;
+ description = "Lotto signatures";
+ name = "R_LOTTO";
+ }
+ }
+
+ group {
+ name = "rbl";
+ symbol {
+ name = "DNSWL_BLOCKED";
+ weight = 0.0;
+ description = "Resolver blocked due to excessive queries";
+ }
+ symbol {
+ name = "RCVD_IN_DNSWL";
+ weight = 0.0;
+ description = "Sender listed at http://www.dnswl.org";
+ }
+ symbol {
+ name = "RCVD_IN_DNSWL_NONE";
+ weight = -0.05;
+ description = "Sender listed at http://www.dnswl.org, low none";
+ }
+ symbol {
+ name = "RCVD_IN_DNSWL_LOW";
+ weight = -0.1;
+ description = "Sender listed at http://www.dnswl.org, low trust";
+ }
+ symbol {
+ name = "RCVD_IN_DNSWL_MED";
+ weight = -1.0;
+ description = "Sender listed at http://www.dnswl.org, medium trust";
+ }
+ symbol {
+ name = "RCVD_IN_DNSWL_HI";
+ weight = -5.0;
+ description = "Sender listed at http://www.dnswl.org, high trust";
+ }
+
+ symbol {
+ name = "RBL_SPAMHAUS";
+ weight = 0.0;
+ description = "From address is listed in zen";
+ }
+ symbol {
+ name = "RBL_SPAMHAUS_SBL";
+ weight = 2.0;
+ description = "From address is listed in zen sbl";
+ }
+ symbol {
+ name = "RBL_SPAMHAUS_CSS";
+ weight = 2.0;
+ description = "From address is listed in zen css";
+ }
+ symbol {
+ name = "RBL_SPAMHAUS_XBL";
+ weight = 4.0;
+ description = "From address is listed in zen xbl";
+ }
+ symbol {
+ name = "RBL_SPAMHAUS_PBL";
+ weight = 2.0;
+ description = "From address is listed in zen pbl";
+ }
+ symbol {
+ name = "RECEIVED_SPAMHAUS_XBL";
+ weight = 3.0;
+ description = "Received address is listed in zen pbl";
+ one_shot = true;
+ }
+
+ symbol {
+ name = "RWL_SPAMHAUS_WL";
+ weight = 0.0;
+ description = "Sender listed at Spamhaus whitelist";
+ }
+ symbol {
+ name = "RWL_SPAMHAUS_WL_IND";
+ weight = 0.0;
+ description = "Sender listed at Spamhaus whitelist";
+ }
+ symbol {
+ name = "RWL_SPAMHAUS_WL_TRANS";
+ weight = 0.0;
+ description = "Sender listed at Spamhaus whitelist";
+ }
+ symbol {
+ name = "RWL_SPAMHAUS_WL_IND_EXP";
+ weight = 0.0;
+ description = "Sender listed at Spamhaus whitelist";
+ }
+ symbol {
+ name = "RWL_SPAMHAUS_WL_TRANS_EXP";
+ weight = 0.0;
+ description = "Sender listed at Spamhaus whitelist";
+ }
+
+ symbol {
+ weight = 2.0;
+ description = "From address is listed in senderscore.com BL";
+ name = "RBL_SENDERSCORE";
+ }
+ symbol {
+ weight = 1.0;
+ description = "From address is listed in ABUSE.CH BL";
+ name = "RBL_ABUSECH";
+ }
+ symbol {
+ weight = 1.0;
+ description = "From address is listed in UCEPROTECT LEVEL1 BL";
+ name = "RBL_UCEPROTECT_LEVEL1";
+ }
+
+ symbol {
+ name = "RBL_MAILSPIKE_ZOMBIE";
+ weight = 2.0;
+ description = "From address is listed in RBL";
+ }
+ symbol {
+ name = "RBL_MAILSPIKE_WORST";
+ weight = 2.0;
+ description = "From address is listed in RBL";
+ }
+ symbol {
+ name = "RBL_MAILSPIKE_VERYBAD";
+ weight = 1.5;
+ description = "From address is listed in RBL";
+ }
+ symbol {
+ name = "RBL_MAILSPIKE_BAD";
+ weight = 1.0;
+ description = "From address is listed in RBL";
+ }
+ symbol {
+ name = "RWL_MAILSPIKE_POSSIBLE";
+ weight = 0.0;
+ description = "From address is listed in RWL";
+ }
+ symbol {
+ name = "RWL_MAILSPIKE_GOOD";
+ weight = 0.0;
+ description = "From address is listed in RWL";
+ }
+ symbol {
+ name = "RWL_MAILSPIKE_VERYGOOD";
+ weight = 0.0;
+ description = "From address is listed in RWL";
+ }
+ symbol {
+ name = "RWL_MAILSPIKE_EXCELLENT";
+ weight = 0.0;
+ description = "From address is listed in RWL";
+ }
+
+ symbol {
+ weight = 1.0;
+ name = "RBL_SORBS";
+ description = "From address is listed in SORBS RBL";
+ }
+ symbol {
+ weight = 2.5;
+ name = "RBL_SORBS_HTTP";
+ description = "List of Open HTTP Proxy Servers.";
+ }
+ symbol {
+ weight = 2.5;
+ name = "RBL_SORBS_SOCKS";
+ description = "List of Open SOCKS Proxy Servers.";
+ }
+ symbol {
+ weight = 1.0;
+ name = "RBL_SORBS_MISC";
+ description = "List of open Proxy Servers not listed in the SOCKS or HTTP lists.";
+ }
+ symbol {
+ weight = 3.0;
+ name = "RBL_SORBS_SMTP";
+ description = "List of Open SMTP relay servers.";
+ }
+ symbol {
+ weight = 1.5;
+ name = "RBL_SORBS_RECENT";
+ description = "List of hosts that have been noted as sending spam/UCE/UBE to the admins of SORBS within the last 28 days (includes new.spam.dnsbl.sorbs.net).";
+ }
+ symbol {
+ weight = 0.4;
+ name = "RBL_SORBS_WEB";
+ description = "List of web (WWW) servers which have spammer abusable vulnerabilities (e.g. FormMail scripts)";
+ }
+ symbol {
+ weight = 2.0;
+ name = "RBL_SORBS_DUL";
+ description = "Dynamic IP Address ranges (NOT a Dial Up list!)";
+ }
+ symbol {
+ weight = 1.0;
+ name = "RBL_SORBS_BLOCK";
+ description = "List of hosts demanding that they never be tested by SORBS.";
+ }
+ symbol {
+ weight = 1.0;
+ name = "RBL_SORBS_ZOMBIE";
+ description = "List of networks hijacked from their original owners, some of which have already used for spamming.";
+ }
+
+ symbol {
+ weight = 1.0;
+ name = "RBL_SEM";
+ description = "Address is listed in Spameatingmonkey RBL";
+ }
+
+ symbol {
+ weight = 1.0;
+ name = "RBL_SEM_IPV6";
+ description = "Address is listed in Spameatingmonkey RBL (ipv6)";
+ }
}
-
+
group {
- name = "mua";
- symbol {
- weight = 4.0;
- description = "Message pretends to be send from The Bat! but has forged Message-ID";
- name = "FORGED_MUA_THEBAT_MSGID";
- }
- symbol {
- weight = 3.0;
- description = "Message pretends to be send from The Bat! but has forged Message-ID";
- name = "FORGED_MUA_THEBAT_MSGID_UNKNOWN";
- }
- symbol {
- weight = 3.0;
- description = "Message pretends to be send from KMail but has forged Message-ID";
- name = "FORGED_MUA_KMAIL_MSGID";
- }
- symbol {
- weight = 2.500000;
- description = "Message pretends to be send from KMail but has forged Message-ID";
- name = "FORGED_MUA_KMAIL_MSGID_UNKNOWN";
- }
- symbol {
- weight = 4.0;
- description = "Message pretends to be send from Opera Mail but has forged Message-ID";
- name = "FORGED_MUA_OPERA_MSGID";
- }
- symbol {
- weight = 4.0;
- description = "Message pretends to be send from suspicious Opera Mail/10.x (Windows) but has forged Message-ID, apparently from KMail";
- name = "SUSPICIOUS_OPERA_10W_MSGID";
- }
- symbol {
- weight = 4.0;
- description = "Message pretends to be send from Mozilla Mail but has forged Message-ID";
- name = "FORGED_MUA_MOZILLA_MAIL_MSGID";
- }
- symbol {
- weight = 2.500000;
- description = "Message pretends to be send from Mozilla Mail but has forged Message-ID";
- name = "FORGED_MUA_MOZILLA_MAIL_MSGID_UNKNOWN";
- }
- symbol {
- weight = 4.0;
- description = "Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID";
- name = "FORGED_MUA_THUNDERBIRD_MSGID";
- }
- symbol {
- weight = 2.500000;
- description = "Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID";
- name = "FORGED_MUA_THUNDERBIRD_MSGID_UNKNOWN";
- }
- symbol {
- weight = 4.0;
- description = "Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID";
- name = "FORGED_MUA_SEAMONKEY_MSGID";
- }
- symbol {
- weight = 2.500000;
- description = "Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID";
- name = "FORGED_MUA_SEAMONKEY_MSGID_UNKNOWN";
- }
- symbol {
- weight = 3.0;
- description = "Forged outlook MUA";
- name = "FORGED_MUA_OUTLOOK";
- }
+ name = "bayes";
+
+ symbol {
+ weight = 3.0;
+ description = "Message probably spam, probability: ";
+ name = "BAYES_SPAM";
+ }
+ symbol {
+ weight = -3.0;
+ description = "Message probably ham, probability: ";
+ name = "BAYES_HAM";
+ }
}
+
+ group {
+ name = "fuzzy";
+ symbol {
+ weight = 5.0;
+ description = "Generic fuzzy hash match";
+ name = "FUZZY_UNKNOWN";
+ }
+ symbol {
+ weight = 10.0;
+ description = "Denied fuzzy hash";
+ name = "FUZZY_DENIED";
+ }
+ symbol {
+ weight = 5.0;
+ description = "Probable fuzzy hash";
+ name = "FUZZY_PROB";
+ }
symbol {
- weight = 0.0;
- description = "Avoid false positives for FORGED_MUA_* in maillist";
- name = "FORGED_MUA_MAILLIST";
- }
-
- group {
- name = "body";
- symbol {
- weight = 9.0;
- description = "White color on white background in HTML messages";
- name = "R_WHITE_ON_WHITE";
- }
- symbol {
- weight = 3.0;
- description = "Short html part with a link to an image";
- name = "HTML_SHORT_LINK_IMG_2";
- }
- symbol {
- weight = 5.0;
- description = "Suspicious boundary in header Content-Type";
- name = "SUSPICIOUS_BOUNDARY";
- }
- symbol {
- weight = 4.0;
- description = "Suspicious boundary in header Content-Type";
- name = "SUSPICIOUS_BOUNDARY2";
- }
- symbol {
- weight = 3.0;
- description = "Suspicious boundary in header Content-Type";
- name = "SUSPICIOUS_BOUNDARY3";
- }
- symbol {
- weight = 4.0;
- description = "Suspicious boundary in header Content-Type";
- name = "SUSPICIOUS_BOUNDARY4";
- }
- symbol {
- weight = 3.0;
- description = "Text and HTML parts differ";
- name = "R_PARTS_DIFFER";
- }
-
- symbol {
- weight = 2.0;
- description = "Message contains empty parts and image ";
- name = "R_EMPTY_IMAGE";
- }
- symbol {
- weight = 2.0;
- description = "Drugs patterns inside message";
- name = "DRUGS_MANYKINDS";
- }
- symbol {
- weight = 2.0;
- description = "";
- name = "DRUGS_ANXIETY";
- }
- symbol {
- weight = 2.0;
- description = "";
- name = "DRUGS_MUSCLE";
- }
- symbol {
- weight = 2.0;
- description = "";
- name = "DRUGS_ANXIETY_EREC";
- }
- symbol {
- weight = 2.0;
- description = "";
- name = "DRUGS_DIET";
- }
- symbol {
- weight = 2.0;
- description = "";
- name = "DRUGS_ERECTILE";
- }
- symbol {
- weight = 3.300000;
- description = "2 'advance fee' patterns in a message";
- name = "ADVANCE_FEE_2";
- }
- symbol {
- weight = 2.120000;
- description = "3 'advance fee' patterns in a message";
- name = "ADVANCE_FEE_3";
- }
- symbol {
- weight = 8.0;
- description = "Lotto signatures";
- name = "R_LOTTO";
- }
+ weight = -2.1;
+ description = "Whitelisted fuzzy hash";
+ name = "FUZZY_WHITE";
+ }
}
-
+
group {
- name = "rbl";
- symbol { name = "DNSWL_BLOCKED"; weight = 0.0; description = "Resolver blocked due to excessive queries"; }
- symbol { name = "RCVD_IN_DNSWL"; weight = 0.0; description = "Sender listed at http://www.dnswl.org"; }
- symbol { name = "RCVD_IN_DNSWL_NONE"; weight = -0.05; description = "Sender listed at http://www.dnswl.org, low none"; }
- symbol { name = "RCVD_IN_DNSWL_LOW"; weight = -0.1; description = "Sender listed at http://www.dnswl.org, low trust"; }
- symbol { name = "RCVD_IN_DNSWL_MED"; weight = -1.0; description = "Sender listed at http://www.dnswl.org, medium trust"; }
- symbol { name = "RCVD_IN_DNSWL_HI"; weight = -5.0; description = "Sender listed at http://www.dnswl.org, high trust"; }
-
- symbol { name = "RBL_SPAMHAUS"; weight = 0.0; description = "From address is listed in zen"; }
- symbol { name = "RBL_SPAMHAUS_SBL"; weight = 2.0; description = "From address is listed in zen sbl"; }
- symbol { name = "RBL_SPAMHAUS_CSS"; weight = 2.0; description = "From address is listed in zen css"; }
- symbol { name = "RBL_SPAMHAUS_XBL"; weight = 4.0; description = "From address is listed in zen xbl"; }
- symbol { name = "RBL_SPAMHAUS_PBL"; weight = 2.0; description = "From address is listed in zen pbl"; }
- symbol { name = "RECEIVED_SPAMHAUS_XBL"; weight = 3.0; description = "Received address is listed in zen pbl"; one_shot = true; }
-
- symbol { name = "RWL_SPAMHAUS_WL"; weight = 0.0; description = "Sender listed at Spamhaus whitelist"; }
- symbol { name = "RWL_SPAMHAUS_WL_IND"; weight = 0.0; description = "Sender listed at Spamhaus whitelist"; }
- symbol { name = "RWL_SPAMHAUS_WL_TRANS"; weight = 0.0; description = "Sender listed at Spamhaus whitelist"; }
- symbol { name = "RWL_SPAMHAUS_WL_IND_EXP"; weight = 0.0; description = "Sender listed at Spamhaus whitelist"; }
- symbol { name = "RWL_SPAMHAUS_WL_TRANS_EXP"; weight = 0.0; description = "Sender listed at Spamhaus whitelist"; }
-
- symbol {
- weight = 2.0;
- description = "From address is listed in senderscore.com BL";
- name = "RBL_SENDERSCORE";
- }
- symbol {
- weight = 1.0;
- description = "From address is listed in ABUSE.CH BL";
- name = "RBL_ABUSECH";
- }
- symbol {
- weight = 1.0;
- description = "From address is listed in UCEPROTECT LEVEL1 BL";
- name = "RBL_UCEPROTECT_LEVEL1";
- }
-
- symbol { name = "RBL_MAILSPIKE_ZOMBIE"; weight = 2.0; description = "From address is listed in RBL"; }
- symbol { name = "RBL_MAILSPIKE_WORST"; weight = 2.0; description = "From address is listed in RBL"; }
- symbol { name = "RBL_MAILSPIKE_VERYBAD"; weight = 1.5; description = "From address is listed in RBL"; }
- symbol { name = "RBL_MAILSPIKE_BAD"; weight = 1.0; description = "From address is listed in RBL"; }
- symbol { name = "RWL_MAILSPIKE_POSSIBLE"; weight = 0.0; description = "From address is listed in RWL"; }
- symbol { name = "RWL_MAILSPIKE_GOOD"; weight = 0.0; description = "From address is listed in RWL"; }
- symbol { name = "RWL_MAILSPIKE_VERYGOOD"; weight = 0.0; description = "From address is listed in RWL"; }
- symbol { name = "RWL_MAILSPIKE_EXCELLENT"; weight = 0.0; description = "From address is listed in RWL"; }
-
- symbol {
- weight = 1.0;
- name = "RBL_SORBS";
- description = "From address is listed in SORBS RBL";
- }
- symbol {
- weight = 2.5;
- name = "RBL_SORBS_HTTP";
- description = "List of Open HTTP Proxy Servers.";
- }
- symbol {
- weight = 2.5;
- name = "RBL_SORBS_SOCKS";
- description = "List of Open SOCKS Proxy Servers.";
- }
- symbol {
- weight = 1.0;
- name = "RBL_SORBS_MISC";
- description = "List of open Proxy Servers not listed in the SOCKS or HTTP lists.";
- }
- symbol {
- weight = 3.0;
- name = "RBL_SORBS_SMTP";
- description = "List of Open SMTP relay servers.";
- }
- symbol {
- weight = 1.5;
- name = "RBL_SORBS_RECENT";
- description = "List of hosts that have been noted as sending spam/UCE/UBE to the admins of SORBS within the last 28 days (includes new.spam.dnsbl.sorbs.net).";
- }
- symbol {
- weight = 0.4;
- name = "RBL_SORBS_WEB";
- description = "List of web (WWW) servers which have spammer abusable vulnerabilities (e.g. FormMail scripts)";
- }
- symbol {
- weight = 2.0;
- name = "RBL_SORBS_DUL";
- description = "Dynamic IP Address ranges (NOT a Dial Up list!)";
- }
- symbol {
- weight = 1.0;
- name = "RBL_SORBS_BLOCK";
- description = "List of hosts demanding that they never be tested by SORBS.";
- }
- symbol {
- weight = 1.0;
- name = "RBL_SORBS_ZOMBIE";
- description = "List of networks hijacked from their original owners, some of which have already used for spamming.";
- }
-
- symbol {
- weight = 1.0;
- name = "RBL_SEM";
- description = "Address is listed in Spameatingmonkey RBL";
- }
-
- symbol {
- weight = 1.0;
- name = "RBL_SEM_IPV6";
- description = "Address is listed in Spameatingmonkey RBL (ipv6)";
- }
- }
-
- group {
- name = "bayes";
-
- symbol {
- weight = 3.0;
- description = "Message probably spam, probability: ";
- name = "BAYES_SPAM";
- }
- symbol {
- weight = -3.0;
- description = "Message probably ham, probability: ";
- name = "BAYES_HAM";
- }
- }
-
- group {
- name = "fuzzy";
- symbol {
- weight = 5.0;
- description = "Generic fuzzy hash match";
- name = "FUZZY_UNKNOWN";
- }
- symbol {
- weight = 10.0;
- description = "Denied fuzzy hash";
- name = "FUZZY_DENIED";
- }
- symbol {
- weight = 5.0;
- description = "Probable fuzzy hash";
- name = "FUZZY_PROB";
- }
- symbol {
- weight = -2.1;
- description = "Whitelisted fuzzy hash";
- name = "FUZZY_WHITE";
- }
- }
-
- group {
- name = "spf";
- symbol {
- weight = 1.0;
- description = "SPF verification failed";
- name = "R_SPF_FAIL";
- }
- symbol {
- weight = 0.0;
- description = "SPF verification soft-failed";
- name = "R_SPF_SOFTFAIL";
- }
- symbol {
- weight = 0.0;
- description = "SPF policy is neutral";
- name = "R_SPF_NEUTRAL";
- }
- symbol {
- weight = -1.1;
- description = "SPF verification alowed";
- name = "R_SPF_ALLOW";
- }
- }
-
- group {
- name = "dkim";
- symbol {
- weight = 1.0;
- description = "DKIM verification failed";
- name = "R_DKIM_REJECT";
- }
- symbol {
- weight = 0.0;
- description = "DKIM verification soft-failed";
- name = "R_DKIM_TEMPFAIL";
- }
- symbol {
- weight = -1.1;
- description = "DKIM verification succeed";
- name = "R_DKIM_ALLOW";
- }
- }
-
+ name = "spf";
+ symbol {
+ weight = 1.0;
+ description = "SPF verification failed";
+ name = "R_SPF_FAIL";
+ }
+ symbol {
+ weight = 0.0;
+ description = "SPF verification soft-failed";
+ name = "R_SPF_SOFTFAIL";
+ }
+ symbol {
+ weight = 0.0;
+ description = "SPF policy is neutral";
+ name = "R_SPF_NEUTRAL";
+ }
+ symbol {
+ weight = -1.1;
+ description = "SPF verification alowed";
+ name = "R_SPF_ALLOW";
+ }
+ }
+
group {
- name = "surbl";
- symbol {
- weight = 5.500000;
- description = "SURBL: Phishing sites";
- name = "PH_SURBL_MULTI";
- }
- symbol {
- weight = 5.500000;
- description = "SURBL: Malware sites";
- name = "MW_SURBL_MULTI";
- }
- symbol {
- weight = 5.500000;
- description = "SURBL: AbuseButler web sites";
- name = "AB_SURBL_MULTI";
- }
- symbol {
- weight = 5.500000;
- description = "SURBL: SpamCop web sites";
- name = "SC_SURBL_MULTI";
- }
- symbol {
- weight = 5.500000;
- description = "SURBL: jwSpamSpy + Prolocation sites";
- name = "JP_SURBL_MULTI";
- }
- symbol {
- weight = 5.500000;
- description = "SURBL: sa-blacklist web sites ";
- name = "WS_SURBL_MULTI";
- }
- symbol {
- weight = 4.500000;
- description = "rambler.ru uribl";
- name = "RAMBLER_URIBL";
- }
-
- symbol { weight = 0.0; name = "SEM_URIBL_UNKNOWN"; description = "Spameatingmonkey uribl unknown"; }
- symbol { weight = 3.5; name = "SEM_URIBL"; description = "Spameatingmonkey uribl"; }
-
- symbol { weight = 0.0; name = "SEM_URIBL_FRESH15_UNKNOWN"; description = "Spameatingmonkey uribl unknown"; }
- symbol { weight = 3.0; name = "SEM_URIBL_FRESH15"; description = "Spameatingmonkey uribl. Domains registered in the last 15 days (.AERO,.BIZ,.COM,.INFO,.NAME,.NET,.PRO,.SK,.TEL,.US)"; }
-
- symbol {
- weight = 0.000000;
- description = "DBL uribl unknown symbol (error)";
- name = "DBL";
- }
- symbol {
- weight = 6.500000;
- description = "DBL uribl spam";
- name = "DBL_SPAM";
- }
- symbol {
- weight = 6.500000;
- description = "DBL uribl phishing";
- name = "DBL_PHISH";
- }
- symbol {
- weight = 6.500000;
- description = "DBL uribl malware";
- name = "DBL_MALWARE";
- }
- symbol {
- weight = 5.500000;
- description = "DBL uribl botnet C&C domain";
- name = "DBL_BOTNET";
- }
- symbol {
- weight = 6.500000;
- description = "DBL uribl abused legit spam";
- name = "DBL_ABUSE";
- }
- symbol {
- weight = 7.500000;
- description = "DBL uribl abused spammed redirector domain";
- name = "DBL_ABUSE_REDIR";
- }
- symbol {
- weight = 7.500000;
- description = "DBL uribl abused legit phish";
- name = "DBL_ABUSE_PHISH";
- }
- symbol {
- weight = 7.500000;
- description = "DBL uribl abused legit malware";
- name = "DBL_ABUSE_MALWARE";
- }
- symbol {
- weight = 5.500000;
- description = "DBL uribl abused legit botnet C&C";
- name = "DBL_ABUSE_BOTNET";
- }
- symbol {
- weight = 0.00000;
- description = "DBL uribl IP queries prohibited!";
- name = "DBL_PROHIBIT";
- }
- symbol {
- weight = 7.5;
- description = "uribl.com black url";
- name = "URIBL_BLACK";
- }
- symbol {
- weight = 3.5;
- description = "uribl.com red url";
- name = "URIBL_RED";
- }
- symbol {
- weight = 1.5;
- description = "uribl.com grey url";
- name = "URIBL_GREY";
- }
- symbol {
- weight = 9.500000;
- description = "rambler.ru emailbl";
- name = "RAMBLER_EMAILBL";
- }
+ name = "dkim";
+ symbol {
+ weight = 1.0;
+ description = "DKIM verification failed";
+ name = "R_DKIM_REJECT";
+ }
+ symbol {
+ weight = 0.0;
+ description = "DKIM verification soft-failed";
+ name = "R_DKIM_TEMPFAIL";
+ }
+ symbol {
+ weight = -1.1;
+ description = "DKIM verification succeed";
+ name = "R_DKIM_ALLOW";
+ }
}
-
+
group {
- name = "phishing";
-
- symbol {
- weight = 5.0;
- description = "Phished mail";
- name = "PHISHING";
- }
+ name = "surbl";
+ symbol {
+ weight = 5.500000;
+ description = "SURBL: Phishing sites";
+ name = "PH_SURBL_MULTI";
+ }
+ symbol {
+ weight = 5.500000;
+ description = "SURBL: Malware sites";
+ name = "MW_SURBL_MULTI";
+ }
+ symbol {
+ weight = 5.500000;
+ description = "SURBL: AbuseButler web sites";
+ name = "AB_SURBL_MULTI";
+ }
+ symbol {
+ weight = 5.500000;
+ description = "SURBL: SpamCop web sites";
+ name = "SC_SURBL_MULTI";
+ }
+ symbol {
+ weight = 5.500000;
+ description = "SURBL: jwSpamSpy + Prolocation sites";
+ name = "JP_SURBL_MULTI";
+ }
+ symbol {
+ weight = 5.500000;
+ description = "SURBL: sa-blacklist web sites ";
+ name = "WS_SURBL_MULTI";
+ }
+ symbol {
+ weight = 4.500000;
+ description = "rambler.ru uribl";
+ name = "RAMBLER_URIBL";
+ }
+
+ symbol {
+ weight = 0.0;
+ name = "SEM_URIBL_UNKNOWN";
+ description = "Spameatingmonkey uribl unknown";
+ }
+ symbol {
+ weight = 3.5;
+ name = "SEM_URIBL";
+ description = "Spameatingmonkey uribl";
+ }
+
+ symbol {
+ weight = 0.0;
+ name = "SEM_URIBL_FRESH15_UNKNOWN";
+ description = "Spameatingmonkey uribl unknown";
+ }
+ symbol {
+ weight = 3.0;
+ name = "SEM_URIBL_FRESH15";
+ description = "Spameatingmonkey uribl. Domains registered in the last 15 days (.AERO,.BIZ,.COM,.INFO,.NAME,.NET,.PRO,.SK,.TEL,.US)";
+ }
+
+ symbol {
+ weight = 0.000000;
+ description = "DBL uribl unknown symbol (error)";
+ name = "DBL";
+ }
+ symbol {
+ weight = 6.500000;
+ description = "DBL uribl spam";
+ name = "DBL_SPAM";
+ }
+ symbol {
+ weight = 6.500000;
+ description = "DBL uribl phishing";
+ name = "DBL_PHISH";
+ }
+ symbol {
+ weight = 6.500000;
+ description = "DBL uribl malware";
+ name = "DBL_MALWARE";
+ }
+ symbol {
+ weight = 5.500000;
+ description = "DBL uribl botnet C&C domain";
+ name = "DBL_BOTNET";
+ }
+ symbol {
+ weight = 6.500000;
+ description = "DBL uribl abused legit spam";
+ name = "DBL_ABUSE";
+ }
+ symbol {
+ weight = 7.500000;
+ description = "DBL uribl abused spammed redirector domain";
+ name = "DBL_ABUSE_REDIR";
+ }
+ symbol {
+ weight = 7.500000;
+ description = "DBL uribl abused legit phish";
+ name = "DBL_ABUSE_PHISH";
+ }
+ symbol {
+ weight = 7.500000;
+ description = "DBL uribl abused legit malware";
+ name = "DBL_ABUSE_MALWARE";
+ }
+ symbol {
+ weight = 5.500000;
+ description = "DBL uribl abused legit botnet C&C";
+ name = "DBL_ABUSE_BOTNET";
+ }
+ symbol {
+ weight = 0.00000;
+ description = "DBL uribl IP queries prohibited!";
+ name = "DBL_PROHIBIT";
+ }
+ symbol {
+ weight = 7.5;
+ description = "uribl.com black url";
+ name = "URIBL_BLACK";
+ }
+ symbol {
+ weight = 3.5;
+ description = "uribl.com red url";
+ name = "URIBL_RED";
+ }
+ symbol {
+ weight = 1.5;
+ description = "uribl.com grey url";
+ name = "URIBL_GREY";
+ }
+ symbol {
+ weight = 9.500000;
+ description = "rambler.ru emailbl";
+ name = "RAMBLER_EMAILBL";
+ }
}
-
- group {
- name = "date";
-
- symbol {
- weight = 4.0;
- description = "Message date is in future";
- name = "DATE_IN_FUTURE";
- }
- symbol {
- weight = 1.0;
- description = "Message date is in past";
- name = "DATE_IN_PAST";
- }
- symbol {
- weight = 1.0;
- description = "Message date is missing";
- name = "MISSING_DATE";
- }
+
+ group {
+ name = "phishing";
+
+ symbol {
+ weight = 5.0;
+ description = "Phished mail";
+ name = "PHISHING";
+ }
}
-
- group {
- name = "hfilter";
-
- symbol { weight = 4.00; name = "HFILTER_HELO_BAREIP"; description = "Helo host is bare ip"; }
- symbol { weight = 4.50; name = "HFILTER_HELO_BADIP"; description = "Helo host is very bad ip"; }
- symbol { weight = 4.00; name = "HFILTER_HELO_UNKNOWN"; description = "Helo host empty or unknown"; }
- symbol { weight = 1.00; name = "HFILTER_HELO_1"; description = "Helo host checks (very low)"; }
- symbol { weight = 2.00; name = "HFILTER_HELO_2"; description = "Helo host checks (low)"; }
- symbol { weight = 3.00; name = "HFILTER_HELO_3"; description = "Helo host checks (medium)"; }
- symbol { weight = 3.50; name = "HFILTER_HELO_4"; description = "Helo host checks (hard)"; }
- symbol { weight = 4.00; name = "HFILTER_HELO_5"; description = "Helo host checks (very hard)"; }
- symbol { weight = 1.00; name = "HFILTER_HOSTNAME_1"; description = "Hostname checks (very low)"; }
- symbol { weight = 2.00; name = "HFILTER_HOSTNAME_2"; description = "Hostname checks (low)"; }
- symbol { weight = 3.00; name = "HFILTER_HOSTNAME_3"; description = "Hostname checks (medium)"; }
- symbol { weight = 3.50; name = "HFILTER_HOSTNAME_4"; description = "Hostname checks (hard)"; }
- symbol { weight = 4.00; name = "HFILTER_HOSTNAME_5"; description = "Hostname checks (very hard)"; }
- symbol { weight = 1.50; name = "HFILTER_HELO_NORESOLVE_MX"; description = "MX found in Helo and no resolve"; }
- symbol { weight = 2.00; name = "HFILTER_HELO_NORES_A_OR_MX"; description = "Helo no resolve to A or MX"; }
- symbol { weight = 1.00; name = "HFILTER_HELO_IP_A"; description = "Helo A IP != hostname IP"; }
- symbol { weight = 3.00; name = "HFILTER_HELO_NOT_FQDN"; description = "Helo not FQDN"; }
- symbol { weight = 1.50; name = "HFILTER_FROMHOST_NORESOLVE_MX"; description = "MX found in FROM host and no resolve"; }
- symbol { weight = 3.50; name = "HFILTER_FROMHOST_NORES_A_OR_MX"; description = "FROM host no resolve to A or MX"; }
- symbol { weight = 4.00; name = "HFILTER_FROMHOST_NOT_FQDN"; description = "FROM host not FQDN"; }
- symbol { weight = 0.00; name = "HFILTER_FROM_BOUNCE"; description = "Bounce message"; }
- symbol { weight = 0.50; name = "HFILTER_MID_NORESOLVE_MX"; description = "MX found in Message-id host and no resolve"; }
- symbol { weight = 0.50; name = "HFILTER_MID_NORES_A_OR_MX"; description = "Message-id host no resolve to A or MX"; }
- symbol { weight = 0.50; name = "HFILTER_MID_NOT_FQDN"; description = "Message-id host not FQDN"; }
- symbol { weight = 4.00; name = "HFILTER_HOSTNAME_UNKNOWN"; description = "Unknown hostname (no PTR or no resolve PTR to hostname)"; }
- symbol { weight = 1.50; name = "HFILTER_RCPT_BOUNCEMOREONE"; description = "Message from bounce and over 1 recepient"; }
- symbol { weight = 3.50; name = "HFILTER_URL_ONLY"; description = "URL only in body"; }
- symbol { weight = 2.20; name = "HFILTER_URL_ONELINE"; description = "One line URL and text in body"; }
+
+ group {
+ name = "date";
+
+ symbol {
+ weight = 4.0;
+ description = "Message date is in future";
+ name = "DATE_IN_FUTURE";
+ }
+ symbol {
+ weight = 1.0;
+ description = "Message date is in past";
+ name = "DATE_IN_PAST";
}
+ symbol {
+ weight = 1.0;
+ description = "Message date is missing";
+ name = "MISSING_DATE";
+ }
+ }
+
+ group {
+ name = "hfilter";
+
+ symbol {
+ weight = 4.00;
+ name = "HFILTER_HELO_BAREIP";
+ description = "Helo host is bare ip";
+ }
+ symbol {
+ weight = 4.50;
+ name = "HFILTER_HELO_BADIP";
+ description = "Helo host is very bad ip";
+ }
+ symbol {
+ weight = 4.00;
+ name = "HFILTER_HELO_UNKNOWN";
+ description = "Helo host empty or unknown";
+ }
+ symbol {
+ weight = 1.00;
+ name = "HFILTER_HELO_1";
+ description = "Helo host checks (very low)";
+ }
+ symbol {
+ weight = 2.00;
+ name = "HFILTER_HELO_2";
+ description = "Helo host checks (low)";
+ }
+ symbol {
+ weight = 3.00;
+ name = "HFILTER_HELO_3";
+ description = "Helo host checks (medium)";
+ }
+ symbol {
+ weight = 3.50;
+ name = "HFILTER_HELO_4";
+ description = "Helo host checks (hard)";
+ }
+ symbol {
+ weight = 4.00;
+ name = "HFILTER_HELO_5";
+ description = "Helo host checks (very hard)";
+ }
+ symbol {
+ weight = 1.00;
+ name = "HFILTER_HOSTNAME_1";
+ description = "Hostname checks (very low)";
+ }
+ symbol {
+ weight = 2.00;
+ name = "HFILTER_HOSTNAME_2";
+ description = "Hostname checks (low)";
+ }
+ symbol {
+ weight = 3.00;
+ name = "HFILTER_HOSTNAME_3";
+ description = "Hostname checks (medium)";
+ }
+ symbol {
+ weight = 3.50;
+ name = "HFILTER_HOSTNAME_4";
+ description = "Hostname checks (hard)";
+ }
+ symbol {
+ weight = 4.00;
+ name = "HFILTER_HOSTNAME_5";
+ description = "Hostname checks (very hard)";
+ }
+ symbol {
+ weight = 1.50;
+ name = "HFILTER_HELO_NORESOLVE_MX";
+ description = "MX found in Helo and no resolve";
+ }
+ symbol {
+ weight = 2.00;
+ name = "HFILTER_HELO_NORES_A_OR_MX";
+ description = "Helo no resolve to A or MX";
+ }
+ symbol {
+ weight = 1.00;
+ name = "HFILTER_HELO_IP_A";
+ description = "Helo A IP != hostname IP";
+ }
+ symbol {
+ weight = 3.00;
+ name = "HFILTER_HELO_NOT_FQDN";
+ description = "Helo not FQDN";
+ }
+ symbol {
+ weight = 1.50;
+ name = "HFILTER_FROMHOST_NORESOLVE_MX";
+ description = "MX found in FROM host and no resolve";
+ }
+ symbol {
+ weight = 3.50;
+ name = "HFILTER_FROMHOST_NORES_A_OR_MX";
+ description = "FROM host no resolve to A or MX";
+ }
+ symbol {
+ weight = 4.00;
+ name = "HFILTER_FROMHOST_NOT_FQDN";
+ description = "FROM host not FQDN";
+ }
+ symbol {
+ weight = 0.00;
+ name = "HFILTER_FROM_BOUNCE";
+ description = "Bounce message";
+ }
+ symbol {
+ weight = 0.50;
+ name = "HFILTER_MID_NORESOLVE_MX";
+ description = "MX found in Message-id host and no resolve";
+ }
+ symbol {
+ weight = 0.50;
+ name = "HFILTER_MID_NORES_A_OR_MX";
+ description = "Message-id host no resolve to A or MX";
+ }
+ symbol {
+ weight = 0.50;
+ name = "HFILTER_MID_NOT_FQDN";
+ description = "Message-id host not FQDN";
+ }
+ symbol {
+ weight = 4.00;
+ name = "HFILTER_HOSTNAME_UNKNOWN";
+ description = "Unknown hostname (no PTR or no resolve PTR to hostname)";
+ }
+ symbol {
+ weight = 1.50;
+ name = "HFILTER_RCPT_BOUNCEMOREONE";
+ description = "Message from bounce and over 1 recepient";
+ }
+ symbol {
+ weight = 3.50;
+ name = "HFILTER_URL_ONLY";
+ description = "URL only in body";
+ }
+ symbol {
+ weight = 2.20;
+ name = "HFILTER_URL_ONELINE";
+ description = "One line URL and text in body";
+ }
+ }
}
# Rspamd modules configuration
+
fuzzy_check {
min_bytes = 300;
- rule {
- servers = "highsecure.ru:11335";
- symbol = "FUZZY_UNKNOWN";
- mime_types = "application/pdf";
- max_score = 20.0;
- read_only = yes;
- skip_unknown = yes;
- fuzzy_map = {
- FUZZY_DENIED {
- max_score = 20.0;
- flag = 1
- }
- FUZZY_PROB {
- max_score = 10.0;
- flag = 2
- }
- FUZZY_WHITE {
- max_score = 2.0;
- flag = 3
- }
- }
- }
+ rule {
+ servers = "highsecure.ru:11335";
+ symbol = "FUZZY_UNKNOWN";
+ mime_types = "application/pdf";
+ max_score = 20.0;
+ read_only = yes;
+ skip_unknown = yes;
+ fuzzy_map = {
+ FUZZY_DENIED {
+ max_score = 20.0;
+ flag = 1;
+ }
+ FUZZY_PROB {
+ max_score = 10.0;
+ flag = 2;
+ }
+ FUZZY_WHITE {
+ max_score = 2.0;
+ flag = 3;
+ }
+ }
+ }
}
+
forged_recipients {
symbol_sender = "FORGED_SENDER";
symbol_rcpt = "FORGED_RECIPIENTS";
}
+
maillist {
symbol = "MAILLIST";
}
+
surbl {
whitelist = "file://$CONFDIR/surbl-whitelist.inc";
exceptions = "file://$CONFDIR/2tld.inc";
symbol = "DBL";
options = "noip";
ips = {
- DBL_SPAM = "127.0.1.2"; # spam domain
- DBL_PHISH = "127.0.1.4"; # phish domain
- DBL_MALWARE = "127.0.1.5"; # malware domain
- DBL_BOTNET = "127.0.1.6"; # botnet C&C domain
- DBL_ABUSE = "127.0.1.102"; # abused legit spam
- DBL_ABUSE_REDIR = "127.0.1.103"; # abused spammed redirector domain
- DBL_ABUSE_PHISH = "127.0.1.104"; # abused legit phish
- DBL_ABUSE_MALWARE = "127.0.1.105"; # abused legit malware
- DBL_ABUSE_BOTNET = "127.0.1.106"; # abused legit botnet C&C
- DBL_PROHIBIT = "127.0.1.255"; # IP queries prohibited!
+ # spam domain
+ DBL_SPAM = "127.0.1.2";
+ # phish domain
+ DBL_PHISH = "127.0.1.4";
+ # malware domain
+ DBL_MALWARE = "127.0.1.5";
+ # botnet C&C domain
+ DBL_BOTNET = "127.0.1.6";
+ # abused legit spam
+ DBL_ABUSE = "127.0.1.102";
+ # abused spammed redirector domain
+ DBL_ABUSE_REDIR = "127.0.1.103";
+ # abused legit phish
+ DBL_ABUSE_PHISH = "127.0.1.104";
+ # abused legit malware
+ DBL_ABUSE_MALWARE = "127.0.1.105";
+ # abused legit botnet C&C
+ DBL_ABUSE_BOTNET = "127.0.1.106";
+ # error - IP queries prohibited!
+ DBL_PROHIBIT = "127.0.1.255";
}
}
rule {
options = "noip";
}
}
+
rbl {
- default_from = true;
- default_received = false;
- default_exclude_users = true;
-
- private_ips = "127.0.0.0/8 10.0.0.0/8 192.168.0.0/16 169.254.0.0/16 172.16.0.0/12 100.64.0.0/10 fc00::/7 fe80::/10 fec0::/10 ::1";
-
- rbls {
-
- spamhaus {
- symbol = "RBL_SPAMHAUS";
- rbl = "zen.spamhaus.org";
- ipv6 = true;
- returncodes {
- RBL_SPAMHAUS_SBL = "127.0.0.2";
- RBL_SPAMHAUS_CSS = "127.0.0.3";
- RBL_SPAMHAUS_XBL = "127.0.0.4";
- RBL_SPAMHAUS_XBL = "127.0.0.5";
- RBL_SPAMHAUS_XBL = "127.0.0.6";
- RBL_SPAMHAUS_XBL = "127.0.0.7";
- RBL_SPAMHAUS_PBL = "127.0.0.10";
- RBL_SPAMHAUS_PBL = "127.0.0.11";
+ default_from = true;
+ default_received = false;
+ default_exclude_users = true;
+
+ private_ips = "127.0.0.0/8 10.0.0.0/8 192.168.0.0/16 169.254.0.0/16 172.16.0.0/12 100.64.0.0/10 fc00::/7 fe80::/10 fec0::/10 ::1";
+
+ rbls {
+
+ spamhaus {
+ symbol = "RBL_SPAMHAUS";
+ rbl = "zen.spamhaus.org";
+ ipv6 = true;
+ returncodes {
+ RBL_SPAMHAUS_SBL = "127.0.0.2";
+ RBL_SPAMHAUS_CSS = "127.0.0.3";
+ RBL_SPAMHAUS_XBL = "127.0.0.4";
+ RBL_SPAMHAUS_XBL = "127.0.0.5";
+ RBL_SPAMHAUS_XBL = "127.0.0.6";
+ RBL_SPAMHAUS_XBL = "127.0.0.7";
+ RBL_SPAMHAUS_PBL = "127.0.0.10";
+ RBL_SPAMHAUS_PBL = "127.0.0.11";
+ }
}
- }
- spamhaus_xbl {
- symbol = "RECEIVED_SPAMHAUS_XBL";
- rbl = "xbl.spamhaus.org";
- ipv6 = true;
- received = true;
- from = false;
- }
-
- spamhaus_swl {
- symbol = "RWL_SPAMHAUS_WL";
- rbl = "swl.spamhaus.org";
- ipv6 = true;
- is_whitelist = true;
- returncodes {
- RWL_SPAMHAUS_WL_IND = "127.0.2.2";
- RWL_SPAMHAUS_WL_TRANS = "127.0.2.3";
- RWL_SPAMHAUS_WL_IND_EXP = "127.0.2.102";
- RWL_SPAMHAUS_WL_TRANS_EXP = "127.0.2.103";
+ spamhaus_xbl {
+ symbol = "RECEIVED_SPAMHAUS_XBL";
+ rbl = "xbl.spamhaus.org";
+ ipv6 = true;
+ received = true;
+ from = false;
}
- }
- mailspike_bl {
- rbl = "bl.mailspike.net";
- returncodes {
- RBL_MAILSPIKE_ZOMBIE = "127.0.0.2";
- RBL_MAILSPIKE_WORST = "127.0.0.10";
- RBL_MAILSPIKE_VERYBAD = "127.0.0.11";
- RBL_MAILSPIKE_BAD = "127.0.0.12";
- }
- }
+ spamhaus_swl {
+ symbol = "RWL_SPAMHAUS_WL";
+ rbl = "swl.spamhaus.org";
+ ipv6 = true;
+ is_whitelist = true;
+ returncodes {
+ RWL_SPAMHAUS_WL_IND = "127.0.2.2";
+ RWL_SPAMHAUS_WL_TRANS = "127.0.2.3";
+ RWL_SPAMHAUS_WL_IND_EXP = "127.0.2.102";
+ RWL_SPAMHAUS_WL_TRANS_EXP = "127.0.2.103";
+ }
+ }
- mailspike_wl {
- rbl = "wl.mailspike.net";
- is_whitelist = true;
- returncodes {
- RWL_MAILSPIKE_POSSIBLE = "127.0.0.17";
- RWL_MAILSPIKE_GOOD = "127.0.0.18";
- RWL_MAILSPIKE_VERYGOOD = "127.0.0.19";
- RWL_MAILSPIKE_EXCELLENT = "127.0.0.20";
- }
- }
-
- senderscore {
- symbol = "RBL_SENDERSCORE";
- rbl = "bl.score.senderscore.com";
- }
-
- abusech {
- symbol = "RBL_ABUSECH";
- rbl = "spam.abuse.ch";
- }
-
- uceprotect1 {
- symbol = "RBL_UCEPROTECT_LEVEL1";
- rbl = "dnsbl-1.uceprotect.net";
- }
-
- sorbs {
- symbol = "RBL_SORBS";
- rbl = "dnsbl.sorbs.net";
- returncodes {
- #http://www.sorbs.net/general/using.shtml
- RBL_SORBS_HTTP = "127.0.0.2"
- RBL_SORBS_SOCKS = "127.0.0.3"
- RBL_SORBS_MISC = "127.0.0.4"
- RBL_SORBS_SMTP = "127.0.0.5"
- RBL_SORBS_RECENT = "127.0.0.6"
- RBL_SORBS_WEB = "127.0.0.7"
- RBL_SORBS_DUL = "127.0.0.10"
- RBL_SORBS_BLOCK = "127.0.0.8"
- RBL_SORBS_ZOMBIE = "127.0.0.9"
- }
- }
-
- sem {
- symbol = "RBL_SEM";
- rbl = "bl.spameatingmonkey.net";
- }
-
- semIPv6 {
- symbol = "RBL_SEM_IPV6";
- rbl = "bl.ipv6.spameatingmonkey.net";
- ipv4 = false;
- ipv6 = true;
- }
+ mailspike_bl {
+ rbl = "bl.mailspike.net";
+ returncodes {
+ RBL_MAILSPIKE_ZOMBIE = "127.0.0.2";
+ RBL_MAILSPIKE_WORST = "127.0.0.10";
+ RBL_MAILSPIKE_VERYBAD = "127.0.0.11";
+ RBL_MAILSPIKE_BAD = "127.0.0.12";
+ }
+ }
- dnswl {
- symbol = "RCVD_IN_DNSWL";
- rbl = "list.dnswl.org";
- ipv6 = true;
- is_whitelist = true;
- returncodes {
- RCVD_IN_DNSWL_NONE = "127.0.%d+.0";
- RCVD_IN_DNSWL_LOW = "127.0.%d+.1";
- RCVD_IN_DNSWL_MED = "127.0.%d+.2";
- RCVD_IN_DNSWL_HI = "127.0.%d+.3";
- DNSWL_BLOCKED = "127.0.0.255";
+ mailspike_wl {
+ rbl = "wl.mailspike.net";
+ is_whitelist = true;
+ returncodes {
+ RWL_MAILSPIKE_POSSIBLE = "127.0.0.17";
+ RWL_MAILSPIKE_GOOD = "127.0.0.18";
+ RWL_MAILSPIKE_VERYGOOD = "127.0.0.19";
+ RWL_MAILSPIKE_EXCELLENT = "127.0.0.20";
+ }
}
- }
- rambleremails {
- symbol = RAMBLER_EMAILBL;
- rbl = email-bl.rambler.ru;
- from = false;
- emails = true;
- exclude_users = false;
- exclude_private_ips = false;
- exclude_local = false;
- ignore_whitelists = true;
- }
+ senderscore {
+ symbol = "RBL_SENDERSCORE";
+ rbl = "bl.score.senderscore.com";
+ }
+
+ abusech {
+ symbol = "RBL_ABUSECH";
+ rbl = "spam.abuse.ch";
+ }
+
+ uceprotect1 {
+ symbol = "RBL_UCEPROTECT_LEVEL1";
+ rbl = "dnsbl-1.uceprotect.net";
+ }
+
+ sorbs {
+ symbol = "RBL_SORBS";
+ rbl = "dnsbl.sorbs.net";
+ returncodes {
+ # http:// www.sorbs.net/general/using.shtml
+ RBL_SORBS_HTTP = "127.0.0.2";
+ RBL_SORBS_SOCKS = "127.0.0.3";
+ RBL_SORBS_MISC = "127.0.0.4";
+ RBL_SORBS_SMTP = "127.0.0.5";
+ RBL_SORBS_RECENT = "127.0.0.6";
+ RBL_SORBS_WEB = "127.0.0.7";
+ RBL_SORBS_DUL = "127.0.0.10";
+ RBL_SORBS_BLOCK = "127.0.0.8";
+ RBL_SORBS_ZOMBIE = "127.0.0.9";
+ }
+ }
+
+ sem {
+ symbol = "RBL_SEM";
+ rbl = "bl.spameatingmonkey.net";
+ }
- }
+ semIPv6 {
+ symbol = "RBL_SEM_IPV6";
+ rbl = "bl.ipv6.spameatingmonkey.net";
+ ipv4 = false;
+ ipv6 = true;
+ }
+
+ dnswl {
+ symbol = "RCVD_IN_DNSWL";
+ rbl = "list.dnswl.org";
+ ipv6 = true;
+ is_whitelist = true;
+ returncodes {
+ RCVD_IN_DNSWL_NONE = "127.0.%d+.0";
+ RCVD_IN_DNSWL_LOW = "127.0.%d+.1";
+ RCVD_IN_DNSWL_MED = "127.0.%d+.2";
+ RCVD_IN_DNSWL_HI = "127.0.%d+.3";
+ DNSWL_BLOCKED = "127.0.0.255";
+ }
+ }
+
+ rambleremails {
+ symbol = RAMBLER_EMAILBL;
+ rbl = "email-bl.rambler.ru";
+ from = false;
+ emails = true;
+ exclude_users = false;
+ exclude_private_ips = false;
+ exclude_local = false;
+ ignore_whitelists = true;
+ }
+
+ }
}
chartable {
threshold = 0.300000;
symbol = "R_MIXED_CHARSET";
}
+
once_received {
good_host = "mail";
bad_host = "static";
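Review bot: The `dnswl` return codes in the re-indented `rbls` block are patterns with unescaped dots (`RCVD_IN_DNSWL_MED = "127.0.%d+.2";`), listed next to `DNSWL_BLOCKED = "127.0.0.255";`, the answer a blocked resolver receives. The matcher is not part of this diff, so this is an assumption to confirm: if it applies these as unanchored Lua patterns, `127.0.0.255` would also satisfy the `.2` pattern. Because the list has `is_whitelist = true`, a blocked resolver would then hand whitelist credit to every sender. I would add a comment above `returncodes`, such as `# values are Lua patterns matched against the whole answer; 127.0.0.255 (blocked) must never match a trust level`, and verify that behaviour against the rbl module. Separately, `symbol = RAMBLER_EMAILBL;` is still unquoted although this change quotes the `rbl` value on the line after it.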
phishing {
symbol = "PHISHING";
}
+
#emails {
#}
+
spf {
spf_cache_size = 2k;
spf_cache_expire = 1d;
}
+
dkim {
dkim_cache_size = 2k;
dkim_cache_expire = 1d;
}
ip_score {
-# servers = "localhost";
-# treshold = 100;
-# reject_score = 3;
-# no_action_score = -2;
-# add_header_score = 1;
-# whitelist = "file:///ip_map";
+# servers = "localhost";
+# treshold = 100;
+# reject_score = 3;
+# no_action_score = -2;
+# add_header_score = 1;
+# whitelist = "file:///ip_map";
}
hfilter {