From 5da8cf87d7c40dc6a73d79f0a526f603852c9c6d Mon Sep 17 00:00:00 2001 From: Vsevolod Stakhov Date: Sat, 11 Nov 2017 13:52:02 +0000 Subject: [PATCH] [Conf] Massive config rework for new structure of symbols and scores --- conf/actions.conf | 30 ++ conf/common.conf | 2 + conf/groups.conf | 99 +++++ conf/metrics.conf | 605 +--------------------------- conf/scores.d/fuzzy_group.conf | 35 ++ conf/scores.d/headers_group.conf | 61 +++ conf/scores.d/hfilter_group.conf | 131 ++++++ conf/scores.d/mime_types_group.conf | 59 +++ conf/scores.d/mua_group.conf | 24 ++ conf/scores.d/phishing_group.conf | 36 ++ conf/scores.d/policies_group.conf | 104 +++++ conf/scores.d/rbl_group.conf | 132 ++++++ conf/scores.d/statistics_group.conf | 27 ++ conf/scores.d/subject_group.conf | 21 + conf/scores.d/surbl_group.conf | 159 ++++++++ src/plugins/lua/arc.lua | 10 +- 16 files changed, 928 insertions(+), 607 deletions(-) create mode 100644 conf/actions.conf create mode 100644 conf/groups.conf create mode 100644 conf/scores.d/fuzzy_group.conf create mode 100644 conf/scores.d/headers_group.conf create mode 100644 conf/scores.d/hfilter_group.conf create mode 100644 conf/scores.d/mime_types_group.conf create mode 100644 conf/scores.d/mua_group.conf create mode 100644 conf/scores.d/phishing_group.conf create mode 100644 conf/scores.d/policies_group.conf create mode 100644 conf/scores.d/rbl_group.conf create mode 100644 conf/scores.d/statistics_group.conf create mode 100644 conf/scores.d/subject_group.conf create mode 100644 conf/scores.d/surbl_group.conf diff --git a/conf/actions.conf b/conf/actions.conf new file mode 100644 index 000000000..75b0d2f73 --- /dev/null +++ b/conf/actions.conf 
@@ -0,0 +1,30 @@ +# Actions settings +# Please don't modify this file as your changes might be overwritten with +# the next update. +# +# You can modify '$LOCAL_CONFDIR/rspamd.conf.local.override' to redefine +# parameters defined on the top level +# +# You can modify '$LOCAL_CONFDIR/rspamd.conf.local' to add +# parameters defined on the top level +# +# For specific modules or configuration you can also modify +# '$LOCAL_CONFDIR/local.d/file.conf' - to add your options or rewrite defaults +# '$LOCAL_CONFDIR/override.d/file.conf' - to override the defaults +# +# See https://rspamd.com/doc/tutorials/writing_rules.html for details + +actions { + reject = 15; # Reject when reaching this score + add_header = 6; # Add header when reaching this score + greylist = 4; # Apply greylisting when reaching this score (will emit `soft reject action`) + + #unknown_weight = 1.0; # Enable if need to set score for all symbols implicitly + # Each new symbol is added multiplied by gf^N, where N is the number of spammy symbols + #grow_factor = 1.1; + # Set rewrite subject to this value (%s is replaced by the original subject) + #subject = "***SPAM*** %s" + + .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/actions.conf" + .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/actions.conf" +} \ No newline at end of file diff --git a/conf/common.conf b/conf/common.conf index ebb52bf78..6a50099f9 100644 --- a/conf/common.conf +++ b/conf/common.conf @@ -17,6 +17,8 @@ lua = "$RULESDIR/rspamd.lua" .include "$CONFDIR/metrics.conf" +.include "$CONFDIR/actions.conf" +.include "$CONFDIR/groups.conf" .include "$CONFDIR/composites.conf" .include "$CONFDIR/statistic.conf" diff --git a/conf/groups.conf b/conf/groups.conf new file mode 100644 index 000000000..f3d966745 --- /dev/null +++ b/conf/groups.conf 
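Review bot: The header comment of the new `conf/actions.conf` does not say how these top-level `actions` thresholds interact with an `actions { ... }` block that a site already keeps in `local.d/metrics.conf`. That file is still included by this commit, from inside `metric { name = "default"; }` in `conf/metrics.conf`. `reject`, `add_header` and `greylist` decide whether mail is dropped or tagged, so a local override that silently stops applying would change filtering policy on upgrade; whether the loader merges the two locations cannot be told from this patch. Once the precedence is confirmed, I would add a line such as `# Thresholds previously set in local.d/metrics.conf should be moved to local.d/actions.conf`. The inline comment on `greylist` also has its backticks misplaced and would read better as `# Apply greylisting when reaching this score (will emit a soft reject action)`.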
@@ -0,0 +1,99 @@
+# Symbols groups setup
+# Each individual group lives in scores.d/
+#
+# Please don't modify this file as your changes might be overwritten with
+# the next update.
+#
+# You can modify '$LOCAL_CONFDIR/rspamd.conf.local.override' to redefine
+# parameters defined on the top level
+#
+# You can modify '$LOCAL_CONFDIR/rspamd.conf.local' to add
+# parameters defined on the top level
+#
+# For specific modules or configuration you can also modify
+# '$LOCAL_CONFDIR/local.d/file.conf' - to add your options or rewrite defaults
+# '$LOCAL_CONFDIR/override.d/file.conf' - to override the defaults
+#
+# See https://rspamd.com/doc/tutorials/writing_rules.html for details
+
+group "headers" = {
+ .include "$CONFDIR/scores.d/headers_group.conf"
+ .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/headers_group.conf"
+ .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/headers_group.conf"
+}
+
+group "subject" = {
+ .include "$CONFDIR/scores.d/subject_group.conf"
+ .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/subject_group.conf"
+ .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/subject_group.conf"
+}
+
+group "mua" = {
+ .include "$CONFDIR/scores.d/mua_group.conf"
+ .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/mua_group.conf"
+ .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/mua_group.conf"
+}
+
+group "rbl" = {
+ .include "$CONFDIR/scores.d/rbl_group.conf"
+ .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/rbl_group.conf"
+ .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/rbl_group.conf"
+}
+
+group "statistics" = {
+ .include "$CONFDIR/scores.d/statistics_group.conf"
+ .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/statistics_group.conf"
+ .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/statistics_group.conf"
+}
+
+group "fuzzy" = {
+ .include "$CONFDIR/scores.d/fuzzy_group.conf"
+
.include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/fuzzy_group.conf"
+ .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/fuzzy_group.conf"
+}
+
+# SPF + DKIM + DMARC + ARC
+group "policies" = {
+ .include "$CONFDIR/scores.d/policies_group.conf"
+ .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/policies_group.conf"
+ .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/policies_group.conf"
+}
+
+group "surbl" = {
+ .include "$CONFDIR/scores.d/surbl_group.conf"
+ .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/surbl_group.conf"
+ .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/surbl_group.conf"
+}
+
+group "phishing" = {
+ .include "$CONFDIR/scores.d/phishing_group.conf"
+ .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/phishing_group.conf"
+ .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/phishing_group.conf"
+}
+
+group "hfilter" = {
+ .include "$CONFDIR/scores.d/hfilter_group.conf"
+ .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/hfilter_group.conf"
+ .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/hfilter_group.conf"
+}
+
+group "mime_types" = {
+ .include "$CONFDIR/scores.d/mime_types_group.conf"
+ .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/mime_types_group.conf"
+ .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/mime_types_group.conf"
+}
+
+# Used to limit maximium score
+group "excessqp" {
+ max_score = 2.4;
+ .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/excessqp_group.conf"
+ .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/excessqp_group.conf"
+}
+group "excessb64" {
+ max_score = 3.0;
+ .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/excessb64_group.conf"
+ .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/excessb64_group.conf"
+}
+
+.include(try=true; priority=1; duplicate=merge)
"$LOCAL_CONFDIR/local.d/groups.conf" +.include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/groups.conf" \ No newline at end of file diff --git a/conf/metrics.conf b/conf/metrics.conf index 6553b86cf..9c4358f30 100644 --- a/conf/metrics.conf +++ b/conf/metrics.conf @@ -14,610 +14,11 @@ # # See https://rspamd.com/doc/tutorials/writing_rules.html for details +# DEPRECATION WARNING!! +# This file is deprecated since 1.7 +# Please use actions.conf and groups.conf files instead metric { name = "default"; - # If this param is set to non-zero - # then a metric would accept all symbols - # unknown_weight = 1.0 - - actions { - reject = 15; - add_header = 6; - greylist = 4; - } - - group "excessqp" { - max_score = 2.4; - } - group "excessb64" { - max_score = 3.0; - } - group "header" { - symbol "FORGED_SENDER" { - weight = 0.30; - description = "Sender is forged (different 
From: header and smtp MAIL FROM: addresses)"; - } - symbol "R_MIXED_CHARSET" { - weight = 5.0; - description = "Mixed characters in a message"; - one_shot = true; - } - symbol "R_MIXED_CHARSET_URL" { - weight = 7.0; - description = "Mixed characters in a URL inside message"; - one_shot = true; - } - symbol "FORGED_RECIPIENTS" { - weight = 2.0; - description = "Recipients are not the same as RCPT TO: mail command"; - } - symbol "FORGED_RECIPIENTS_MAILLIST" { - weight = 0.0; - description = "Recipients are not the same as RCPT TO: mail command, but a message from a maillist"; - } - symbol "FORGED_SENDER_MAILLIST" { - weight = 0.0; - description = "Sender is not the same as MAIL FROM: envelope, but a message is from a maillist"; - } - symbol "ONCE_RECEIVED" { - weight = 0.1; - description = "One received header in a message"; - } - symbol "RDNS_NONE" { - weight = 1.0; - description = "Cannot resolve reverse DNS for sender's IP"; - } - symbol "ONCE_RECEIVED_STRICT" { - weight = 4.0; - description = "One received header with 'bad' patterns inside"; - } - symbol "MAILLIST" { - weight = -0.2; - description = "Message seems to be from maillist"; - } - } - - group "subject" { - max_score = 6.0; - } - - group "mua" { - symbol "FORGED_MUA_MAILLIST" { - weight = 0.0; - description = "Avoid false positives for FORGED_MUA_* in maillist"; - } - } - - group "rbl" { - symbol "DNSWL_BLOCKED" { - weight = 0.0; - description = "Resolver blocked due to excessive queries"; - } - symbol "RCVD_IN_DNSWL" { - weight = 0.0; - description = "Unrecognised result from dnswl.org"; - } - symbol "RCVD_IN_DNSWL_NONE" { - weight = 0.0; - description = "Sender listed at http://www.dnswl.org, low none"; - } - symbol "RCVD_IN_DNSWL_LOW" { - weight = 0.0; - description = "Sender listed at http://www.dnswl.org, low trust"; - } - symbol "RCVD_IN_DNSWL_MED" { - weight = 0.0; - description = "Sender listed at http://www.dnswl.org, medium trust"; - } - symbol "RCVD_IN_DNSWL_HI" { - weight = 0.0; - 
description = "Sender listed at http://www.dnswl.org, high trust"; - } - - symbol "RBL_SPAMHAUS" { - weight = 0.0; - description = "Unrecognised result from Spamhaus zen"; - } - symbol "RBL_SPAMHAUS_SBL" { - weight = 2.0; - description = "From address is listed in zen sbl"; - } - symbol "RBL_SPAMHAUS_CSS" { - weight = 2.0; - description = "From address is listed in zen css"; - } - symbol "RBL_SPAMHAUS_XBL" { - weight = 4.0; - description = "From address is listed in zen xbl"; - } - symbol "RBL_SPAMHAUS_XBL_ANY" { - weight = 4.0; - description = "From or received address is listed in zen xbl (any list)"; - } - symbol "RBL_SPAMHAUS_PBL" { - weight = 2.0; - description = "From address is listed in zen pbl (ISP list)"; - } - symbol "RBL_SPAMHAUS_DROP" { - weight = 7.0; - description = "From address is listed in zen drop bl"; - } - symbol "RECEIVED_SPAMHAUS_XBL" { - weight = 3.0; - description = "Received address is listed in zen xbl"; - one_shot = true; - } - - symbol "RBL_SENDERSCORE" { - weight = 2.0; - description = "From address is listed in senderscore.com BL"; - } - symbol "RBL_ABUSECH" { - weight = 1.0; - description = "From address is listed in ABUSE.CH BL"; - } - symbol "MAILSPIKE" { - weight = 0.0; - description = "Unrecognised result from Mailspike"; - } - symbol "RWL_MAILSPIKE_NEUTRAL" { - weight = 0.0; - description = "Neutral result from Mailspike"; - } - symbol "RBL_MAILSPIKE_WORST" { - weight = 2.0; - description = "From address is listed in RBL - worst possible reputation"; - } - symbol "RBL_MAILSPIKE_VERYBAD" { - weight = 1.5; - description = "From address is listed in RBL - very bad reputation"; - } - symbol "RBL_MAILSPIKE_BAD" { - weight = 1.0; - description = "From address is listed in RBL - bad reputation"; - } - symbol "RWL_MAILSPIKE_POSSIBLE" { - weight = 0.0; - description = "From address is listed in RWL - possibly legit"; - } - symbol "RWL_MAILSPIKE_GOOD" { - weight = 0.0; - description = "From address is listed in RWL - good reputation"; - } 
- symbol "RWL_MAILSPIKE_VERYGOOD" { - weight = 0.0; - description = "From address is listed in RWL - very good reputation"; - } - symbol "RWL_MAILSPIKE_EXCELLENT" { - weight = 0.0; - description = "From address is listed in RWL - excellent reputation"; - } - - symbol "RBL_SEM" { - weight = 1.0; - description = "Address is listed in Spameatingmonkey RBL"; - } - - symbol "RBL_SEM_IPV6" { - weight = 1.0; - description = "Address is listed in Spameatingmonkey RBL (ipv6)"; - } - } - - group "bayes" { - symbol "BAYES_SPAM" { - weight = 4.0; - description = "Message probably spam, probability: "; - } - symbol "BAYES_HAM" { - weight = -3.0; - description = "Message probably ham, probability: "; - } - } - - group "fuzzy" { - symbol "FUZZY_UNKNOWN" { - weight = 5.0; - description = "Generic fuzzy hash match"; - } - symbol "FUZZY_DENIED" { - weight = 12.0; - description = "Denied fuzzy hash"; - } - symbol "FUZZY_PROB" { - weight = 5.0; - description = "Probable fuzzy hash"; - } - symbol "FUZZY_WHITE" { - weight = -2.1; - description = "Whitelisted fuzzy hash"; - } - } - - group "spf" { - symbol "R_SPF_FAIL" { - weight = 1.0; - description = "SPF verification failed"; - } - symbol "R_SPF_SOFTFAIL" { - weight = 0.0; - description = "SPF verification soft-failed"; - } - symbol "R_SPF_NEUTRAL" { - weight = 0.0; - description = "SPF policy is neutral"; - } - symbol "R_SPF_ALLOW" { - weight = -0.2; - description = "SPF verification allows sending"; - } - symbol "R_SPF_DNSFAIL" { - weight = 0.0; - description = "SPF DNS failure"; - } - } - - group "dkim" { - symbol "R_DKIM_REJECT" { - weight = 1.0; - description = "DKIM verification failed"; - one_shot = true; - } - symbol "R_DKIM_TEMPFAIL" { - weight = 0.0; - description = "DKIM verification soft-failed"; - } - symbol "R_DKIM_ALLOW" { - weight = -0.2; - description = "DKIM verification succeed"; - one_shot = true; - } - } - - group "surbl" { - max_score = 12.5; - - symbol "SURBL_BLOCKED" { - weight = 0.0; - description = "SURBL: 
blocked by policy/overusage"; - } - symbol "PH_SURBL_MULTI" { - weight = 5.5; - description = "SURBL: Phishing sites"; - } - symbol "MW_SURBL_MULTI" { - weight = 5.5; - description = "SURBL: Malware sites"; - } - symbol "ABUSE_SURBL" { - weight = 5.5; - description = "SURBL: ABUSE"; - } - symbol "CRACKED_SURBL" { - weight = 4.0; - description = "SURBL: cracked site"; - } - symbol "RAMBLER_URIBL" { - weight = 4.5; - description = "Rambler uribl"; - one_shot = true; - } - - symbol "RAMBLER_EMAILBL" { - weight = 9.5; - description = "Rambler emailbl"; - one_shot = true; - } - - symbol "MSBL_EBL" { - weight = 7.5; - description = "MSBL emailbl"; - one_shot = true; - } - - symbol "SEM_URIBL_UNKNOWN" { - weight = 0.0; - description = "Spameatingmonkey uribl: unknown result"; - } - symbol "SEM_URIBL" { - weight = 3.5; - description = "Spameatingmonkey uribl"; - } - - symbol "SEM_URIBL_FRESH15_UNKNOWN" { - weight = 0.0; - description = "Spameatingmonkey Fresh15 uribl: unknown result"; - } - symbol "SEM_URIBL_FRESH15" { - weight = 3.0; - description = "Spameatingmonkey uribl. 
Domains registered in the last 15 days (.AERO,.BIZ,.COM,.INFO,.NAME,.NET,.PRO,.SK,.TEL,.US)"; - } - - symbol "DBL" { - weight = 0.0; - description = "DBL unknown result"; - } - symbol "DBL_SPAM" { - weight = 6.5; - description = "DBL uribl spam"; - } - symbol "DBL_PHISH" { - weight = 6.5; - description = "DBL uribl phishing"; - } - symbol "DBL_MALWARE" { - weight = 6.5; - description = "DBL uribl malware"; - } - symbol "DBL_BOTNET" { - weight = 5.5; - description = "DBL uribl botnet C&C domain"; - } - symbol "DBL_ABUSE" { - weight = 6.5; - description = "DBL uribl abused legit spam"; - } - symbol "DBL_ABUSE_REDIR" { - weight = 1.5; - description = "DBL uribl abused spammed redirector domain"; - } - symbol "DBL_ABUSE_PHISH" { - weight = 7.5; - description = "DBL uribl abused legit phish"; - } - symbol "DBL_ABUSE_MALWARE" { - weight = 7.5; - description = "DBL uribl abused legit malware"; - } - symbol "DBL_ABUSE_BOTNET" { - weight = 5.5; - description = "DBL uribl abused legit botnet C&C"; - } - symbol "DBL_PROHIBIT" { - weight = 0.00000; - description = "DBL uribl IP queries prohibited!"; - } - symbol "URIBL_MULTI" { - weight = 0.0; - description = "uribl.com: unrecognised result"; - } - symbol "URIBL_BLOCKED" { - weight = 0.0; - description = "uribl.com: query refused"; - } - symbol "URIBL_BLACK" { - weight = 7.5; - description = "uribl.com black url"; - } - symbol "URIBL_RED" { - weight = 3.5; - description = "uribl.com red url"; - } - symbol "URIBL_GREY" { - weight = 1.5; - description = "uribl.com grey url"; - one_shot = true; - } - symbol "SBL_URIBL" { - weight = 0.0; - description = "SBL URIBL: Filtered result"; - } - symbol "URIBL_SBL" { - weight = 6.5; - description = "Spamhaus SBL URIBL"; - } - symbol "URIBL_SBL_CSS" { - weight = 6.5; - description = "Spamhaus SBL CSS URIBL"; - } - symbol "RBL_SARBL_BAD" { - weight = 2.5; - description = "A domain listed in the mail is blacklisted in SARBL"; - } - } - - group "phishing" { - symbol "PHISHING" { - weight = 
4.0; - description = "Phished URL"; - one_shot = true; - } - symbol "PHISHED_OPENPHISH" { - weight = 7.0; - description = "Phished URL found in openphish.com"; - } - symbol "PHISHED_PHISHTANK" { - weight = 7.0; - description = "Phished URL found in phishtank.com"; - } - symbol HACKED_WP_PHISHING { - weight = 4.5; - description = "Phishing message from hacked wordpress"; - } - } - - group "hfilter" { - symbol "HFILTER_HELO_BAREIP" { - weight = 3.00; - description = "Helo host is bare ip"; - } - symbol "HFILTER_HELO_BADIP" { - weight = 4.50; - description = "Helo host is very bad ip"; - } - symbol "HFILTER_HELO_1" { - weight = 0.5; - description = "Helo host checks (very low)"; - } - symbol "HFILTER_HELO_2" { - weight = 1.00; - description = "Helo host checks (low)"; - } - symbol "HFILTER_HELO_3" { - weight = 2.00; - description = "Helo host checks (medium)"; - } - symbol "HFILTER_HELO_4" { - weight = 2.50; - description = "Helo host checks (hard)"; - } - symbol "HFILTER_HELO_5" { - weight = 3.00; - description = "Helo host checks (very hard)"; - } - symbol "HFILTER_HOSTNAME_1" { - weight = 0.5; - description = "Hostname checks (very low)"; - } - symbol "HFILTER_HOSTNAME_2" { - weight = 1.00; - description = "Hostname checks (low)"; - } - symbol "HFILTER_HOSTNAME_3" { - weight = 2.00; - description = "Hostname checks (medium)"; - } - symbol "HFILTER_HOSTNAME_4" { - weight = 2.50; - description = "Hostname checks (hard)"; - } - symbol "HFILTER_HOSTNAME_5" { - weight = 3.00; - description = "Hostname checks (very hard)"; - } - symbol "HFILTER_HELO_NORESOLVE_MX" { - weight = 0.20; - description = "MX found in Helo and no resolve"; - } - symbol "HFILTER_HELO_NORES_A_OR_MX" { - weight = 0.3; - description = "Helo no resolve to A or MX"; - } - symbol "HFILTER_HELO_IP_A" { - weight = 1.00; - description = "Helo A IP != hostname IP"; - } - symbol "HFILTER_HELO_NOT_FQDN" { - weight = 2.00; - description = "Helo not FQDN"; - } - symbol "HFILTER_FROMHOST_NORESOLVE_MX" { - 
weight = 0.5; - description = "MX found in FROM host and no resolve"; - } - symbol "HFILTER_FROMHOST_NORES_A_OR_MX" { - weight = 1.50; - description = "FROM host no resolve to A or MX"; - } - symbol "HFILTER_FROMHOST_NOT_FQDN" { - weight = 3.00; - description = "FROM host not FQDN"; - } - symbol "HFILTER_FROM_BOUNCE" { - weight = 0.00; - description = "Bounce message"; - } - /* - symbol { - weight = 0.50; - name = "HFILTER_MID_NORESOLVE_MX"; - description = "MX found in Message-id host and no resolve"; - } - symbol { - weight = 0.50; - name = "HFILTER_MID_NORES_A_OR_MX"; - description = "Message-id host no resolve to A or MX"; - } - symbol { - weight = 0.50; - name = "HFILTER_MID_NOT_FQDN"; - description = "Message-id host not FQDN"; - } - */ - symbol "HFILTER_HOSTNAME_UNKNOWN" { - weight = 2.50; - description = "Unknown hostname (no PTR or no resolve PTR to hostname)"; - } - symbol "HFILTER_RCPT_BOUNCEMOREONE" { - weight = 1.50; - description = "Message from bounce and over 1 recipient"; - } - symbol "HFILTER_URL_ONLY" { - weight = 2.20; - description = "URL only in body"; - } - symbol "HFILTER_URL_ONELINE" { - weight = 2.50; - description = "One line URL and text in body"; - } - } - - group "dmarc" { - - symbol "DMARC_POLICY_ALLOW" { - weight = -0.5; - description = "DMARC permit policy"; - } - symbol "DMARC_POLICY_ALLOW_WITH_FAILURES" { - weight = -0.5; - description = "DMARC permit policy with DKIM/SPF failure"; - } - symbol "DMARC_POLICY_REJECT" { - weight = 2.0; - description = "DMARC reject policy"; - } - symbol "DMARC_POLICY_QUARANTINE" { - weight = 1.5; - description = "DMARC quarantine policy"; - } - symbol "DMARC_POLICY_SOFTFAIL" { - weight = 0.1; - description = "DMARC failed"; - } - } - group "mime_types" { - symbol "MIME_GOOD" { - weight = -0.1; - description = "Known content-type"; - one_shot = true; - } - symbol "MIME_BAD" { - weight = 1.0; - description = "Known bad content-type"; - one_shot = true; - } - symbol "MIME_UNKNOWN" { - weight = 0.1; - 
description = "Missing or unknown content-type"; - one_shot = true; - } - symbol "MIME_BAD_ATTACHMENT" { - weight = 4.0; - description = "Invalid attachment mime type"; - one_shot = true; - } - symbol "MIME_ENCRYPTED_ARCHIVE" { - weight = 2.0; - description = "Encrypted archive in a message"; - one_shot = true; - } - symbol "MIME_ARCHIVE_IN_ARCHIVE" { - weight = 5.0; - description = "Archive within another archive"; - one_shot = true; - } - symbol "MIME_DOUBLE_BAD_EXTENSION" { - weight = 3.0; # This rule has dynamic weight up to 4.0 - description = "Bad extension cloaking"; - one_shot = true; - } - symbol "MIME_BAD_EXTENSION" { - weight = 2.0; # This rule has dynamic weight up to 4.0 - description = "Bad extension"; - one_shot = true; - } - } - .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/metrics.conf" .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/metrics.conf" } diff --git a/conf/scores.d/fuzzy_group.conf b/conf/scores.d/fuzzy_group.conf new file mode 100644 index 000000000..ecce1b495 --- /dev/null +++ b/conf/scores.d/fuzzy_group.conf 
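Review bot: The deprecation comment added at the top of this hunk points administrators to `actions.conf` and `groups.conf` but does not say that the group names themselves changed. The removed `group "header"`, `"bayes"`, `"spf"`, `"dkim"` and `"dmarc"` blocks are replaced in `conf/groups.conf` by `"headers"`, `"statistics"` and `"policies"`. A `local.d/metrics.conf` or `override.d/metrics.conf` that still addresses the old names is still included here and would presumably adjust groups that no default symbol belongs to any more, so local score tuning could stop applying without any error. The hunk also removes `max_score = 6.0` from `group "subject"` and `max_score = 12.5` from `group "surbl"`; the new `groups.conf` entries only include files under `scores.d/`, and those two files are not in the part of the patch visible here, so it is worth checking that the caps were carried over. I would extend the comment with something like `# Groups were renamed: header -> headers, bayes -> statistics, spf/dkim/dmarc -> policies`.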
@@ -0,0 +1,35 @@
+# Fuzzy rules scores
+#
+# Please don't modify this file as your changes might be overwritten with
+# the next update.
+#
+# You can modify '$LOCAL_CONFDIR/rspamd.conf.local.override' to redefine
+# parameters defined on the top level
+#
+# You can modify '$LOCAL_CONFDIR/rspamd.conf.local' to add
+# parameters defined on the top level
+#
+# For specific modules or configuration you can also modify
+# '$LOCAL_CONFDIR/local.d/file.conf' - to add your options or rewrite defaults
+# '$LOCAL_CONFDIR/override.d/file.conf' - to override the defaults
+#
+# See https://rspamd.com/doc/tutorials/writing_rules.html for details
+
+symbols = {
+ "FUZZY_UNKNOWN" {
+ weight = 5.0;
+ description = "Generic fuzzy hash match";
+ }
+ "FUZZY_DENIED" {
+ weight = 12.0;
+ description = "Denied fuzzy hash";
+ }
+ "FUZZY_PROB" {
+ weight = 5.0;
+ description = "Probable fuzzy hash";
+ }
+ "FUZZY_WHITE" {
+ weight = -2.1;
+ description = "Whitelisted fuzzy hash";
+ }
+}
\ No newline at end of file
diff --git a/conf/scores.d/headers_group.conf b/conf/scores.d/headers_group.conf
new file mode 100644
index 000000000..ac3134e36
--- /dev/null
+++ b/conf/scores.d/headers_group.conf
@@ -0,0 +1,61 @@
+# Headers rules scores
+#
+# Please don't modify this file as your changes might be overwritten with
+# the next update.
+#
+# You can modify '$LOCAL_CONFDIR/rspamd.conf.local.override' to redefine
+# parameters defined on the top level
+#
+# You can modify '$LOCAL_CONFDIR/rspamd.conf.local' to add
+# parameters defined on the top level
+#
+# For specific modules or configuration you can also modify
+# '$LOCAL_CONFDIR/local.d/file.conf' - to add your options or rewrite defaults
+# '$LOCAL_CONFDIR/override.d/file.conf' - to override the defaults
+#
+# See https://rspamd.com/doc/tutorials/writing_rules.html for details
+
+symbols = {
+ "FORGED_SENDER" {
+ weight = 0.30;
+ description = "Sender is forged (different
From: header and smtp MAIL FROM: addresses)";
+ }
+ "R_MIXED_CHARSET" {
+ weight = 5.0;
+ description = "Mixed characters in a message";
+ one_shot = true;
+ }
+ "R_MIXED_CHARSET_URL" {
+ weight = 7.0;
+ description = "Mixed characters in a URL inside message";
+ one_shot = true;
+ }
+ "FORGED_RECIPIENTS" {
+ weight = 2.0;
+ description = "Recipients are not the same as RCPT TO: mail command";
+ }
+ "FORGED_RECIPIENTS_MAILLIST" {
+ weight = 0.0;
+ description = "Recipients are not the same as RCPT TO: mail command, but a message from a maillist";
+ }
+ "FORGED_SENDER_MAILLIST" {
+ weight = 0.0;
+ description = "Sender is not the same as MAIL FROM: envelope, but a message is from a maillist";
+ }
+ "ONCE_RECEIVED" {
+ weight = 0.1;
+ description = "One received header in a message";
+ }
+ "RDNS_NONE" {
+ weight = 1.0;
+ description = "Cannot resolve reverse DNS for sender's IP";
+ }
+ "ONCE_RECEIVED_STRICT" {
+ weight = 4.0;
+ description = "One received header with 'bad' patterns inside";
+ }
+ "MAILLIST" {
+ weight = -0.2;
+ description = "Message seems to be from maillist";
+ }
+}
\ No newline at end of file
diff --git a/conf/scores.d/hfilter_group.conf b/conf/scores.d/hfilter_group.conf
new file mode 100644
index 000000000..6b6f31031
--- /dev/null
+++ b/conf/scores.d/hfilter_group.conf
@@ -0,0 +1,131 @@
+# Host and connection rules scores
+#
+# Please don't modify this file as your changes might be overwritten with
+# the next update.
+#
+# You can modify '$LOCAL_CONFDIR/rspamd.conf.local.override' to redefine
+# parameters defined on the top level
+#
+# You can modify '$LOCAL_CONFDIR/rspamd.conf.local' to add
+# parameters defined on the top level
+#
+# For specific modules or configuration you can also modify
+# '$LOCAL_CONFDIR/local.d/file.conf' - to add your options or rewrite defaults
+# '$LOCAL_CONFDIR/override.d/file.conf' - to override the defaults
+#
+# See https://rspamd.com/doc/tutorials/writing_rules.html for details
+
+symbols = {
+ "HFILTER_HELO_BAREIP" {
+ weight = 3.00;
+ description = "Helo host is bare ip";
+ }
+ "HFILTER_HELO_BADIP" {
+ weight = 4.50;
+ description = "Helo host is very bad ip";
+ }
+ "HFILTER_HELO_1" {
+ weight = 0.5;
+ description = "Helo host checks (very low)";
+ }
+ "HFILTER_HELO_2" {
+ weight = 1.00;
+ description = "Helo host checks (low)";
+ }
+ "HFILTER_HELO_3" {
+ weight = 2.00;
+ description = "Helo host checks (medium)";
+ }
+ "HFILTER_HELO_4" {
+ weight = 2.50;
+ description = "Helo host checks (hard)";
+ }
+ "HFILTER_HELO_5" {
+ weight = 3.00;
+ description = "Helo host checks (very hard)";
+ }
+ "HFILTER_HOSTNAME_1" {
+ weight = 0.5;
+ description = "Hostname checks (very low)";
+ }
+ "HFILTER_HOSTNAME_2" {
+ weight = 1.00;
+ description = "Hostname checks (low)";
+ }
+ "HFILTER_HOSTNAME_3" {
+ weight = 2.00;
+ description = "Hostname checks (medium)";
+ }
+ "HFILTER_HOSTNAME_4" {
+ weight = 2.50;
+ description = "Hostname checks (hard)";
+ }
+ "HFILTER_HOSTNAME_5" {
+ weight = 3.00;
+ description = "Hostname checks (very hard)";
+ }
+ "HFILTER_HELO_NORESOLVE_MX" {
+ weight = 0.20;
+ description = "MX found in Helo and no resolve";
+ }
+ "HFILTER_HELO_NORES_A_OR_MX" {
+ weight = 0.3;
+ description = "Helo no resolve to A or MX";
+ }
+ "HFILTER_HELO_IP_A" {
+ weight = 1.00;
+ description = "Helo A
IP != hostname IP";
+ }
+ "HFILTER_HELO_NOT_FQDN" {
+ weight = 2.00;
+ description = "Helo not FQDN";
+ }
+ "HFILTER_FROMHOST_NORESOLVE_MX" {
+ weight = 0.5;
+ description = "MX found in FROM host and no resolve";
+ }
+ "HFILTER_FROMHOST_NORES_A_OR_MX" {
+ weight = 1.50;
+ description = "FROM host no resolve to A or MX";
+ }
+ "HFILTER_FROMHOST_NOT_FQDN" {
+ weight = 3.00;
+ description = "FROM host not FQDN";
+ }
+ "HFILTER_FROM_BOUNCE" {
+ weight = 0.00;
+ description = "Bounce message";
+ }
+/*
+ # Disabled by default
+ "HFILTER_MID_NORESOLVE_MX" {
+ weight = 0.50;
+ description = "MX found in Message-id host and no resolve";
+ }
+ "HFILTER_MID_NORES_A_OR_MX" {
+ weight = 0.50;
+ name = ;
+ description = "Message-id host no resolve to A or MX";
+ }
+ "HFILTER_MID_NOT_FQDN" {
+ weight = 0.50;
+ description = "Message-id host not FQDN";
+ }
+*/
+ "HFILTER_HOSTNAME_UNKNOWN" {
+ weight = 2.50;
+ description = "Unknown hostname (no PTR or no resolve PTR to hostname)";
+ }
+ "HFILTER_RCPT_BOUNCEMOREONE" {
+ weight = 1.50;
+ description = "Message from bounce and over 1 recipient";
+ }
+ "HFILTER_URL_ONLY" {
+ weight = 2.20;
+ description = "URL only in body";
+ }
+ "HFILTER_URL_ONELINE" {
+ weight = 2.50;
+ description = "One line URL and text in body";
+ }
+}
\ No newline at end of file
diff --git a/conf/scores.d/mime_types_group.conf b/conf/scores.d/mime_types_group.conf
new file mode 100644
index 000000000..10cb1ba93
--- /dev/null
+++ b/conf/scores.d/mime_types_group.conf
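Review bot: The commented-out block in the middle of this hunk carries a conversion leftover, `name = ;`, under `"HFILTER_MID_NORES_A_OR_MX"`. The old `symbol { name = "..."; }` form needed a name field; the new keyed form does not. The line is inert while the `/* ... */` stays, but anyone who enables these three symbols by removing the comment markers would most likely get a file that fails to parse, and `conf/groups.conf` includes this file without `try=true`. Drop the `name = ;` line, and move the `# Disabled by default` remark above the `/*` so it reads as a comment on the block instead of sitting inside the disabled text.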
@@ -0,0 +1,59 @@
+# Mime types rules scores
+#
+# Please don't modify this file as your changes might be overwritten with
+# the next update.
+#
+# You can modify '$LOCAL_CONFDIR/rspamd.conf.local.override' to redefine
+# parameters defined on the top level
+#
+# You can modify '$LOCAL_CONFDIR/rspamd.conf.local' to add
+# parameters defined on the top level
+#
+# For specific modules or configuration you can also modify
+# '$LOCAL_CONFDIR/local.d/file.conf' - to add your options or rewrite defaults
+# '$LOCAL_CONFDIR/override.d/file.conf' - to override the defaults
+#
+# See https://rspamd.com/doc/tutorials/writing_rules.html for details
+
+symbols = {
+ "MIME_GOOD" {
+ weight = -0.1;
+ description = "Known content-type";
+ one_shot = true;
+ }
+ "MIME_BAD" {
+ weight = 1.0;
+ description = "Known bad content-type";
+ one_shot = true;
+ }
+ "MIME_UNKNOWN" {
+ weight = 0.1;
+ description = "Missing or unknown content-type";
+ one_shot = true;
+ }
+ "MIME_BAD_ATTACHMENT" {
+ weight = 4.0;
+ description = "Invalid attachment mime type";
+ one_shot = true;
+ }
+ "MIME_ENCRYPTED_ARCHIVE" {
+ weight = 2.0;
+ description = "Encrypted archive in a message";
+ one_shot = true;
+ }
+ "MIME_ARCHIVE_IN_ARCHIVE" {
+ weight = 5.0;
+ description = "Archive within another archive";
+ one_shot = true;
+ }
+ "MIME_DOUBLE_BAD_EXTENSION" {
+ weight = 3.0; # This rule has dynamic weight up to 4.0
+ description = "Bad extension cloaking";
+ one_shot = true;
+ }
+ "MIME_BAD_EXTENSION" {
+ weight = 2.0; # This rule has dynamic weight up to 4.0
+ description = "Bad extension";
+ one_shot = true;
+ }
+}
\ No newline at end of file
diff --git a/conf/scores.d/mua_group.conf b/conf/scores.d/mua_group.conf
new file mode 100644
index 000000000..b912a854a
--- /dev/null
+++ b/conf/scores.d/mua_group.conf
@@ -0,0 +1,24 @@
+# MUA rules scores
+#
+# Please don't modify this file as your changes might be overwritten with
+# the next update.
+#
+# You can modify '$LOCAL_CONFDIR/rspamd.conf.local.override' to redefine
+# parameters defined on the top level
+#
+# You can modify '$LOCAL_CONFDIR/rspamd.conf.local' to add
+# parameters defined on the top level
+#
+# For specific modules or configuration you can also modify
+# '$LOCAL_CONFDIR/local.d/file.conf' - to add your options or rewrite defaults
+# '$LOCAL_CONFDIR/override.d/file.conf' - to override the defaults
+#
+# See https://rspamd.com/doc/tutorials/writing_rules.html for details
+
+
+symbols = {
+ "FORGED_MUA_MAILLIST" {
+ weight = 0.0;
+ description = "Avoid false positives for FORGED_MUA_* in maillist";
+ }
+}
\ No newline at end of file
diff --git a/conf/scores.d/phishing_group.conf b/conf/scores.d/phishing_group.conf
new file mode 100644
index 000000000..d5a4ee098
--- /dev/null
+++ b/conf/scores.d/phishing_group.conf
@@ -0,0 +1,36 @@
+# Phishing rules scores
+#
+# Please don't modify this file as your changes might be overwritten with
+# the next update.
+#
+# You can modify '$LOCAL_CONFDIR/rspamd.conf.local.override' to redefine
+# parameters defined on the top level
+#
+# You can modify '$LOCAL_CONFDIR/rspamd.conf.local' to add
+# parameters defined on the top level
+#
+# For specific modules or configuration you can also modify
+# '$LOCAL_CONFDIR/local.d/file.conf' - to add your options or rewrite defaults
+# '$LOCAL_CONFDIR/override.d/file.conf' - to override the defaults
+#
+# See https://rspamd.com/doc/tutorials/writing_rules.html for details
+
+symbols = {
+ "PHISHING" {
+ weight = 4.0;
+ description = "Phished URL";
+ one_shot = true;
+ }
+ "PHISHED_OPENPHISH" {
+ weight = 7.0;
+ description = "Phished URL found in openphish.com";
+ }
+ "PHISHED_PHISHTANK" {
+ weight = 7.0;
+ description = "Phished URL found in phishtank.com";
+ }
+ HACKED_WP_PHISHING {
+ weight = 4.5;
+ description = "Phishing message from hacked wordpress";
+ }
+}
\ No newline at end of file
diff --git a/conf/scores.d/policies_group.conf b/conf/scores.d/policies_group.conf
new file mode 100644
index 000000000..9885a5efa
--- /dev/null
+++ b/conf/scores.d/policies_group.conf
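Review bot: `HACKED_WP_PHISHING` is the only symbol key in this block written without quotes, while every other key in the scores.d files added by this commit is quoted; `"HACKED_WP_PHISHING" {` would keep the file uniform. Separately, `PHISHED_OPENPHISH` and `PHISHED_PHISHTANK` carry weight 7.0 without `one_shot = true`, unlike `PHISHING` directly above them. If the omission is deliberate, a short comment on those two entries saying so would help the next person tuning scores; whether repeated hits actually accumulate is not visible from this hunk.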
@@ -0,0 +1,104 @@
+# Policies rules scores, includes SPF, DKIM, DMARC and ARC symbols
+#
+# Please don't modify this file as your changes might be overwritten with
+# the next update.
+#
+# You can modify '$LOCAL_CONFDIR/rspamd.conf.local.override' to redefine
+# parameters defined on the top level
+#
+# You can modify '$LOCAL_CONFDIR/rspamd.conf.local' to add
+# parameters defined on the top level
+#
+# For specific modules or configuration you can also modify
+# '$LOCAL_CONFDIR/local.d/file.conf' - to add your options or rewrite defaults
+# '$LOCAL_CONFDIR/override.d/file.conf' - to override the defaults
+#
+# See https://rspamd.com/doc/tutorials/writing_rules.html for details
+
+symbols = {
+ # SPF
+ "R_SPF_FAIL" {
+ weight = 1.0;
+ description = "SPF verification failed";
+ }
+ "R_SPF_SOFTFAIL" {
+ weight = 0.0;
+ description = "SPF verification soft-failed";
+ }
+ "R_SPF_NEUTRAL" {
+ weight = 0.0;
+ description = "SPF policy is neutral";
+ }
+ "R_SPF_ALLOW" {
+ weight = -0.2;
+ description = "SPF verification allows sending";
+ }
+ "R_SPF_DNSFAIL" {
+ weight = 0.0;
+ description = "SPF DNS failure";
+ }
+
+ # DKIM
+ "R_DKIM_REJECT" {
+ weight = 1.0;
+ description = "DKIM verification failed";
+ one_shot = true;
+ }
+ "R_DKIM_TEMPFAIL" {
+ weight = 0.0;
+ description = "DKIM verification soft-failed";
+ }
+ "R_DKIM_ALLOW" {
+ weight = -0.2;
+ description = "DKIM verification succeed";
+ one_shot = true;
+ }
+
+ # DMARC
+ "DMARC_POLICY_ALLOW" {
+ weight = -0.5;
+ description = "DMARC permit policy";
+ }
+ "DMARC_POLICY_ALLOW_WITH_FAILURES" {
+ weight = -0.5;
+ description = "DMARC permit policy with DKIM/SPF failure";
+ }
+ "DMARC_POLICY_REJECT" {
+ weight = 2.0;
+ description = "DMARC reject policy";
+ }
+ "DMARC_POLICY_QUARANTINE" {
+ weight = 1.5;
+ description = "DMARC quarantine policy";
+ }
+ "DMARC_POLICY_SOFTFAIL" {
+ weight = 0.1;
+ description = "DMARC failed";
+ }
+
+ # ARC
+ "ARC_ALLOW" {
+ weight = -1.0;
+ description = "ARC checks success"
+ }
+
"ARC_REJECT" {
+ weight = 2.0;
+ description = "ARC checks success"
+ }
+
+ "ARC_INVALID" {
+ weight = 1.0;
+ description = "ARC structure invalid"
+ }
+
+ "ARC_DNSFAIL" {
+ weight = 0.0;
+ description = "ARC DNS error"
+ }
+
+ "ARC_NA" {
+ weight = 0.0;
+ description = "ARC signature absent"
+ }
+}
\ No newline at end of file
diff --git a/conf/scores.d/rbl_group.conf b/conf/scores.d/rbl_group.conf
new file mode 100644
index 000000000..8703afd3d
--- /dev/null
+++ b/conf/scores.d/rbl_group.conf
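Review bot: The `ARC_REJECT` entry carries `description = "ARC checks success"`, the same text as `ARC_ALLOW`, although it is the symbol with weight 2.0; this looks like a copy-paste slip and should read something like `description = "ARC checks failed";`. The description is presumably what an operator sees next to the symbol when triaging a scored message, so a reject labelled as success is misleading during investigation. The five ARC entries also omit the trailing `;` after `description`, unlike every SPF, DKIM and DMARC entry above them; adding it keeps the file uniform.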
@@ -0,0 +1,132 @@
+# RBL rules scores
+#
+# Please don't modify this file as your changes might be overwritten with
+# the next update.
+#
+# You can modify '$LOCAL_CONFDIR/rspamd.conf.local.override' to redefine
+# parameters defined on the top level
+#
+# You can modify '$LOCAL_CONFDIR/rspamd.conf.local' to add
+# parameters defined on the top level
+#
+# For specific modules or configuration you can also modify
+# '$LOCAL_CONFDIR/local.d/file.conf' - to add your options or rewrite defaults
+# '$LOCAL_CONFDIR/override.d/file.conf' - to override the defaults
+#
+# See https://rspamd.com/doc/tutorials/writing_rules.html for details
+
+symbols = {
+ "DNSWL_BLOCKED" {
+ weight = 0.0;
+ description = "Resolver blocked due to excessive queries";
+ }
+ "RCVD_IN_DNSWL" {
+ weight = 0.0;
+ description = "Unrecognised result from dnswl.org";
+ }
+ "RCVD_IN_DNSWL_NONE" {
+ weight = 0.0;
+ description = "Sender listed at http://www.dnswl.org, low none";
+ }
+ "RCVD_IN_DNSWL_LOW" {
+ weight = 0.0;
+ description = "Sender listed at http://www.dnswl.org, low trust";
+ }
+ "RCVD_IN_DNSWL_MED" {
+ weight = 0.0;
+ description = "Sender listed at http://www.dnswl.org, medium trust";
+ }
+ "RCVD_IN_DNSWL_HI" {
+ weight = 0.0;
+ description = "Sender listed at http://www.dnswl.org, high trust";
+ }
+
+ "RBL_SPAMHAUS" {
+ weight = 0.0;
+ description = "Unrecognised result from Spamhaus zen";
+ }
+ "RBL_SPAMHAUS_SBL" {
+ weight = 2.0;
+ description = "From address is listed in zen sbl";
+ }
+ "RBL_SPAMHAUS_CSS" {
+ weight = 2.0;
+ description = "From address is listed in zen css";
+ }
+ "RBL_SPAMHAUS_XBL" {
+ weight = 4.0;
+ description = "From address is listed in zen xbl";
+ }
+ "RBL_SPAMHAUS_XBL_ANY" {
+ weight = 4.0;
+ description = "From or received address is listed in zen xbl (any list)";
+ }
+ "RBL_SPAMHAUS_PBL" {
+ weight = 2.0;
+ description = "From address is listed in zen pbl (ISP list)";
+ }
+ "RBL_SPAMHAUS_DROP" {
+ weight = 7.0;
+ description = "From address is listed in 
zen drop bl";
+ }
+ "RECEIVED_SPAMHAUS_XBL" {
+ weight = 3.0;
+ description = "Received address is listed in zen xbl";
+ one_shot = true;
+ }
+
+ "RBL_SENDERSCORE" {
+ weight = 2.0;
+ description = "From address is listed in senderscore.com BL";
+ }
+ "RBL_ABUSECH" {
+ weight = 1.0;
+ description = "From address is listed in ABUSE.CH BL";
+ }
+ "MAILSPIKE" {
+ weight = 0.0;
+ description = "Unrecognised result from Mailspike";
+ }
+ "RWL_MAILSPIKE_NEUTRAL" {
+ weight = 0.0;
+ description = "Neutral result from Mailspike";
+ }
+ "RBL_MAILSPIKE_WORST" {
+ weight = 2.0;
+ description = "From address is listed in RBL - worst possible reputation";
+ }
+ "RBL_MAILSPIKE_VERYBAD" {
+ weight = 1.5;
+ description = "From address is listed in RBL - very bad reputation";
+ }
+ "RBL_MAILSPIKE_BAD" {
+ weight = 1.0;
+ description = "From address is listed in RBL - bad reputation";
+ }
+ "RWL_MAILSPIKE_POSSIBLE" {
+ weight = 0.0;
+ description = "From address is listed in RWL - possibly legit";
+ }
+ "RWL_MAILSPIKE_GOOD" {
+ weight = 0.0;
+ description = "From address is listed in RWL - good reputation";
+ }
+ "RWL_MAILSPIKE_VERYGOOD" {
+ weight = 0.0;
+ description = "From address is listed in RWL - very good reputation";
+ }
+ "RWL_MAILSPIKE_EXCELLENT" {
+ weight = 0.0;
+ description = "From address is listed in RWL - excellent reputation";
+ }
+
+ "RBL_SEM" {
+ weight = 1.0;
+ description = "Address is listed in Spameatingmonkey RBL";
+ }
+
+ "RBL_SEM_IPV6" {
+ weight = 1.0;
+ description = "Address is listed in Spameatingmonkey RBL (ipv6)";
+ }
+}
\ No newline at end of file
diff --git a/conf/scores.d/statistics_group.conf b/conf/scores.d/statistics_group.conf
new file mode 100644
index 000000000..0d257d4bd
--- /dev/null
+++ b/conf/scores.d/statistics_group.conf
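Review bot: The description of `RCVD_IN_DNSWL_NONE` reads `"Sender listed at http://www.dnswl.org, low none"`, which looks like the `_LOW` text with one word swapped; `"Sender listed at http://www.dnswl.org, no trust"` would match the low/medium/high wording of its siblings. The Spamhaus, Senderscore, ABUSE.CH and Mailspike entries say "From address is listed", while `RECEIVED_SPAMHAUS_XBL` speaks of a received address. If these lists are queried with the connecting IP rather than the From header address, the descriptions should say so, because the wording shapes how an analyst reads the hit; this cannot be confirmed from the config alone.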
@@ -0,0 +1,27 @@
+# Bayes and statistics rules scores
+#
+# Please don't modify this file as your changes might be overwritten with
+# the next update.
+#
+# You can modify '$LOCAL_CONFDIR/rspamd.conf.local.override' to redefine
+# parameters defined on the top level
+#
+# You can modify '$LOCAL_CONFDIR/rspamd.conf.local' to add
+# parameters defined on the top level
+#
+# For specific modules or configuration you can also modify
+# '$LOCAL_CONFDIR/local.d/file.conf' - to add your options or rewrite defaults
+# '$LOCAL_CONFDIR/override.d/file.conf' - to override the defaults
+#
+# See https://rspamd.com/doc/tutorials/writing_rules.html for details
+
+symbols = {
+ "BAYES_SPAM" {
+ weight = 4.0;
+ description = "Message probably spam, probability: ";
+ }
+ "BAYES_HAM" {
+ weight = -3.0;
+ description = "Message probably ham, probability: ";
+ }
+}
\ No newline at end of file
diff --git a/conf/scores.d/subject_group.conf b/conf/scores.d/subject_group.conf
new file mode 100644
index 000000000..d151e0401
--- /dev/null
+++ b/conf/scores.d/subject_group.conf
@@ -0,0 +1,21 @@
+# Subject rules scores
+#
+# Please don't modify this file as your changes might be overwritten with
+# the next update.
+#
+# You can modify '$LOCAL_CONFDIR/rspamd.conf.local.override' to redefine
+# parameters defined on the top level
+#
+# You can modify '$LOCAL_CONFDIR/rspamd.conf.local' to add
+# parameters defined on the top level
+#
+# For specific modules or configuration you can also modify
+# '$LOCAL_CONFDIR/local.d/file.conf' - to add your options or rewrite defaults
+# '$LOCAL_CONFDIR/override.d/file.conf' - to override the defaults
+#
+# See https://rspamd.com/doc/tutorials/writing_rules.html for details
+
+symbols = {
+}
+
+max_score = 6.0;
\ No newline at end of file
diff --git a/conf/scores.d/surbl_group.conf b/conf/scores.d/surbl_group.conf
new file mode 100644
index 000000000..6f5ba4302
--- /dev/null
+++ b/conf/scores.d/surbl_group.conf
@@ -0,0 +1,159 @@
+# URIBL rules scores
+#
+# Please don't modify this file as your changes might be overwritten with
+# the next update.
+#
+# You can modify '$LOCAL_CONFDIR/rspamd.conf.local.override' to redefine
+# parameters defined on the top level
+#
+# You can modify '$LOCAL_CONFDIR/rspamd.conf.local' to add
+# parameters defined on the top level
+#
+# For specific modules or configuration you can also modify
+# '$LOCAL_CONFDIR/local.d/file.conf' - to add your options or rewrite defaults
+# '$LOCAL_CONFDIR/override.d/file.conf' - to override the defaults
+#
+# See https://rspamd.com/doc/tutorials/writing_rules.html for details
+
+
+max_score = 12.5;
+
+symbols = {
+ "SURBL_BLOCKED" {
+ weight = 0.0;
+ description = "SURBL: blocked by policy/overusage";
+ }
+ "PH_SURBL_MULTI" {
+ weight = 5.5;
+ description = "SURBL: Phishing sites";
+ }
+ "MW_SURBL_MULTI" {
+ weight = 5.5;
+ description = "SURBL: Malware sites";
+ }
+ "ABUSE_SURBL" {
+ weight = 5.5;
+ description = "SURBL: ABUSE";
+ }
+ "CRACKED_SURBL" {
+ weight = 4.0;
+ description = "SURBL: cracked site";
+ }
+ "RAMBLER_URIBL" {
+ weight = 4.5;
+ description = "Rambler uribl";
+ one_shot = true;
+ }
+
+ "RAMBLER_EMAILBL" {
+ weight = 9.5;
+ description = "Rambler emailbl";
+ one_shot = true;
+ }
+
+ "MSBL_EBL" {
+ weight = 7.5;
+ description = "MSBL emailbl";
+ one_shot = true;
+ }
+
+ "SEM_URIBL_UNKNOWN" {
+ weight = 0.0;
+ description = "Spameatingmonkey uribl: unknown result";
+ }
+ "SEM_URIBL" {
+ weight = 3.5;
+ description = "Spameatingmonkey uribl";
+ }
+
+ "SEM_URIBL_FRESH15_UNKNOWN" {
+ weight = 0.0;
+ description = "Spameatingmonkey Fresh15 uribl: unknown result";
+ }
+ "SEM_URIBL_FRESH15" {
+ weight = 3.0;
+ description = "Spameatingmonkey uribl. 
Domains registered in the last 15 days (.AERO,.BIZ,.COM,.INFO,.NAME,.NET,.PRO,.SK,.TEL,.US)";
+ }
+
+ "DBL" {
+ weight = 0.0;
+ description = "DBL unknown result";
+ }
+ "DBL_SPAM" {
+ weight = 6.5;
+ description = "DBL uribl spam";
+ }
+ "DBL_PHISH" {
+ weight = 6.5;
+ description = "DBL uribl phishing";
+ }
+ "DBL_MALWARE" {
+ weight = 6.5;
+ description = "DBL uribl malware";
+ }
+ "DBL_BOTNET" {
+ weight = 5.5;
+ description = "DBL uribl botnet C&C domain";
+ }
+ "DBL_ABUSE" {
+ weight = 6.5;
+ description = "DBL uribl abused legit spam";
+ }
+ "DBL_ABUSE_REDIR" {
+ weight = 1.5;
+ description = "DBL uribl abused spammed redirector domain";
+ }
+ "DBL_ABUSE_PHISH" {
+ weight = 7.5;
+ description = "DBL uribl abused legit phish";
+ }
+ "DBL_ABUSE_MALWARE" {
+ weight = 7.5;
+ description = "DBL uribl abused legit malware";
+ }
+ "DBL_ABUSE_BOTNET" {
+ weight = 5.5;
+ description = "DBL uribl abused legit botnet C&C";
+ }
+ "DBL_PROHIBIT" {
+ weight = 0.00000;
+ description = "DBL uribl IP queries prohibited!";
+ }
+ "URIBL_MULTI" {
+ weight = 0.0;
+ description = "uribl.com: unrecognised result";
+ }
+ "URIBL_BLOCKED" {
+ weight = 0.0;
+ description = "uribl.com: query refused";
+ }
+ "URIBL_BLACK" {
+ weight = 7.5;
+ description = "uribl.com black url";
+ }
+ "URIBL_RED" {
+ weight = 3.5;
+ description = "uribl.com red url";
+ }
+ "URIBL_GREY" {
+ weight = 1.5;
+ description = "uribl.com grey url";
+ one_shot = true;
+ }
+ "SBL_URIBL" {
+ weight = 0.0;
+ description = "SBL URIBL: Filtered result";
+ }
+ "URIBL_SBL" {
+ weight = 6.5;
+ description = "Spamhaus SBL URIBL";
+ }
+ "URIBL_SBL_CSS" {
+ weight = 6.5;
+ description = "Spamhaus SBL CSS URIBL";
+ }
+ "RBL_SARBL_BAD" {
+ weight = 2.5;
+ description = "A domain listed in the mail is blacklisted in SARBL";
+ }
+}
\ No newline at end of file
diff --git a/src/plugins/lua/arc.lua b/src/plugins/lua/arc.lua
index 53765917e..fc101b0f7 100644
--- a/src/plugins/lua/arc.lua
+++ b/src/plugins/lua/arc.lua
@@ -320,35 +320,35 @@ rspamd_config:register_symbol({ parent = id, type = 'virtual', score = -1.0, - group = 'arc', + group = 'policies', }) rspamd_config:register_symbol({ name = arc_symbols['reject'], parent = id, type = 'virtual', score = 2.0, - group = 'arc', + group = 'policies', }) rspamd_config:register_symbol({ name = arc_symbols['invalid'], parent = id, type = 'virtual', score = 1.0, - group = 'arc', + group = 'policies', }) rspamd_config:register_symbol({ name = arc_symbols['dnsfail'], parent = id, type = 'virtual', score = 0.0, - group = 'arc', + group = 'policies', }) rspamd_config:register_symbol({ name = arc_symbols['na'], parent = id, type = 'virtual', score = 0.0, - group = 'arc', + group = 'policies', }) rspamd_config:register_dependency(id, symbols['spf_allow_symbol']) -- 2.39.5
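Review bot: The `score = …` values left in these five `register_symbol` calls (-1.0, 2.0, 1.0, 0.0, 0.0) match the weights this same commit adds for `ARC_ALLOW` through `ARC_NA` in `conf/scores.d/policies_group.conf`. Assuming `arc_symbols` maps to those names, the defaults now live in two places and can drift apart. A comment above the first call, for example `-- default scores; keep in sync with conf/scores.d/policies_group.conf`, would record the link; which of the two takes precedence at runtime is not visible from this hunk. The literal `'policies'` is also repeated five times and could be held in one local. The first `register_symbol` call begins above the hunk.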