From 90df2efa3cffccbeac2b85623afef1b1cca91518 Mon Sep 17 00:00:00 2001 From: Andrew Lewis Date: Wed, 6 May 2015 14:10:20 +0200 Subject: [PATCH] Config tidying --- conf/common.conf | 2 +- conf/metrics.conf | 1967 +++++++++++++++++++++++++-------------------- conf/modules.conf | 349 ++++---- 3 files changed, 1283 insertions(+), 1035 deletions(-) diff --git a/conf/common.conf b/conf/common.conf index 7155eddfc..a298ac1d7 100644 --- a/conf/common.conf +++ b/conf/common.conf @@ -14,5 +14,5 @@ lua = "$CONFDIR/lua/rspamd.lua" .include(try=true,priority=10) "$CONFDIR/rspamd.conf.local.override" modules { - path = "$PLUGINSDIR/lua/" + path = "$PLUGINSDIR/lua/" } diff --git a/conf/metrics.conf b/conf/metrics.conf index 49f179e9f..e439ba99f 100644 --- a/conf/metrics.conf +++ b/conf/metrics.conf @@ -2,888 +2,1117 @@ metric { name = "default"; - # If this param is set to non-zero + # If this param is set to non-zero # then a metric would accept all symbols # unknown_weight = 1.0 - actions { - reject = 15; - add_header = 6; - greylist = 4; - }; - - group { - name = "header"; - symbol { - weight = 2.0; - description = "Subject is missing inside message"; - name = "MISSING_SUBJECT"; - } - symbol { - weight = 2.100000; - description = "Message pretends to be send from Outlook but has 'strange' tags "; - name = "FORGED_OUTLOOK_TAGS"; - } - symbol { - weight = 0.30; - description = "Sender is forged (different From: header and smtp MAIL FROM: addresses)"; - name = "FORGED_SENDER"; - } - symbol { - weight = 3.500000; - description = "Recipients seems to be autogenerated (works if recipients count is more than 5)"; - name = "SUSPICIOUS_RECIPS"; - } - symbol { - weight = 6.0; - description = "Fake reply (has RE in subject, but has not References header)"; - name = "FAKE_REPLY_C"; - } - symbol { - weight = 1.0; - description = "Messages that have only HTML part"; - name = "MIME_HTML_ONLY"; - } - symbol { - weight = 2.0; - description = "Forged yahoo msgid"; - name = "FORGED_MSGID_YAHOO"; - } - symbol { - weight = 2.0; - description = "Forged The Bat! MUA headers"; - name = "FORGED_MUA_THEBAT_BOUN"; - } - symbol { - weight = 5.0; - description = "Charset is missing in a message"; - name = "R_MISSING_CHARSET"; - } - symbol { - weight = 2.0; - description = "Two received headers with ip addresses"; - name = "RCVD_DOUBLE_IP_SPAM"; - } - symbol { - weight = 5.0; - description = "Forged outlook HTML signature"; - name = "FORGED_OUTLOOK_HTML"; - } - symbol { - weight = 5.0; - description = "Recipients are absent or undisclosed"; - name = "R_UNDISC_RCPT"; - } - symbol { - weight = 2.0; - description = "Fake helo for verizon provider"; - name = "FM_FAKE_HELO_VERIZON"; - } - symbol { - weight = 2.0; - description = "Quoted reply-to from yahoo (seems to be forged)"; - name = "REPTO_QUOTE_YAHOO"; - } - symbol { - weight = 5.0; - description = "Mime-OLE is needed but absent (e.g. fake Outlook or fake Exchange)"; - name = "MISSING_MIMEOLE"; - } - symbol { - weight = 2.0; - description = "To header is missing"; - name = "MISSING_TO"; - } - symbol { - weight = 1.500000; - description = "From that contains encoded characters while base 64 is not needed as all symbols are 7bit"; - name = "FROM_EXCESS_BASE64"; - } - symbol { - weight = 1.200000; - description = "From that contains encoded characters while quoted-printable is not needed as all symbols are 7bit"; - name = "FROM_EXCESS_QP"; - } - symbol { - weight = 1.500000; - description = "To that contains encoded characters while base 64 is not needed as all symbols are 7bit"; - name = "TO_EXCESS_BASE64"; - } - symbol { - weight = 1.200000; - description = "To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit"; - name = "TO_EXCESS_QP"; - } - symbol { - weight = 1.500000; - description = "Reply-To that contains encoded characters while base 64 is not needed as all symbols are 7bit"; - name = "REPLYTO_EXCESS_BASE64"; - } - symbol { - weight = 1.200000; - description = "Reply-To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit"; - name = "REPLYTO_EXCESS_QP"; - } - symbol { - weight = 1.500000; - description = "Cc that contains encoded characters while base 64 is not needed as all symbols are 7bit"; - name = "CC_EXCESS_BASE64"; - } - symbol { - weight = 1.200000; - description = "Cc that contains encoded characters while quoted-printable is not needed as all symbols are 7bit"; - name = "CC_EXCESS_QP"; - } - symbol { - weight = 5.0; - description = "Mixed characters in a message"; - name = "R_MIXED_CHARSET"; - } - symbol { - weight = 3.500000; - description = "Recipients list seems to be sorted"; - name = "SORTED_RECIPS"; - } - symbol { - weight = 3.0; - description = "Spambots signatures in received headers"; - name = "R_RCVD_SPAMBOTS"; - } - symbol { - weight = 2.0; - description = "To header seems to be autogenerated"; - name = "R_TO_SEEMS_AUTO"; - } - symbol { - weight = 1.0; - description = "Subject needs encoding"; - name = "SUBJECT_NEEDS_ENCODING"; - } - symbol { - weight = 3.840000; - description = "Spam string at the end of message to make statistics faults 0"; - name = "TRACKER_ID"; - } - symbol { - weight = 1.0; - description = "No space in from header"; - name = "R_NO_SPACE_IN_FROM"; - } - symbol { - weight = 8.0; - description = "Subject seems to be spam"; - name = "R_SAJDING"; - } - symbol { - weight = 3.0; - description = "Detects bad content-transfer-encoding for text parts"; - name = "R_BAD_CTE_7BIT"; - } - symbol { - weight = 10.0; - description = "Flash redirect on imageshack.us"; - name = "R_FLASH_REDIR_IMGSHACK"; - } - symbol { - weight = 5.0; - description = "Message id is incorrect"; - name = "INVALID_MSGID"; - } - symbol { - weight = 3.0; - description = "Message id is missing "; - name = "MISSING_MID"; - } - symbol { - weight = 1.0; - description = "Recipients are not the same as RCPT TO: mail command"; - name = "FORGED_RECIPIENTS"; - } - symbol { - weight = 0.0; - description = "Recipients are not the same as RCPT TO: mail command, but a message from a maillist"; - name = "FORGED_RECIPIENTS_MAILLIST"; - } - symbol { - weight = 0.0; - description = "Sender is not the same as MAIL FROM: envelope, but a message is from a maillist"; - name = "FORGED_SENDER_MAILLIST"; - } - symbol { - weight = 2.0; - description = "Forged Exchange messages "; - name = "RATWARE_MS_HASH"; - } - symbol { - weight = 1.0; - description = "Reply-type in content-type"; - name = "STOX_REPLY_TYPE"; - } - symbol { - weight = 1.0; - description = "One received header in a message "; - name = "ONCE_RECEIVED"; - } - symbol { - weight = 4.0; - description = "One received header with 'bad' patterns inside"; - name = "ONCE_RECEIVED_STRICT"; - } - symbol { - weight = 2.0; - description = "Only Content-Type header without other MIME headers"; - name = "MIME_HEADER_CTYPE_ONLY"; - } - symbol { - weight = -1.0; - description = "Message seems to be from maillist"; - name = "MAILLIST"; - } - symbol { - weight = 1.0; - description = "Header From begins with tab"; - name = "HEADER_FROM_DELIMITER_TAB"; - } - symbol { - weight = 1.0; - description = "Header To begins with tab"; - name = "HEADER_TO_DELIMITER_TAB"; - } - symbol { - weight = 1.0; - description = "Header Cc begins with tab"; - name = "HEADER_CC_DELIMITER_TAB"; - } - symbol { - weight = 1.0; - description = "Header Reply-To begins with tab"; - name = "HEADER_REPLYTO_DELIMITER_TAB"; - } - symbol { - weight = 1.0; - description = "Header Date begins with tab"; - name = "HEADER_DATE_DELIMITER_TAB"; - } - symbol { - weight = 1.0; - description = "Header From has no delimiter between header name and header value"; - name = "HEADER_FROM_EMPTY_DELIMITER"; - } - symbol { - weight = 1.0; - description = "Header To has no delimiter between header name and header value"; - name = "HEADER_TO_EMPTY_DELIMITER"; - } - symbol { - weight = 1.0; - description = "Header Cc has no delimiter between header name and header value"; - name = "HEADER_CC_EMPTY_DELIMITER"; - } - symbol { - weight = 1.0; - description = "Header Reply-To has no delimiter between header name and header value"; - name = "HEADER_REPLYTO_EMPTY_DELIMITER"; - } - symbol { - weight = 1.0; - description = "Header Date has no delimiter between header name and header value"; - name = "HEADER_DATE_EMPTY_DELIMITER"; - } - symbol { - weight = 4.0; - description = "Header Received has raw illegal character"; - name = "RCVD_ILLEGAL_CHARS"; - } - symbol { - weight = 4.0; - description = "Fake helo mail.ru in header Received from non mail.ru sender address"; - name = "FAKE_RECEIVED_mail_ru"; - } - symbol { - weight = 4.0; - description = "Fake smtp.yandex.ru Received"; - name = "FAKE_RECEIVED_smtp_yandex_ru"; - } - symbol { - weight = 3.600000; - description = "Forged generic Received"; - name = "FORGED_GENERIC_RECEIVED"; - } - symbol { - weight = 3.600000; - description = "Forged generic Received"; - name = "FORGED_GENERIC_RECEIVED2"; - } - symbol { - weight = 3.600000; - description = "Forged generic Received"; - name = "FORGED_GENERIC_RECEIVED3"; - } - symbol { - weight = 3.600000; - description = "Forged generic Received"; - name = "FORGED_GENERIC_RECEIVED4"; - } - symbol { - weight = 4.600000; - description = "Forged generic Received"; - name = "FORGED_GENERIC_RECEIVED5"; - } - symbol { - weight = 3.0; - description = "Invalid Postfix Received"; - name = "INVALID_POSTFIX_RECEIVED"; - } - symbol { - weight = 5.0; - description = "Invalid Exim Received"; - name = "INVALID_EXIM_RECEIVED"; - } - symbol { - weight = 3.0; - description = "Invalid Exim Received"; - name = "INVALID_EXIM_RECEIVED2"; - } + actions { + reject = 15; + add_header = 6; + greylist = 4; + }; + + group { + name = "header"; + symbol { + weight = 2.0; + description = "Subject is missing inside message"; + name = "MISSING_SUBJECT"; + } + symbol { + weight = 2.100000; + description = "Message pretends to be send from Outlook but has 'strange' tags "; + name = "FORGED_OUTLOOK_TAGS"; + } + symbol { + weight = 0.30; + description = "Sender is forged (different From: header and smtp MAIL FROM: addresses)"; + name = "FORGED_SENDER"; + } + symbol { + weight = 3.500000; + description = "Recipients seems to be autogenerated (works if recipients count is more than 5)"; + name = "SUSPICIOUS_RECIPS"; + } + symbol { + weight = 6.0; + description = "Fake reply (has RE in subject, but has not References header)"; + name = "FAKE_REPLY_C"; + } + symbol { + weight = 1.0; + description = "Messages that have only HTML part"; + name = "MIME_HTML_ONLY"; + } + symbol { + weight = 2.0; + description = "Forged yahoo msgid"; + name = "FORGED_MSGID_YAHOO"; + } + symbol { + weight = 2.0; + description = "Forged The Bat! MUA headers"; + name = "FORGED_MUA_THEBAT_BOUN"; + } + symbol { + weight = 5.0; + description = "Charset is missing in a message"; + name = "R_MISSING_CHARSET"; + } + symbol { + weight = 2.0; + description = "Two received headers with ip addresses"; + name = "RCVD_DOUBLE_IP_SPAM"; + } + symbol { + weight = 5.0; + description = "Forged outlook HTML signature"; + name = "FORGED_OUTLOOK_HTML"; + } + symbol { + weight = 5.0; + description = "Recipients are absent or undisclosed"; + name = "R_UNDISC_RCPT"; + } + symbol { + weight = 2.0; + description = "Fake helo for verizon provider"; + name = "FM_FAKE_HELO_VERIZON"; + } + symbol { + weight = 2.0; + description = "Quoted reply-to from yahoo (seems to be forged)"; + name = "REPTO_QUOTE_YAHOO"; + } + symbol { + weight = 5.0; + description = "Mime-OLE is needed but absent (e.g. fake Outlook or fake Exchange)"; + name = "MISSING_MIMEOLE"; + } + symbol { + weight = 2.0; + description = "To header is missing"; + name = "MISSING_TO"; + } + symbol { + weight = 1.500000; + description = "From that contains encoded characters while base 64 is not needed as all symbols are 7bit"; + name = "FROM_EXCESS_BASE64"; + } + symbol { + weight = 1.200000; + description = "From that contains encoded characters while quoted-printable is not needed as all symbols are 7bit"; + name = "FROM_EXCESS_QP"; + } + symbol { + weight = 1.500000; + description = "To that contains encoded characters while base 64 is not needed as all symbols are 7bit"; + name = "TO_EXCESS_BASE64"; + } + symbol { + weight = 1.200000; + description = "To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit"; + name = "TO_EXCESS_QP"; + } + symbol { + weight = 1.500000; + description = "Reply-To that contains encoded characters while base 64 is not needed as all symbols are 7bit"; + name = "REPLYTO_EXCESS_BASE64"; + } + symbol { + weight = 1.200000; + description = "Reply-To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit"; + name = "REPLYTO_EXCESS_QP"; + } + symbol { + weight = 1.500000; + description = "Cc that contains encoded characters while base 64 is not needed as all symbols are 7bit"; + name = "CC_EXCESS_BASE64"; + } + symbol { + weight = 1.200000; + description = "Cc that contains encoded characters while quoted-printable is not needed as all symbols are 7bit"; + name = "CC_EXCESS_QP"; + } + symbol { + weight = 5.0; + description = "Mixed characters in a message"; + name = "R_MIXED_CHARSET"; + } + symbol { + weight = 3.500000; + description = "Recipients list seems to be sorted"; + name = "SORTED_RECIPS"; + } + symbol { + weight = 3.0; + description = "Spambots signatures in received headers"; + name = "R_RCVD_SPAMBOTS"; + } + symbol { + weight = 2.0; + description = "To header seems to be autogenerated"; + name = "R_TO_SEEMS_AUTO"; + } + symbol { + weight = 1.0; + description = "Subject needs encoding"; + name = "SUBJECT_NEEDS_ENCODING"; + } + symbol { + weight = 3.840000; + description = "Spam string at the end of message to make statistics faults 0"; + name = "TRACKER_ID"; + } + symbol { + weight = 1.0; + description = "No space in from header"; + name = "R_NO_SPACE_IN_FROM"; + } + symbol { + weight = 8.0; + description = "Subject seems to be spam"; + name = "R_SAJDING"; + } + symbol { + weight = 3.0; + description = "Detects bad content-transfer-encoding for text parts"; + name = "R_BAD_CTE_7BIT"; + } + symbol { + weight = 10.0; + description = "Flash redirect on imageshack.us"; + name = "R_FLASH_REDIR_IMGSHACK"; + } + symbol { + weight = 5.0; + description = "Message id is incorrect"; + name = "INVALID_MSGID"; + } + symbol { + weight = 3.0; + description = "Message id is missing "; + name = "MISSING_MID"; + } + symbol { + weight = 1.0; + description = "Recipients are not the same as RCPT TO: mail command"; + name = "FORGED_RECIPIENTS"; + } + symbol { + weight = 0.0; + description = "Recipients are not the same as RCPT TO: mail command, but a message from a maillist"; + name = "FORGED_RECIPIENTS_MAILLIST"; + } + symbol { + weight = 0.0; + description = "Sender is not the same as MAIL FROM: envelope, but a message is from a maillist"; + name = "FORGED_SENDER_MAILLIST"; + } + symbol { + weight = 2.0; + description = "Forged Exchange messages "; + name = "RATWARE_MS_HASH"; + } + symbol { + weight = 1.0; + description = "Reply-type in content-type"; + name = "STOX_REPLY_TYPE"; + } + symbol { + weight = 1.0; + description = "One received header in a message "; + name = "ONCE_RECEIVED"; + } + symbol { + weight = 4.0; + description = "One received header with 'bad' patterns inside"; + name = "ONCE_RECEIVED_STRICT"; + } + symbol { + weight = 2.0; + description = "Only Content-Type header without other MIME headers"; + name = "MIME_HEADER_CTYPE_ONLY"; + } + symbol { + weight = -1.0; + description = "Message seems to be from maillist"; + name = "MAILLIST"; + } + symbol { + weight = 1.0; + description = "Header From begins with tab"; + name = "HEADER_FROM_DELIMITER_TAB"; + } + symbol { + weight = 1.0; + description = "Header To begins with tab"; + name = "HEADER_TO_DELIMITER_TAB"; + } + symbol { + weight = 1.0; + description = "Header Cc begins with tab"; + name = "HEADER_CC_DELIMITER_TAB"; + } + symbol { + weight = 1.0; + description = "Header Reply-To begins with tab"; + name = "HEADER_REPLYTO_DELIMITER_TAB"; + } + symbol { + weight = 1.0; + description = "Header Date begins with tab"; + name = "HEADER_DATE_DELIMITER_TAB"; + } + symbol { + weight = 1.0; + description = "Header From has no delimiter between header name and header value"; + name = "HEADER_FROM_EMPTY_DELIMITER"; + } + symbol { + weight = 1.0; + description = "Header To has no delimiter between header name and header value"; + name = "HEADER_TO_EMPTY_DELIMITER"; + } + symbol { + weight = 1.0; + description = "Header Cc has no delimiter between header name and header value"; + name = "HEADER_CC_EMPTY_DELIMITER"; + } + symbol { + weight = 1.0; + description = "Header Reply-To has no delimiter between header name and header value"; + name = "HEADER_REPLYTO_EMPTY_DELIMITER"; + } + symbol { + weight = 1.0; + description = "Header Date has no delimiter between header name and header value"; + name = "HEADER_DATE_EMPTY_DELIMITER"; + } + symbol { + weight = 4.0; + description = "Header Received has raw illegal character"; + name = "RCVD_ILLEGAL_CHARS"; + } + symbol { + weight = 4.0; + description = "Fake helo mail.ru in header Received from non mail.ru sender address"; + name = "FAKE_RECEIVED_mail_ru"; + } + symbol { + weight = 4.0; + description = "Fake smtp.yandex.ru Received"; + name = "FAKE_RECEIVED_smtp_yandex_ru"; + } + symbol { + weight = 3.600000; + description = "Forged generic Received"; + name = "FORGED_GENERIC_RECEIVED"; + } + symbol { + weight = 3.600000; + description = "Forged generic Received"; + name = "FORGED_GENERIC_RECEIVED2"; + } + symbol { + weight = 3.600000; + description = "Forged generic Received"; + name = "FORGED_GENERIC_RECEIVED3"; + } + symbol { + weight = 3.600000; + description = "Forged generic Received"; + name = "FORGED_GENERIC_RECEIVED4"; + } + symbol { + weight = 4.600000; + description = "Forged generic Received"; + name = "FORGED_GENERIC_RECEIVED5"; + } + symbol { + weight = 3.0; + description = "Invalid Postfix Received"; + name = "INVALID_POSTFIX_RECEIVED"; + } + symbol { + weight = 5.0; + description = "Invalid Exim Received"; + name = "INVALID_EXIM_RECEIVED"; + } + symbol { + weight = 3.0; + description = "Invalid Exim Received"; + name = "INVALID_EXIM_RECEIVED2"; + } + } + + group { + name = "mua"; + symbol { + weight = 4.0; + description = "Message pretends to be send from The Bat! but has forged Message-ID"; + name = "FORGED_MUA_THEBAT_MSGID"; + } + symbol { + weight = 3.0; + description = "Message pretends to be send from The Bat! but has forged Message-ID"; + name = "FORGED_MUA_THEBAT_MSGID_UNKNOWN"; + } + symbol { + weight = 3.0; + description = "Message pretends to be send from KMail but has forged Message-ID"; + name = "FORGED_MUA_KMAIL_MSGID"; + } + symbol { + weight = 2.500000; + description = "Message pretends to be send from KMail but has forged Message-ID"; + name = "FORGED_MUA_KMAIL_MSGID_UNKNOWN"; + } + symbol { + weight = 4.0; + description = "Message pretends to be send from Opera Mail but has forged Message-ID"; + name = "FORGED_MUA_OPERA_MSGID"; + } + symbol { + weight = 4.0; + description = "Message pretends to be send from suspicious Opera Mail/10.x (Windows) but has forged Message-ID, apparently from KMail"; + name = "SUSPICIOUS_OPERA_10W_MSGID"; + } + symbol { + weight = 4.0; + description = "Message pretends to be send from Mozilla Mail but has forged Message-ID"; + name = "FORGED_MUA_MOZILLA_MAIL_MSGID"; + } + symbol { + weight = 2.500000; + description = "Message pretends to be send from Mozilla Mail but has forged Message-ID"; + name = "FORGED_MUA_MOZILLA_MAIL_MSGID_UNKNOWN"; + } + symbol { + weight = 4.0; + description = "Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID"; + name = "FORGED_MUA_THUNDERBIRD_MSGID"; + } + symbol { + weight = 2.500000; + description = "Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID"; + name = "FORGED_MUA_THUNDERBIRD_MSGID_UNKNOWN"; + } + symbol { + weight = 4.0; + description = "Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID"; + name = "FORGED_MUA_SEAMONKEY_MSGID"; + } + symbol { + weight = 2.500000; + description = "Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID"; + name = "FORGED_MUA_SEAMONKEY_MSGID_UNKNOWN"; + } + symbol { + weight = 3.0; + description = "Forged outlook MUA"; + name = "FORGED_MUA_OUTLOOK"; + } + } + symbol { + weight = 0.0; + description = "Avoid false positives for FORGED_MUA_* in maillist"; + name = "FORGED_MUA_MAILLIST"; + } + + group { + name = "body"; + symbol { + weight = 9.0; + description = "White color on white background in HTML messages"; + name = "R_WHITE_ON_WHITE"; + } + symbol { + weight = 3.0; + description = "Short html part with a link to an image"; + name = "HTML_SHORT_LINK_IMG_2"; + } + symbol { + weight = 5.0; + description = "Suspicious boundary in header Content-Type"; + name = "SUSPICIOUS_BOUNDARY"; + } + symbol { + weight = 4.0; + description = "Suspicious boundary in header Content-Type"; + name = "SUSPICIOUS_BOUNDARY2"; + } + symbol { + weight = 3.0; + description = "Suspicious boundary in header Content-Type"; + name = "SUSPICIOUS_BOUNDARY3"; + } + symbol { + weight = 4.0; + description = "Suspicious boundary in header Content-Type"; + name = "SUSPICIOUS_BOUNDARY4"; + } + symbol { + weight = 3.0; + description = "Text and HTML parts differ"; + name = "R_PARTS_DIFFER"; + } + + symbol { + weight = 2.0; + description = "Message contains empty parts and image "; + name = "R_EMPTY_IMAGE"; + } + symbol { + weight = 2.0; + description = "Drugs patterns inside message"; + name = "DRUGS_MANYKINDS"; + } + symbol { + weight = 2.0; + description = ""; + name = "DRUGS_ANXIETY"; + } + symbol { + weight = 2.0; + description = ""; + name = "DRUGS_MUSCLE"; + } + symbol { + weight = 2.0; + description = ""; + name = "DRUGS_ANXIETY_EREC"; + } + symbol { + weight = 2.0; + description = ""; + name = "DRUGS_DIET"; + } + symbol { + weight = 2.0; + description = ""; + name = "DRUGS_ERECTILE"; + } + symbol { + weight = 3.300000; + description = "2 'advance fee' patterns in a message"; + name = "ADVANCE_FEE_2"; + } + symbol { + weight = 2.120000; + description = "3 'advance fee' patterns in a message"; + name = "ADVANCE_FEE_3"; + } + symbol { + weight = 8.0; + description = "Lotto signatures"; + name = "R_LOTTO"; + } + } + + group { + name = "rbl"; + symbol { + name = "DNSWL_BLOCKED"; + weight = 0.0; + description = "Resolver blocked due to excessive queries"; + } + symbol { + name = "RCVD_IN_DNSWL"; + weight = 0.0; + description = "Sender listed at http://www.dnswl.org"; + } + symbol { + name = "RCVD_IN_DNSWL_NONE"; + weight = -0.05; + description = "Sender listed at http://www.dnswl.org, low none"; + } + symbol { + name = "RCVD_IN_DNSWL_LOW"; + weight = -0.1; + description = "Sender listed at http://www.dnswl.org, low trust"; + } + symbol { + name = "RCVD_IN_DNSWL_MED"; + weight = -1.0; + description = "Sender listed at http://www.dnswl.org, medium trust"; + } + symbol { + name = "RCVD_IN_DNSWL_HI"; + weight = -5.0; + description = "Sender listed at http://www.dnswl.org, high trust"; + } + + symbol { + name = "RBL_SPAMHAUS"; + weight = 0.0; + description = "From address is listed in zen"; + } + symbol { + name = "RBL_SPAMHAUS_SBL"; + weight = 2.0; + description = "From address is listed in zen sbl"; + } + symbol { + name = "RBL_SPAMHAUS_CSS"; + weight = 2.0; + description = "From address is listed in zen css"; + } + symbol { + name = "RBL_SPAMHAUS_XBL"; + weight = 4.0; + description = "From address is listed in zen xbl"; + } + symbol { + name = "RBL_SPAMHAUS_PBL"; + weight = 2.0; + description = "From address is listed in zen pbl"; + } + symbol { + name = "RECEIVED_SPAMHAUS_XBL"; + weight = 3.0; + description = "Received address is listed in zen pbl"; + one_shot = true; + } + + symbol { + name = "RWL_SPAMHAUS_WL"; + weight = 0.0; + description = "Sender listed at Spamhaus whitelist"; + } + symbol { + name = "RWL_SPAMHAUS_WL_IND"; + weight = 0.0; + description = "Sender listed at Spamhaus whitelist"; + } + symbol { + name = "RWL_SPAMHAUS_WL_TRANS"; + weight = 0.0; + description = "Sender listed at Spamhaus whitelist"; + } + symbol { + name = "RWL_SPAMHAUS_WL_IND_EXP"; + weight = 0.0; + description = "Sender listed at Spamhaus whitelist"; + } + symbol { + name = "RWL_SPAMHAUS_WL_TRANS_EXP"; + weight = 0.0; + description = "Sender listed at Spamhaus whitelist"; + } + + symbol { + weight = 2.0; + description = "From address is listed in senderscore.com BL"; + name = "RBL_SENDERSCORE"; + } + symbol { + weight = 1.0; + description = "From address is listed in ABUSE.CH BL"; + name = "RBL_ABUSECH"; + } + symbol { + weight = 1.0; + description = "From address is listed in UCEPROTECT LEVEL1 BL"; + name = "RBL_UCEPROTECT_LEVEL1"; + } + + symbol { + name = "RBL_MAILSPIKE_ZOMBIE"; + weight = 2.0; + description = "From address is listed in RBL"; + } + symbol { + name = "RBL_MAILSPIKE_WORST"; + weight = 2.0; + description = "From address is listed in RBL"; + } + symbol { + name = "RBL_MAILSPIKE_VERYBAD"; + weight = 1.5; + description = "From address is listed in RBL"; + } + symbol { + name = "RBL_MAILSPIKE_BAD"; + weight = 1.0; + description = "From address is listed in RBL"; + } + symbol { + name = "RWL_MAILSPIKE_POSSIBLE"; + weight = 0.0; + description = "From address is listed in RWL"; + } + symbol { + name = "RWL_MAILSPIKE_GOOD"; + weight = 0.0; + description = "From address is listed in RWL"; + } + symbol { + name = "RWL_MAILSPIKE_VERYGOOD"; + weight = 0.0; + description = "From address is listed in RWL"; + } + symbol { + name = "RWL_MAILSPIKE_EXCELLENT"; + weight = 0.0; + description = "From address is listed in RWL"; + } + + symbol { + weight = 1.0; + name = "RBL_SORBS"; + description = "From address is listed in SORBS RBL"; + } + symbol { + weight = 2.5; + name = "RBL_SORBS_HTTP"; + description = "List of Open HTTP Proxy Servers."; + } + symbol { + weight = 2.5; + name = "RBL_SORBS_SOCKS"; + description = "List of Open SOCKS Proxy Servers."; + } + symbol { + weight = 1.0; + name = "RBL_SORBS_MISC"; + description = "List of open Proxy Servers not listed in the SOCKS or HTTP lists."; + } + symbol { + weight = 3.0; + name = "RBL_SORBS_SMTP"; + description = "List of Open SMTP relay servers."; + } + symbol { + weight = 1.5; + name = "RBL_SORBS_RECENT"; + description = "List of hosts that have been noted as sending spam/UCE/UBE to the admins of SORBS within the last 28 days (includes new.spam.dnsbl.sorbs.net)."; + } + symbol { + weight = 0.4; + name = "RBL_SORBS_WEB"; + description = "List of web (WWW) servers which have spammer abusable vulnerabilities (e.g. FormMail scripts)"; + } + symbol { + weight = 2.0; + name = "RBL_SORBS_DUL"; + description = "Dynamic IP Address ranges (NOT a Dial Up list!)"; + } + symbol { + weight = 1.0; + name = "RBL_SORBS_BLOCK"; + description = "List of hosts demanding that they never be tested by SORBS."; + } + symbol { + weight = 1.0; + name = "RBL_SORBS_ZOMBIE"; + description = "List of networks hijacked from their original owners, some of which have already used for spamming."; + } + + symbol { + weight = 1.0; + name = "RBL_SEM"; + description = "Address is listed in Spameatingmonkey RBL"; + } + + symbol { + weight = 1.0; + name = "RBL_SEM_IPV6"; + description = "Address is listed in Spameatingmonkey RBL (ipv6)"; + } } - + group { - name = "mua"; - symbol { - weight = 4.0; - description = "Message pretends to be send from The Bat! but has forged Message-ID"; - name = "FORGED_MUA_THEBAT_MSGID"; - } - symbol { - weight = 3.0; - description = "Message pretends to be send from The Bat! but has forged Message-ID"; - name = "FORGED_MUA_THEBAT_MSGID_UNKNOWN"; - } - symbol { - weight = 3.0; - description = "Message pretends to be send from KMail but has forged Message-ID"; - name = "FORGED_MUA_KMAIL_MSGID"; - } - symbol { - weight = 2.500000; - description = "Message pretends to be send from KMail but has forged Message-ID"; - name = "FORGED_MUA_KMAIL_MSGID_UNKNOWN"; - } - symbol { - weight = 4.0; - description = "Message pretends to be send from Opera Mail but has forged Message-ID"; - name = "FORGED_MUA_OPERA_MSGID"; - } - symbol { - weight = 4.0; - description = "Message pretends to be send from suspicious Opera Mail/10.x (Windows) but has forged Message-ID, apparently from KMail"; - name = "SUSPICIOUS_OPERA_10W_MSGID"; - } - symbol { - weight = 4.0; - description = "Message pretends to be send from Mozilla Mail but has forged Message-ID"; - name = "FORGED_MUA_MOZILLA_MAIL_MSGID"; - } - symbol { - weight = 2.500000; - description = "Message pretends to be send from Mozilla Mail but has forged Message-ID"; - name = "FORGED_MUA_MOZILLA_MAIL_MSGID_UNKNOWN"; - } - symbol { - weight = 4.0; - description = "Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID"; - name = "FORGED_MUA_THUNDERBIRD_MSGID"; - } - symbol { - weight = 2.500000; - description = "Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID"; - name = "FORGED_MUA_THUNDERBIRD_MSGID_UNKNOWN"; - } - symbol { - weight = 4.0; - description = "Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID"; - name = "FORGED_MUA_SEAMONKEY_MSGID"; - } - symbol { - weight = 2.500000; - description = "Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID"; - name = "FORGED_MUA_SEAMONKEY_MSGID_UNKNOWN"; - } - symbol { - weight = 3.0; - description = "Forged outlook MUA"; - name = "FORGED_MUA_OUTLOOK"; - } + name = "bayes"; + + symbol { + weight = 3.0; + description = "Message probably spam, probability: "; + name = "BAYES_SPAM"; + } + symbol { + weight = -3.0; + description = "Message probably ham, probability: "; + name = "BAYES_HAM"; + } } + + group { + name = "fuzzy"; + symbol { + weight = 5.0; + description = "Generic fuzzy hash match"; + name = "FUZZY_UNKNOWN"; + } + symbol { + weight = 10.0; + description = "Denied fuzzy hash"; + name = "FUZZY_DENIED"; + } + symbol { + weight = 5.0; + description = "Probable fuzzy hash"; + name = "FUZZY_PROB"; + } symbol { - weight = 0.0; - description = "Avoid false positives for FORGED_MUA_* in maillist"; - name = "FORGED_MUA_MAILLIST"; - } - - group { - name = "body"; - symbol { - weight = 9.0; - description = "White color on white background in HTML messages"; - name = "R_WHITE_ON_WHITE"; - } - symbol { - weight = 3.0; - description = "Short html part with a link to an image"; - name = "HTML_SHORT_LINK_IMG_2"; - } - symbol { - weight = 5.0; - description = "Suspicious boundary in header Content-Type"; - name = "SUSPICIOUS_BOUNDARY"; - } - symbol { - weight = 4.0; - description = "Suspicious boundary in header Content-Type"; - name = "SUSPICIOUS_BOUNDARY2"; - } - symbol { - weight = 3.0; - description = "Suspicious boundary in header Content-Type"; - name = "SUSPICIOUS_BOUNDARY3"; - } - symbol { - weight = 4.0; - description = "Suspicious boundary in header Content-Type"; - name = "SUSPICIOUS_BOUNDARY4"; - } - symbol { - weight = 3.0; - description = "Text and HTML parts differ"; - name = "R_PARTS_DIFFER"; - } - - symbol { - weight = 2.0; - description = "Message contains empty parts and image "; - name = "R_EMPTY_IMAGE"; - } - symbol { - weight = 2.0; - description = "Drugs patterns inside message"; - name = "DRUGS_MANYKINDS"; - } - symbol { - weight = 2.0; - description = ""; - name = "DRUGS_ANXIETY"; - } - symbol { - weight = 2.0; - description = ""; - name = "DRUGS_MUSCLE"; - } - symbol { - weight = 2.0; - description = ""; - name = "DRUGS_ANXIETY_EREC"; - } - symbol { - weight = 2.0; - description = ""; - name = "DRUGS_DIET"; - } - symbol { - weight = 2.0; - description = ""; - name = "DRUGS_ERECTILE"; - } - symbol { - weight = 3.300000; - description = "2 'advance fee' patterns in a message"; - name = "ADVANCE_FEE_2"; - } - symbol { - weight = 2.120000; - description = "3 'advance fee' patterns in a message"; - name = "ADVANCE_FEE_3"; - } - symbol { - weight = 8.0; - description = "Lotto signatures"; - name = "R_LOTTO"; - } + weight = -2.1; + description = "Whitelisted fuzzy hash"; + name = "FUZZY_WHITE"; + } } - + group { - name = "rbl"; - symbol { name = "DNSWL_BLOCKED"; weight = 0.0; description = "Resolver blocked due to excessive queries"; } - symbol { name = "RCVD_IN_DNSWL"; weight = 0.0; description = "Sender listed at http://www.dnswl.org"; } - symbol { name = "RCVD_IN_DNSWL_NONE"; weight = -0.05; description = "Sender listed at http://www.dnswl.org, low none"; } - symbol { name = "RCVD_IN_DNSWL_LOW"; weight = -0.1; description = "Sender listed at http://www.dnswl.org, low trust"; } - symbol { name = "RCVD_IN_DNSWL_MED"; weight = -1.0; description = "Sender listed at http://www.dnswl.org, medium trust"; } - symbol { name = "RCVD_IN_DNSWL_HI"; weight = -5.0; description = "Sender listed at http://www.dnswl.org, high trust"; } - - symbol { name = "RBL_SPAMHAUS"; weight = 0.0; description = "From address is listed in zen"; } - symbol { name = "RBL_SPAMHAUS_SBL"; weight = 2.0; description = "From address is listed in zen sbl"; } - symbol { name = "RBL_SPAMHAUS_CSS"; weight = 2.0; description = "From address is listed in zen css"; } - symbol { name = "RBL_SPAMHAUS_XBL"; weight = 4.0; description = "From address is listed in zen xbl"; } - symbol { name = "RBL_SPAMHAUS_PBL"; weight = 2.0; description = "From address is listed in zen pbl"; } - symbol { name = "RECEIVED_SPAMHAUS_XBL"; weight = 3.0; description = "Received address is listed in zen pbl"; one_shot = true; } - - symbol { name = "RWL_SPAMHAUS_WL"; weight = 0.0; description = "Sender listed at Spamhaus whitelist"; } - symbol { name = "RWL_SPAMHAUS_WL_IND"; weight = 0.0; description = "Sender listed at Spamhaus whitelist"; } - symbol { name = "RWL_SPAMHAUS_WL_TRANS"; weight = 0.0; description = "Sender listed at Spamhaus whitelist"; } - symbol { name = "RWL_SPAMHAUS_WL_IND_EXP"; weight = 0.0; description = "Sender listed at Spamhaus whitelist"; } - symbol { name = "RWL_SPAMHAUS_WL_TRANS_EXP"; weight = 0.0; description = "Sender listed at Spamhaus whitelist"; } - - symbol { - weight = 2.0; - description = "From address is listed in senderscore.com BL"; - name = "RBL_SENDERSCORE"; - } - symbol { - weight = 1.0; - description = "From address is listed in ABUSE.CH BL"; - name = "RBL_ABUSECH"; - } - symbol { - weight = 1.0; - description = "From address is listed in UCEPROTECT LEVEL1 BL"; - name = "RBL_UCEPROTECT_LEVEL1"; - } - - symbol { name = "RBL_MAILSPIKE_ZOMBIE"; weight = 2.0; description = "From address is listed in RBL"; } - symbol { name = "RBL_MAILSPIKE_WORST"; weight = 2.0; description = "From address is listed in RBL"; } - symbol { name = "RBL_MAILSPIKE_VERYBAD"; weight = 1.5; description = "From address is listed in RBL"; } - symbol { name = "RBL_MAILSPIKE_BAD"; weight = 1.0; description = "From address is listed in RBL"; } - symbol { name = "RWL_MAILSPIKE_POSSIBLE"; weight = 0.0; description = "From address is listed in RWL"; } - symbol { name = "RWL_MAILSPIKE_GOOD"; weight = 0.0; description = "From address is listed in RWL"; } - symbol { name = "RWL_MAILSPIKE_VERYGOOD"; weight = 0.0; description = "From address is listed in RWL"; } - symbol { name = "RWL_MAILSPIKE_EXCELLENT"; weight = 0.0; description = "From address is listed in RWL"; } - - symbol { - weight = 1.0; - name = "RBL_SORBS"; - description = "From address is listed in SORBS RBL"; - } - symbol { - weight = 2.5; - name = "RBL_SORBS_HTTP"; - description = "List of Open HTTP Proxy Servers."; - } - symbol { - weight = 2.5; - name = "RBL_SORBS_SOCKS"; - description = "List of Open SOCKS Proxy Servers."; - } - symbol { - weight = 1.0; - name = "RBL_SORBS_MISC"; - description = "List of open Proxy Servers not listed in the SOCKS or HTTP lists."; - } - symbol { - weight = 3.0; - name = "RBL_SORBS_SMTP"; - description = "List of Open SMTP relay servers."; - } - symbol { - weight = 1.5; - name = "RBL_SORBS_RECENT"; - description = "List of hosts that have been noted as sending spam/UCE/UBE to the admins of SORBS within the last 28 days (includes new.spam.dnsbl.sorbs.net)."; - } - symbol { - weight = 0.4; - name = "RBL_SORBS_WEB"; - description = "List of web (WWW) servers which have spammer abusable vulnerabilities (e.g. FormMail scripts)"; - } - symbol { - weight = 2.0; - name = "RBL_SORBS_DUL"; - description = "Dynamic IP Address ranges (NOT a Dial Up list!)"; - } - symbol { - weight = 1.0; - name = "RBL_SORBS_BLOCK"; - description = "List of hosts demanding that they never be tested by SORBS."; - } - symbol { - weight = 1.0; - name = "RBL_SORBS_ZOMBIE"; - description = "List of networks hijacked from their original owners, some of which have already used for spamming."; - } - - symbol { - weight = 1.0; - name = "RBL_SEM"; - description = "Address is listed in Spameatingmonkey RBL"; - } - - symbol { - weight = 1.0; - name = "RBL_SEM_IPV6"; - description = "Address is listed in Spameatingmonkey RBL (ipv6)"; - } - } - - group { - name = "bayes"; - - symbol { - weight = 3.0; - description = "Message probably spam, probability: "; - name = "BAYES_SPAM"; - } - symbol { - weight = -3.0; - description = "Message probably ham, probability: "; - name = "BAYES_HAM"; - } - } - - group { - name = "fuzzy"; - symbol { - weight = 5.0; - description = "Generic fuzzy hash match"; - name = "FUZZY_UNKNOWN"; - } - symbol { - weight = 10.0; - description = "Denied fuzzy hash"; - name = "FUZZY_DENIED"; - } - symbol { - weight = 5.0; - description = "Probable fuzzy hash"; - name = "FUZZY_PROB"; - } - symbol { - weight = -2.1; - description = "Whitelisted fuzzy hash"; - name = "FUZZY_WHITE"; - } - } - - group { - name = "spf"; - symbol { - weight = 1.0; - description = "SPF verification failed"; - name = "R_SPF_FAIL"; - } - symbol { - weight = 0.0; - description = "SPF verification soft-failed"; - name = "R_SPF_SOFTFAIL"; - } - symbol { - weight = 0.0; - description = "SPF policy is neutral"; - name = "R_SPF_NEUTRAL"; - } - symbol { - weight = -1.1; - description = "SPF verification alowed"; - name = "R_SPF_ALLOW"; - } - } - - group { - name = "dkim"; - symbol { - weight = 1.0; - description = "DKIM verification failed"; - name = "R_DKIM_REJECT"; - } - symbol { - weight = 0.0; - description = "DKIM verification soft-failed"; - name = "R_DKIM_TEMPFAIL"; - } - symbol { - weight = -1.1; - description = "DKIM verification succeed"; - name = "R_DKIM_ALLOW"; - } - } - + name = "spf"; + symbol { + weight = 1.0; + description = "SPF verification failed"; + name = "R_SPF_FAIL"; + } + symbol { + weight = 0.0; + description = "SPF verification soft-failed"; + name = "R_SPF_SOFTFAIL"; + } + symbol { + weight = 0.0; + description = "SPF policy is neutral"; + name = "R_SPF_NEUTRAL"; + } + symbol { + weight = -1.1; + description = "SPF verification alowed"; + name = "R_SPF_ALLOW"; + } + } + group { - name = "surbl"; - symbol { - weight = 5.500000; - description = "SURBL: Phishing sites"; - name = "PH_SURBL_MULTI"; - } - symbol { - weight = 5.500000; - description = "SURBL: Malware sites"; - name = "MW_SURBL_MULTI"; - } - symbol { - weight = 5.500000; - description = "SURBL: AbuseButler web sites"; - name = "AB_SURBL_MULTI"; - } - symbol { - weight = 5.500000; - description = "SURBL: SpamCop web sites"; - name = "SC_SURBL_MULTI"; - } - symbol { - weight = 5.500000; - description = "SURBL: jwSpamSpy + Prolocation sites"; - name = "JP_SURBL_MULTI"; - } - symbol { - weight = 5.500000; - description = "SURBL: sa-blacklist web sites "; - name = "WS_SURBL_MULTI"; - } - symbol { - weight = 4.500000; - description = "rambler.ru uribl"; - name = "RAMBLER_URIBL"; - } - - symbol { weight = 0.0; name = "SEM_URIBL_UNKNOWN"; description = "Spameatingmonkey uribl unknown"; } - symbol { weight = 3.5; name = "SEM_URIBL"; description = "Spameatingmonkey uribl"; } - - symbol { weight = 0.0; name = "SEM_URIBL_FRESH15_UNKNOWN"; description = "Spameatingmonkey uribl unknown"; } - symbol { weight = 3.0; name = "SEM_URIBL_FRESH15"; description = "Spameatingmonkey uribl. Domains registered in the last 15 days (.AERO,.BIZ,.COM,.INFO,.NAME,.NET,.PRO,.SK,.TEL,.US)"; } - - symbol { - weight = 0.000000; - description = "DBL uribl unknown symbol (error)"; - name = "DBL"; - } - symbol { - weight = 6.500000; - description = "DBL uribl spam"; - name = "DBL_SPAM"; - } - symbol { - weight = 6.500000; - description = "DBL uribl phishing"; - name = "DBL_PHISH"; - } - symbol { - weight = 6.500000; - description = "DBL uribl malware"; - name = "DBL_MALWARE"; - } - symbol { - weight = 5.500000; - description = "DBL uribl botnet C&C domain"; - name = "DBL_BOTNET"; - } - symbol { - weight = 6.500000; - description = "DBL uribl abused legit spam"; - name = "DBL_ABUSE"; - } - symbol { - weight = 7.500000; - description = "DBL uribl abused spammed redirector domain"; - name = "DBL_ABUSE_REDIR"; - } - symbol { - weight = 7.500000; - description = "DBL uribl abused legit phish"; - name = "DBL_ABUSE_PHISH"; - } - symbol { - weight = 7.500000; - description = "DBL uribl abused legit malware"; - name = "DBL_ABUSE_MALWARE"; - } - symbol { - weight = 5.500000; - description = "DBL uribl abused legit botnet C&C"; - name = "DBL_ABUSE_BOTNET"; - } - symbol { - weight = 0.00000; - description = "DBL uribl IP queries prohibited!"; - name = "DBL_PROHIBIT"; - } - symbol { - weight = 7.5; - description = "uribl.com black url"; - name = "URIBL_BLACK"; - } - symbol { - weight = 3.5; - description = "uribl.com red url"; - name = "URIBL_RED"; - } - symbol { - weight = 1.5; - description = "uribl.com grey url"; - name = "URIBL_GREY"; - } - symbol { - weight = 9.500000; - description = "rambler.ru emailbl"; - name = "RAMBLER_EMAILBL"; - } + name = "dkim"; + symbol { + weight = 1.0; + description = "DKIM verification failed"; + name = "R_DKIM_REJECT"; + } + symbol { + weight = 0.0; + description = "DKIM verification soft-failed"; + name = "R_DKIM_TEMPFAIL"; + } + symbol { + weight = -1.1; + description = "DKIM verification succeed"; + name = "R_DKIM_ALLOW"; + } } - + group { - name = "phishing"; - - symbol { - weight = 5.0; - description = "Phished mail"; - name = "PHISHING"; - } + name = "surbl"; + symbol { + weight = 5.500000; + description = "SURBL: Phishing sites"; + name = "PH_SURBL_MULTI"; + } + symbol { + weight = 5.500000; + description = "SURBL: Malware sites"; + name = "MW_SURBL_MULTI"; + } + symbol { + weight = 5.500000; + description = "SURBL: AbuseButler web sites"; + name = "AB_SURBL_MULTI"; + } + symbol { + weight = 5.500000; + description = "SURBL: SpamCop web sites"; + name = "SC_SURBL_MULTI"; + } + symbol { + weight = 5.500000; + description = "SURBL: jwSpamSpy + Prolocation sites"; + name = "JP_SURBL_MULTI"; + } + symbol { + weight = 5.500000; + description = "SURBL: sa-blacklist web sites "; + name = "WS_SURBL_MULTI"; + } + symbol { + weight = 4.500000; + description = "rambler.ru uribl"; + name = "RAMBLER_URIBL"; + } + + symbol { + weight = 0.0; + name = "SEM_URIBL_UNKNOWN"; + description = "Spameatingmonkey uribl unknown"; + } + symbol { + weight = 3.5; + name = "SEM_URIBL"; + description = "Spameatingmonkey uribl"; + } + + symbol { + weight = 0.0; + name = "SEM_URIBL_FRESH15_UNKNOWN"; + description = "Spameatingmonkey uribl unknown"; + } + symbol { + weight = 3.0; + name = "SEM_URIBL_FRESH15"; + description = "Spameatingmonkey uribl. Domains registered in the last 15 days (.AERO,.BIZ,.COM,.INFO,.NAME,.NET,.PRO,.SK,.TEL,.US)"; + } + + symbol { + weight = 0.000000; + description = "DBL uribl unknown symbol (error)"; + name = "DBL"; + } + symbol { + weight = 6.500000; + description = "DBL uribl spam"; + name = "DBL_SPAM"; + } + symbol { + weight = 6.500000; + description = "DBL uribl phishing"; + name = "DBL_PHISH"; + } + symbol { + weight = 6.500000; + description = "DBL uribl malware"; + name = "DBL_MALWARE"; + } + symbol { + weight = 5.500000; + description = "DBL uribl botnet C&C domain"; + name = "DBL_BOTNET"; + } + symbol { + weight = 6.500000; + description = "DBL uribl abused legit spam"; + name = "DBL_ABUSE"; + } + symbol { + weight = 7.500000; + description = "DBL uribl abused spammed redirector domain"; + name = "DBL_ABUSE_REDIR"; + } + symbol { + weight = 7.500000; + description = "DBL uribl abused legit phish"; + name = "DBL_ABUSE_PHISH"; + } + symbol { + weight = 7.500000; + description = "DBL uribl abused legit malware"; + name = "DBL_ABUSE_MALWARE"; + } + symbol { + weight = 5.500000; + description = "DBL uribl abused legit botnet C&C"; + name = "DBL_ABUSE_BOTNET"; + } + symbol { + weight = 0.00000; + description = "DBL uribl IP queries prohibited!"; + name = "DBL_PROHIBIT"; + } + symbol { + weight = 7.5; + description = "uribl.com black url"; + name = "URIBL_BLACK"; + } + symbol { + weight = 3.5; + description = "uribl.com red url"; + name = "URIBL_RED"; + } + symbol { + weight = 1.5; + description = "uribl.com grey url"; + name = "URIBL_GREY"; + } + symbol { + weight = 9.500000; + description = "rambler.ru emailbl"; + name = "RAMBLER_EMAILBL"; + } } - - group { - name = "date"; - - symbol { - weight = 4.0; - description = "Message date is in future"; - name = "DATE_IN_FUTURE"; - } - symbol { - weight = 1.0; - description = "Message date is in past"; - name = "DATE_IN_PAST"; - } - symbol { - weight = 1.0; - description = "Message date is missing"; - name = "MISSING_DATE"; - } + + group { + name = "phishing"; + + symbol { + weight = 5.0; + description = "Phished mail"; + name = "PHISHING"; + } } - - group { - name = "hfilter"; - - symbol { weight = 4.00; name = "HFILTER_HELO_BAREIP"; description = "Helo host is bare ip"; } - symbol { weight = 4.50; name = "HFILTER_HELO_BADIP"; description = "Helo host is very bad ip"; } - symbol { weight = 4.00; name = "HFILTER_HELO_UNKNOWN"; description = "Helo host empty or unknown"; } - symbol { weight = 1.00; name = "HFILTER_HELO_1"; description = "Helo host checks (very low)"; } - symbol { weight = 2.00; name = "HFILTER_HELO_2"; description = "Helo host checks (low)"; } - symbol { weight = 3.00; name = "HFILTER_HELO_3"; description = "Helo host checks (medium)"; } - symbol { weight = 3.50; name = "HFILTER_HELO_4"; description = "Helo host checks (hard)"; } - symbol { weight = 4.00; name = "HFILTER_HELO_5"; description = "Helo host checks (very hard)"; } - symbol { weight = 1.00; name = "HFILTER_HOSTNAME_1"; description = "Hostname checks (very low)"; } - symbol { weight = 2.00; name = "HFILTER_HOSTNAME_2"; description = "Hostname checks (low)"; } - symbol { weight = 3.00; name = "HFILTER_HOSTNAME_3"; description = "Hostname checks (medium)"; } - symbol { weight = 3.50; name = "HFILTER_HOSTNAME_4"; description = "Hostname checks (hard)"; } - symbol { weight = 4.00; name = "HFILTER_HOSTNAME_5"; description = "Hostname checks (very hard)"; } - symbol { weight = 1.50; name = "HFILTER_HELO_NORESOLVE_MX"; description = "MX found in Helo and no resolve"; } - symbol { weight = 2.00; name = "HFILTER_HELO_NORES_A_OR_MX"; description = "Helo no resolve to A or MX"; } - symbol { weight = 1.00; name = "HFILTER_HELO_IP_A"; description = "Helo A IP != hostname IP"; } - symbol { weight = 3.00; name = "HFILTER_HELO_NOT_FQDN"; description = "Helo not FQDN"; } - symbol { weight = 1.50; name = "HFILTER_FROMHOST_NORESOLVE_MX"; description = "MX found in FROM host and no resolve"; } - symbol { weight = 3.50; name = "HFILTER_FROMHOST_NORES_A_OR_MX"; description = "FROM host no resolve to A or MX"; } - symbol { weight = 4.00; name = "HFILTER_FROMHOST_NOT_FQDN"; description = "FROM host not FQDN"; } - symbol { weight = 0.00; name = "HFILTER_FROM_BOUNCE"; description = "Bounce message"; } - symbol { weight = 0.50; name = "HFILTER_MID_NORESOLVE_MX"; description = "MX found in Message-id host and no resolve"; } - symbol { weight = 0.50; name = "HFILTER_MID_NORES_A_OR_MX"; description = "Message-id host no resolve to A or MX"; } - symbol { weight = 0.50; name = "HFILTER_MID_NOT_FQDN"; description = "Message-id host not FQDN"; } - symbol { weight = 4.00; name = "HFILTER_HOSTNAME_UNKNOWN"; description = "Unknown hostname (no PTR or no resolve PTR to hostname)"; } - symbol { weight = 1.50; name = "HFILTER_RCPT_BOUNCEMOREONE"; description = "Message from bounce and over 1 recepient"; } - symbol { weight = 3.50; name = "HFILTER_URL_ONLY"; description = "URL only in body"; } - symbol { weight = 2.20; name = "HFILTER_URL_ONELINE"; description = "One line URL and text in body"; } + + group { + name = "date"; + + symbol { + weight = 4.0; + description = "Message date is in future"; + name = "DATE_IN_FUTURE"; + } + symbol { + weight = 1.0; + description = "Message date is in past"; + name = "DATE_IN_PAST"; } + symbol { + weight = 1.0; + description = "Message date is missing"; + name = "MISSING_DATE"; + } + } + + group { + name = "hfilter"; + + symbol { + weight = 4.00; + name = "HFILTER_HELO_BAREIP"; + description = "Helo host is bare ip"; + } + symbol { + weight = 4.50; + name = "HFILTER_HELO_BADIP"; + description = "Helo host is very bad ip"; + } + symbol { + weight = 4.00; + name = "HFILTER_HELO_UNKNOWN"; + description = "Helo host empty or unknown"; + } + symbol { + weight = 1.00; + name = "HFILTER_HELO_1"; + description = "Helo host checks (very low)"; + } + symbol { + weight = 2.00; + name = "HFILTER_HELO_2"; + description = "Helo host checks (low)"; + } + symbol { + weight = 3.00; + name = "HFILTER_HELO_3"; + description = "Helo host checks (medium)"; + } + symbol { + weight = 3.50; + name = "HFILTER_HELO_4"; + description = "Helo host checks (hard)"; + } + symbol { + weight = 4.00; + name = "HFILTER_HELO_5"; + description = "Helo host checks (very hard)"; + } + symbol { + weight = 1.00; + name = "HFILTER_HOSTNAME_1"; + description = "Hostname checks (very low)"; + } + symbol { + weight = 2.00; + name = "HFILTER_HOSTNAME_2"; + description = "Hostname checks (low)"; + } + symbol { + weight = 3.00; + name = "HFILTER_HOSTNAME_3"; + description = "Hostname checks (medium)"; + } + symbol { + weight = 3.50; + name = "HFILTER_HOSTNAME_4"; + description = "Hostname checks (hard)"; + } + symbol { + weight = 4.00; + name = "HFILTER_HOSTNAME_5"; + description = "Hostname checks (very hard)"; + } + symbol { + weight = 1.50; + name = "HFILTER_HELO_NORESOLVE_MX"; + description = "MX found in Helo and no resolve"; + } + symbol { + weight = 2.00; + name = "HFILTER_HELO_NORES_A_OR_MX"; + description = "Helo no resolve to A or MX"; + } + symbol { + weight = 1.00; + name = "HFILTER_HELO_IP_A"; + description = "Helo A IP != hostname IP"; + } + symbol { + weight = 3.00; + name = "HFILTER_HELO_NOT_FQDN"; + description = "Helo not FQDN"; + } + symbol { + weight = 1.50; + name = "HFILTER_FROMHOST_NORESOLVE_MX"; + description = "MX found in FROM host and no resolve"; + } + symbol { + weight = 3.50; + name = "HFILTER_FROMHOST_NORES_A_OR_MX"; + description = "FROM host no resolve to A or MX"; + } + symbol { + weight = 4.00; + name = "HFILTER_FROMHOST_NOT_FQDN"; + description = "FROM host not FQDN"; + } + symbol { + weight = 0.00; + name = "HFILTER_FROM_BOUNCE"; + description = "Bounce message"; + } + symbol { + weight = 0.50; + name = "HFILTER_MID_NORESOLVE_MX"; + description = "MX found in Message-id host and no resolve"; + } + symbol { + weight = 0.50; + name = "HFILTER_MID_NORES_A_OR_MX"; + description = "Message-id host no resolve to A or MX"; + } + symbol { + weight = 0.50; + name = "HFILTER_MID_NOT_FQDN"; + description = "Message-id host not FQDN"; + } + symbol { + weight = 4.00; + name = "HFILTER_HOSTNAME_UNKNOWN"; + description = "Unknown hostname (no PTR or no resolve PTR to hostname)"; + } + symbol { + weight = 1.50; + name = "HFILTER_RCPT_BOUNCEMOREONE"; + description = "Message from bounce and over 1 recepient"; + } + symbol { + weight = 3.50; + name = "HFILTER_URL_ONLY"; + description = "URL only in body"; + } + symbol { + weight = 2.20; + name = "HFILTER_URL_ONELINE"; + description = "One line URL and text in body"; + } + } } diff --git a/conf/modules.conf b/conf/modules.conf index 3bd62c672..ad875ece3 100644 --- a/conf/modules.conf +++ b/conf/modules.conf @@ -1,36 +1,40 @@ # Rspamd modules configuration + fuzzy_check { min_bytes = 300; - rule { - servers = "highsecure.ru:11335"; - symbol = "FUZZY_UNKNOWN"; - mime_types = "application/pdf"; - max_score = 20.0; - read_only = yes; - skip_unknown = yes; - fuzzy_map = { - FUZZY_DENIED { - max_score = 20.0; - flag = 1 - } - FUZZY_PROB { - max_score = 10.0; - flag = 2 - } - FUZZY_WHITE { - max_score = 2.0; - flag = 3 - } - } - } + rule { + servers = "highsecure.ru:11335"; + symbol = "FUZZY_UNKNOWN"; + mime_types = "application/pdf"; + max_score = 20.0; + read_only = yes; + skip_unknown = yes; + fuzzy_map = { + FUZZY_DENIED { + max_score = 20.0; + flag = 1; + } + FUZZY_PROB { + max_score = 10.0; + flag = 2; + } + FUZZY_WHITE { + max_score = 2.0; + flag = 3; + } + } + } } + forged_recipients { symbol_sender = "FORGED_SENDER"; symbol_rcpt = "FORGED_RECIPIENTS"; } + maillist { symbol = "MAILLIST"; } + surbl { whitelist = "file://$CONFDIR/surbl-whitelist.inc"; exceptions = "file://$CONFDIR/2tld.inc"; @@ -65,16 +69,26 @@ surbl { symbol = "DBL"; options = "noip"; ips = { - DBL_SPAM = "127.0.1.2"; # spam domain - DBL_PHISH = "127.0.1.4"; # phish domain - DBL_MALWARE = "127.0.1.5"; # malware domain - DBL_BOTNET = "127.0.1.6"; # botnet C&C domain - DBL_ABUSE = "127.0.1.102"; # abused legit spam - DBL_ABUSE_REDIR = "127.0.1.103"; # abused spammed redirector domain - DBL_ABUSE_PHISH = "127.0.1.104"; # abused legit phish - DBL_ABUSE_MALWARE = "127.0.1.105"; # abused legit malware - DBL_ABUSE_BOTNET = "127.0.1.106"; # abused legit botnet C&C - DBL_PROHIBIT = "127.0.1.255"; # IP queries prohibited! + # spam domain + DBL_SPAM = "127.0.1.2"; + # phish domain + DBL_PHISH = "127.0.1.4"; + # malware domain + DBL_MALWARE = "127.0.1.5"; + # botnet C&C domain + DBL_BOTNET = "127.0.1.6"; + # abused legit spam + DBL_ABUSE = "127.0.1.102"; + # abused spammed redirector domain + DBL_ABUSE_REDIR = "127.0.1.103"; + # abused legit phish + DBL_ABUSE_PHISH = "127.0.1.104"; + # abused legit malware + DBL_ABUSE_MALWARE = "127.0.1.105"; + # abused legit botnet C&C + DBL_ABUSE_BOTNET = "127.0.1.106"; + # error - IP queries prohibited! + DBL_PROHIBIT = "127.0.1.255"; } } rule { @@ -94,150 +108,152 @@ surbl { options = "noip"; } } + rbl { - default_from = true; - default_received = false; - default_exclude_users = true; - - private_ips = "127.0.0.0/8 10.0.0.0/8 192.168.0.0/16 169.254.0.0/16 172.16.0.0/12 100.64.0.0/10 fc00::/7 fe80::/10 fec0::/10 ::1"; - - rbls { - - spamhaus { - symbol = "RBL_SPAMHAUS"; - rbl = "zen.spamhaus.org"; - ipv6 = true; - returncodes { - RBL_SPAMHAUS_SBL = "127.0.0.2"; - RBL_SPAMHAUS_CSS = "127.0.0.3"; - RBL_SPAMHAUS_XBL = "127.0.0.4"; - RBL_SPAMHAUS_XBL = "127.0.0.5"; - RBL_SPAMHAUS_XBL = "127.0.0.6"; - RBL_SPAMHAUS_XBL = "127.0.0.7"; - RBL_SPAMHAUS_PBL = "127.0.0.10"; - RBL_SPAMHAUS_PBL = "127.0.0.11"; + default_from = true; + default_received = false; + default_exclude_users = true; + + private_ips = "127.0.0.0/8 10.0.0.0/8 192.168.0.0/16 169.254.0.0/16 172.16.0.0/12 100.64.0.0/10 fc00::/7 fe80::/10 fec0::/10 ::1"; + + rbls { + + spamhaus { + symbol = "RBL_SPAMHAUS"; + rbl = "zen.spamhaus.org"; + ipv6 = true; + returncodes { + RBL_SPAMHAUS_SBL = "127.0.0.2"; + RBL_SPAMHAUS_CSS = "127.0.0.3"; + RBL_SPAMHAUS_XBL = "127.0.0.4"; + RBL_SPAMHAUS_XBL = "127.0.0.5"; + RBL_SPAMHAUS_XBL = "127.0.0.6"; + RBL_SPAMHAUS_XBL = "127.0.0.7"; + RBL_SPAMHAUS_PBL = "127.0.0.10"; + RBL_SPAMHAUS_PBL = "127.0.0.11"; + } } - } - spamhaus_xbl { - symbol = "RECEIVED_SPAMHAUS_XBL"; - rbl = "xbl.spamhaus.org"; - ipv6 = true; - received = true; - from = false; - } - - spamhaus_swl { - symbol = "RWL_SPAMHAUS_WL"; - rbl = "swl.spamhaus.org"; - ipv6 = true; - is_whitelist = true; - returncodes { - RWL_SPAMHAUS_WL_IND = "127.0.2.2"; - RWL_SPAMHAUS_WL_TRANS = "127.0.2.3"; - RWL_SPAMHAUS_WL_IND_EXP = "127.0.2.102"; - RWL_SPAMHAUS_WL_TRANS_EXP = "127.0.2.103"; + spamhaus_xbl { + symbol = "RECEIVED_SPAMHAUS_XBL"; + rbl = "xbl.spamhaus.org"; + ipv6 = true; + received = true; + from = false; } - } - mailspike_bl { - rbl = "bl.mailspike.net"; - returncodes { - RBL_MAILSPIKE_ZOMBIE = "127.0.0.2"; - RBL_MAILSPIKE_WORST = "127.0.0.10"; - RBL_MAILSPIKE_VERYBAD = "127.0.0.11"; - RBL_MAILSPIKE_BAD = "127.0.0.12"; - } - } + spamhaus_swl { + symbol = "RWL_SPAMHAUS_WL"; + rbl = "swl.spamhaus.org"; + ipv6 = true; + is_whitelist = true; + returncodes { + RWL_SPAMHAUS_WL_IND = "127.0.2.2"; + RWL_SPAMHAUS_WL_TRANS = "127.0.2.3"; + RWL_SPAMHAUS_WL_IND_EXP = "127.0.2.102"; + RWL_SPAMHAUS_WL_TRANS_EXP = "127.0.2.103"; + } + } - mailspike_wl { - rbl = "wl.mailspike.net"; - is_whitelist = true; - returncodes { - RWL_MAILSPIKE_POSSIBLE = "127.0.0.17"; - RWL_MAILSPIKE_GOOD = "127.0.0.18"; - RWL_MAILSPIKE_VERYGOOD = "127.0.0.19"; - RWL_MAILSPIKE_EXCELLENT = "127.0.0.20"; - } - } - - senderscore { - symbol = "RBL_SENDERSCORE"; - rbl = "bl.score.senderscore.com"; - } - - abusech { - symbol = "RBL_ABUSECH"; - rbl = "spam.abuse.ch"; - } - - uceprotect1 { - symbol = "RBL_UCEPROTECT_LEVEL1"; - rbl = "dnsbl-1.uceprotect.net"; - } - - sorbs { - symbol = "RBL_SORBS"; - rbl = "dnsbl.sorbs.net"; - returncodes { - #http://www.sorbs.net/general/using.shtml - RBL_SORBS_HTTP = "127.0.0.2" - RBL_SORBS_SOCKS = "127.0.0.3" - RBL_SORBS_MISC = "127.0.0.4" - RBL_SORBS_SMTP = "127.0.0.5" - RBL_SORBS_RECENT = "127.0.0.6" - RBL_SORBS_WEB = "127.0.0.7" - RBL_SORBS_DUL = "127.0.0.10" - RBL_SORBS_BLOCK = "127.0.0.8" - RBL_SORBS_ZOMBIE = "127.0.0.9" - } - } - - sem { - symbol = "RBL_SEM"; - rbl = "bl.spameatingmonkey.net"; - } - - semIPv6 { - symbol = "RBL_SEM_IPV6"; - rbl = "bl.ipv6.spameatingmonkey.net"; - ipv4 = false; - ipv6 = true; - } + mailspike_bl { + rbl = "bl.mailspike.net"; + returncodes { + RBL_MAILSPIKE_ZOMBIE = "127.0.0.2"; + RBL_MAILSPIKE_WORST = "127.0.0.10"; + RBL_MAILSPIKE_VERYBAD = "127.0.0.11"; + RBL_MAILSPIKE_BAD = "127.0.0.12"; + } + } - dnswl { - symbol = "RCVD_IN_DNSWL"; - rbl = "list.dnswl.org"; - ipv6 = true; - is_whitelist = true; - returncodes { - RCVD_IN_DNSWL_NONE = "127.0.%d+.0"; - RCVD_IN_DNSWL_LOW = "127.0.%d+.1"; - RCVD_IN_DNSWL_MED = "127.0.%d+.2"; - RCVD_IN_DNSWL_HI = "127.0.%d+.3"; - DNSWL_BLOCKED = "127.0.0.255"; + mailspike_wl { + rbl = "wl.mailspike.net"; + is_whitelist = true; + returncodes { + RWL_MAILSPIKE_POSSIBLE = "127.0.0.17"; + RWL_MAILSPIKE_GOOD = "127.0.0.18"; + RWL_MAILSPIKE_VERYGOOD = "127.0.0.19"; + RWL_MAILSPIKE_EXCELLENT = "127.0.0.20"; + } } - } - rambleremails { - symbol = RAMBLER_EMAILBL; - rbl = email-bl.rambler.ru; - from = false; - emails = true; - exclude_users = false; - exclude_private_ips = false; - exclude_local = false; - ignore_whitelists = true; - } + senderscore { + symbol = "RBL_SENDERSCORE"; + rbl = "bl.score.senderscore.com"; + } + + abusech { + symbol = "RBL_ABUSECH"; + rbl = "spam.abuse.ch"; + } + + uceprotect1 { + symbol = "RBL_UCEPROTECT_LEVEL1"; + rbl = "dnsbl-1.uceprotect.net"; + } + + sorbs { + symbol = "RBL_SORBS"; + rbl = "dnsbl.sorbs.net"; + returncodes { + # http:// www.sorbs.net/general/using.shtml + RBL_SORBS_HTTP = "127.0.0.2"; + RBL_SORBS_SOCKS = "127.0.0.3"; + RBL_SORBS_MISC = "127.0.0.4"; + RBL_SORBS_SMTP = "127.0.0.5"; + RBL_SORBS_RECENT = "127.0.0.6"; + RBL_SORBS_WEB = "127.0.0.7"; + RBL_SORBS_DUL = "127.0.0.10"; + RBL_SORBS_BLOCK = "127.0.0.8"; + RBL_SORBS_ZOMBIE = "127.0.0.9"; + } + } + + sem { + symbol = "RBL_SEM"; + rbl = "bl.spameatingmonkey.net"; + } - } + semIPv6 { + symbol = "RBL_SEM_IPV6"; + rbl = "bl.ipv6.spameatingmonkey.net"; + ipv4 = false; + ipv6 = true; + } + + dnswl { + symbol = "RCVD_IN_DNSWL"; + rbl = "list.dnswl.org"; + ipv6 = true; + is_whitelist = true; + returncodes { + RCVD_IN_DNSWL_NONE = "127.0.%d+.0"; + RCVD_IN_DNSWL_LOW = "127.0.%d+.1"; + RCVD_IN_DNSWL_MED = "127.0.%d+.2"; + RCVD_IN_DNSWL_HI = "127.0.%d+.3"; + DNSWL_BLOCKED = "127.0.0.255"; + } + } + + rambleremails { + symbol = RAMBLER_EMAILBL; + rbl = "email-bl.rambler.ru"; + from = false; + emails = true; + exclude_users = false; + exclude_private_ips = false; + exclude_local = false; + ignore_whitelists = true; + } + + } } chartable { threshold = 0.300000; symbol = "R_MIXED_CHARSET"; } + once_received { good_host = "mail"; bad_host = "static"; @@ -252,12 +268,15 @@ once_received { phishing { symbol = "PHISHING"; } + #emails { #} + spf { spf_cache_size = 2k; spf_cache_expire = 1d; } + dkim { dkim_cache_size = 2k; dkim_cache_expire = 1d; @@ -282,12 +301,12 @@ regexp { } ip_score { -# servers = "localhost"; -# treshold = 100; -# reject_score = 3; -# no_action_score = -2; -# add_header_score = 1; -# whitelist = "file:///ip_map"; +# servers = "localhost"; +# treshold = 100; +# reject_score = 3; +# no_action_score = -2; +# add_header_score = 1; +# whitelist = "file:///ip_map"; } hfilter { -- 2.39.5