# Metrics settings
# Please don't modify this file as your changes might be overwritten with
# the next update.
#
# You can modify '$LOCAL_CONFDIR/rspamd.conf.local.override' to redefine
# parameters defined on the top level
#
# You can modify '$LOCAL_CONFDIR/rspamd.conf.local' to add
# parameters defined on the top level
#
# For specific modules or configuration you can also modify
# '$LOCAL_CONFDIR/local.d/file.conf' - to add your options or rewrite defaults
# '$LOCAL_CONFDIR/override.d/file.conf' - to override the defaults
#
# See https://rspamd.com/doc/tutorials/writing_rules.html for details

metric {
    # The single metric defined by this file; every group below belongs to it.
    name = "default";

    # When this parameter is non-zero the metric accepts all symbols,
    # including ones that are not declared in this file.
    # unknown_weight = 1.0

    # Score thresholds, listed from the most to the least severe action.
    # A message's score is the sum of the weights of the symbols it matched;
    # negative weights (e.g. BAYES_HAM, R_SPF_ALLOW) pull the score down.
    # NOTE(review): these three numbers decide what is rejected outright, so
    # any local.d/override.d change to them deserves the same review as a
    # firewall rule change.
    actions {
        reject = 15;
        add_header = 6;
        greylist = 4;
    }

# Header-structure heuristics: missing or malformed headers, needless
# encodings, forged Received/Message-ID patterns and recipient-list shapes.
# Symbols with weight 0.0 (the *_MAILLIST variants) are recorded without
# changing the score; MAILLIST itself is slightly negative.
# NOTE(review): FORGED_SENDER (From: vs. MAIL FROM mismatch) is only 0.30
# here, so sender-spoofing decisions rest mostly on the spf, dkim and dmarc
# groups rather than on this group.
group "header" {
    symbol "MISSING_SUBJECT" {
        weight = 2.0;
        description = "Subject is missing inside message";
    }
    symbol "FORGED_OUTLOOK_TAGS" {
        weight = 2.100000;
        description = "Message pretends to be send from Outlook but has 'strange' tags ";
    }
    symbol "FORGED_SENDER" {
        weight = 0.30;
        description = "Sender is forged (different From: header and smtp MAIL FROM: addresses)";
    }
    symbol "SUSPICIOUS_RECIPS" {
        weight = 1.500000;
        description = "Recipients seems to be autogenerated (works if recipients count is more than 5)";
    }
    symbol "MIME_HTML_ONLY" {
        weight = 0.2;
        description = "Messages that have only HTML part";
    }
    symbol "FORGED_MSGID_YAHOO" {
        weight = 2.0;
        description = "Forged yahoo msgid";
    }
    symbol "FORGED_MUA_THEBAT_BOUN" {
        weight = 2.0;
        description = "Forged The Bat! MUA headers";
    }
    symbol "R_MISSING_CHARSET" {
        weight = 2.5;
        description = "Charset is missing in a message";
    }
    symbol "RCVD_DOUBLE_IP_SPAM" {
        weight = 2.0;
        description = "Two received headers with ip addresses";
    }
    symbol "FORGED_OUTLOOK_HTML" {
        weight = 5.0;
        description = "Forged outlook HTML signature";
    }
    symbol "R_UNDISC_RCPT" {
        weight = 3.0;
        description = "Recipients are absent or undisclosed";
    }
    symbol "FM_FAKE_HELO_VERIZON" {
        weight = 2.0;
        description = "Fake helo for verizon provider";
    }
    symbol "REPTO_QUOTE_YAHOO" {
        weight = 2.0;
        description = "Quoted reply-to from yahoo (seems to be forged)";
    }
    symbol "MISSING_MIMEOLE" {
        weight = 5.0;
        description = "Mime-OLE is needed but absent (e.g. fake Outlook or fake Exchange)";
    }
    symbol "MISSING_TO" {
        weight = 2.0;
        description = "To header is missing";
    }

    # Needless base64 / quoted-printable encoding of address headers whose
    # content is plain 7bit.
    symbol "FROM_EXCESS_BASE64" {
        weight = 1.5;
        description = "From that contains encoded characters while base 64 is not needed as all symbols are 7bit";
    }
    symbol "FROM_EXCESS_QP" {
        weight = 1.2;
        description = "From that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";
    }
    symbol "TO_EXCESS_BASE64" {
        weight = 1.5;
        description = "To that contains encoded characters while base 64 is not needed as all symbols are 7bit";
    }
    symbol "TO_EXCESS_QP" {
        weight = 1.2;
        description = "To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";
    }
    symbol "REPLYTO_EXCESS_BASE64" {
        weight = 1.5;
        description = "Reply-To that contains encoded characters while base 64 is not needed as all symbols are 7bit";
    }
    symbol "REPLYTO_EXCESS_QP" {
        weight = 1.2;
        description = "Reply-To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";
    }
    symbol "CC_EXCESS_BASE64" {
        weight = 1.5;
        description = "Cc that contains encoded characters while base 64 is not needed as all symbols are 7bit";
    }
    symbol "CC_EXCESS_QP" {
        weight = 1.2;
        description = "Cc that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";
    }

    symbol "R_MIXED_CHARSET" {
        weight = 5.0;
        description = "Mixed characters in a message";
    }
    symbol "SORTED_RECIPS" {
        weight = 3.500000;
        description = "Recipients list seems to be sorted";
    }
    symbol "R_RCVD_SPAMBOTS" {
        weight = 3.0;
        description = "Spambots signatures in received headers";
    }
    symbol "SUBJECT_NEEDS_ENCODING" {
        weight = 1.0;
        description = "Subject needs encoding";
    }
    symbol "TRACKER_ID" {
        weight = 3.84;
        description = "Spam string at the end of message to make statistics faults 0";
    }
    symbol "R_NO_SPACE_IN_FROM" {
        weight = 1.0;
        description = "No space in from header";
    }
    symbol "R_SAJDING" {
        weight = 8.0;
        description = "Subject seems to be spam";
    }
    symbol "R_BAD_CTE_7BIT" {
        weight = 3.0;
        description = "Detects bad content-transfer-encoding for text parts";
    }
    # Highest weight in this group (10.0).
    symbol "R_FLASH_REDIR_IMGSHACK" {
        weight = 10.0;
        description = "Flash redirect on imageshack.us";
    }
    symbol "INVALID_MSGID" {
        weight = 1.7;
        description = "Message id is incorrect";
    }
    symbol "MISSING_MID" {
        weight = 2.5;
        description = "Message id is missing ";
    }

    # Envelope vs. header mismatches; the *_MAILLIST variants are scored 0.0.
    symbol "FORGED_RECIPIENTS" {
        weight = 2.0;
        description = "Recipients are not the same as RCPT TO: mail command";
    }
    symbol "FORGED_RECIPIENTS_MAILLIST" {
        weight = 0.0;
        description = "Recipients are not the same as RCPT TO: mail command, but a message from a maillist";
    }
    symbol "FORGED_SENDER_MAILLIST" {
        weight = 0.0;
        description = "Sender is not the same as MAIL FROM: envelope, but a message is from a maillist";
    }
    symbol "RATWARE_MS_HASH" {
        weight = 2.0;
        description = "Forged Exchange messages";
    }
    symbol "STOX_REPLY_TYPE" {
        weight = 1.0;
        description = "Reply-type in content-type";
    }
    symbol "ONCE_RECEIVED" {
        weight = 0.1;
        description = "One received header in a message";
    }
    symbol "RDNS_NONE" {
        weight = 1.0;
        description = "Cannot resolve reverse DNS for sender's IP";
    }
    symbol "ONCE_RECEIVED_STRICT" {
        weight = 4.0;
        description = "One received header with 'bad' patterns inside";
    }
    symbol "MIME_HEADER_CTYPE_ONLY" {
        weight = 2.0;
        description = "Only Content-Type header without other MIME headers";
    }
    # The only negative weight in this group.
    symbol "MAILLIST" {
        weight = -0.2;
        description = "Message seems to be from maillist";
    }

    # Header name followed by a tab instead of the usual delimiter.
    symbol "HEADER_FROM_DELIMITER_TAB" {
        weight = 1.0;
        description = "Header From begins with tab";
    }
    symbol "HEADER_TO_DELIMITER_TAB" {
        weight = 1.0;
        description = "Header To begins with tab";
    }
    symbol "HEADER_CC_DELIMITER_TAB" {
        weight = 1.0;
        description = "Header Cc begins with tab";
    }
    symbol "HEADER_REPLYTO_DELIMITER_TAB" {
        weight = 1.0;
        description = "Header Reply-To begins with tab";
    }
    symbol "HEADER_DATE_DELIMITER_TAB" {
        weight = 1.0;
        description = "Header Date begins with tab";
    }

    # Header name followed directly by its value, with no delimiter at all.
    symbol "HEADER_FROM_EMPTY_DELIMITER" {
        weight = 1.0;
        description = "Header From has no delimiter between header name and header value";
    }
    symbol "HEADER_TO_EMPTY_DELIMITER" {
        weight = 1.0;
        description = "Header To has no delimiter between header name and header value";
    }
    symbol "HEADER_CC_EMPTY_DELIMITER" {
        weight = 1.0;
        description = "Header Cc has no delimiter between header name and header value";
    }
    symbol "HEADER_REPLYTO_EMPTY_DELIMITER" {
        weight = 1.0;
        description = "Header Reply-To has no delimiter between header name and header value";
    }
    symbol "HEADER_DATE_EMPTY_DELIMITER" {
        weight = 1.0;
        description = "Header Date has no delimiter between header name and header value";
    }

    # Received-header forgery patterns.
    symbol "RCVD_ILLEGAL_CHARS" {
        weight = 4.0;
        description = "Header Received has raw illegal character";
    }
    symbol "FAKE_RECEIVED_mail_ru" {
        weight = 4.0;
        description = "Fake helo mail.ru in header Received from non mail.ru sender address";
    }
    symbol "FAKE_RECEIVED_smtp_yandex_ru" {
        weight = 4.0;
        description = "Fake smtp.yandex.ru Received";
    }
    symbol "FORGED_GENERIC_RECEIVED" {
        weight = 3.6;
        description = "Forged generic Received";
    }
    symbol "FORGED_GENERIC_RECEIVED2" {
        weight = 3.6;
        description = "Forged generic Received";
    }
    symbol "FORGED_GENERIC_RECEIVED3" {
        weight = 3.6;
        description = "Forged generic Received";
    }
    symbol "FORGED_GENERIC_RECEIVED4" {
        weight = 3.6;
        description = "Forged generic Received";
    }
    symbol "FORGED_GENERIC_RECEIVED5" {
        weight = 4.6;
        description = "Forged generic Received";
    }
    symbol "INVALID_POSTFIX_RECEIVED" {
        weight = 3.0;
        description = "Invalid Postfix Received";
    }
}

# Subject-line heuristics.
# max_score limits how much this group as a whole can add to a message's
# score: two of the symbols below are 6.0 each, but together the group is
# capped at 6.0, i.e. exactly the add_header threshold set in `actions`.
group "subject" {
    max_score = 6.0;

    symbol "FAKE_REPLY_C" {
        weight = 6.0;
        description = "Fake reply (has RE in subject, but has not References header)";
    }
    symbol "LONG_SUBJ" {
        weight = 6.0;
        description = "Subject is too long";
    }
    symbol "SUBJ_ALL_CAPS" {
        weight = 3.0;
        description = "No lower case letters in subject";
    }
}

# Mail-user-agent consistency checks: the message claims a given client but
# its Message-ID does not look like that client's.  For several clients there
# is a pair of symbols, the *_UNKNOWN one carrying the lower weight.
# FORGED_MUA_MAILLIST is scored 0.0; per its description it exists to avoid
# false positives on mailing-list traffic.
group "mua" {
    symbol "FORGED_MUA_THEBAT_MSGID" {
        weight = 4.0;
        description = "Message pretends to be send from The Bat! but has forged Message-ID";
    }
    symbol "FORGED_MUA_THEBAT_MSGID_UNKNOWN" {
        weight = 3.0;
        description = "Message pretends to be send from The Bat! but has forged Message-ID";
    }
    symbol "FORGED_MUA_KMAIL_MSGID" {
        weight = 3.0;
        description = "Message pretends to be send from KMail but has forged Message-ID";
    }
    symbol "FORGED_MUA_KMAIL_MSGID_UNKNOWN" {
        weight = 2.5;
        description = "Message pretends to be send from KMail but has forged Message-ID";
    }
    symbol "FORGED_MUA_OPERA_MSGID" {
        weight = 4.0;
        description = "Message pretends to be send from Opera Mail but has forged Message-ID";
    }
    symbol "SUSPICIOUS_OPERA_10W_MSGID" {
        weight = 4.0;
        description = "Message pretends to be send from suspicious Opera Mail/10.x (Windows) but has forged Message-ID, apparently from KMail";
    }
    symbol "FORGED_MUA_MOZILLA_MAIL_MSGID" {
        weight = 4.0;
        description = "Message pretends to be send from Mozilla Mail but has forged Message-ID";
    }
    symbol "FORGED_MUA_MOZILLA_MAIL_MSGID_UNKNOWN" {
        weight = 2.5;
        description = "Message pretends to be send from Mozilla Mail but has forged Message-ID";
    }
    symbol "FORGED_MUA_THUNDERBIRD_MSGID" {
        weight = 4.0;
        description = "Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID";
    }
    symbol "FORGED_MUA_THUNDERBIRD_MSGID_UNKNOWN" {
        weight = 2.5;
        description = "Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID";
    }
    symbol "FORGED_MUA_SEAMONKEY_MSGID" {
        weight = 4.0;
        description = "Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID";
    }
    symbol "FORGED_MUA_SEAMONKEY_MSGID_UNKNOWN" {
        weight = 2.5;
        description = "Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID";
    }
    symbol "FORGED_MUA_OUTLOOK" {
        weight = 3.0;
        description = "Forged outlook MUA";
    }
    symbol "FORGED_MUA_MAILLIST" {
        weight = 0.0;
        description = "Avoid false positives for FORGED_MUA_* in maillist";
    }
}

# Body and MIME-structure heuristics: hidden text, image-only HTML,
# suspicious multipart boundaries and content patterns.
# NOTE(review): five DRUGS_* symbols ship with an empty description, so the
# symbol name is the only explanation an operator sees for them in reports.
group "body" {
    symbol "R_WHITE_ON_WHITE" {
        weight = 9.0;
        description = "White color on white background in HTML messages";
    }
    symbol "HTML_SHORT_LINK_IMG_1" {
        weight = 3.0;
        description = "Short html part with a link to an image";
    }
    symbol "HTML_SHORT_LINK_IMG_2" {
        weight = 1.0;
        description = "Short html part with a link to an image";
    }
    symbol "HTML_SHORT_LINK_IMG_3" {
        weight = 0.5;
        description = "Short html part with a link to an image";
    }
    symbol "SUSPICIOUS_BOUNDARY" {
        weight = 5.0;
        description = "Suspicious boundary in header Content-Type";
    }
    symbol "SUSPICIOUS_BOUNDARY2" {
        weight = 4.0;
        description = "Suspicious boundary in header Content-Type";
    }
    symbol "SUSPICIOUS_BOUNDARY3" {
        weight = 3.0;
        description = "Suspicious boundary in header Content-Type";
    }
    symbol "SUSPICIOUS_BOUNDARY4" {
        weight = 4.0;
        description = "Suspicious boundary in header Content-Type";
    }
    symbol "R_PARTS_DIFFER" {
        weight = 1.0;
        description = "Text and HTML parts differ";
    }

    symbol "R_EMPTY_IMAGE" {
        weight = 2.0;
        description = "Message contains empty parts and image";
    }
    symbol "DRUGS_MANYKINDS" {
        weight = 2.0;
        description = "Drugs patterns inside message";
    }
    symbol "DRUGS_ANXIETY" {
        weight = 2.0;
        description = "";
    }
    symbol "DRUGS_MUSCLE" {
        weight = 2.0;
        description = "";
    }
    symbol "DRUGS_ANXIETY_EREC" {
        weight = 2.0;
        description = "";
    }
    symbol "DRUGS_DIET" {
        weight = 2.0;
        description = "";
    }
    symbol "DRUGS_ERECTILE" {
        weight = 2.0;
        description = "";
    }
    # Note the values as shipped: the 2-pattern symbol (3.3) weighs more than
    # the 3-pattern one (2.12).
    symbol "ADVANCE_FEE_2" {
        weight = 3.300000;
        description = "2 'advance fee' patterns in a message";
    }
    symbol "ADVANCE_FEE_3" {
        weight = 2.120000;
        description = "3 'advance fee' patterns in a message";
    }
    symbol "R_LOTTO" {
        weight = 8.0;
        description = "Lotto signatures";
    }
}

# DNS block/allow-list results for sender and relay IP addresses.
# Every allow-list symbol here (RCVD_IN_DNSWL_*, RWL_*) is 0.0, so a listing
# is recorded but does not lower the score by default.
# Symbols described as "Unrecognised result" or "blocked" are also 0.0.
# NOTE(review): DNSWL_BLOCKED means the list operator is refusing this
# resolver's queries; while it fires, that list presumably contributes
# nothing to scoring.  Worth alerting on in logs rather than ignoring.
group "rbl" {
    # dnswl.org allow list
    symbol "DNSWL_BLOCKED" {
        weight = 0.0;
        description = "Resolver blocked due to excessive queries";
    }
    symbol "RCVD_IN_DNSWL" {
        weight = 0.0;
        description = "Unrecognised result from dnswl.org";
    }
    symbol "RCVD_IN_DNSWL_NONE" {
        weight = 0.0;
        description = "Sender listed at http://www.dnswl.org, low none";
    }
    symbol "RCVD_IN_DNSWL_LOW" {
        weight = 0.0;
        description = "Sender listed at http://www.dnswl.org, low trust";
    }
    symbol "RCVD_IN_DNSWL_MED" {
        weight = 0.0;
        description = "Sender listed at http://www.dnswl.org, medium trust";
    }
    symbol "RCVD_IN_DNSWL_HI" {
        weight = 0.0;
        description = "Sender listed at http://www.dnswl.org, high trust";
    }

    # Spamhaus zen block list
    symbol "RBL_SPAMHAUS" {
        weight = 0.0;
        description = "Unrecognised result from Spamhaus zen";
    }
    symbol "RBL_SPAMHAUS_SBL" {
        weight = 2.0;
        description = "From address is listed in zen sbl";
    }
    symbol "RBL_SPAMHAUS_CSS" {
        weight = 2.0;
        description = "From address is listed in zen css";
    }
    symbol "RBL_SPAMHAUS_XBL" {
        weight = 4.0;
        description = "From address is listed in zen xbl";
    }
    symbol "RBL_SPAMHAUS_XBL1" {
        weight = 4.0;
        description = "From address is listed in zen xbl (obsoleted/reserved)";
    }
    symbol "RBL_SPAMHAUS_XBL2" {
        weight = 4.0;
        description = "From address is listed in zen xbl (obsoleted/reserved)";
    }
    symbol "RBL_SPAMHAUS_XBL3" {
        weight = 4.0;
        description = "From address is listed in zen xbl (reserved)";
    }
    symbol "RBL_SPAMHAUS_XBL_ANY" {
        weight = 4.0;
        description = "From or receive address is listed in zen xbl (any list)";
    }
    symbol "RBL_SPAMHAUS_PBL" {
        weight = 2.0;
        description = "From address is listed in zen pbl (ISP list)";
    }
    symbol "RBL_SPAMHAUS_PBL1" {
        weight = 2.0;
        description = "From address is listed in zen pbl (Spamhaus list)";
    }
    # one_shot: the weight is applied once per message even if several
    # Received addresses are listed.
    symbol "RECEIVED_SPAMHAUS_XBL" {
        weight = 3.0;
        description = "Received address is listed in zen xbl";
        one_shot = true;
    }

    # Spamhaus allow list
    symbol "RWL_SPAMHAUS_WL" {
        weight = 0.0;
        description = "Unrecognised result from Spamhaus whitelist";
    }
    symbol "RWL_SPAMHAUS_WL_IND" {
        weight = 0.0;
        description = "Sender listed at Spamhaus whitelist";
    }
    symbol "RWL_SPAMHAUS_WL_TRANS" {
        weight = 0.0;
        description = "Sender listed at Spamhaus whitelist";
    }
    symbol "RWL_SPAMHAUS_WL_IND_EXP" {
        weight = 0.0;
        description = "Sender listed at Spamhaus whitelist";
    }
    symbol "RWL_SPAMHAUS_WL_TRANS_EXP" {
        weight = 0.0;
        description = "Sender listed at Spamhaus whitelist";
    }

    # Other block lists
    symbol "RBL_SENDERSCORE" {
        weight = 2.0;
        description = "From address is listed in senderscore.com BL";
    }
    symbol "RBL_ABUSECH" {
        weight = 1.0;
        description = "From address is listed in ABUSE.CH BL";
    }
    symbol "RBL_UCEPROTECT_LEVEL1" {
        weight = 1.0;
        description = "From address is listed in UCEPROTECT LEVEL1 BL";
    }

    # Mailspike block and allow lists
    symbol "RBL_MAILSPIKE" {
        weight = 0.0;
        description = "Unrecognised result from Mailspike blacklist";
    }
    symbol "RWL_MAILSPIKE" {
        weight = 0.0;
        description = "Unrecognised result from Mailspike whitelist";
    }
    symbol "RBL_MAILSPIKE_ZOMBIE" {
        weight = 2.0;
        description = "From address is listed in RBL";
    }
    symbol "RBL_MAILSPIKE_WORST" {
        weight = 2.0;
        description = "From address is listed in RBL";
    }
    symbol "RBL_MAILSPIKE_VERYBAD" {
        weight = 1.5;
        description = "From address is listed in RBL";
    }
    symbol "RBL_MAILSPIKE_BAD" {
        weight = 1.0;
        description = "From address is listed in RBL";
    }
    symbol "RWL_MAILSPIKE_POSSIBLE" {
        weight = 0.0;
        description = "From address is listed in RWL";
    }
    symbol "RWL_MAILSPIKE_GOOD" {
        weight = 0.0;
        description = "From address is listed in RWL";
    }
    symbol "RWL_MAILSPIKE_VERYGOOD" {
        weight = 0.0;
        description = "From address is listed in RWL";
    }
    symbol "RWL_MAILSPIKE_EXCELLENT" {
        weight = 0.0;
        description = "From address is listed in RWL";
    }

    # SORBS block list
    symbol "RBL_SORBS" {
        weight = 0.0;
        description = "Unrecognised result from SORBS RBL";
    }
    symbol "RBL_SORBS_HTTP" {
        weight = 2.5;
        description = "List of Open HTTP Proxy Servers.";
    }
    symbol "RBL_SORBS_SOCKS" {
        weight = 2.5;
        description = "List of Open SOCKS Proxy Servers.";
    }
    symbol "RBL_SORBS_MISC" {
        weight = 1.0;
        description = "List of open Proxy Servers not listed in the SOCKS or HTTP lists.";
    }
    symbol "RBL_SORBS_SMTP" {
        weight = 3.0;
        description = "List of Open SMTP relay servers.";
    }
    symbol "RBL_SORBS_RECENT" {
        weight = 1.5;
        description = "List of hosts that have been noted as sending spam/UCE/UBE to the admins of SORBS within the last 28 days (includes new.spam.dnsbl.sorbs.net).";
    }
    symbol "RBL_SORBS_WEB" {
        weight = 0.4;
        description = "List of web (WWW) servers which have spammer abusable vulnerabilities (e.g. FormMail scripts)";
    }
    symbol "RBL_SORBS_DUL" {
        weight = 2.0;
        description = "Dynamic IP Address ranges (NOT a Dial Up list!)";
    }
    symbol "RBL_SORBS_BLOCK" {
        weight = 1.0;
        description = "List of hosts demanding that they never be tested by SORBS.";
    }
    symbol "RBL_SORBS_ZOMBIE" {
        weight = 1.0;
        description = "List of networks hijacked from their original owners, some of which have already used for spamming.";
    }

    # Spameatingmonkey block lists
    symbol "RBL_SEM" {
        weight = 1.0;
        description = "Address is listed in Spameatingmonkey RBL";
    }

    symbol "RBL_SEM_IPV6" {
        weight = 1.0;
        description = "Address is listed in Spameatingmonkey RBL (ipv6)";
    }
}

# Statistical classifier verdicts.  BAYES_HAM is negative and therefore
# offsets other symbols.
# Both descriptions end in "probability: " with a trailing space; presumably
# the classifier appends the value at runtime - confirm before trimming it.
# NOTE(review): a -3.0 / +4.0 swing depends on the quality of the training
# data, so who is allowed to train the classifier matters as much as these
# weights do.
group "bayes" {

    symbol "BAYES_SPAM" {
        weight = 4.0;
        description = "Message probably spam, probability: ";
    }
    symbol "BAYES_HAM" {
        weight = -3.0;
        description = "Message probably ham, probability: ";
    }
}

# Fuzzy-hash storage matches.
# FUZZY_DENIED alone (12.0) is close to the reject threshold of 15 set in
# `actions`, so a single additional symbol of weight 3.0 or more is enough
# to reject.  FUZZY_WHITE is negative.
# NOTE(review): because of these magnitudes, write access to the fuzzy
# storage has a direct effect on what gets rejected or let through.
group "fuzzy" {
    symbol "FUZZY_UNKNOWN" {
        weight = 5.0;
        description = "Generic fuzzy hash match";
    }
    symbol "FUZZY_DENIED" {
        weight = 12.0;
        description = "Denied fuzzy hash";
    }
    symbol "FUZZY_PROB" {
        weight = 5.0;
        description = "Probable fuzzy hash";
    }
    symbol "FUZZY_WHITE" {
        weight = -2.1;
        description = "Whitelisted fuzzy hash";
    }
}

# SPF results.
# As shipped, a hard fail adds only 1.0 and soft-fail / neutral add nothing,
# while a pass subtracts 1.5.  Compared with the add_header threshold of 6,
# an SPF failure on its own never changes the action taken.
# NOTE(review): sites that want SPF failures to carry more weight have to
# raise these values in local.d/override.d; do not assume the defaults
# enforce the sender's published policy.
group "spf" {
    symbol "R_SPF_FAIL" {
        weight = 1.0;
        description = "SPF verification failed";
    }
    symbol "R_SPF_SOFTFAIL" {
        weight = 0.0;
        description = "SPF verification soft-failed";
    }
    symbol "R_SPF_NEUTRAL" {
        weight = 0.0;
        description = "SPF policy is neutral";
    }
    symbol "R_SPF_ALLOW" {
        weight = -1.5;
        description = "SPF verification alowed";
    }
}

# DKIM results.
# A failed signature adds 1.0, a temporary failure adds nothing, and a valid
# signature subtracts 1.1.  one_shot on R_DKIM_ALLOW means that bonus is
# applied once per message, however many signatures verify.
# NOTE(review): presumably R_DKIM_ALLOW fires for any valid signature, not
# only one whose signing domain matches the From: domain - confirm.  Domain
# alignment is what the dmarc group expresses.
group "dkim" {
    symbol "R_DKIM_REJECT" {
        weight = 1.0;
        description = "DKIM verification failed";
    }
    symbol "R_DKIM_TEMPFAIL" {
        weight = 0.0;
        description = "DKIM verification soft-failed";
    }
    symbol "R_DKIM_ALLOW" {
        weight = -1.1;
        description = "DKIM verification succeed";
        one_shot = true;
    }
}

# URL / domain block-list results (SURBL, Spameatingmonkey, Spamhaus DBL and
# SBL, uribl.com, rambler.ru).
# The *_BLOCKED, *_PROHIBIT, *_UNKNOWN and "unrecognised result" symbols are
# all 0.0: they record that a list did not give a usable answer.
# NOTE(review): SURBL_BLOCKED, URIBL_BLOCKED and DBL_PROHIBIT indicate the
# list is refusing or rejecting this host's queries, so the corresponding
# phishing/malware symbols presumably cannot fire while that lasts.  Monitor
# for them instead of treating weight 0.0 as "harmless".
group "surbl" {
    symbol "SURBL_BLOCKED" {
        weight = 0.0;
        description = "SURBL: blocked by policy/overusage";
    }
    symbol "PH_SURBL_MULTI" {
        weight = 5.5;
        description = "SURBL: Phishing sites";
    }
    symbol "MW_SURBL_MULTI" {
        weight = 5.5;
        description = "SURBL: Malware sites";
    }
    symbol "ABUSE_SURBL" {
        weight = 5.5;
        description = "SURBL: ABUSE";
    }
    symbol "CRACKED_SURBL" {
        weight = 4.0;
        description = "SURBL: cracked site";
    }
    symbol "WS_SURBL_MULTI" {
        weight = 5.5;
        description = "SURBL: sa-blacklist web sites ";
    }
    symbol "RAMBLER_URIBL" {
        weight = 4.5;
        description = "rambler.ru uribl";
    }

    symbol "SEM_URIBL_UNKNOWN" {
        weight = 0.0;
        description = "Spameatingmonkey uribl: unknown result";
    }
    symbol "SEM_URIBL" {
        weight = 3.5;
        description = "Spameatingmonkey uribl";
    }

    symbol "SEM_URIBL_FRESH15_UNKNOWN" {
        weight = 0.0;
        description = "Spameatingmonkey Fresh15 uribl: unknown result";
    }
    symbol "SEM_URIBL_FRESH15" {
        weight = 3.0;
        description = "Spameatingmonkey uribl. Domains registered in the last 15 days (.AERO,.BIZ,.COM,.INFO,.NAME,.NET,.PRO,.SK,.TEL,.US)";
    }

    # Spamhaus DBL
    symbol "DBL" {
        weight = 0.0;
        description = "DBL unknown result";
    }
    symbol "DBL_SPAM" {
        weight = 6.5;
        description = "DBL uribl spam";
    }
    symbol "DBL_PHISH" {
        weight = 6.5;
        description = "DBL uribl phishing";
    }
    symbol "DBL_MALWARE" {
        weight = 6.5;
        description = "DBL uribl malware";
    }
    symbol "DBL_BOTNET" {
        weight = 5.5;
        description = "DBL uribl botnet C&C domain";
    }
    symbol "DBL_ABUSE" {
        weight = 6.5;
        description = "DBL uribl abused legit spam";
    }
    symbol "DBL_ABUSE_REDIR" {
        weight = 1.5;
        description = "DBL uribl abused spammed redirector domain";
    }
    symbol "DBL_ABUSE_PHISH" {
        weight = 7.5;
        description = "DBL uribl abused legit phish";
    }
    symbol "DBL_ABUSE_MALWARE" {
        weight = 7.5;
        description = "DBL uribl abused legit malware";
    }
    symbol "DBL_ABUSE_BOTNET" {
        weight = 5.5;
        description = "DBL uribl abused legit botnet C&C";
    }
    symbol "DBL_PROHIBIT" {
        weight = 0.00000;
        description = "DBL uribl IP queries prohibited!";
    }

    # uribl.com
    symbol "URIBL_MULTI" {
        weight = 0.0;
        description = "uribl.com: unrecognised result";
    }
    symbol "URIBL_BLOCKED" {
        weight = 0.0;
        description = "uribl.com: query refused";
    }
    symbol "URIBL_BLACK" {
        weight = 7.5;
        description = "uribl.com black url";
    }
    symbol "URIBL_RED" {
        weight = 3.5;
        description = "uribl.com red url";
    }
    symbol "URIBL_GREY" {
        weight = 1.5;
        description = "uribl.com grey url";
    }
    # Highest weight in this group (9.5).
    symbol "RAMBLER_EMAILBL" {
        weight = 9.5;
        description = "rambler.ru emailbl";
    }

    # Spamhaus SBL applied to URLs
    symbol "SBL_URIBL" {
        weight = 0.0;
        description = "SBL URIBL: Filtered result";
    }
    symbol "URIBL_SBL" {
        weight = 6.5;
        description = "Spamhaus SBL URIBL";
    }
    symbol "URIBL_SBL_CSS" {
        weight = 6.5;
        description = "Spamhaus SBL CSS URIBL";
    }
}

# Phishing-URL detection.
# PHISHING is one_shot, so its 4.0 is added once per message regardless of
# how many URLs match.  PHISHED_OPENPHISH (7.0) exceeds the add_header
# threshold of 6 by itself but stays well below reject (15).
group "phishing" {
    symbol "PHISHING" {
        weight = 4.0;
        description = "Phished URL";
        one_shot = true;
    }
    symbol "PHISHED_OPENPHISH" {
        weight = 7.0;
        description = "Phished URL found in openphish.com";
    }
}

# Date-header checks.  A date in the future is weighted four times as
# heavily as a date in the past or a missing Date header.
group "date" {

    symbol "DATE_IN_FUTURE" {
        weight = 4.0;
        description = "Message date is in future";
    }
    symbol "DATE_IN_PAST" {
        weight = 1.0;
        description = "Message date is in past";
    }
    symbol "MISSING_DATE" {
        weight = 1.0;
        description = "Message date is missing";
    }
}

# Host-level filters on the HELO name, the connecting hostname, the From
# host and URL-only bodies.  HFILTER_HELO_1..5 and HFILTER_HOSTNAME_1..5 are
# graded tiers with weights rising from 0.5 to 3.00.
# HFILTER_FROM_BOUNCE is scored 0.00.
group "hfilter" {
    symbol "HFILTER_HELO_BAREIP" {
        weight = 3.00;
        description = "Helo host is bare ip";
    }
    symbol "HFILTER_HELO_BADIP" {
        weight = 4.50;
        description = "Helo host is very bad ip";
    }
    symbol "HFILTER_HELO_UNKNOWN" {
        weight = 2.00;
        description = "Helo host empty or unknown";
    }
    symbol "HFILTER_HELO_1" {
        weight = 0.5;
        description = "Helo host checks (very low)";
    }
    symbol "HFILTER_HELO_2" {
        weight = 1.00;
        description = "Helo host checks (low)";
    }
    symbol "HFILTER_HELO_3" {
        weight = 2.00;
        description = "Helo host checks (medium)";
    }
    symbol "HFILTER_HELO_4" {
        weight = 2.50;
        description = "Helo host checks (hard)";
    }
    symbol "HFILTER_HELO_5" {
        weight = 3.00;
        description = "Helo host checks (very hard)";
    }
    symbol "HFILTER_HOSTNAME_1" {
        weight = 0.5;
        description = "Hostname checks (very low)";
    }
    symbol "HFILTER_HOSTNAME_2" {
        weight = 1.00;
        description = "Hostname checks (low)";
    }
    symbol "HFILTER_HOSTNAME_3" {
        weight = 2.00;
        description = "Hostname checks (medium)";
    }
    symbol "HFILTER_HOSTNAME_4" {
        weight = 2.50;
        description = "Hostname checks (hard)";
    }
    symbol "HFILTER_HOSTNAME_5" {
        weight = 3.00;
        description = "Hostname checks (very hard)";
    }
    symbol "HFILTER_HELO_NORESOLVE_MX" {
        weight = 0.20;
        description = "MX found in Helo and no resolve";
    }
    symbol "HFILTER_HELO_NORES_A_OR_MX" {
        weight = 0.3;
        description = "Helo no resolve to A or MX";
    }
    symbol "HFILTER_HELO_IP_A" {
        weight = 1.00;
        description = "Helo A IP != hostname IP";
    }
    symbol "HFILTER_HELO_NOT_FQDN" {
        weight = 2.00;
        description = "Helo not FQDN";
    }
    symbol "HFILTER_FROMHOST_NORESOLVE_MX" {
        weight = 0.5;
        description = "MX found in FROM host and no resolve";
    }
    symbol "HFILTER_FROMHOST_NORES_A_OR_MX" {
        weight = 1.50;
        description = "FROM host no resolve to A or MX";
    }
    symbol "HFILTER_FROMHOST_NOT_FQDN" {
        weight = 3.00;
        description = "FROM host not FQDN";
    }
    symbol "HFILTER_FROM_BOUNCE" {
        weight = 0.00;
        description = "Bounce message";
    }
    # The three Message-ID host checks below are commented out, so they carry
    # no weight from this file.  They use the `symbol { name = ...; }` form
    # instead of `symbol "NAME" { ... }` used everywhere else.
    /*
    symbol {
        weight = 0.50;
        name = "HFILTER_MID_NORESOLVE_MX";
        description = "MX found in Message-id host and no resolve";
    }
    symbol {
        weight = 0.50;
        name = "HFILTER_MID_NORES_A_OR_MX";
        description = "Message-id host no resolve to A or MX";
    }
    symbol {
        weight = 0.50;
        name = "HFILTER_MID_NOT_FQDN";
        description = "Message-id host not FQDN";
    }
    */
    symbol "HFILTER_HOSTNAME_UNKNOWN" {
        weight = 2.50;
        description = "Unknown hostname (no PTR or no resolve PTR to hostname)";
    }
    symbol "HFILTER_RCPT_BOUNCEMOREONE" {
        weight = 1.50;
        description = "Message from bounce and over 1 recepient";
    }
    symbol "HFILTER_URL_ONLY" {
        weight = 1.50;
        description = "URL only in body";
    }
    symbol "HFILTER_URL_ONELINE" {
        weight = 2.20;
        description = "One line URL and text in body";
    }
}

# DMARC policy results.
# Even when the sending domain publishes a reject policy and the message
# fails, this file adds only 2.0 - far below the reject threshold of 15 in
# `actions`.  A quarantine-policy failure adds 1.5 and a pass subtracts 1.0.
# NOTE(review): with these defaults a DMARC failure influences the score but
# does not by itself enforce the domain owner's policy; enforcing it is a
# local decision to be made in local.d/override.d.
group "dmarc" {

    symbol "DMARC_POLICY_ALLOW" {
        weight = -1.0;
        description = "DMARC permit policy";
    }
    symbol "DMARC_POLICY_REJECT" {
        weight = 2.0;
        description = "DMARC reject policy";
    }
    symbol "DMARC_POLICY_QUARANTINE" {
        weight = 1.5;
        description = "DMARC quarantine policy";
    }
    symbol "DMARC_POLICY_SOFTFAIL" {
        weight = 0.1;
        description = "DMARC failed";
    }
}
# Content-type classification of message parts.  Every symbol is one_shot,
# so each weight is applied at most once per message even when several parts
# match.
# NOTE(review): MIME_BAD_ATTACHMENT adds 4.0, which equals the greylist
# threshold and is below add_header (6).  This scoring is not a substitute
# for attachment blocking or malware scanning.
group "mime_types" {
    symbol "MIME_GOOD" {
        weight = -0.1;
        description = "Known content-type";
        one_shot = true;
    }
    symbol "MIME_BAD" {
        weight = 1.0;
        description = "Known bad content-type";
        one_shot = true;
    }
    symbol "MIME_UNKNOWN" {
        weight = 0.1;
        description = "Missing or unknown content-type";
        one_shot = true;
    }
    symbol "MIME_BAD_ATTACHMENT" {
        weight = 4.0;
        description = "Invalid attachement mime type";
        one_shot = true;
    }
}
# URL obfuscation check.  The single symbol is one_shot and, at 6.0, reaches
# the add_header threshold from `actions` without any other symbol.
group "url" {
    symbol "R_SUSPICIOUS_URL" {
        weight = 6.0;
        description = "Obfusicated or suspicious URL has been found in a message";
        one_shot = true;
    }
}

# Site-local additions and overrides, pulled into the metric defined above.
# try=true: a missing file is not an error.
# local.d/metrics.conf is merged into these defaults at priority 1;
# override.d/metrics.conf is loaded at priority 10 and, per the header of
# this file, overrides the defaults.
# NOTE(review): both files can change any weight or action threshold in this
# metric.  Keep them writable only by the mail administrator and track them
# in change control; an unnoticed edit there silently changes what is
# rejected or delivered.
.include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/metrics.conf"
.include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/metrics.conf"
}