
Add basics of the new configuration.

tags/0.6.0
Vsevolod Stakhov 10 years ago
parent
commit
ac675792e2
8 changed files with 826 additions and 0 deletions
  1. 10
    0
      conf/composites.conf
  2. 7
    0
      conf/logging.conf
  3. 593
    0
      conf/metrics.conf
  4. 146
    0
      conf/modules.conf
  5. 14
    0
      conf/options.conf
  6. 17
    0
      conf/rspamd.conf
  7. 19
    0
      conf/statistic.conf
  8. 20
    0
      conf/workers.conf

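--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -0,0 +1,10 @@
+# Composites setup
+
+composite {
+name = "FORGED_RECIPIENTS_MAILLIST";
+expression = "FORGED_RECIPIENTS & -MAILLIST";
+}
+composite {
+name = "FORGED_MUA_OUTLOOK_MAILLIST";
+expression = "FORGED_MUA_OUTLOOK and MAILLIST";
+}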
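Review bot: The two composites treat `MAILLIST` differently without saying why: the first expression is `FORGED_RECIPIENTS & -MAILLIST`, the second is `FORGED_MUA_OUTLOOK and MAILLIST`, so they differ both in operator spelling and in the `-` prefix. If the prefix controls whether the matched symbol and its score are kept (the page does not show the semantics), the two rules will not neutralise forged-header scores for mailing-list traffic in the same way. I would settle on one operator spelling and put a short comment above the first rule stating what the `-` prefix does to `MAILLIST`.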

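--- a/conf/logging.conf
+++ b/conf/logging.conf
@@ -0,0 +1,7 @@
+# Logging setup
+
+logging {
+level = "info";
+type = "file";
+filename = "$LOGDIR/rspamd.log";
+}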

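--- a/conf/metrics.conf
+++ b/conf/metrics.conf
@@ -0,0 +1,593 @@
+# Metrics settings
+
+metric {
+name = "default";
+action = "reject:10";
+action = "greylist:4";
+action = "add_header:6";
+symbol {
+weight = 2.0;
+description = "Subject is missing inside message";
+name = "MISSING_SUBJECT";
+}
+symbol {
+weight = 2.100000;
+description = "Message pretends to be send from Outlook but has 'strange' tags ";
+name = "FORGED_OUTLOOK_TAGS";
+}
+symbol {
+weight = 5.0;
+description = "Sender is forged (different From: header and smtp MAIL FROM: addresses)";
+name = "FORGED_SENDER";
+}
+symbol {
+weight = 3.500000;
+description = "Recipients seems to be autogenerated (works if recipients count is more than 5)";
+name = "SUSPICIOUS_RECIPS";
+}
+symbol {
+weight = 6.0;
+description = "Fake reply (has RE in subject, but has not References header)";
+name = "FAKE_REPLY_C";
+}
+symbol {
+weight = 1.0;
+description = "Messages that have only HTML part";
+name = "MIME_HTML_ONLY";
+}
+symbol {
+weight = 2.0;
+description = "Forged yahoo msgid";
+name = "FORGED_MSGID_YAHOO";
+}
+symbol {
+weight = 2.0;
+description = "Forged The Bat! MUA headers";
+name = "FORGED_MUA_THEBAT_BOUN";
+}
+symbol {
+weight = 5.0;
+description = "Charset is missing in a message";
+name = "R_MISSING_CHARSET";
+}
+symbol {
+weight = 2.0;
+description = "Two received headers with ip addresses";
+name = "RCVD_DOUBLE_IP_SPAM";
+}
+symbol {
+weight = 5.0;
+description = "Forged outlook HTML signature";
+name = "FORGED_OUTLOOK_HTML";
+}
+symbol {
+weight = 5.0;
+description = "Recipients are absent or undisclosed";
+name = "R_UNDISC_RCPT";
+}
+symbol {
+weight = 9.0;
+description = "White color on white background in HTML messages";
+name = "R_WHITE_ON_WHITE";
+}
+symbol {
+weight = 3.0;
+description = "Short html part with a link to an image";
+name = "HTML_SHORT_LINK_IMG_2";
+}
+symbol {
+weight = 3.0;
+description = "Forged outlook MUA";
+name = "FORGED_MUA_OUTLOOK";
+}
+symbol {
+weight = 0.0;
+description = "Forged outlook MUA, but from maillist";
+name = "FORGED_MUA_OUTLOOK_MAILLIST";
+}
+symbol {
+weight = 5.0;
+description = "Suspicious boundary in header Content-Type";
+name = "SUSPICIOUS_BOUNDARY";
+}
+symbol {
+weight = 4.0;
+description = "Suspicious boundary in header Content-Type";
+name = "SUSPICIOUS_BOUNDARY2";
+}
+symbol {
+weight = 3.0;
+description = "Suspicious boundary in header Content-Type";
+name = "SUSPICIOUS_BOUNDARY3";
+}
+symbol {
+weight = 4.0;
+description = "Suspicious boundary in header Content-Type";
+name = "SUSPICIOUS_BOUNDARY4";
+}
+symbol {
+weight = 4.0;
+description = "Message pretends to be send from The Bat! but has forged Message-ID";
+name = "FORGED_MUA_THEBAT_MSGID";
+}
+symbol {
+weight = 3.0;
+description = "Message pretends to be send from The Bat! but has forged Message-ID";
+name = "FORGED_MUA_THEBAT_MSGID_UNKNOWN";
+}
+symbol {
+weight = 3.0;
+description = "Message pretends to be send from KMail but has forged Message-ID";
+name = "FORGED_MUA_KMAIL_MSGID";
+}
+symbol {
+weight = 2.500000;
+description = "Message pretends to be send from KMail but has forged Message-ID";
+name = "FORGED_MUA_KMAIL_MSGID_UNKNOWN";
+}
+symbol {
+weight = 4.0;
+description = "Message pretends to be send from Opera Mail but has forged Message-ID";
+name = "FORGED_MUA_OPERA_MSGID";
+}
+symbol {
+weight = 4.0;
+description = "Message pretends to be send from suspicious Opera Mail/10.x (Windows) but has forged Message-ID, apparently from KMail";
+name = "SUSPICIOUS_OPERA_10W_MSGID";
+}
+symbol {
+weight = 4.0;
+description = "Message pretends to be send from Mozilla Mail but has forged Message-ID";
+name = "FORGED_MUA_MOZILLA_MAIL_MSGID";
+}
+symbol {
+weight = 2.500000;
+description = "Message pretends to be send from Mozilla Mail but has forged Message-ID";
+name = "FORGED_MUA_MOZILLA_MAIL_MSGID_UNKNOWN";
+}
+symbol {
+weight = 4.0;
+description = "Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID";
+name = "FORGED_MUA_THUNDERBIRD_MSGID";
+}
+symbol {
+weight = 2.500000;
+description = "Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID";
+name = "FORGED_MUA_THUNDERBIRD_MSGID_UNKNOWN";
+}
+symbol {
+weight = 4.0;
+description = "Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID";
+name = "FORGED_MUA_SEAMONKEY_MSGID";
+}
+symbol {
+weight = 2.500000;
+description = "Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID";
+name = "FORGED_MUA_SEAMONKEY_MSGID_UNKNOWN";
+}
+symbol {
+weight = 2.0;
+description = "Fake helo for verizon provider";
+name = "FM_FAKE_HELO_VERIZON";
+}
+symbol {
+weight = 2.0;
+description = "Quoted reply-to from yahoo (seems to be forged)";
+name = "REPTO_QUOTE_YAHOO";
+}
+symbol {
+weight = 5.0;
+description = "Mime-OLE is needed but absent (e.g. fake Outlook or fake Exchange)";
+name = "MISSING_MIMEOLE";
+}
+symbol {
+weight = 2.0;
+description = "To header is missing";
+name = "MISSING_TO";
+}
+symbol {
+weight = 1.500000;
+description = "From that contains encoded characters while base 64 is not needed as all symbols are 7bit";
+name = "FROM_EXCESS_BASE64";
+}
+symbol {
+weight = 1.200000;
+description = "From that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";
+name = "FROM_EXCESS_QP";
+}
+symbol {
+weight = 1.500000;
+description = "To that contains encoded characters while base 64 is not needed as all symbols are 7bit";
+name = "TO_EXCESS_BASE64";
+}
+symbol {
+weight = 1.200000;
+description = "To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";
+name = "TO_EXCESS_QP";
+}
+symbol {
+weight = 1.500000;
+description = "Reply-To that contains encoded characters while base 64 is not needed as all symbols are 7bit";
+name = "REPLYTO_EXCESS_BASE64";
+}
+symbol {
+weight = 1.200000;
+description = "Reply-To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";
+name = "REPLYTO_EXCESS_QP";
+}
+symbol {
+weight = 1.500000;
+description = "Cc that contains encoded characters while base 64 is not needed as all symbols are 7bit";
+name = "CC_EXCESS_BASE64";
+}
+symbol {
+weight = 1.200000;
+description = "Cc that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";
+name = "CC_EXCESS_QP";
+}
+symbol {
+weight = 5.0;
+description = "Mixed characters in a message";
+name = "R_MIXED_CHARSET";
+}
+symbol {
+weight = 3.500000;
+description = "Recipients list seems to be sorted";
+name = "SORTED_RECIPS";
+}
+symbol {
+weight = 3.0;
+description = "Spambots signatures in received headers";
+name = "R_RCVD_SPAMBOTS";
+}
+symbol {
+weight = 2.0;
+description = "To header seems to be autogenerated";
+name = "R_TO_SEEMS_AUTO";
+}
+symbol {
+weight = 1.0;
+description = "Subject needs encoding";
+name = "SUBJECT_NEEDS_ENCODING";
+}
+symbol {
+weight = 3.840000;
+description = "Spam string at the end of message to make statistics faults 0";
+name = "TRACKER_ID";
+}
+symbol {
+weight = 1.0;
+description = "No space in from header";
+name = "R_NO_SPACE_IN_FROM";
+}
+symbol {
+weight = 8.0;
+description = "Subject seems to be spam";
+name = "R_SAJDING";
+}
+symbol {
+weight = 3.0;
+description = "Detects bad content-transfer-encoding for text parts";
+name = "R_BAD_CTE_7BIT";
+}
+symbol {
+weight = 10.0;
+description = "Flash redirect on imageshack.us";
+name = "R_FLASH_REDIR_IMGSHACK";
+}
+symbol {
+weight = 5.0;
+description = "Message id is incorrect";
+name = "INVALID_MSGID";
+}
+symbol {
+weight = 3.0;
+description = "Message id is missing ";
+name = "MISSING_MID";
+}
+symbol {
+weight = 3.0;
+description = "Recipients are not the same as RCPT TO: mail command";
+name = "FORGED_RECIPIENTS";
+}
+symbol {
+weight = 0.0;
+description = "Recipients are not the same as RCPT TO: mail command, but from maillist";
+name = "FORGED_RECIPIENTS_MAILLIST";
+}
+symbol {
+weight = 2.0;
+description = "Forged Exchange messages ";
+name = "RATWARE_MS_HASH";
+}
+symbol {
+weight = 1.0;
+description = "Reply-type in content-type";
+name = "STOX_REPLY_TYPE";
+}
+symbol {
+weight = 3.0;
+description = "IP in received headers is in PBL";
+name = "R_IP_PBL";
+}
+symbol {
+weight = 1.0;
+description = "One received header in a message ";
+name = "ONCE_RECEIVED";
+}
+symbol {
+weight = 4.0;
+description = "One received header with 'bad' patterns inside";
+name = "ONCE_RECEIVED_STRICT";
+}
+symbol {
+weight = 1.0;
+description = "Received headers contains addresses from RBL";
+name = "RECEIVED_RBL";
+}
+symbol {
+weight = 3.0;
+description = "Text and HTML parts differ";
+name = "R_PARTS_DIFFER";
+}
+symbol {
+weight = 2.0;
+description = "Only Content-Type header without other MIME headers";
+name = "MIME_HEADER_CTYPE_ONLY";
+}
+symbol {
+weight = 2.0;
+description = "Message contains empty parts and image ";
+name = "R_EMPTY_IMAGE";
+}
+symbol {
+weight = 2.0;
+description = "Drugs patterns inside message";
+name = "DRUGS_MANYKINDS";
+}
+symbol {
+weight = 2.0;
+description = "";
+name = "DRUGS_ANXIETY";
+}
+symbol {
+weight = 2.0;
+description = "";
+name = "DRUGS_MUSCLE";
+}
+symbol {
+weight = 2.0;
+description = "";
+name = "DRUGS_ANXIETY_EREC";
+}
+symbol {
+weight = 2.0;
+description = "";
+name = "DRUGS_DIET";
+}
+symbol {
+weight = 2.0;
+description = "";
+name = "DRUGS_ERECTILE";
+}
+symbol {
+weight = 3.300000;
+description = "2 'advance fee' patterns in a message";
+name = "ADVANCE_FEE_2";
+}
+symbol {
+weight = 2.120000;
+description = "3 'advance fee' patterns in a message";
+name = "ADVANCE_FEE_3";
+}
+symbol {
+weight = 8.0;
+description = "Lotto signatures";
+name = "R_LOTTO";
+}
+symbol {
+weight = 3.0;
+description = "Message probably spam, probability: ";
+name = "BAYES_SPAM";
+}
+symbol {
+weight = -3.0;
+description = "Message probably ham, probability: ";
+name = "BAYES_HAM";
+}
+symbol {
+weight = 1.0;
+description = "";
+name = "R_FUZZY";
+}
+symbol {
+weight = 1.0;
+description = "";
+name = "R_FUZZY1";
+}
+symbol {
+weight = 1.0;
+description = "";
+name = "R_FUZZY2";
+}
+symbol {
+weight = 1.0;
+description = "";
+name = "R_FUZZY3";
+}
+symbol {
+weight = 3.0;
+description = "SPF verification failed";
+name = "R_SPF_FAIL";
+}
+symbol {
+weight = 1.0;
+description = "SPF verification soft-failed";
+name = "R_SPF_SOFTFAIL";
+}
+symbol {
+weight = -3.0;
+description = "SPF verification alowed";
+name = "R_SPF_ALLOW";
+}
+symbol {
+weight = -2.0;
+description = "Whitelisted client's IP";
+name = "WHITELIST_IP";
+}
+symbol {
+weight = -2.0;
+description = "Message seems to be from maillist";
+name = "MAILLIST";
+}
+symbol {
+weight = 5.500000;
+description = "Phishing and malware sites";
+name = "PH_SURBL_MULTI";
+}
+symbol {
+weight = 5.500000;
+description = "Outblaze URI Blacklist";
+name = "OB_SURBL_MULTI";
+}
+symbol {
+weight = 5.500000;
+description = "AbuseButler web sites";
+name = "AB_SURBL_MULTI";
+}
+symbol {
+weight = 5.500000;
+description = "SpamCop web sites";
+name = "SC_SURBL_MULTI";
+}
+symbol {
+weight = 5.500000;
+description = "jwSpamSpy + Prolocation sites";
+name = "JP_SURBL_MULTI";
+}
+symbol {
+weight = 5.500000;
+description = "sa-blacklist web sites ";
+name = "WS_SURBL_MULTI";
+}
+symbol {
+weight = 9.500000;
+description = "rambler.ru uribl";
+name = "RAMBLER_URIBL";
+}
+symbol {
+weight = 9.500000;
+description = "rambler.ru emailbl";
+name = "RAMBLER_EMAILBL";
+}
+symbol {
+weight = 5.0;
+description = "Phished mail";
+name = "PHISHING";
+}
+symbol {
+weight = 1.0;
+description = "Header From begins with tab";
+name = "HEADER_FROM_DELIMITER_TAB";
+}
+symbol {
+weight = 1.0;
+description = "Header To begins with tab";
+name = "HEADER_TO_DELIMITER_TAB";
+}
+symbol {
+weight = 1.0;
+description = "Header Cc begins with tab";
+name = "HEADER_CC_DELIMITER_TAB";
+}
+symbol {
+weight = 1.0;
+description = "Header Reply-To begins with tab";
+name = "HEADER_REPLYTO_DELIMITER_TAB";
+}
+symbol {
+weight = 1.0;
+description = "Header Date begins with tab";
+name = "HEADER_DATE_DELIMITER_TAB";
+}
+symbol {
+weight = 1.0;
+description = "Header From has no delimiter between header name and header value";
+name = "HEADER_FROM_EMPTY_DELIMITER";
+}
+symbol {
+weight = 1.0;
+description = "Header To has no delimiter between header name and header value";
+name = "HEADER_TO_EMPTY_DELIMITER";
+}
+symbol {
+weight = 1.0;
+description = "Header Cc has no delimiter between header name and header value";
+name = "HEADER_CC_EMPTY_DELIMITER";
+}
+symbol {
+weight = 1.0;
+description = "Header Reply-To has no delimiter between header name and header value";
+name = "HEADER_REPLYTO_EMPTY_DELIMITER";
+}
+symbol {
+weight = 1.0;
+description = "Header Date has no delimiter between header name and header value";
+name = "HEADER_DATE_EMPTY_DELIMITER";
+}
+symbol {
+weight = 4.0;
+description = "Header Received has raw illegal character";
+name = "RCVD_ILLEGAL_CHARS";
+}
+symbol {
+weight = 4.0;
+description = "Fake helo mail.ru in header Received from non mail.ru sender address";
+name = "FAKE_RECEIVED_mail_ru";
+}
+symbol {
+weight = 4.0;
+description = "Fake smtp.yandex.ru Received";
+name = "FAKE_RECEIVED_smtp_yandex_ru";
+}
+symbol {
+weight = 3.600000;
+description = "Forged generic Received";
+name = "FORGED_GENERIC_RECEIVED";
+}
+symbol {
+weight = 3.600000;
+description = "Forged generic Received";
+name = "FORGED_GENERIC_RECEIVED2";
+}
+symbol {
+weight = 3.600000;
+description = "Forged generic Received";
+name = "FORGED_GENERIC_RECEIVED3";
+}
+symbol {
+weight = 3.600000;
+description = "Forged generic Received";
+name = "FORGED_GENERIC_RECEIVED4";
+}
+symbol {
+weight = 4.600000;
+description = "Forged generic Received";
+name = "FORGED_GENERIC_RECEIVED5";
+}
+symbol {
+weight = 3.0;
+description = "Invalid Postfix Received";
+name = "INVALID_POSTFIX_RECEIVED";
+}
+symbol {
+weight = 5.0;
+description = "Invalid Exim Received";
+name = "INVALID_EXIM_RECEIVED";
+}
+symbol {
+weight = 3.0;
+description = "Invalid Exim Received";
+name = "INVALID_EXIM_RECEIVED2";
+}
+}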
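Review bot: `R_SPF_ALLOW` carries `weight = -3.0;`, the same credit as `BAYES_HAM`, yet an SPF pass only shows that the sending host is authorised by an envelope domain the sender picks. With `add_header:6`, that credit is enough to pull a message scoring `FORGED_SENDER` (5.0) plus one 2–3 point symbol back under the threshold. I would keep the SPF-pass score close to zero, e.g. `weight = -0.1;`, and reserve large negative weights for signals a sender cannot produce unaided. Separately, several symbols (`DRUGS_ANXIETY`, `R_FUZZY1`–`R_FUZZY3` and others) have `description = "";`, and the symbols the rbl rules in conf/modules.conf emit (`RBL_ZEN`, `RECEIVED_PBL`, `RECEIVED_XBL`) have no entry in this metric, so their score is not defined here.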

+ 146
- 0
conf/modules.conf View File

@@ -0,0 +1,146 @@
# Rspamd modules configuration
fuzzy_check {
servers = "highsecure.ru:11335";
symbol = "R_FUZZY";
min_bytes = 300;
max_score = 10;
mime_types = "application/pdf";
fuzzy_map = {
FUZZY_DENIED {
weight = 10.0;
flag = 1
}
FUZZY_PROB {
weight = 5.0;
flag = 2
}
FUZZY_WHITE {
weight = -2.1;
flag = 3
}
}
}
forged_recipients {
symbol_sender = "FORGED_SENDER";
symbol_rcpt = "FORGED_RECIPIENTS";
}
maillist {
symbol = "MAILLIST";
}
surbl {
whitelist = "file://$CONFDIR/rspamd/surbl-whitelist.inc";
exceptions = "file://$CONFDIR/rspamd/2tld.inc";
rule {
suffix = "multi.surbl.org";
symbol = "SURBL_MULTI";
bits {
JP_SURBL_MULTI = 64;
AB_SURBL_MULTI = 32;
OB_SURBL_MULTI = 16;
PH_SURBL_MULTI = 8;
WS_SURBL_MULTI = 4;
SC_SURBL_MULTI = 2;
}
}
rule {
suffix = "uribl.rambler.ru";
symbol = "RAMBLER_URIBL";
}
rule {
suffix = "dbl.spamhaus.org";
options = "noip";
}
}
rbl {
default_received = false;
default_from = true;

rbls {
spamhaus_zen {
symbol = "RBL_ZEN";
rbl = "zen.spamhaus.org";
ipv4 = true;
ipv6 = true;
}
spamhaus_pbl {
symbol = "RECEIVED_PBL";
rbl = "pbl.spamhaus.org";
ipv4 = true;
ipv6 = true;
received = true;
from = false;
}
spamhaus_pbl {
symbol = "RECEIVED_XBL";
rbl = "xbl.spamhaus.org";
ipv4 = true;
ipv6 = true;
received = true;
from = false;
}
mailspike {
symbol = "RBL_MAILSPIKE";
rbl = "bl.mailspike.net";
}
senderscore {
symbol = "RBL_SENDERSCORE";
rbl = "bl.score.senderscore.com";
}
}
}

chartable {
threshold = 0.300000;
symbol = "R_MIXED_CHARSET";
}
once_received {
good_host = "mail";
bad_host = "static";
bad_host = "dynamic";
symbol_strict = "ONCE_RECEIVED_STRICT";
symbol = "ONCE_RECEIVED";
}
multimap {
spamhaus {
type = "dnsbl";
map = "pbl.spamhaus.org";
symbol = "R_IP_PBL";
description = "PBL dns block list";
}
}
phishing {
symbol = "PHISHING";
}
emails {
rule {
symbol = RAMBLER_EMAILBL;
dnsbl = email-bl.rambler.ru;
domain_only = false;
}
}
spf {
spf_cache_size = 2k;
spf_cache_expire = 1d;
}
dkim {
dkim_cache_size = 2k;
dkim_cache_expire = 1d;
time_jitter = 6h;
trusted_only = false;
skip_multi = false;
}

ratelimit {
limit = "to:100:0.033333333";
limit = "to_ip:30:0.025";
limit = "to_ip_from:20:0.01666666667";
limit = "bounce_to:10:0.000555556";
limit = "bounce_to_ip:5:0.000277778";
whitelisted_rcpts = "postmaster,mailer-daemon";
max_rcpt = 5;
}

regexp {
max_size = 1M;
}
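Review bot: The key `spamhaus_pbl` appears twice under `rbls`, once for `pbl.spamhaus.org` (`RECEIVED_PBL`) and again for `xbl.spamhaus.org` (`RECEIVED_XBL`). Depending on how the parser treats duplicate keys, one lookup may be dropped or the two merged, so the second block should be named `spamhaus_xbl {`. `fuzzy_check` also ships with `servers = "highsecure.ru:11335";`, which means a default install sends fuzzy hashes of mail to a third-party host. A comment saying so, or an empty default, would make that an explicit operator choice. In `emails`, `symbol = RAMBLER_EMAILBL;` and `dnsbl = email-bl.rambler.ru;` are unquoted, unlike the other string values in this file.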

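--- a/conf/options.conf
+++ b/conf/options.conf
@@ -0,0 +1,14 @@
+# Basic options
+
+options {
+pidfile = "$RUNDIR/rspamd.pid";
+filters = "chartable,dkim,spf,surbl,regexp";
+raw_mode = false;
+one_shot = false;
+dns_timeout = 1s;
+dns_retransmits = 5;
+cache_file = "$DBDIR/symbols.cache";
+map_watch_interval = 1min;
+dynamic_conf = "$DBDIR/rspamd_dynamic";
+history_file = "$DBDIR/rspamd.history";
+}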
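Review bot: `filters = "chartable,dkim,spf,surbl,regexp";` does not name `fuzzy_check` or `emails`, both of which get a full section in conf/modules.conf. If `filters` is the list of enabled compiled-in modules (an assumption, since the page does not show how the value is consumed), those two checks are configured but never run, which quietly drops the fuzzy-hash and e-mail blacklist signals. Either extend the list to cover them or add a comment above the line stating which modules it governs.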

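--- a/conf/rspamd.conf
+++ b/conf/rspamd.conf
@@ -0,0 +1,17 @@
+# A common rspamd configuration file
+
+lua = "$CONFDIR/lua/rspamd.lua"
+
+.include "options.conf"
+.include "logging.conf"
+.include "metrics.conf"
+.include "workers.conf"
+.include "composites.conf"
+
+.icnlude "statistic.conf"
+
+.include "modules.conf"
+
+modules {
+path = "$PLUGINSDIR/lua/"
+}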
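Review bot: `.icnlude "statistic.conf"` is misspelled, so statistic.conf is not pulled in the way the other six files are. Depending on the parser this is either a load error or a silently ignored directive, and in the second case the Bayes classifier and its `BAYES_SPAM`/`BAYES_HAM` statfiles are never configured while the daemon still starts. The line should read `.include "statistic.conf"`.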

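--- a/conf/statistic.conf
+++ b/conf/statistic.conf
@@ -0,0 +1,19 @@
+# Rspamd statistic setup
+
+classifier {
+type = "bayes";
+tokenizer = "osb-text";
+metric = "default";
+min_tokens = 10;
+max_tokens = 1000;
+statfile {
+symbol = "BAYES_HAM";
+size = 50M;
+path = "$DBDIR/bayes.ham";
+}
+statfile {
+symbol = "BAYES_SPAM";
+size = 50M;
+path = "$DBDIR/bayes.spam";
+}
+}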

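--- a/conf/workers.conf
+++ b/conf/workers.conf
@@ -0,0 +1,20 @@
+# Common workers configuration
+
+worker {
+type = "normal";
+bind_socket = "*:11333";
+http = false;
+allow_learn = true;
+mime = true;
+}
+worker {
+type = "controller";
+bind_socket = "127.0.0.1:11334";
+count = 1;
+}
+worker {
+type = "webui";
+count = 1;
+bind_socket = "localhost:11336";
+password = "q1";
+}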
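Review bot: The webui worker ships with `password = "q1";`, a fixed two-character credential that every default install will share. The default should be unset, or a placeholder that forces the operator to choose one, e.g. `password = "<set-me>"; # must be changed before enabling webui`. The normal worker combines `bind_socket = "*:11333";` with `allow_learn = true;`, so any host that can reach the port may be able to submit learning requests and skew the Bayes statfiles. Bind it to localhost by default or ship `allow_learn = false;`. The controller worker has no `password` at all and relies only on its 127.0.0.1 bind.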
