[Minor] unify rule scores and weights and improve descriptions
tags/1.9.2
# Fuzzy flag | # Fuzzy flag | ||||
#fuzzy_flag = 1; | #fuzzy_flag = 1; | ||||
# Fuzzy weight | # Fuzzy weight | ||||
#fuzzy_weight = 10; | |||||
#fuzzy_weight = 10.0; | |||||
# Redis key prefix | # Redis key prefix | ||||
#key_prefix = 'sptr_'; | #key_prefix = 'sptr_'; | ||||
# Skip spamtrap checks for authorized users | # Skip spamtrap checks for authorized users |
symbols = { | symbols = { | ||||
"FORGED_SENDER" { | "FORGED_SENDER" { | ||||
weight = 0.30; | |||||
weight = 0.3; | |||||
description = "Sender is forged (different From: header and smtp MAIL FROM: addresses)"; | description = "Sender is forged (different From: header and smtp MAIL FROM: addresses)"; | ||||
} | } | ||||
"R_MIXED_CHARSET" { | "R_MIXED_CHARSET" { | ||||
weight = -0.2; | weight = -0.2; | ||||
description = "Message seems to be from maillist"; | description = "Message seems to be from maillist"; | ||||
} | } | ||||
} | |||||
} |
symbols = { | symbols = { | ||||
"HFILTER_HELO_BAREIP" { | "HFILTER_HELO_BAREIP" { | ||||
weight = 3.00; | |||||
weight = 3.0; | |||||
description = "Helo host is bare ip"; | description = "Helo host is bare ip"; | ||||
} | } | ||||
"HFILTER_HELO_BADIP" { | "HFILTER_HELO_BADIP" { | ||||
weight = 4.50; | |||||
weight = 4.5; | |||||
description = "Helo host is very bad ip"; | description = "Helo host is very bad ip"; | ||||
} | } | ||||
"HFILTER_HELO_1" { | "HFILTER_HELO_1" { | ||||
description = "Helo host checks (very low)"; | description = "Helo host checks (very low)"; | ||||
} | } | ||||
"HFILTER_HELO_2" { | "HFILTER_HELO_2" { | ||||
weight = 1.00; | |||||
weight = 1.0; | |||||
description = "Helo host checks (low)"; | description = "Helo host checks (low)"; | ||||
} | } | ||||
"HFILTER_HELO_3" { | "HFILTER_HELO_3" { | ||||
weight = 2.00; | |||||
weight = 2.0; | |||||
description = "Helo host checks (medium)"; | description = "Helo host checks (medium)"; | ||||
} | } | ||||
"HFILTER_HELO_4" { | "HFILTER_HELO_4" { | ||||
weight = 2.50; | |||||
weight = 2.5; | |||||
description = "Helo host checks (hard)"; | description = "Helo host checks (hard)"; | ||||
} | } | ||||
"HFILTER_HELO_5" { | "HFILTER_HELO_5" { | ||||
weight = 3.00; | |||||
weight = 3.0; | |||||
description = "Helo host checks (very hard)"; | description = "Helo host checks (very hard)"; | ||||
} | } | ||||
"HFILTER_HOSTNAME_1" { | "HFILTER_HOSTNAME_1" { | ||||
description = "Hostname checks (very low)"; | description = "Hostname checks (very low)"; | ||||
} | } | ||||
"HFILTER_HOSTNAME_2" { | "HFILTER_HOSTNAME_2" { | ||||
weight = 1.00; | |||||
weight = 1.0; | |||||
description = "Hostname checks (low)"; | description = "Hostname checks (low)"; | ||||
} | } | ||||
"HFILTER_HOSTNAME_3" { | "HFILTER_HOSTNAME_3" { | ||||
weight = 2.00; | |||||
weight = 2.0; | |||||
description = "Hostname checks (medium)"; | description = "Hostname checks (medium)"; | ||||
} | } | ||||
"HFILTER_HOSTNAME_4" { | "HFILTER_HOSTNAME_4" { | ||||
weight = 2.50; | |||||
weight = 2.5; | |||||
description = "Hostname checks (hard)"; | description = "Hostname checks (hard)"; | ||||
} | } | ||||
"HFILTER_HOSTNAME_5" { | "HFILTER_HOSTNAME_5" { | ||||
weight = 3.00; | |||||
weight = 3.0; | |||||
description = "Hostname checks (very hard)"; | description = "Hostname checks (very hard)"; | ||||
} | } | ||||
"HFILTER_HELO_NORESOLVE_MX" { | "HFILTER_HELO_NORESOLVE_MX" { | ||||
weight = 0.20; | |||||
weight = 0.2; | |||||
description = "MX found in Helo and no resolve"; | description = "MX found in Helo and no resolve"; | ||||
} | } | ||||
"HFILTER_HELO_NORES_A_OR_MX" { | "HFILTER_HELO_NORES_A_OR_MX" { | ||||
description = "Helo no resolve to A or MX"; | description = "Helo no resolve to A or MX"; | ||||
} | } | ||||
"HFILTER_HELO_IP_A" { | "HFILTER_HELO_IP_A" { | ||||
weight = 1.00; | |||||
weight = 1.0; | |||||
description = "Helo A IP != hostname IP"; | description = "Helo A IP != hostname IP"; | ||||
} | } | ||||
"HFILTER_HELO_NOT_FQDN" { | "HFILTER_HELO_NOT_FQDN" { | ||||
weight = 2.00; | |||||
weight = 2.0; | |||||
description = "Helo not FQDN"; | description = "Helo not FQDN"; | ||||
} | } | ||||
"HFILTER_FROMHOST_NORESOLVE_MX" { | "HFILTER_FROMHOST_NORESOLVE_MX" { | ||||
description = "MX found in FROM host and no resolve"; | description = "MX found in FROM host and no resolve"; | ||||
} | } | ||||
"HFILTER_FROMHOST_NORES_A_OR_MX" { | "HFILTER_FROMHOST_NORES_A_OR_MX" { | ||||
weight = 1.50; | |||||
weight = 1.5; | |||||
description = "FROM host no resolve to A or MX"; | description = "FROM host no resolve to A or MX"; | ||||
} | } | ||||
"HFILTER_FROMHOST_NOT_FQDN" { | "HFILTER_FROMHOST_NOT_FQDN" { | ||||
weight = 3.00; | |||||
weight = 3.0; | |||||
description = "FROM host not FQDN"; | description = "FROM host not FQDN"; | ||||
} | } | ||||
"HFILTER_FROM_BOUNCE" { | "HFILTER_FROM_BOUNCE" { | ||||
weight = 0.00; | |||||
weight = 0.0; | |||||
description = "Bounce message"; | description = "Bounce message"; | ||||
} | } | ||||
/* | /* | ||||
# Disabled by default | # Disabled by default | ||||
"HFILTER_MID_NORESOLVE_MX" { | "HFILTER_MID_NORESOLVE_MX" { | ||||
weight = 0.50; | |||||
weight = 0.5; | |||||
description = "MX found in Message-id host and no resolve"; | description = "MX found in Message-id host and no resolve"; | ||||
} | } | ||||
"HFILTER_MID_NORES_A_OR_MX" { | "HFILTER_MID_NORES_A_OR_MX" { | ||||
weight = 0.50; | |||||
weight = 0.5; | |||||
name = ; | name = ; | ||||
description = "Message-id host no resolve to A or MX"; | description = "Message-id host no resolve to A or MX"; | ||||
} | } | ||||
"HFILTER_MID_NOT_FQDN" { | "HFILTER_MID_NOT_FQDN" { | ||||
weight = 0.50; | |||||
weight = 0.5; | |||||
description = "Message-id host not FQDN"; | description = "Message-id host not FQDN"; | ||||
} | } | ||||
*/ | */ | ||||
"HFILTER_HOSTNAME_UNKNOWN" { | "HFILTER_HOSTNAME_UNKNOWN" { | ||||
weight = 2.50; | |||||
weight = 2.5; | |||||
description = "Unknown client hostname (PTR or FCrDNS verification failed)"; | description = "Unknown client hostname (PTR or FCrDNS verification failed)"; | ||||
} | } | ||||
"HFILTER_RCPT_BOUNCEMOREONE" { | "HFILTER_RCPT_BOUNCEMOREONE" { | ||||
weight = 1.50; | |||||
weight = 1.5; | |||||
description = "Message from bounce and over 1 recipient"; | description = "Message from bounce and over 1 recipient"; | ||||
} | } | ||||
"HFILTER_URL_ONLY" { | "HFILTER_URL_ONLY" { | ||||
weight = 2.20; | |||||
weight = 2.2; | |||||
description = "URL only in body"; | description = "URL only in body"; | ||||
} | } | ||||
"HFILTER_URL_ONELINE" { | "HFILTER_URL_ONELINE" { | ||||
weight = 2.50; | |||||
weight = 2.5; | |||||
description = "One line URL and text in body"; | description = "One line URL and text in body"; | ||||
} | } | ||||
} | } |
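Review bot: Inside the commented-out block, the `HFILTER_MID_NORES_A_OR_MX` entry carries an empty assignment, `name = ;`, directly below the weight line this change rewrites. As rendered here it has no value, so an operator who enables these checks by removing the `/* ... */` markers would likely hit a configuration parse error or register an empty name. Deleting that line while the block is being touched avoids the trap. The other two disabled entries show no such line on this page.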
groups = ["dnswl"]; | groups = ["dnswl"]; | ||||
} | } | ||||
"DWL_DNSWL_LOW" { | "DWL_DNSWL_LOW" { | ||||
weight = -1; | |||||
weight = -1.0; | |||||
description = "Message has a valid dkim signature originated from domain listed at https://www.dnswl.org, low trust"; | description = "Message has a valid dkim signature originated from domain listed at https://www.dnswl.org, low trust"; | ||||
groups = ["dnswl"]; | groups = ["dnswl"]; | ||||
} | } | ||||
"DWL_DNSWL_MED" { | "DWL_DNSWL_MED" { | ||||
weight = -2; | |||||
weight = -2.0; | |||||
description = "Message has a valid dkim signature originated from domain listed at https://www.dnswl.org, medium trust"; | description = "Message has a valid dkim signature originated from domain listed at https://www.dnswl.org, medium trust"; | ||||
groups = ["dnswl"]; | groups = ["dnswl"]; | ||||
} | } |
groups = ["spamhaus"]; | groups = ["spamhaus"]; | ||||
} | } | ||||
"DBL_PROHIBIT" { | "DBL_PROHIBIT" { | ||||
weight = 0.00000; | |||||
weight = 0.0; | |||||
description = "DBL uribl IP queries prohibited!"; | description = "DBL uribl IP queries prohibited!"; | ||||
groups = ["spamhaus"]; | groups = ["spamhaus"]; | ||||
} | } |
return false | return false | ||||
end, | end, | ||||
score = 0.0, | score = 0.0, | ||||
description = "Message was forwarded using SRS", | |||||
description = "Message was forwarded using Sender Rewriting Scheme (SRS)", | |||||
group = "forwarding" | group = "forwarding" | ||||
} | } | ||||
score = 0.0, | score = 0.0, | ||||
parent = rcvd_cb_id, | parent = rcvd_cb_id, | ||||
type = 'virtual', | type = 'virtual', | ||||
description = 'No received', | |||||
description = 'Message has no Received headers', | |||||
group = 'headers', | group = 'headers', | ||||
} | } | ||||
rspamd_config:register_symbol{ | rspamd_config:register_symbol{ | ||||
score = 0.0, | score = 0.0, | ||||
parent = rcvd_cb_id, | parent = rcvd_cb_id, | ||||
type = 'virtual', | type = 'virtual', | ||||
description = 'One received', | |||||
description = 'Message has one Received header', | |||||
group = 'headers', | group = 'headers', | ||||
} | } | ||||
rspamd_config:register_symbol{ | rspamd_config:register_symbol{ | ||||
score = 0.0, | score = 0.0, | ||||
parent = rcvd_cb_id, | parent = rcvd_cb_id, | ||||
type = 'virtual', | type = 'virtual', | ||||
description = 'Two received', | |||||
description = 'Message has two Received headers', | |||||
group = 'headers', | group = 'headers', | ||||
} | } | ||||
rspamd_config:register_symbol{ | rspamd_config:register_symbol{ | ||||
score = 0.0, | score = 0.0, | ||||
parent = rcvd_cb_id, | parent = rcvd_cb_id, | ||||
type = 'virtual', | type = 'virtual', | ||||
description = '3-5 received', | |||||
description = 'Message has 3-5 Received headers', | |||||
group = 'headers', | group = 'headers', | ||||
} | } | ||||
rspamd_config:register_symbol{ | rspamd_config:register_symbol{ | ||||
score = 0.0, | score = 0.0, | ||||
parent = rcvd_cb_id, | parent = rcvd_cb_id, | ||||
type = 'virtual', | type = 'virtual', | ||||
description = '5-7 received', | |||||
description = 'Message has 5-7 Received headers', | |||||
group = 'headers', | group = 'headers', | ||||
} | } | ||||
rspamd_config:register_symbol{ | rspamd_config:register_symbol{ | ||||
score = 0.0, | score = 0.0, | ||||
parent = rcvd_cb_id, | parent = rcvd_cb_id, | ||||
type = 'virtual', | type = 'virtual', | ||||
description = '7-11 received', | |||||
description = 'Message has 7-11 Received headers', | |||||
group = 'headers', | group = 'headers', | ||||
} | } | ||||
rspamd_config:register_symbol{ | rspamd_config:register_symbol{ | ||||
score = 0.0, | score = 0.0, | ||||
parent = rcvd_cb_id, | parent = rcvd_cb_id, | ||||
type = 'virtual', | type = 'virtual', | ||||
description = '12+ received', | |||||
description = 'Message has 12 or more Received headers', | |||||
group = 'headers', | group = 'headers', | ||||
} | } | ||||
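Review bot: The reworded Received-count descriptions still name overlapping ranges: `'Message has 3-5 Received headers'` and `'Message has 5-7 Received headers'` both cover a count of 5, and the 5-7 and 7-11 entries both cover 7. The callback that picks the bucket is outside this hunk, so the real thresholds need confirming there, but each string should describe a disjoint range, for example `description = 'Message has 3-4 Received headers',` if that bucket ends below 5. Operators read these strings in scan results when judging how many relays a message passed through, so an ambiguous bucket makes the symbol harder to interpret.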
score = 0.0, | score = 0.0, | ||||
parent = prio_cb_id, | parent = prio_cb_id, | ||||
type = 'virtual', | type = 'virtual', | ||||
description = 'Priority 0', | |||||
description = 'Message has X-Priority header set to 0', | |||||
group = 'headers', | group = 'headers', | ||||
} | } | ||||
rspamd_config:register_symbol{ | rspamd_config:register_symbol{ | ||||
score = 0.0, | score = 0.0, | ||||
parent = prio_cb_id, | parent = prio_cb_id, | ||||
type = 'virtual', | type = 'virtual', | ||||
description = 'Priority 1', | |||||
description = 'Message has X-Priority header set to 1', | |||||
group = 'headers', | group = 'headers', | ||||
} | } | ||||
rspamd_config:register_symbol{ | rspamd_config:register_symbol{ | ||||
score = 0.0, | score = 0.0, | ||||
parent = prio_cb_id, | parent = prio_cb_id, | ||||
type = 'virtual', | type = 'virtual', | ||||
description = 'Priority 2', | |||||
description = 'Message has X-Priority header set to 2', | |||||
group = 'headers', | group = 'headers', | ||||
} | } | ||||
rspamd_config:register_symbol{ | rspamd_config:register_symbol{ | ||||
score = 0.0, | score = 0.0, | ||||
parent = prio_cb_id, | parent = prio_cb_id, | ||||
type = 'virtual', | type = 'virtual', | ||||
description = 'Priority 3-4', | |||||
description = 'Message has X-Priority header set to 3 or 4', | |||||
group = 'headers', | group = 'headers', | ||||
} | } | ||||
rspamd_config:register_symbol{ | rspamd_config:register_symbol{ | ||||
score = 0.0, | score = 0.0, | ||||
parent = prio_cb_id, | parent = prio_cb_id, | ||||
type = 'virtual', | type = 'virtual', | ||||
description = 'Priority 5+', | |||||
description = 'Message has X-Priority header set to 5 or higher', | |||||
group = 'headers', | group = 'headers', | ||||
} | } | ||||
rspamd_config:register_symbol{ | rspamd_config:register_symbol{ | ||||
name = 'FROM_NO_DN', | name = 'FROM_NO_DN', | ||||
score = 0, | |||||
score = 0.0, | |||||
group = 'headers', | group = 'headers', | ||||
parent = check_from_id, | parent = check_from_id, | ||||
type = 'virtual', | type = 'virtual', |
name = 'TAGGED_RCPT', | name = 'TAGGED_RCPT', | ||||
description = 'SMTP recipients have plus tags', | description = 'SMTP recipients have plus tags', | ||||
group = 'headers', | group = 'headers', | ||||
score = 0, | |||||
score = 0.0, | |||||
} | } | ||||
rspamd_config:register_symbol{ | rspamd_config:register_symbol{ | ||||
type = 'virtual', | type = 'virtual', | ||||
name = 'TAGGED_FROM', | name = 'TAGGED_FROM', | ||||
description = 'SMTP from has plus tags', | description = 'SMTP from has plus tags', | ||||
group = 'headers', | group = 'headers', | ||||
score = 0, | |||||
score = 0.0, | |||||
} | } | ||||
local check_from_display_name = rspamd_config:register_symbol{ | local check_from_display_name = rspamd_config:register_symbol{ | ||||
name = 'SPOOF_DISPLAY_NAME', | name = 'SPOOF_DISPLAY_NAME', | ||||
description = 'Display name is being used to spoof and trick the recipient', | description = 'Display name is being used to spoof and trick the recipient', | ||||
group = 'headers', | group = 'headers', | ||||
score = 8, | |||||
score = 8.0, | |||||
} | } | ||||
rspamd_config:register_symbol{ | rspamd_config:register_symbol{ | ||||
name = 'FROM_NEQ_DISPLAY_NAME', | name = 'FROM_NEQ_DISPLAY_NAME', | ||||
group = 'headers', | group = 'headers', | ||||
description = 'Display name contains an email address different to the From address', | description = 'Display name contains an email address different to the From address', | ||||
score = 4, | |||||
score = 4.0, | |||||
} | } | ||||
rspamd_config.SPOOF_REPLYTO = { | rspamd_config.SPOOF_REPLYTO = { |
reconf['MICROSOFT_SPAM'] = { | reconf['MICROSOFT_SPAM'] = { | ||||
-- https://technet.microsoft.com/en-us/library/dn205071(v=exchg.150).aspx | -- https://technet.microsoft.com/en-us/library/dn205071(v=exchg.150).aspx | ||||
re = 'X-Forefront-Antispam-Report=/SFV:SPM/H', | re = 'X-Forefront-Antispam-Report=/SFV:SPM/H', | ||||
score = 4, | |||||
score = 4.0, | |||||
description = "Microsoft says the message is spam", | description = "Microsoft says the message is spam", | ||||
group = 'upstream_spam_filters' | group = 'upstream_spam_filters' | ||||
} | } | ||||
reconf['AOL_SPAM'] = { | reconf['AOL_SPAM'] = { | ||||
re = 'X-AOL-Global-Disposition=/^S/H', | re = 'X-AOL-Global-Disposition=/^S/H', | ||||
score = 5, | |||||
score = 5.0, | |||||
description = "AOL says this message is spam", | description = "AOL says this message is spam", | ||||
group = 'upstream_spam_filters' | group = 'upstream_spam_filters' | ||||
} | } | ||||
reconf['KLMS_SPAM'] = { | reconf['KLMS_SPAM'] = { | ||||
re = 'X-KLMS-AntiSpam-Status=/^spam/H', | re = 'X-KLMS-AntiSpam-Status=/^spam/H', | ||||
score = 5, | |||||
score = 5.0, | |||||
description = "Kaspersky Security for Mail Server says this message is spam", | description = "Kaspersky Security for Mail Server says this message is spam", | ||||
group = 'upstream_spam_filters' | group = 'upstream_spam_filters' | ||||
} | } | ||||
'X-Spam-Flag=/^(?:yes|true)/Hi', | 'X-Spam-Flag=/^(?:yes|true)/Hi', | ||||
'X-Spam=/^(?:yes|true)/Hi', | 'X-Spam=/^(?:yes|true)/Hi', | ||||
'X-Spam-Status=/^(?:yes|true)/Hi'), | 'X-Spam-Status=/^(?:yes|true)/Hi'), | ||||
score = 5, | |||||
score = 5.0, | |||||
description = "Message was already marked as spam", | description = "Message was already marked as spam", | ||||
group = 'upstream_spam_filters' | group = 'upstream_spam_filters' | ||||
} | } | ||||
reconf['UNITEDINTERNET_SPAM'] = { | reconf['UNITEDINTERNET_SPAM'] = { | ||||
re = 'X-UI-Out-Filterresults=/^junk:/H', | re = 'X-UI-Out-Filterresults=/^junk:/H', | ||||
score = 5, | |||||
score = 5.0, | |||||
description = "United Internet says this message is spam", | description = "United Internet says this message is spam", | ||||
group = 'upstream_spam_filters' | group = 'upstream_spam_filters' | ||||
} | } |