mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 159 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
21173 Commits
28 Branches
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
rspamd/conf/composites.conf

composites.conf 8.1KB
Raw Permalink Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209 
  1. # Composites setup

  2. # Please don't modify this file as your changes might be overwritten with

  3. # the next update.

  4. #

  5. # You can modify 'local.d/composites.conf' to add and merge

  6. # parameters defined inside this section

  7. #

  8. # You can modify 'override.d/composites.conf' to strictly override all

  9. # parameters defined inside this section

  10. #

  11. # See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories

  12. # for details

  13. #

  14. # See https://rspamd.com/doc/tutorials/writing_rules.html and

  15. # https://rspamd.com/doc/configuration/composites.html for details

  16. 

  17. composites {

  18. 

  19.   SHORT_PART_BAD_HEADERS {

  20.     expression = "MISSING_ESSENTIAL_HEADERS & SINGLE_SHORT_PART";

  21.     group = "blankspam";

  22.     policy = "leave";

  23.     score = 7.0;

  24.   }

  25.   FORGED_RECIPIENTS_MAILLIST {

  26.     expression = "FORGED_RECIPIENTS & -MAILLIST";

  27.   }

  28.   FORGED_SENDER_MAILLIST {

  29.     expression = "FORGED_SENDER & -MAILLIST";

  30.   }

  31.   FORGED_SENDER_FORWARDING {

  32.     expression = "FORGED_SENDER & g:forwarding";

  33.     description = "Forged sender, but message is forwarded";

  34.     policy = "remove_weight";

  35.   }

  36.   SPF_FAIL_FORWARDING {

  37.     expression = "g:forwarding & (R_SPF_SOFTFAIL | R_SPF_FAIL)";

  38.     policy = "remove_weight";

  39.   }

  40.   DMARC_POLICY_ALLOW_WITH_FAILURES {

  41.     expression = "DMARC_POLICY_ALLOW & (R_SPF_SOFTFAIL | R_SPF_FAIL | R_DKIM_REJECT)";

  42.     policy = "remove_weight";

  43.   }

  44.   FORGED_RECIPIENTS_FORWARDING {

  45.     expression = "FORGED_RECIPIENTS & g:forwarding";

  46.     policy = "remove_weight";

  47.   }

  48.   FORGED_SENDER_VERP_SRS {

  49.     expression = "FORGED_SENDER & (ENVFROM_PRVS | ENVFROM_VERP)";

  50.   }

  51.   FORGED_MUA_MAILLIST {

  52.     expression = "g:mua & -MAILLIST";

  53.   }

  54.   AUTH_NA {

  55.     expression = "R_DKIM_NA & R_SPF_NA & DMARC_NA & ARC_NA";

  56.     score = 1.0;

  57.     policy = "remove_weight";

  58.     description = "Authenticating message via SPF/DKIM/DMARC/ARC not available";

  59.   }

  60.   AUTH_NA_OR_FAIL {

  61.     expression = "!(R_DKIM_NA & R_SPF_NA & DMARC_NA & ARC_NA) & (R_DKIM_NA | R_DKIM_TEMPFAIL | R_DKIM_PERMFAIL) & (R_SPF_NA | R_SPF_DNSFAIL) & DMARC_NA & (ARC_NA | ARC_DNSFAIL)";

  62.     score = 1.0;

  63.     policy = "remove_weight";

  64.     description = "No authenticating method SPF/DKIM/DMARC/ARC was successful";

  65.   }

  66.   BOUNCE_NO_AUTH {

  67.     expression = "(AUTH_NA | AUTH_NA_OR_FAIL) & (BOUNCE | SUBJ_BOUNCE_WORDS)";

  68.     score = 1.0;

  69.   }

  70.   DKIM_MIXED {

  71.     expression = "-R_DKIM_ALLOW & (R_DKIM_TEMPFAIL | R_DKIM_PERMFAIL | R_DKIM_REJECT)"

  72.     policy = "remove_weight";

  73.   }

  74.   APPLE_MAILER_COMMON {

  75.     description = "Message was sent by 'Apple Mail' and has common symbols in place";

  76.     expression = "APPLE_MAILER & MV_CASE";

  77.   }

  78.   APPLE_IOS_MAILER_COMMON {

  79.     description = "Message was sent by 'Apple iOS Mail' and has common symbols in place";

  80.     expression = "APPLE_IOS_MAILER & (MV_CASE | MIME_MA_MISSING_TEXT)";

  81.   }

  82.   HACKED_WP_PHISHING {

  83.     expression = "(HAS_X_POS | HAS_PHPMAILER_SIG) & HAS_WP_URI & (PHISHING | CRACKED_SURBL | PH_SURBL_MULTI | DBL_PHISH | DBL_ABUSE_PHISH | URIBL_BLACK | PHISHED_OPENPHISH | PHISHED_PHISHTANK)";

  84.     description = "Phish message sent by hacked Wordpress instance";

  85.     policy = "leave";

  86.     group = "compromised_hosts";

  87.   }

  88.   COMPROMISED_ACCT_BULK {

  89.     expression = "(HAS_XOIP | RCVD_FROM_SMTP_AUTH) & DCC_BULK";

  90.     description = "Likely to be from a compromised account";

  91.     score = 3.0;

  92.     policy = "leave";

  93.     group = "compromised_hosts";

  94.   }

  95.   UNDISC_RCPTS_BULK {

  96.     expression = "DCC_BULK & (MISSING_TO | R_UNDISC_RCPT)";

  97.     description = "Missing or undisclosed recipients with a bulk signature";

  98.     score = 3.0;

  99.     policy = "leave";

  100.   }

  101.   RCVD_UNAUTH_PBL {

  102.     expression = "RECEIVED_SPAMHAUS_PBL & !RCVD_VIA_SMTP_AUTH";

  103.     description = "Relayed through Spamhaus PBL IP without sufficient authentication (possibly indicating an open relay)";

  104.     score = 2.0;

  105.     policy = "leave";

  106.   }

  107.   RCVD_DKIM_ARC_DNSWL_MED {

  108.     expression = "(R_DKIM_ALLOW | ARC_ALLOW) & RCVD_IN_DNSWL_MED";

  109.     description = "Sufficiently DKIM/ARC signed and received from IP with medium trust at DNSWL";

  110.     score = -0.5;

  111.     policy = "leave";

  112.   }

  113.   RCVD_DKIM_ARC_DNSWL_HI {

  114.     expression = "(R_DKIM_ALLOW | ARC_ALLOW) & RCVD_IN_DNSWL_HI";

  115.     description = "Sufficiently DKIM/ARC signed and received from IP with high trust at DNSWL";

  116.     score = -1.0;

  117.     policy = "leave";

  118.   }

  119.   AUTOGEN_PHP_SPAMMY {

  120.     expression = "(HAS_X_POS | HAS_PHPMAILER_SIG | HAS_X_PHP_SCRIPT) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM | MANY_INVISIBLE_PARTS)";

  121.     description = "Message was generated by PHP script and contains some spam indicators";

  122.     score = 1.0;

  123.     policy = "leave";

  124.   }

  125.   PHISH_EMOTION {

  126.     expression = "(PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM)";

  127.     description = "Phish message with subject trying to address users emotion";

  128.     score = 1.0;

  129.     policy = "leave";

  130.   }

  131.   HAS_ANON_DOMAIN {

  132.     expression = "HAS_GUC_PROXY_URI | URIBL_RED | DBL_ABUSE_REDIR | HAS_ONION_URI";

  133.     description = "Contains one or more domains trying to disguise owner/destination";

  134.     score = 0.1;

  135.     policy = "leave";

  136.   }

  137.   BAD_REP_POLICIES {

  138.     description = "Contains valid policies but are also marked by fuzzy/bayes/SURBL/RBL";

  139.     expression = "(~g-:policies) & (-g+:fuzzy | -g+:statistics | -g+:surbl | -g+:rbl)";

  140.     score = 0.1;

  141.   }

  142.   VIOLATED_DIRECT_SPF {

  143.     description = "Has no Received (or no trusted received relays) and SPF policy fails or soft fails";

  144.     expression = "(R_SPF_FAIL | R_SPF_SOFTFAIL) & (RCVD_COUNT_ZERO | RCVD_NO_TLS_LAST)";

  145.     policy = "leave";

  146.     score = 3.5;

  147.   }

  148.   IP_SCORE_FREEMAIL {

  149.     description = "Negate IP_SCORE when message comes from FreeMail";

  150.     expression = "FREEMAIL_FROM & SENDER_REP_SPAM";

  151.     score = 0.0;

  152.     policy = "remove_weight";

  153.   }

  154.   BROKEN_HEADERS_MAILLIST {

  155.     description = "Negate BROKEN_HEADERS when message comes via some mailing list";

  156.     expression = "BROKEN_HEADERS & -MAILLIST";

  157.     score = 0.0;

  158.     policy = "remove_weight";

  159.   }

  160.   LEAKED_PASSWORD_SCAM {

  161.     description = "Contains BTC wallet address and scam patterns";

  162.     expression = "BITCOIN_ADDR & (LEAKED_PASSWORD_SCAM_RE | R_MIXED_CHARSET | R_EMPTY_IMAGE)";

  163.     policy = "leave";

  164.     score = 7.0;

  165.     group = "scams";

  166.   }

  167.   FREEMAIL_AFF {

  168.     expression = "(FREEMAIL_FROM | FREEMAIL_ENVFROM | FREEMAIL_REPLYTO | FREEMAIL_MDN) & (TO_DN_RECIPIENTS | R_UNDISC_RCPT) & (INTRODUCTION | FROM_NAME_HAS_TITLE | FREEMAIL_REPLYTO_NEQ_FROM_DOM | SUBJECT_HAS_CURRENCY)";

  169.     score = 4.0;

  170.     policy = "leave";

  171.     description = "Message exhibits strong characteristics of advance fee fraud (AFF a/k/a '419' spam) involving freemail addresses";

  172.     group = "scams";

  173.   }

  174.   SUSPICIOUS_MDN {

  175.     expression = "(FREEMAIL_MDN | DISPOSABLE_MDN) & !(FREEMAIL_FROM | FREEMAIL_ENVFROM)";

  176.     score = 2.0;

  177.     policy = "leave";

  178.     description = "Message delivery notification should go to freemail or disposable e-mail, but message was not sent from a freemail address";

  179.     group = "scams";

  180.   }

  181.   REDIRECTOR_URL_ONLY {

  182.     expression = "HFILTER_URL_ONLY & REDIRECTOR_URL";

  183.     score = 1.0;

  184.     policy = "leave";

  185.     description = "Message only contains a redirector URL";

  186.   }

  187.   SUSPICIOUS_AUTH_ORIGIN {

  188.     expression = "(HAS_XOIP | RCVD_FROM_SMTP_AUTH) & (!RECEIVED_SPAMHAUS_PBL | RECEIVED_SPAMHAUS_XBL | RECEIVED_SPAMHAUS_SBL | RECEIVED_BLOCKLISTDE)";

  189.     score = 0.0;

  190.     policy = "leave";

  191.     description = "Message authenticated, but from a suspicios origin (potentially an injector)";

  192.   }

  193.   ABUSE_FROM_INJECTOR {

  194.     expression = "SUSPICIOUS_AUTH_ORIGIN & (FAKE_REPLY | HAS_IPFS_GATEWAY_URL | HTML_SHORT_LINK_IMG_1)";

  195.     score = 2.0;

  196.     policy = "leave";

  197.     description = "Message is sent from a suspicios origin and showing signs of abuse, likely spam injected in compromised account";

  198.     group = "compromised_hosts";

  199.   }

  200.   SUSPICIOUS_URL_IN_SUSPICIOUS_MESSAGE {

  201.     expression = "(REDIRECTOR_URL | HAS_ANON_DOMAIN | HAS_IPFS_GATEWAY_URL) & (-g+:fuzzy | -g+:statistics | -g+:surbl | -g+:rbl)";

  202.     score = 1.0;

  203.     policy = "leave";

  204.     description = "Message contains redirector, anonymous or IPFS gateway URL and is marked by fuzzy/bayes/SURBL/RBL";

  205.   }

  206. 

  207.   .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/composites.conf"

  208.   .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/composites.conf"

  209. }